The attacker saw 2FA messages passing from Payoneer to a Movistar phone number but had the problem of not knowing the email of the Payoneer user to change the password and make the transactions. The attacker compromised the SMS gateway used to send the 2FA to Movistar customers (the platforms use this to sneak the cost). Well guys, the Payoneer mystery is solved. There is an insightful tweet in Spanish that is translated as follows: I tried to raise the issue here in HN but got unnoticed. There was a big issue with Payoneer's SMSs in Argentina under Movistar.

Get a real phone number for which you have the ability to get customer support. My sincere advice (if you’re a free Voice user) would be to delink your Google Voice number from all critical services. Google Voice is a total mess, and as a “free” consumer service that Google has shown little interest in maintaining and supporting, you don’t get any kind of support or help whatsoever. After maybe a few weeks or several weeks, that Google Voice number will not even show up for reclamation. You’ll have to retry with another number over and over again until you start banging your head against the wall. Even then, Google Voice will send the OTP and make it seem as if the linking worked but will show as unlinked (and the Google Voice number unavailable) after just a minute or two. You have to get a new phone number that has never ever been used with Google Voice and then try to link it. Once that happens, you cannot reclaim that Google Voice number using the same linked phone number. If you happen to not use it for a little while, Google Voice will send an email with minimal notice (with Murphy’s Law, this will be during a vacation break) that the number will be deactivated. Google Voice (the free service) has its own pitfalls, which I believe make it a very poor choice to use for online accounts.
This means I would have to actively participate in a mass compromise of my accounts, making it way more likely to be noticed. With a Yubikey I have to physically insert it and tap the button for each login - which is relatively rare because active sessions don't tend to expire. Security: If your device gets compromised, it's pretty much game over: the attacker can now log in to all your accounts, any time they want. Individually enrolling each device would be a nightmare, and having the credentials sync is a bad idea from a security perspective. My Yubikey has USB and NFC, so it can trivially be used with all of them. Portability: I have a smartphone, a work laptop, a home laptop, and a home desktop. A Yubikey will essentially last forever, and if you stay clear of the insanity that is Passkeys its WebAuthn element can support an infinite number of websites. Longevity: Laptops and smartphones generally only have a 3-5 year lifespan due to battery degradation, and many people will want to swap it for one with more storage or whatever anyways. You can run it through the washing machine and it'll be fine. You can play tennis with a Yubikey and it'll be fine. A Yubikey has essentially zero resale value, so you will not lose them due to random theft. Durability: If you drop your smartphone, there's a pretty good chance you'll shatter the screen and buy a new one. Theft: A $2000 laptop is an easy target for anyone with sticky fingers, and so is a $1000 smartphone. That's what a significant fraction of internet users are like. Either way, it looked nothing like facebook and didn't use blue. I think it was pinterest, but I may not remember correctly. That site got a wave of users submitting help requests because they couldn't log in with their facebook credentials, and accusations of subterfuge or wrongdoing because their accounts were deleted. Some other site briefly was the top result when searching for google.
Lots of people were logging into facebook by searching facebook, instead of typing, then following the top result. In the politest way possible, I question whether you've interacted with the modal user. Edit: I can try to dig up the article, but here's the precis: 5-ish years ago, google briefly changed their search results ranking. I promise you there is a significant percentage of people that would fumble enrollment; you handwaved away a giant problem (multiple enrollment, not present) and many people would put them all on the same keychain.