SECURITY: OpenTable isn’t just for customers — it shares ALL your data from ALL venues

Saturday, December 6, 2025

https://www.theverge.com/report/822110/opentable-ai-assisted-data-restaurants

Your online reservations are telling restaurants all about you

  • OpenTable is sharing your dining habits, both good and bad.

by Dominic Preston
Nov 17, 2025, 1:59 PM EST

*** begin quote ***

Your Online Reservations Are Telling Restaurants All About You [theverge.com]

If you make reservations through OpenTable, restaurants may be getting more information about you than you realize. Because OpenTable isn’t just for customers…it’s “billed to restaurants as a one-stop shop” that can integrate with restaurants’ payment and order management systems. When you make a new reservation, OpenTable gathers information “based on the orders you’ve made and money you’ve spent at other restaurants in the past” and shows it to restaurants using AI-assisted tags. According to an OpenTable representative, “what [they] share with restaurants is guided by the choices you’ve made in your privacy preferences,” but The Verge found the platform’s privacy policy “actually a little opaque on this.”

Want to opt out of this data sharing? “You can do so by logging into your account, heading to your profile, and then going to the ‘Preferences’ page. You’ll find six options related to the privacy policy, but the one that matters most is the last one: ‘Allow OpenTable to use Point of Sale information.’ Untick that, and your order history should be your own again.”

*** end quote ***

Surprise, surprise.  And, you thought OpenTable was wearing a “white hat”!  Argh!

I remember a Law & Order episode where a Mafia informant was killed when a special cake was delivered to a fancy restaurant in lower Manhattan.  (The Shearson data center was nearby and I was familiar with it and the area.)  So is OpenTable a security risk?  Maybe, if you’re looking over your shoulder for a hitman, process server, or a jealous ex-lover.

A more common reason would be that your treatment at a restaurant may be related to your spending habits (i.e., big spender gets special treatment; poor tipper gets spit in their food).  YMMV!

And like most tracking done by your phone, it may subject you to unexpected intrusions. 

Consult the Electronic Frontier Foundation for more horror stories.

— 30 —


SECURITY: New Hampshire cold case should be a warning

Friday, December 5, 2025
https://nypost.com/2025/11/26/us-news/new-hampshire-judith-lord-cold-case-solved-half-a-century-later-identifying-ernest-gable-as-killer/
 
New Hampshire cold case is solved half a century after flawed FBI report allowed killer to escape
By Nicholas McEntyre
Published Nov. 26, 2025, 1:25 a.m. ET
 

*** begin quote ***

Despite Gable being identified as a suspect, he could not be properly accused because “the case was severely hindered by a flawed forensic report issued by the FBI in 1975,” Formella said.

“At the time, microscopic hair analysis techniques led to an incorrect conclusion that the suspect could not have contributed the hairs found at the scene,” the report found.

Other evidence contradicted the analysis results, with Gable’s fingerprints being found at the scene and witnesses revealing that Lord had feared him.

During their investigation, detectives discovered Lord had been afraid of both her husband and Gable for some time because of his “persistent and unwanted advances.”

“Judith told her sister she was afraid of both her husband and her African American neighbor next door, indicating Mr. Gable, because he ‘had made remarks to her about wanting to see her nude,’” the attorney general’s report found.

*** end quote ***

A solved cold case that should be a warning to everyone.  Don’t stay where there are creepy neighbors.
 
And maybe this is not the only “mistake” due to the FBI incompetence?
 
#endtheFBI

— 30 —


SECURITY: Bitcoin mining hardware exec falls for sophisticated crypto scam

Sunday, November 30, 2025

https://arstechnica.com/information-technology/2025/11/bonkers-bitcoin-heist-5-star-hotels-cash-filled-envelopes-vanishing-funds/

Bitcoin mining hardware exec falls for sophisticated crypto scam to tune of $200k
Joel Khalili – Nov 18, 2025 1:37 PM 

*** begin quote ***

As Kent Halliburton stood in a bathroom at the Rosewood Hotel in central Amsterdam, thousands of miles from home, running his fingers through an envelope filled with 10,000 euros in crisp banknotes, he started to wonder what he had gotten himself into.

Halliburton is the cofounder and CEO of Sazmining, a company that operates bitcoin mining hardware on behalf of clients—a model known as “mining-as-a-service.” Halliburton is based in Peru, but Sazmining runs mining hardware out of third-party data centers across Norway, Paraguay, Ethiopia, and the United States.

As Halliburton tells it, he had flown to Amsterdam the previous day, August 5, to meet Even and Maxim, two representatives of a wealthy Monaco-based family. The family office had offered to purchase hundreds of bitcoin mining rigs from Sazmining—around $4 million worth—which the company would install at a facility currently under construction in Ethiopia. Before finalizing the deal, the family office had asked to meet Halliburton in person.

*** end quote ***

Sorry, but NO ONE gets cash filled envelopes in an honest transaction.

That should have been the first clue to a scam.

Then to “prove a capability or a holding” of bitcoin transfer some to a strange wallet?

Just reading the story, my ex-CISO “spidey senses” were on high alert.

And inputting a key “seed phrase” into an unknown software wallet you just downloaded was just the height of stupidity.

Sorry to pile on and beat a “dead horse”, but the warning signs were there.

Who knew if “wealthy Monaco-based family office” was even a real entity.  Or if they even knew what was going on in their name.

Argh!

“You can’t cheat an honest man.” — W. C. Fields

— 30 —


SECURITY: Germany may dictate no end-to-end encryption

Tuesday, October 14, 2025

https://digitalchew.com/2025/10/05/chat-control-could-break-encryption-warns-signal/

Chat Control Could Break Encryption, Warns Signal
Reginald Edward
October 5, 2025

*** begin quote ***

Key Takeaways

  • Signal’s president warns Germany that Chat Control could destroy user privacy.
  • Chat Control forces apps to scan messages before encryption.
  • The plan would weaken secure chats and allow mass surveillance.
  • Signal says it will leave the EU if Chat Control becomes law.
  • Germany’s vote on Chat Control could shape global privacy rules.

*** end quote ***

And what happens when one Gooferment does it, whatever the particular “it” is?  Other Gooferments think “what a great idea” and do it too.

Argh!

— 30 —


SECURITY: Q-day threats — post-quantum security

Monday, September 29, 2025

https://blog.cloudflare.com/you-dont-need-quantum-hardware/?utm_source=tldrinfosec/

You don’t need quantum hardware for post-quantum security

2025-09-19

Luke Valenta

*** begin quote ***

You don’t need quantum hardware for post-quantum security (15 minute read)

Organizations can prepare for quantum computing threats (Q-day) using post-quantum cryptography (PQC) deployed on existing hardware without needing expensive quantum technologies like quantum key distribution (QKD) or quantum random number generators (QRNG). Being “quantum ready” means systems remain secure after quantum computers can break conventional cryptography. Beware of vendor claims that quantum hardware products are necessary for quantum-resistant security. Organizations should prioritize implementing PQC algorithms on current infrastructure rather than investing in quantum hardware solutions that are neither necessary nor sufficient for protection against quantum adversaries.

*** end quote ***

This has huge implications for both digital signatures and ₿itcoin.

— 30 —


SECURITY: Fake US and Canadian IDs

Sunday, September 28, 2025

https://hackread.com/chinese-network-ofake-us-canadian-ids/?utm_source=tldrinfosec

Chinese Network Selling Thousands of Fake US and Canadian IDs

  • New investigation exposes a China-based ring that sold over 6,500 fake United States and Canadian IDs using well-planned covert packaging. Learn how this operation threatens national security and enables financial crime.

by Deeba Ahmed — September 19, 2025

*** begin quote ***

Chinese Network Selling Thousands of Fake US and Canadian IDs (3 minute read)

CloudSEK exposed a China-based operation called “ForgeCraft” that sold over 6,500 counterfeit US and Canadian driver’s licenses and Social Security cards to more than 4,500 buyers, generating over $785,000 in revenue through 83 websites and using covert packaging methods to ship fake IDs hidden in everyday items. The sophisticated fake documents feature scannable barcodes, holograms, and UV markings and pose national security risks by enabling financial fraud, bypassing border checks, and potentially facilitating voter fraud. CloudSEK researchers identified the main operator’s location in Xiamen, China, and shared evidence with authorities to disrupt the operation.

*** end quote ***

So how do we stop this?

Clearly, this is an “epidemic” and undermines everything that needs “security”.

Must be a way to create a crypto hash and block chain implementation to compare it with.

— 30 —


SECURITY: Don’t forget the old printer as a “data leak”

Thursday, September 18, 2025

FROM TLDR Information Security 2025-09-10

*** begin quote ***

USB drives are still a problem – but they’re not your only data exfiltration risk (Sponsor)

While most organizations focus on blocking USB devices, attackers and insiders can just as easily steal data through network shares, cloud storage, or even local folder access. You need visibility and control over ALL storage access points.

*** end quote ***

Yeah, but I remember that brokers used to keep a shadow book at home.  Meticulously copying or printing duplicates of “their” Client accounts.  

Now it’s easy to just use your phone to take a picture.  AI or software will even extract the text from the picture so no reentering data drudgery. 

I’ve even seen utilities that will put files into QR codes for backup and recovery.

Never underestimate human ingenuity to get what they want.  Be it drugs, sex, money, or data.

— 30 —


SECURITY: Does Uber know who’s really driving?

Tuesday, August 26, 2025

https://www.ericpetersautos.com/2025/08/11/why-ride-hailing-is-not-as-safe-as-you-think/

Why Ride-Hailing Is Not as Safe as You Think
By badger – August 11, 2025

*** begin quote ***

Even with driver photos and license details, identity fraud is possible. Some drivers rent accounts or share them illegally. That raises big safety questions. Safety becomes an illusion when systems are not properly enforced. You might not know who is actually behind the wheel. This illusion affects both riders and drivers alike. When safety is marketed more than it is practiced, everyone loses in the end.

*** end quote ***

I know that Uber has updated their app with a code you give the driver and you get a photo of the driver.  I thought that would be enough.  

BUT, (and there is always a BIG butt), the “renting” and “sharing” of accounts throws a monkey wrench into their system.

Maybe they should require you to take a picture of the driver that then Uber can use AI to confirm who’s really driving?

— 30 —


SECURITY: No technology needed for this hack; just call up and lie

Sunday, August 17, 2025

https://www.wnd.com/2025/08/helpdesk-havoc-why-clorox-is-suing-indian-company/

Why Clorox is suing Indian company for $380 million

  • In Clorox’s telling, the hacker didn’t crack advanced encryption or spear-phish executives. He just called Cognizant on the phone and lied

By Amanda Bartolotta  —  August 7, 2025

*** begin quote ***

In a San Francisco courtroom, the Clorox Company recently dropped a legal bombshell – a $380 million lawsuit against Indian-American information technology company Cognizant, alleging gross negligence in a 2023 cyberattack.

In the complaint dated July 22, 2025, Clorox contends a hacker simply called Cognizant’s helpdesk, lied about being an employee and was handed network credentials – no identity verification, no oversight, just a password transfer. The resulting cyberattack ended up paralyzing Clorox’s operations, costing upwards of $49 million in remediation and much more in lost business.

*** end quote ***

Way back when I ran an information security desk, long before “password managers”, in the “yellow sticky note” era, I was challenged to reduce the number of password resets my group was doing.  Not for security; it was a cost-saving attempt.  (We figured that every call cost the company about $50 in lost productivity.)  So my team came up with a great solution: when a call came in for a forgotten password, we’d just have the person get his supervisor to call in for the reset.  Laugh!  Calls dropped dramatically.  It was trivial to verify the supervisor since we’d just call them back at their number listed in the company phonebook.  (Those still existed.)  Then the supervisor would connect the employee and we’d do the reset.  Calls dropped so much we had a weekly pool on when the next one would come in.  (A dollar a head per week.  The pool grew about $20 per week.)  Sometimes we went a month without a reset.
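The supervisor-callback procedure above boils down to one rule: nothing the caller says is used for verification; the supervisor of record and the number to dial both come from the company directory. Here is that decision logic as an added example (mine, not the blog’s or any helpdesk vendor’s code); the directory entries, employee ids and phone numbers are constructed placeholders.

```python
"""Out-of-band password-reset authorization, modelled on the
supervisor-callback procedure described above.

Added example, not the blog's or any vendor's code. The directory,
employee ids and phone numbers are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed company phonebook: the only source of truth for who reports
# to whom and which number a supervisor can be reached at.
DIRECTORY = {
    "e1001": {"name": "Pat Employee", "manager": "e2001", "phone": "+1-555-0100"},
    "e2001": {"name": "Sam Supervisor", "manager": "e3001", "phone": "+1-555-0200"},
}


@dataclass
class ResetRequest:
    employee_id: str          # account the caller wants reset
    caller_claims_to_be: str  # who the caller says they are (an employee id)
    supplied_callback: str    # number the caller asks us to call back on


def authorize_reset(req):
    """Decide whether the desk may start a reset and which number to dial.

    Returns (approved, callback_number_or_None, reason). Nothing the caller
    supplied is trusted: the supervisor of record and the callback number
    both come from DIRECTORY, never from the phone call.
    """
    employee = DIRECTORY.get(req.employee_id)
    if employee is None:
        return False, None, "unknown employee id"
    if req.caller_claims_to_be == req.employee_id:
        # The Clorox/Cognizant failure mode: caller says "I'm the employee,
        # reset me". The procedure refuses and sends them to their supervisor.
        return False, None, "employee may not self-reset; supervisor must call"
    if req.caller_claims_to_be != employee["manager"]:
        return False, None, "caller is not the supervisor of record"
    supervisor = DIRECTORY.get(employee["manager"])
    if supervisor is None:
        return False, None, "supervisor not listed in directory"
    if req.supplied_callback != supervisor["phone"]:
        # Caller-supplied numbers are ignored, not dialled; note the mismatch.
        reason = "caller's callback number differs from directory; dialling directory number"
    else:
        reason = "callback number matches directory"
    return True, supervisor["phone"], reason


if __name__ == "__main__":
    for req in (
        ResetRequest("e1001", "e1001", "+1-555-0999"),  # employee calls for self
        ResetRequest("e1001", "e2001", "+1-555-0999"),  # supervisor, wrong number given
        ResetRequest("e1001", "e9999", "+1-555-0200"),  # impostor claiming to be a boss
    ):
        print(req, "->", authorize_reset(req))
```

The point worth keeping from the story is the last branch: even when the caller offers a callback number, the desk dials the directory number, so a social engineer who controls a phone line gains nothing by reading it out.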

Guess outsourcing your help desk was NOT so cost effective?

— 30 — 


SECURITY: Your own domain can prevent phishing

Saturday, July 12, 2025

An Original Thought

May I suggest that you have your own domain?

The common wisdom, or is that common whizdumb, is to own your own name as a domain name. I own “reinke.cc”. (I like saying “sea sea me at reinke.cc”! me@reinke.cc will actually work!) 

It gives one quite a bit of control. And, it’s very cheap. I know three solutions: wordpressdotcom with gmail, email only with 1and1, and domain+email+webspace also at 1and1. 

My point is not that you should use 1and1. http://www.1and1.com/?k_id=9113251 I could care less which one you use. It’s that getting on to your own domain with email is cheap and easy. 

And, it’s not aol, hotmail, yahoo, or gmail. It IS your own “personal brand”. And, the “bad guys” can’t fool you!

If you have your own domain, you can “bulletproof” your email from phishing and frauds!

Let’s assume that you have “your own domain” named “yourowndomain.com”, and you bank at “your bank” at “yourbank.com”.

You give “yourbank.com” your email address as “yourbankcom@yourowndomain.com”.  (Be prepared for some strange looks when you do this, because the folks have never heard of such an email address.)

Then you can set up an email filter (let’s use Gmail as an example) that says:

  • Comes from “yourbank.com” and
  • Is addressed to “yourbankcom@yourowndomain.com” and
  • You apply a label of “yourbank”

So all your email comes into GMAIL and gets assigned a label “INBOX”.

  • Anything that comes in purporting to be from “yourbank” MUST carry both Gmail labels, “INBOX” and “yourbank”.
  • You can also set up a filter for mail addressed to “yourbankcom@yourowndomain.com” but NOT from “yourbank.com”, and label it “PHISHING ATTACK”.
  • You can also set up a filter for mail NOT addressed to “yourbankcom@yourowndomain.com” but sent from “yourbankcom@yourowndomain.com”, and label it “BANK GAVE OUT YOUR EMAIL ADDRESS”.

Pretty tricky and quickly eliminates PHISHING ATTACKS and identifies when the “BANK GAVE OUT YOUR EMAIL ADDRESS”.
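The three filter rules above, written out as an added example (my code, not the blog’s and not Gmail’s filter engine) so the logic can be run against sample messages; the alias, bank domain and the messages themselves are constructed.

```python
"""Per-sender alias mail labelling, modelled on the three filter rules above.

Added example, not the blog's own code and not how Gmail implements filters.
The alias, the bank domain and the sample messages are constructed.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

ALIAS = "yourbankcom@yourowndomain.com"  # alias handed only to the bank
BANK_DOMAIN = "yourbank.com"             # the only domain allowed to use it


def _sender(msg):
    """Address in the From header, lower-cased; the display name is ignored."""
    return parseaddr(msg.get("From", ""))[1].lower()


def _recipients(msg):
    """Every address in To and Cc, lower-cased."""
    raw = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def label(raw_message):
    """Apply the post's rules and return the labels assigned, INBOX first."""
    msg = message_from_string(raw_message)
    sender = _sender(msg)
    sender_domain = sender.rsplit("@", 1)[-1]   # exact-domain match, see note
    to_alias = ALIAS in _recipients(msg)
    labels = ["INBOX"]
    if to_alias and sender_domain == BANK_DOMAIN:
        labels.append("yourbank")                        # rule 1: genuine bank mail
    elif to_alias:
        labels.append("PHISHING ATTACK")                 # rule 2: alias used, wrong sender
    elif sender == ALIAS:
        labels.append("BANK GAVE OUT YOUR EMAIL ADDRESS")  # rule 3: alias abused as sender
    return labels


# Constructed sample messages, one per rule plus an unrelated one.
SAMPLES = {
    "legit": ("From: Alerts <alerts@yourbank.com>\n"
              "To: yourbankcom@yourowndomain.com\nSubject: Statement\n\nbody"),
    "phish": ("From: YourBank Security <security@yourbank.com.example.net>\n"
              "To: yourbankcom@yourowndomain.com\nSubject: Verify now\n\nclick"),
    "leaked": ("From: yourbankcom@yourowndomain.com\n"
               "To: someone@example.org\nSubject: offer\n\nspam"),
    "other": "From: friend@example.org\nTo: me@yourowndomain.com\n\nhi",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:7} -> {label(raw)}")
```

Two practical notes. First, the code compares the sender’s domain exactly, whereas Gmail’s `from:yourbank.com` filter is a substring match, so a lookalike such as `security@yourbank.com.example.net` would also satisfy a naive Gmail rule 1; the “phish” sample is exactly that case. Second, rules keyed on the From header stop only attackers who don’t spoof it; the authentication protocols quoted further down (SPF, DKIM, DMARC) are what let the receiving server reject a forged From in the first place.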

Applause please?  

Why the email providers can’t protect you by using the appropriate internet protocols is beyond me!

*** begin quote ***

Email authentication methods and protocols 

  • SPF (Sender Policy Framework)

    A sender policy framework (SPF) is a record published in your DNS that lists all the IP addresses that are allowed to send emails on behalf of your domain. When an incoming email is received, the recipient server will check the SPF record to verify if the sending IP address is authorized to send emails for that particular domain. If it’s not listed in the SPF record, there’s a higher chance that the email will be marked as spam or blocked altogether. While SPFs can help to prevent spam and phishing attempts, they also may reject legitimate emails in situations where the sender’s domain SPF records aren’t properly configured.

  • DKIM (DomainKeys Identified Mail)

    DKIM stands as a pivotal technology in the battle against email spoofing by attaching a digital signature to each outgoing email, linked directly to the sender’s domain name. This signature enables the recipient’s email server to verify whether an email purportedly sent from a specific domain is authorized by that domain’s owner. Given that emails often undergo multiple hops—redistributed by mailing lists or forwarding rules—DKIM ensures that signed messages can be reliably relayed by any server, maintaining their integrity and authenticity throughout their journey.

  • DMARC (Domain-based Message Authentication, Reporting, and Conformance)

    The DMARC protocol was built on top of SPF and DKIM, and relies on senders and receivers sharing information to ensure a smooth validation process. DMARC refers to SPF and DKIM records to validate a sender’s identity, along with testing whether the domain they use is found in the “from” address. If an email does not pass the validation test, DMARC provides rules on how to treat the message based on certain conditions. This protocol can help domain owners block phishing attacks by filtering such messages into spam, or rejecting them altogether.

  • BIMI (Brand Indicators for Message Identification)

    If you’ve ever seen an email from a brand that included their logo right in the sender column, that brand was using BIMI. Improving email security with BIMI involves using an authentication system that enables trusted senders to display an icon of their choice directly in senders’ inboxes. BIMI can boost recipients’ trust in your messages, while heightening visibility of your brand.

  • MTA-STS (Mail Transfer Agent Strict Transport Security)

    MTA-STS is a security standard that enables you to send and receive messages securely over an encrypted SMTP connection. The MTA-STS protocol enhances email security by enabling an SMTP client to confirm the server’s identity during the TLS handshake. It does this by requiring the server to present its certificate fingerprint, which the client then matches with a trust store of certificates from verified servers. This process ensures the client does not connect to fraudulent servers, maintaining secure communication. 

  • TLS reporting

    TLS reporting is a mechanism that enables email senders to report issues with TLS connectivity.

    It is more effective when used alongside MTA-STS. The strict enforcement mode of MTA-STS will prevent email delivery if TLS issues are detected, ensuring a higher level of security and reliability in email communications.

  • ARC (Authenticated Received Chain)

    ARC acts as a “chain of custody” for email messages. It enables every entity involved in processing the message to clearly see which entities have previously interacted with it. At every stage of handling, it provides a detailed authentication assessment. The primary advantage of ARC, now adopted by the majority of mail servers, is its solution to a significant issue: previously, when a DMARC-protected email was forwarded, it would fail DKIM authentication and, consequently, DMARC. ARC preserves all original authentication information, allowing the final recipient’s mail server to verify that the email was DKIM authenticated before being forwarded.

*** end quote ***
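The quoted DMARC paragraph says the receiver “refers to SPF and DKIM records” and tests whether the authenticated domain matches the From address. The combination rule is small enough to write out, so here it is as an added example (mine, not the quoted article’s and not any mail server’s code). The DMARC record is a constructed TXT string, and the organizational domain is approximated by the last two labels, whereas real receivers consult the Public Suffix List.

```python
"""DMARC in miniature: how SPF, DKIM and From-header alignment combine into
a pass/fail and a disposition (RFC 7489 logic, simplified).

Added example, not the quoted article's or any MTA's code. Organizational
domain is approximated by the last two labels (real receivers use the
Public Suffix List); records and results below are constructed.
"""
from dataclasses import dataclass


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Approximate organizational domain: the last two labels (simplification)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(identifier_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) an org-domain match."""
    a, b = identifier_domain.lower(), from_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str   # domain in the RFC5322.From header the user sees
    spf_result: str    # "pass" or "fail" for the connecting IP
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated against
    dkim_result: str   # "pass" or "fail" for the signature
    dkim_domain: str   # d= tag of the DKIM signature


def evaluate_dmarc(record_txt, r):
    """Return (dmarc_pass, disposition). Disposition is 'none' on pass,
    otherwise the record's p= policy (none/quarantine/reject)."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, rec.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, rec.get("adkim", "s" if False else "r"))
    passed = spf_ok or dkim_ok          # either aligned mechanism is enough
    return passed, ("none" if passed else rec["p"])


# Constructed record for the bank from the post, and three constructed messages.
RECORD = "v=DMARC1; p=reject; aspf=r; adkim=s"
LEGIT = AuthResults("yourbank.com", "pass", "mail.yourbank.com", "pass", "yourbank.com")
SPOOF = AuthResults("yourbank.com", "pass", "attacker.example", "pass", "attacker.example")
FORWARDED = AuthResults("yourbank.com", "fail", "forwarder.example", "pass", "yourbank.com")

if __name__ == "__main__":
    for name, res in (("legit", LEGIT), ("spoof", SPOOF), ("forwarded", FORWARDED)):
        print(f"{name:9} -> {evaluate_dmarc(RECORD, res)}")
```

The “spoof” case is the one the post worries about: SPF and DKIM both pass, but for the attacker’s own domain, and neither aligns with the From header the reader sees, so the message is rejected. The “forwarded” case shows why the quoted text says DKIM survives relaying: SPF fails at the forwarder, yet the bank’s signature still aligns.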

— 30 —


SECURITY: SMS is not a good 2FA (Second Factor Authentication)

Saturday, May 10, 2025

https://www.makeuseof.com/security-apps-protect-your-data/?utm_medium=newsletter&utm_campaign=MUO-202505090800&utm_source=MUO-NL&user=cmVpbmtlZmpAZ21haWwuY29t&lctg=7e6c3cd411d6a815afa18582d54bd455914c43c5f69df1448b8ec20ee4959f71

Install These 5 Security Apps Now to Protect Your Data
Jowi Morales

<< EDITOR ADDED DATE 2025-05-07>>

*** begin quote ***

Authenticator

Usernames and passwords are no longer as secure as you might think; that’s why you should switch to two-factor authentication (2FA) to help secure your online access. You can easily set this up on most accounts, including your accounts on Google, Meta, and more, ensuring that any potential hacker who has compromised your username and password combination still needs a one-time password to gain access.

However, we don’t recommend using SMS for your 2FA code because of its many disadvantages. For example, if you’ve been specifically targeted by personal identity thieves, they can trick your mobile provider into transferring your number to a SIM card that they have (called SIM swap), meaning they will receive your OTP codes on their device. Furthermore, SMS messages can be intercepted, meaning someone targeting you can easily steal your OTPs even if you did not lose access to your SIM card. And if you lose your phone signal (or your service provider runs into problems), you won’t get your codes and will be unable to access your accounts.

*** end quote ***

Personally, I use Google Authenticator. But I have AUTHY, LASTPASS, and BITWARDEN. Can’t say I prefer one over another, but given how stuff gets “deprecated” (i.e., abandoned), I’m ready to switch.

I have a running debate with my bank about their use of SMS.  So far, I’m losing but I’m still nagging.

Argh!

—30—


SECURITY: Don’t just take your power from any source?

Wednesday, April 30, 2025

https://arstechnica.com/security/2025/04/ios-and-android-juice-jacking-defenses-have-been-trivial-to-bypass-for-years/

SON OF JUICE JACKING ARISES

  • iOS and Android juice jacking defenses have been trivial to bypass for years
  • New ChoiceJacking attack allows malicious chargers to steal data from phones.

Dan Goodin – Apr 28, 2025 7:00 AM 

*** begin quote ***

Word that juice-jacking-style attacks are once again possible on some Android devices and out-of-date iPhones is likely to breathe new life into the constant warnings from federal authorities, tech pundits, news outlets, and local and state government agencies that phone users should steer clear of public charging stations.

As I reported in 2023, these warnings are mostly scaremongering, and the advent of ChoiceJacking does little to change that, given that there are no documented cases of such attacks in the wild. That said, people using Android devices that don’t support Google’s new authentication requirement may want to refrain from public charging.

*** end quote ***

This reinforces my personal preference for having an external battery for recharge.  All my cars and my EDC pack have an ANKER power block, my own power plug, and 3 short USB-A cables.  My SOP is to not use “public ports” unless I have no other choice.  Suggest that anyone who values their security should do the same.

—30—


SECURITY: Bluesky may verify “authentic” accounts

Friday, April 25, 2025

https://bsky.social/about/blog/04-21-2025-verification

A New Form of Verification on Bluesky
April 21, 2025 by The Bluesky Team

*** begin quote ***

In 2023, we launched our first layer of verification: letting individuals and organizations set their domain as their username. Since then, over 270,000 accounts have linked their Bluesky username to their website. Domain handles continue to be an important part of verification on Bluesky. At the same time, we’ve heard from users that a larger visual signal would be useful in knowing which accounts are authentic.

*** and ***

During this initial phase, Bluesky is not accepting direct applications for verification. As this feature stabilizes, we’ll launch a request form for notable and authentic accounts interested in becoming verified or becoming trusted verifiers.

*** end quote ***

Interesting that they MAY verify real people. 

With or without a “subscription”?

I’ve often thought that ISPs, if they wanted, could tie a user’s identity to the credit card they pay with.  Also, they COULD (but don’t) allow such an identity to create sub-accounts for children and young adults.  

Wouldn’t this cut down on the number and kind of bots that spam the inet with trash?

Seems so simple to me.

Argh!

—30—


SECURITY: Time to end credit card number and social security numbers

Tuesday, February 18, 2025

https://securityaffairs.com/174085/cyber-crime/google-tag-manager-gtm-e-skimmer-software-in-magento.html

Crooks use Google Tag Manager skimmer to steal credit card data from a Magento-based e-stores

Pierluigi Paganini

February 11, 2025 

*** begin quote ***

Crooks use Google Tag Manager skimmer to steal credit card data from a Magento-based e-stores

Threat actors are using Google Tag Manager (GTM) to install credit card skimmer malware on Magento-based e-stores, according to Sucuri researchers. The malware hides in a website’s database and steals credit card information entered during the checkout process, sending it to the attackers’ server. This sophisticated attack demonstrates how criminals are using legitimate platforms like GTM to deploy malicious code that is difficult to detect. 

*** end quote ***

Isn’t it about time to retire the concept and strategy of using numbers for identification?

Social Security Numbers, credit card numbers, account numbers, or any kind of numbers are just not secure enough any more.  I even have my doubts about crypto keys used for “wallets”.

The Gooferment and Visa are the primary actors that we need to lead the change. 

Medicare transitioned from a number to an alphameric string to stop the frauds.  Why can’t social security?  

I’m not sure what should take its place but how about a secure hash of your name?

“John Q Public” could easily become “9YWJSN0BSVR3IKNV11A2HZM 8X70I24JXUA6REACFTXYD7WC436”!

Go ahead hackers guess that!

—30—


SECURITY: Why doesn’t the Gooferment mandate not using SMS for 2FA?

Saturday, January 25, 2025

https://www.makeuseof.com/why-sms-2fa-insecure/?user=cmVpbmtlZmpAZ21haWwuY29t&lctg=7e6c3cd411d6a815afa18582d54bd455914c43c5f69df1448b8ec20ee4959f71

Why I Don’t Use SMS for 2FA (and What I Use Instead)
By John Awa-abuon
Published Dec 14, 2024

  •     SIM Swaps Allow Hackers to Steal Your Phone Number
  •     SMS Messages Can Be Intercepted
  •     SMS Is Tied to Your Phone Number
  •     What I Use Instead: Authenticator Apps

Two-factor authentication (2FA) adds a vital layer of security to your online accounts, but unfortunately, not all methods are created equal. Many people rely on SMS-based 2FA, assuming it’s a safe choice. Unfortunately, SMS is far from foolproof. Here’s why I’ve stopped using SMS for 2FA and what I use instead…

*** begin quote ***

What I Use Instead: Authenticator Apps

Rather than relying on SMS for 2FA, I’ve switched to 2FA authenticator apps. Apps like Google Authenticator, Microsoft Authenticator, and Authy generate time-based one-time passwords (TOTP) directly on your device, offering a much safer and more reliable alternative to SMS.

The first major advantage of authenticator apps is security. Unlike SMS, these apps generate codes locally on your phone, meaning they’re not transmitted over networks that could be intercepted or exploited. They’re also protected by additional layers of security—many apps require a passcode, fingerprint, or face scan to access the codes.

Another reason I prefer authenticator apps is their offline functionality. Since the codes are generated directly on the device, you don’t need a cellular connection to use them. Whether you’re in a remote area with no service or simply indoors with poor reception, you can still access your codes as long as you have your device.

I prefer Authy over other authenticator apps because it offers cloud backups, making it easy to recover my accounts if I lose my phone. At the same time, it secures these backups with encryption, ensuring that only I can access them. Google Authenticator is another popular choice. Both options are free, widely supported, and easy to set up.

Using an authenticator app is straightforward. Once you’ve set it up, usually by scanning a QR code provided by the website during the 2FA setup process, you simply open the app to access a code whenever you log in. The codes refresh every 30 seconds, so even if someone manages to steal one, it becomes useless almost immediately.

Two-factor authentication is essential for keeping your accounts secure, but the method you use matters. While SMS-based 2FA might seem convenient, it’s riddled with vulnerabilities—from SIM swaps to interception methods and even practical issues like poor cellular reception. These risks make SMS an unreliable safeguard for your online security.

*** end quote ***
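Both this quote and the one in the May 10 post above say the same thing about authenticator apps: the code is computed on the device from a shared secret and the clock, refreshes every 30 seconds, and is never sent over the phone network. The mechanism is RFC 4226 HOTP under RFC 6238 TOTP; here it is as an added example (mine, not the article’s or any authenticator vendor’s code). The secret is the ASCII test key from those RFCs so the outputs can be checked against the published vectors; the issuer and account names in the provisioning URI are placeholders.

```python
"""How an authenticator app's codes are produced and checked
(RFC 4226 HOTP / RFC 6238 TOTP).

Added example, not the quoted article's or any vendor's code. TEST_KEY is the
RFC test secret so results match the RFCs' published vectors; the issuer and
account names are placeholders.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

TEST_KEY = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret
STEP = 30                           # seconds per code, as the article states
DIGITS = 6


def hotp(key, counter, digits=DIGITS):
    """HMAC-SHA1 one-time password for a 64-bit counter (RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key, at=None, step=STEP, digits=DIGITS):
    """Time-based code: the counter is the number of step-second windows since the epoch."""
    at = time.time() if at is None else at
    return hotp(key, int(at // step), digits)


def verify_totp(key, candidate, at=None, window=1, step=STEP, digits=DIGITS):
    """Server-side check: accept the current window plus `window` neighbours on
    each side (clock skew), comparing in constant time. This is also why a
    stolen code 'becomes useless almost immediately', as the article puts it."""
    at = time.time() if at is None else at
    counter = int(at // step)
    return any(
        hmac.compare_digest(hotp(key, counter + delta, digits), candidate)
        for delta in range(-window, window + 1)
    )


def provisioning_uri(key, account, issuer):
    """The otpauth:// URI the enrolment QR code carries (the Key URI format used
    by Google Authenticator and compatible apps): the secret travels to the
    phone once, here, and never again."""
    secret = base64.b32encode(key).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    print(provisioning_uri(TEST_KEY, "user@example.com", "ExampleBank"))  # placeholders
    print("code right now:", totp(TEST_KEY))
    print("RFC 6238 vector, t=59:", totp(TEST_KEY, at=59))   # 287082
```

Nothing here touches a network or a phone number, which is the whole argument against SMS: a SIM swap or an intercepted text gives an attacker nothing when the code is derived on-device from a secret that only left the server once, inside the QR code.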

The Gooferment politicians and bureaucrats have warned that the phone networks have been hacked.

So why not MANDATE better security.   

Seems simple to me?

—30—


SECURITY: Got a pin for an Affirm account I don’t have?

Thursday, January 9, 2025

You have to be kidding me!  They “are aware of the issue”?  I went into full “identity theft” mode.  

“BATTLE STATIONS.  All hands report.  Stand by to fire at any available target.  Notify CIC of any intruders.  You are authorized to fire at any unidentified objects.  THIS IS NOT A DRILL.”

I was ready to trigger password reset on all financial and email accounts.

Argh!

But they “are aware of the issue”!

*** begin quote ***

Dear Fedinand,

Thank you for contacting Affirm!

I’m Alejandra from the Customer Care team, and I hope you are doing well.

If you don’t have an Affirm account, please ignore the text message that you received. We are aware of this issue and working on a fix. Be sure to not give your pin out to anyone. Do not click on any links sent referring to OTP (one-time passwords) if you did not request it.

*** end quote ***

YMMV

—30—


SECURITY: Do NOT use the “Go to Apple ID.” link

Wednesday, November 27, 2024

https://www.tomsguide.com/computing/online-security/new-scam-says-your-apple-id-is-suspended-watch-out-for-this-attack?lrh=20fd2805ce1d1131c95034f150bb97a3971479cbf1c94537a55e6a39cfe362aa

New scam says your Apple ID is suspended — watch out for this attack
News
By Amber Bouman
last updated 16 hours ago

  • Don’t let hackers get their hands on your Apple ID with these tips

*** begin quote ***

Another day, another attempt to steal your log in credentials – this time courtesy of a phishing email that claims to be from Apple Support. Don’t be fooled however, this isn’t from Cupertino. It’s actually an attempt to get you to click on a link so hackers can steal your login credentials and other sensitive information.

This email, like many other phishing attempts, uses look-a-like formatting and other details to make you think it’s coming from a legitimate source. This latest threat says that your Apple ID has been suspended due to unusual activity or missing or invalid information. The email looks remarkably similar to actual emails from Apple Support and contains a blue button that says “Go to Apple ID.”

*** end quote ***

It is really amazing that this <synonym for excrement> still works.

Browsers should not automatically make emails clickable.

Argh!

—30—


SECURITY: Once again, a warning to “firewall” and “air gap” personal technology from your employer

Thursday, October 17, 2024

https://www.macrumors.com/2024/10/09/do-not-use-iphone-mirroring-corporate-mac/

Here’s Why You Shouldn’t Use iPhone Mirroring on a Corporate Mac

Wednesday October 9, 2024 4:31 am PDT by Tim Hardwick

*** begin quote ***

Apple’s new iPhone Mirroring feature in macOS Sequoia might seem like a convenient way to access your phone from your work computer, but security firm Sevco has uncovered a significant privacy risk that should make employees think twice before enabling this feature on company-owned Macs, at least for now.

*** and ***

When executed in a Terminal window that has been granted full disk access without setting up iPhone Mirroring, the command returns a normal list of macOS applications. But when executed in that same Terminal window after setting up iPhone Mirroring, it also returns personal iOS applications and metadata.

For employees, this means that apps they use privately could become visible to their employer’s IT department without their knowledge or consent. This could potentially reveal sensitive personal information, such as dating apps, health-related apps, or VPNs used in countries with restricted internet access.

*** end quote ***

Your employer, their network, and their tools should NEVER be used for your private purposes.

The easiest way to ensure that separation is to maintain a strict “air gap” (i.e., strictly never connecting anything by wire, Bluetooth, or network Wi-Fi to something “corporate”).

If for no other reason than that when your employer gets hit with a virus, ransomware, or some corporate security “tool”, it would get your hardware in its grasp.

Argh!

Don’t forget that the employer can claim your hardware is suspected of having their data on it!

—30—


SECURITY: A static social security number is the flaw in EVERY financial security scheme

Saturday, October 12, 2024

https://www.theregister.com/2024/10/04/comcast_fcbs_ransomware_theft/

Cybersecurity Month
About a quarter million Comcast subscribers had their data stolen from debt collector

  • Cable giant says ransomware involved, FBCS keeps schtum

Connor Jones
Fri 4 Oct 2024 // 20:13 UTC

*** begin quote ***

Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at “around 2021.” Comcast stopped using FBCS for debt collection services in 2020.

*** end quote ***

As with ALL problems, digging down for who’s at fault eventually ends at the Gooferment.

I remember my original Social Security card as saying, in big red font, all caps, “NOT FOR IDENTIFICATION PURPOSES”.

I’m sure that the tin foil hats of that era would have opposed it for either “THE MARK OF THE DEVIL” or “where is your papers please” or just the enumeration of privacy concerns.  And they, like almost all Conspiracy Theorists, would have been correct.  Look what a mess SSN has created.

At the root of the problem is the SSN.  

Fundamentally insecure!  Medicare abandoned the SSN on its own Medicare cards.  Never explained, but probably due to fraud, which is still a huge problem.

I suggest that the SSN be abandoned.  Credit cards use a 16-digit number with error correction in it and the “secret” card code on the back.  Why can’t the same be done to replace SSN?
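The check digit that credit card numbers carry is the Luhn algorithm. As an added example (not code from this post or The Register article), here it generates and validates a 16-digit identifier and then tries every single-digit typo against it, showing that each one is rejected, a property a plain 9-digit SSN does not have. The payload digits are constructed and are not a real card or account number.

```python
# Added example (not from the blog post or The Register article): the Luhn check
# digit that payment card numbers carry. It detects, rather than repairs, any
# single-digit typo and almost every adjacent-digit swap, which a plain SSN lacks.

def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 over a digit string, doubling every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10

def append_check_digit(payload: str) -> str:
    """Return payload plus the single digit that makes the Luhn checksum zero."""
    check = (10 - luhn_checksum(payload + "0")) % 10
    return payload + str(check)

def luhn_valid(number: str) -> bool:
    """True when the full number (payload + check digit) passes the Luhn test."""
    return number.isdigit() and luhn_checksum(number) == 0

def single_digit_errors_detected(number: str) -> bool:
    """Try every single-digit substitution; True if all of them fail validation."""
    for pos, ch in enumerate(number):
        for repl in "0123456789":
            if repl != ch:
                altered = number[:pos] + repl + number[pos + 1:]
                if luhn_valid(altered):
                    return False
    return True

# Constructed 15-digit payload (not a real card or account number).
PAYLOAD = "123456789012345"
IDENTIFIER = append_check_digit(PAYLOAD)      # 16 digits, like a card number

if __name__ == "__main__":
    print("identifier:", IDENTIFIER, "valid:", luhn_valid(IDENTIFIER))
    print("every single-digit typo caught:", single_digit_errors_detected(IDENTIFIER))
    typo = IDENTIFIER[:3] + "9" + IDENTIFIER[4:]
    print("typo", typo, "valid:", luhn_valid(typo))
```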

Sure “credit reporting agencies”, banks, brokers, and all would have to retool.  

So what.

No one ever voted to approve this Universal Identifier.  

So let’s unvote it out.

Surely SCIENCE can come up with a better one.  Maybe based on our DNA, or biometric, or maybe nothing is best.

Google and Apple now have passkeys based on their device’s “biometric”.  

Even that would be better than SSN!

# – # – # – # – # 

FOOTNOTE: The word schtum means to remain silent. Specifically, it means not sharing any information, or telling anyone what you know. Schtum is most often used when referring to information that is harmful or sensitive in nature.

—30—


SECURITY: YubiKeys are vulnerable to cloning attacks

Wednesday, September 4, 2024

https://tldr.tech/infosec/2024-09-04

TLDR Information Security 2024-09-04

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/

YubiKeys are vulnerable to cloning attacks thanks to newly discovered side channel (3 minute read)

The YubiKey 5 hardware token for two-factor authentication has a cryptographic flaw that makes it vulnerable to cloning attacks when physically accessed by an attacker. Yubico has confirmed that all YubiKey 5 models are susceptible to cloning due to a side channel vulnerability in the Infineon microcontroller used in various authentication devices. Updating firmware on affected YubiKeys is not possible, leaving them permanently vulnerable to potential attacks.

# – # – # – # – # 

Guess that you can toss these in the trash can or trash bin!

Still think that the authenticator app of a phone is the best two-factor authentication technique.

—30—


SECURITY: A lesson in what phishing looks like

Wednesday, July 10, 2024

https://www.amazon.com/gp/video/detail/B0CQCDMY2V/ref=atv_dp_share_r_em_5605dba96bbd4

The Beekeeper

A retired military operative, who now serves as a Beekeeper in a secret organization that protects the world like bees in a hive, is forced into a campaign of revenge when his neighbor’s finances are wiped out after a phishing scam.

# – # – # – # – # 

The beginning of this movie should be required watching BEFORE anyone gets a personal computer.  

The “nice old lady” gets scammed out of everything she has by calling in after a pop up on her computer.  Been there getting pop ups, spam emails, and whatever.

Lesson Number 1 is have yourself some “tech support” relative.  Or at least, don’t trust anyone online.

The lady has a flash of insight to call her bank but gets talked out of it when the nice man on the phone says “he’ll lose his job.”

The rest of the movie is mission impossible type hokum but enjoyable to see the “bad guys” get karma visited upon them.

All in all, the part about scammers is very believable and should serve as a warning to all computer Users.

—30—

https://nypost.com/2024/07/07/us-news/scammers-get-away-with-billions-from-elderly-americans-every-year/

—30—


SECURITY: PASSKEYS appear to be NOT the security “silver bullet”

Sunday, April 28, 2024

https://fy.blackhats.net.au/blog/2024-04-26-passkeys-a-shattered-dream/

*** begin quote ***

The Enshittocene Period

Since then Passkeys are now seen as a way to capture users and audiences into a platform. What better way to encourage long term entrapment of users than by locking all their credentials into your platform, and even better, credentials that can’t be extracted or exported in any capacity.

Both Chrome and Safari will try to force you into using either hybrid (caBLE) where you scan a QR code with your phone to authenticate – you have to click through menus to use a security key. caBLE is not even a good experience, taking more than 60 seconds of work in most cases. The UI is beyond obnoxious at this point. Sometimes I think the password game has a better UX.

The more egregious offender is Android, which won’t even activate your security key if the website sends the set of options that are needed for Passkeys. This means the IDP gets to choose what device you enroll without your input. And of course, all the developer examples only show you the options to activate “Google Passkeys stored in Google Password Manager”. After all, why would you want to use anything else?

A sobering pair of reads are the GitHub Passkey Beta and GitHub Passkey threads. There are instances of users whose security keys are not able to be enrolled as the resident key slots are filled. Multiple users describe that Android can not create Passkeys due to platform bugs. Some devices need firmware resets to create Passkeys. Keys can be saved on the client but not the server leading to duplicate account presence and credentials that don’t work, or worse lead users to delete the real credentials.

The helplessness of users on these threads is obvious – and these are technical early adopters. The users we need to be advocates for changing from passwords to passkeys. If these users can’t make it work how will people from other disciplines fare?

Externally there are other issues. Apple Keychain has personally wiped out all my Passkeys on three separate occasions. There are external reports we have received of other users whose Keychain Passkeys have been wiped just like mine.

Now as users we have the expectation that keys won’t be created or they will have disappeared when we need them most.

In order to try to resolve this the workgroup seems to be doubling down on more complex JS APIs to try to patch over the issues that they created in the first place. All this extra complexity comes with fragility and more bad experiences, but without resolving the core problems.

It’s a mess.

*** end quote ***

So this ends my interest in “passkeys”.  Too bad.  It had a lot of promise.

Argh!

—30—


SECURITY: PSEG is behind the times

Sunday, November 12, 2023

https://pseg.mypreferencecenter.com/Global/StandardEmailView?subscriberId=0b431ab7-81ba-4b16-a2c5-64639c48d2fb&campaignSendId=85b7bcf6-ed43-40f1-8b1c-874631f58ed8&isTest=False

*** begin quote ***

Lastly, you’ll be required to enter a phone number where you will receive an authentication code.

*** end quote ***

I guess PSEG hasn’t gotten the message that codes via text are NOT secure.

Argh!

And, nowhere to complain.

BPU? Maybe!

—30—


SECURITY: Email is NOT secure; password resets by email are just stupid!

Wednesday, May 3, 2023

https://www.ghacks.net/2023/04/28/protect-your-money-att-email-accounts-under-attack-by-hackers/

Protect your money: AT&T email accounts under attack by hackers
Onur Demirkol
Apr 28, 2023

*** begin quote ***

A recent report says that hackers have been breaking into email addresses provided by AT&T and stealing huge amounts of cryptocurrency.

According to a report from Tech Crunch, unknown hackers have been hacking email addresses provided by AT&T to steal cryptocurrency from users. The report says that the attacks started at the beginning of April by a gang of cybercriminals. They found a way to hack into email addresses and steal people’s money on crypto.

The hackers have gained access to a section of AT&T’s internal network, allowing them to generate mail keys for any user. Mail keys are used by AT&T users to log into their accounts with third-party apps like Outlook without using their passwords. In other words, they are a kind of “secure measure” that allows log-ins from third-party apps.

*** and ***

If you own an email account provided by AT&T, you might want to improve your security measures or the different precautions. The affected email addresses include att.net, sbcglobal.net, bellsouth.net, and other AT&T email addresses.

*** end quote ***

As a former Wall Street InfoSec guy, I never allowed my enterprises’ passwords to be reset by email.

Guess I was a little ahead of my time and a lot of good it did me.

Argh!

—30—


SECURITY: Passkeys don’t solve every security problem

Tuesday, March 21, 2023

https://www.reviewgeek.com/148254/why-you-should-start-using-passkeys/

Why You Should Start Using Passkeys
Danny Chadwick
Mar 16, 2023, 2:55 pm EDT | 5 min read

*** begin quote ***

Passwords have been our first line of defense against hackers since the 1960s. But, now they’re showing their age and limitations in the 21st-century data wars. Not even password managers are safe. Passkeys are now here to help. Here’s why you should switch and enjoy a more secure digital future.

*** end quote ***

Passkeys solve the “password” problem for only one use case.

Use cases are programmer speak for how the application interacts with the User.

If you’re the average plain vanilla User, then they are fine. 

But, if you access the application from different hardware, then you can’t use a passkey.  

Apple shares the passkeys in its walled garden, so that is another use case addressed.

I’m not sure how Google / Android addresses the use case of a different platform usage.

Having password managers storing the passkey may solve the problem but defeat the concept.

IMHO

—30—


SECURITY: PARKMOBILE has been cracked

Sunday, March 12, 2023

ATTENTION: ParkMobile

I use dedicated email addresses from my own domain. Yours is “parkmobile@reinke.cc”. I just received a spam message addressed to my unique email address for you. That means it was sent after someone got your data. Please investigate the hack.

# – # – # – # – # 

Anyone bet that no one responds?  And probably no one, other than me, cares.

This demonstrates the value of your own domain and using unique emails.

—30—