• Patch Lady – check those extensions

    #1860413

    So the other day I upgraded my Dad’s Windows 7 computer to Windows 10.  And I totally forgot that one thing lost in the update was his start pages.  H
    [See the full post at: Patch Lady – check those extensions]

    Susan Bradley Patch Lady/Prudent patcher

    4 users thanked author for this post.
    • #1860465

      Here is what I additionally recommend:

      Some banks allow you to create a verbal password. This requires a visit to a bank branch to set up, after they have verified who you are. The idea is that, whenever you call your bank to talk to a representative in order to make any kind of changes to your bank accounts, the bank representative will ask you for your verbal password. If you don’t provide it, that is where the call ends.

      I also recommend turning on email alerts for any card purchases and for any money transfers to or from your bank accounts. Configure the email alerts for card purchases to zero dollars (or $1 if zero dollars is not allowed) so that you will receive an email alert for all card purchases or card charges.

      I also recommend not saving any banking login passwords in web browsers or in mobile devices. It is safer to have to type in the login passwords every single time.

      I also recommend using strong passwords which have additional characters other than A-Z and 1-9.

       

    • #1860688

      I too have seen non-techies get tricked into installing malicious browser extensions. The security around extensions is miserable; many of them can see and modify every word on every web page. A compromised browser also compromises text message based 2FA.

      The safest environment for non-techies doing financial stuff is thus a Chromebook running in Guest mode where extensions are prohibited. Or, an iOS browser that likewise does not support extensions.

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      1 user thanked author for this post.
    • #1860779

      I don’t see what else can be done without harming legitimate users. The extensions are already locked to the Chrome webstore, where they have to be vetted. They have a special permission system for the things they can do, which they warn you about before you install. Plus, if an extension doesn’t actually need full permissions, it should be rejected by Chrome entirely.

      My parents aren’t tech savvy, so they previously would wind up with that sort of thing, but not any time recently. Not since they didn’t get automatically added by downloading some game they wanted to try. Mom can’t even figure out how to open a new window or tab, but she never runs into problems.

      I’m not sure this problem is that widespread. Maybe there’s a subset of users who need some sort of extra security, like the ability to lock out the ability to add extensions by default. Not something super secure, just something they’d have to go out of their way to undo. It could be like a parental lock system.

      I use extensions all the time, and already some proposals for the new extension model make me nervous, not providing a way to run userscripts, and limiting adblockers for “performance reasons.” I already have to be ready to jump ship to a different browser if they ever force extensions to use the next version of the API instead of the WebExtensions compatible model they use now.

    • #1860839

      Hackers now use cell phone SIM swaps to bypass two-step. My family just went through it. Verizon could not stop hackers from taking and swapping the SIM even though we told them not to. Six times Verizon let hackers take over the cell phone.

      Moderator note: Edited for content. Please read forum rules.

      • #1861035

        So is two factor authentication not a good idea? How can one safeguard against this kind of SIM card hacking?

        • #1861047

          So is two factor authentication not a good idea? How can one safeguard against this kind of SIM card hacking?

          SMS-based 2FA is a bad idea but there are alternatives. If your financial institution supports one of the time-code authenticators (Google Authenticator, Microsoft Authenticator, etc.), use that instead. It’s simple to install the app on your cellphone, then launch it when you need access. Key in your username, password, and then (when prompted) the code generated by the app.

          Authenticator-based access can’t easily be acquired via a SIM swap.

          1 user thanked author for this post.
    • #1861036

      The two-step verification with a cell phone is useless. Sprint gave out my SIM three times to hackers, who broke into several accounts. Plus I read an article on ZDNet that it happened to Matt as well. There is zero protection in this world from hackers. This is why my grandparents had all their money in the mattress in the basement under cement blocks. Might have to start thinking of doing the same.

      https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/

      • #1861139

        Well, just an SMS or call without authentication really is insecure in many ways. Properly designed MFA/2FA should not rely on just SMS delivery or a call being picked up.

        (SMS may take up to several days to be delivered in case of certain otherwise very simple transport-layer error conditions, too… in addition to being by design susceptible to SS7 shenanigans.)

        Now, a properly made authenticator application on a phone-type device that is reasonably secure in itself (and cannot be broken into via just SMS, call or SIM-based authentication…), that’s actually surprisingly good… still not as good as a dedicated security device but anyway.

        Oh well. Somehow I keep being surprised by how little we have in the way of actual authentication and verification in normal life…

    • #1861159

      2FA via SMS is fine if the service requires credentials, a password and an SMS. Even if your phone company stuffs up the attackers won’t have your user/pass as well. If they have then you had lost your stuff long ago.

      cheers, Paul

      • #1861200

        @mn-

        Oh well. Somehow I keep being surprised by how little we have in the way of actual authentication and verification in normal life…

        100% true. There is no authentication and verification in normal life. I had my credit card info stolen and hackers made purchases in Europe, Asia, and Africa without the credit card company denying the charges. I made a purchase at my local supermarket store and the charges were denied. I called and spent years clearing this mess up with the credit card company. Even today I still have problems, since I had to lock down all credit card report agencies but hackers are still able to open credit cards with my info. There is no security anywhere.


        @Paul

        Many “2FA” SMS options allow password reset via cell phone, which makes them susceptible to SIM swap attacks.

    • #1861169

      2FA via SMS is fine if the service requires credentials, a password and an SMS. Even if your phone company stuffs up the attackers won’t have your user/pass as well. If they have then you had lost your stuff long ago.

      cheers, Paul

      Unfortunately, many “2FA” SMS options allow password reset via SMS code as part of the bargain, which makes them susceptible to SIM swap attacks.

      1 user thanked author for this post.
    • #1861303

      system

      So the other day I upgraded my Dad’s Windows 7 computer to Windows 10.  And I totally forgot that one thing lost in the update was his start pages.  H
      [See the full post at: Patch Lady – check those extensions]

      Any chance your dad was using Internet Explorer with Windows 7?  Your upgrade would have buried IE and Edge probably wouldn’t have imported those home pages.

    • #1868978

      It seems under the new patch list system the Excel file for June 30 for Office/Exchange requires a password. The PDF is accessible, but not the Excel. Did I miss something?
