How to tell if you’ve been hacked—and what to do about it

How to tell if you’ve been hacked—and what to do about it.

-- Tom

 

At the end of article there is interesting rationalization of users acting insecure:

It puts some things in different perspective.

 

The article seems to make a confusion between a user being hacked and a service he or she uses being hacked. Then, the only part that sounds like having a remote connection to the title is this: "Generally, the best way to tell if your device has been compromised is to run anti-malware software and conduct a scan". The rest of the article has almost nothing to do with the proposed subject...

 

I'd rather the article had got straight to the point and talked about decent 2FA for websites. Progress on this has been pitiful, although I'm vaguely hoping FIDO will come to something and get adopted.

Is anyone else deeply sceptical of the use of mobiles as the second factor? I have two big problems with that, first, the companies are desperate for your mobile number because they can then use it for all kinds of marketing and profiling, second, the mobile phone is highly likely to be stolen and is hard to secure in its own right.

For now, a Yubikey and LastPass/Password Safe does me ok.

 

Of course the mobile phone can be stolen but in order to use your mobile phone they need to know your PIN and normally after just three tries your phone SIM is locked. Meanwhile, you will have already blocked the SIM and using another one. So, unless your phone is wide open (i.e. you do not need a PIN to use it), loosing it is not a big deal.

For smart phone many (e.g. lastpass) will provide you with the option of 2FA via software token (e.g. authenticator), again if you use a smartphone for authentication the minimim you can do is to protect it with a PIN/password to start with. If the mobile get stolen, the first thing they will do is to reset it and selling it. They will not care about the data in it unless you are a specific target but even in that case the recovery of info is not that easy and more difficult in near future as most manufacturer will further refine full lock and wiping options.

 

How To Not Get Hacked at the World's Preeminent Hacker Conference.

-- Tom

 

The Pin/biometric on a mobile can protect against casual thieves, but you then have the problem of account/key recovery, and attempting to prove you are who you say you are. In other words, a semi-self-inflicted denial of service, attempting to make the phone what it is not. In addition, this does not protect you against remote malware assaults on the phone software once you are running programs on it - they're complex minicomputers, not what you want from a cryptographic token! With a Yubikey, it's easy enough to create a replacement key. It doesn't need charging, has no battery, and there's no problem with taking it with you into all environments including the wet. Why should I agree to 2fa using a mobile when I don't have to?

I understand the nfc based Yubico Neo will give 2fa on Lastpass for mobiles (which is what I use on PCs), but it does not work for authentication on them. I like Lastpass a lot, but it ought to be the important websites that are offering decent 2fa natively, and what I'm saying is that the easy solution using mobiles for 2fa is not what I want, isn't the right solution, nor should it be forced on people.