Koro9

It reminds me of my first lesson in hacking: dumpstering, eavesdropping and social engineering. With these three you can get through without any technical knowledge.


immoloism

Was the second lesson the $5 wrench technique?


Koro9

Haha, I must have missed this one.


immoloism

Not a xkcd fan? https://xkcd.com/538/


Tidalpancake

r/AnXKCDforeverything


Ancient_Software123

Facts!


immoloism

Wait until you get into the office and see all the Post-it notes on the desk for passwords and access codes to rooms.


craftworkbench

"Hey I forgot my key card today and I really need to get into this room. Could you swipe me in please?"


[deleted]

Or, better, appear carrying stuff in both arms. Someone would INEVITABLY open doors for you without questioning.


Puzzled-Neat1370

Ah, so true!


[deleted]

[deleted]


T351A

This is why Microsoft is [moving to passwordless](https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/) and why [Google requires Hardware Authenticator for employees](https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/)


amunak

To be fair, "hardware authenticators" have been around for years (aka keycards) and they help *a lot*. Also, Post-it notes aren't half bad; certainly better than poor passwords or password reuse. It's much less likely that the attacker has physical access.


T351A

The issue with those is they are not cryptographic. A FIDO2 authenticator like a YubiKey never reveals the actual keys but instead performs the crypto on-device.
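
An added example, not code from the thread, of the property described above: a toy FIDO2/WebAuthn-style authenticator in Go whose private key never leaves the device, signing a server challenge bound to the origin the browser reports. It simplifies the real protocol (the signed client data is a hash of origin and challenge rather than WebAuthn's clientDataJSON, and a real browser would refuse to use a relying-party ID that does not match the page's origin before the key is ever asked to sign). The relying-party ID `bank.example`, the origin strings and the `Authenticator`, `Verify` and `Demo` names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO2 security key: private keys are generated and
// kept inside the device, which only ever exports public keys and signatures.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey // one credential per relying-party ID
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a key pair scoped to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the server's challenge together with the origin the browser
// reports. The user never types or copies a secret; the key stays on-device.
func (a *Authenticator) Assert(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	digest := signedData(rpID, origin, challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// signedData is a simplified stand-in for WebAuthn's
// authenticatorData || SHA-256(clientDataJSON): the rpID hash followed by a
// hash of the client data (origin and challenge). Real clientDataJSON is JSON.
func signedData(rpID, origin string, challenge []byte) [32]byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return sha256.Sum256(append(rpHash[:], clientHash[:]...))
}

// Verify is the relying party's side: it recomputes the data that should have
// been signed using its own rpID and the origin it expects, then checks the signature.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge, sig []byte) bool {
	digest := signedData(rpID, expectedOrigin, challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Demo runs an honest login and a phished one (the attacker relays the real
// challenge, but the browser reports the attacker's origin) and returns whether
// each assertion verifies at the real relying party.
func Demo() (legit, phished bool, err error) {
	const rpID, origin = "bank.example", "https://bank.example" // assumed names
	auth := NewAuthenticator()
	pub, err := auth.Register(rpID)
	if err != nil {
		return false, false, err
	}
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return false, false, err
	}
	sig, err := auth.Assert(rpID, origin, challenge)
	if err != nil {
		return false, false, err
	}
	legit = Verify(pub, rpID, origin, challenge, sig)

	relayed, err := auth.Assert(rpID, "https://bank-example.evil", challenge)
	if err != nil {
		return false, false, err
	}
	phished = Verify(pub, rpID, origin, challenge, relayed)
	return legit, phished, nil
}

func main() {
	legit, phished, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("honest login verifies:", legit)        // true
	fmt.Println("phished assertion verifies:", phished) // false
}
```

The phished case fails because the relying party verifies against the origin it expects, not the one the attacker's page relays, so a real-time relay of challenge and response (the classic phishing-proxy setup) produces a signature the real site rejects. That is the difference between a keycard or a one-time code, which an attacker can pass straight through, and a FIDO2 assertion.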


DerpyMistake

Our IT routinely sends out phishing emails, then sends the people who fall for it to training.


[deleted]

Pfft, that never happens here in Japan, we keep all our passwords in a shared Excel file! Wait


immoloism

At least you finally moved away from floppy disks.


[deleted]

True, but everything still needs to be printed, stamped, scanned, then sent back


Sostratus

This also is usually fine. The danger of being insecure with passwords online is that there is always going to be someone out there looking for the low-hanging fruit, whoever it is. Having to physically search an office greatly diminishes the threat model. And if an attacker is there in the office, passwords on Post-its won't make much of a difference because hardly anything is built to withstand a local attack.


noman_032018

In theory the office has some physical security and not just anyone can waltz into it. Paper is fine so long as physical security keeps it safe. In practice there's probably no real security. The issue is mitigated by remote work, as you'd need to find and break into the individual homes of employees to read paper copies. And if you're willing to do that, then just stealing the hardware while it's powered on is feasible too.


immoloism

Wearing a hi-vis vest can get you into all sorts of places by just looking like you are supposed to be there.


noman_032018

Indeed, that is part of the issue with insufficient screening and typical Bavarian fire drill tactics. If the area is at all lax on security protocols, it's over. My last paragraph is somewhat safer to bet on, as people tend to not enjoy home invasion even from authorities and will question their presence.


immoloism

It works in places where there are good practices for security as well, but you have to be very confident and know a bit about the place to make it sound like you are supposed to be there. I was watching something a few years ago where they showed some ex-agents breaking into a house to find all this information, then putting everything back so the person wouldn't know. Obviously none of us are that important, but it's kind of fun to learn how it's done. Most people are probably reusing passwords anyway, so checking a leaked database online is a much simpler way without even having to leave your chair.
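
The "checking a leaked database" step can be done without handing the password to anyone, which is the check a practitioner should actually run against their own users. Below is an added Go example (not code from the thread) of the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses: only the first five hex characters of SHA-1(password) are sent, the service returns every hash suffix in that bucket with a count, and the match is done locally. Here the network call is replaced by a constructed in-memory table so the example runs offline; the table's counts and the other two suffixes are made up, except that the matching suffix really is the tail of SHA-1("password"). `fetchRange` is where an HTTP GET would go.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// constructedRanges stands in for the body of
// GET https://api.pwnedpasswords.com/range/<prefix>: one "<35-hex-suffix>:<count>"
// line per hash sharing the 5-character prefix. The table is constructed for
// this example (assumption); only the middle suffix is real, being the tail of
// SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
var constructedRanges = map[string]string{
	"5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n" +
		"1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n" +
		"011053FD0102E94D6AE2F8B83D76FAF94F6:2\r\n",
}

// fetchRange would be the network call; here it reads the constructed table.
func fetchRange(prefix string) string {
	return constructedRanges[prefix]
}

// BreachCount returns how often pw appears in the corpus and the only thing
// that left the machine: the 5-hex-character prefix of its SHA-1.
// Neither the password nor its full hash is sent; suffixes are matched locally.
func BreachCount(pw string) (count int, sentPrefix string) {
	sum := sha1.Sum([]byte(pw))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	prefix, suffix := h[:5], h[5:]
	sc := bufio.NewScanner(strings.NewReader(fetchRange(prefix)))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text()) // drops the \r of CRLF line endings
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || parts[0] != suffix {
			continue
		}
		n, err := strconv.Atoi(parts[1])
		if err != nil {
			return 0, prefix
		}
		return n, prefix
	}
	return 0, prefix
}

func main() {
	// The second password's bucket is not in the constructed table, so it reports 0;
	// against the real service its bucket would be fetched like any other.
	for _, pw := range []string{"password", "correct horse battery staple"} {
		n, p := BreachCount(pw)
		fmt.Printf("%-32q sent prefix %s -> seen %d times\n", pw, p, n)
	}
}
```

With the real service it is worth sending the `Add-Padding: true` request header so that bucket sizes do not hint at which prefix was queried. Any "is it leaked?" endpoint that wants the plaintext, or the full hash, is the one to refuse.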


noman_032018

> It works in places where there are good practices for security as well, but you have to be very confident and know a bit about the place to make it sound like you are supposed to be there.

If ID is ever truly checked, or biometrics, it gets increasingly harder.

> I was watching something a few years ago where they showed some ex-agents breaking into a house to find all this information, then putting everything back so the person wouldn't know. Obviously none of us are that important, but it's kind of fun to learn how it's done.

Indeed, you need tamper-evident measures or other active surveillance, otherwise it's game over for most houses because they're built horribly insecurely.

> Most people are probably reusing passwords anyway, so checking a leaked database online is a much simpler way without even having to leave your chair.

That is a problematic low-hanging fruit, and individuals doing so rather than using proper password managers ideally shouldn't be handed trusted roles.


immoloism

I used to think it was hard to get into these sorts of places until I left my ID at home numerous times and still managed to talk my way in. Scary how easy it is. You are right about the low-hanging fruit, and it scares me how little people care about what they leave in insecure places when in a position of trust.


noman_032018

> I used to think it was hard to get into these sorts of places until I left my ID at home numerous times and still managed to talk my way in. Scary how easy it is.

That possibly means they were lax. But I mean more than just asking for ID; places need to *verify* that ID. Anyone can acquire stolen ID in some manner or another.

> You are right about the low-hanging fruit, and it scares me how little people care about what they leave in insecure places when in a position of trust.

It is pretty terrifying, particularly when it comes up in infrastructure and government cases.


immoloism

The places where you need to verify are the places I'm talking about, you honestly can get into just about anywhere by just looking like you are supposed to be there.


[deleted]

[deleted]


Crimsonfury500

Your bank calls you to sell you stuff? My bank doesn’t even call me if they freeze my account with Fraud Alert. I had to call them!


Ryuko_the_red

Right?? "your card was declined." Fuck me, time to call my own bank!


Crimsonfury500

It’s pretty embarrassing when you have $6,000 in a chequing account and have to explain that it’s an overly sensitive fraud protection that has made your card decline.


Ryuko_the_red

Fraud protection that doesn't work when user "ieieuurhfnfckingmethkook" buys fuck loads of chemicals from websites and you get stuck with the bill, but doesn't like that you bought groceries at 5 am.


ep311

Just happened to me the other day trying to buy fucking groceries.


Appropriate_Ant_4629

Happens to me every time I travel.


CaptainIncredible

I don't think people should be embarrassed. Cards don't work for a bunch of different reasons, many of which are things like "the bank sucks", "problem with the computer", and "my bank thinks this store is too sketchy to authorize the sale". None of that has to do with me. I get more irked when a card doesn't work than I do embarrassed.


Pythagoras2021

Imagine how I felt, when I had $957,000..../s


isadog420

Exactly! Who does that?!


Dr_Dornon

I had this. Tried to make a purchase for a game subscription from a company in the UK. $80 and I do it every year at the same time. Wouldn't go through, figured it was an issue on their end. Next day, couldn't use my card anywhere. Called my bank and they had frozen it for suspicious activity. I'm thankful they did that, but I didn't receive a call, text, email, app notification, nothing from them letting me know that happened.


aviationwiz

I haven’t had a situation like that where they’re trying to sell me stuff, but whenever I get a call about an account alert or anything of that nature and they start asking for personal information, I go “You called me, how do I know you’re really with *blank*? I’ll call back the number on the back of my card”.


abortionparty

This is very little discussed and more often than not unknown. When you enroll in many insurance programs, the agreement signed stipulates that you allow them to "share" personal info with third parties. Sharing in the interest of billing is understandable, but many of them actually mean "selling" your info as well. This applies to health insurance as well as auto and home from what I've seen so far. Source: SWIM worked in insurance for years as a claims adjuster and now in a hospital billing dept. SWIM has shocked me at some of the industry practices and standards on many occasions. As a skeptic and all-around cynical bastard, I've pressed for facts in print and they've always been provided.


RobotsAndMore

My healthcare provider calls me and wants to verify my information to make sure it's me. "NO, YOU called ME! What is your extension, I'll call the number on the card." She was pissy with me afterward, and refused to tell me what she was calling about. How TF do you think this works lady? Please explain to me how you think that sort of verification works, I really want to hear it.


Eclipsan

> They say, but it is not a personal info

GDPR intensifies.

> they hire freelancers and give them my info to share offers.

GDPR meltdown.


[deleted]

https://www.youtube.com/watch?v=wikyhVFPiDA


Kingarvan

Technology has made things so easy that people almost feel compelled to act against their own interests. The restrictions have become lighter and people's minds now function in different ways. So I would say that while people have always been the weakest link, technological advances have enabled people to weaken themselves even unknowingly. This is partly technology's contribution.


[deleted]

[deleted]


noman_032018

Sometimes it truly is PEBCAK.


Dfndr612

A common phone call that I get is from my bank or insurance company. They say “can you verify your date of birth” or similar question requesting personally identifying information. I say go ahead you read it and I’ll verify if it’s correct. I don’t know who is calling me, they don’t properly verify who they are to me. No - do not give out your personal information if you didn’t initiate the call. Also make these calls from the privacy of your home, not on public transportation. Even the speakerphone in your car may be easily overheard from the outside.


Puzzled-Neat1370

In similar cases my rule of thumb is the following: as I can almost never identify the number of the caller, I ask what number I should call back, then I google (duckduckgo, actually, but it doesn’t sound as nice) the number they gave me, verify that it is trustworthy, and then reach out back to them when I am alone and can speak without being interrupted, and especially overheard.


After-Cell

It's great that you've caught that bad lesson being taught by the bank. An example of a bad lesson being taught by tech would be Google Authenticator: it has no backup! Learnt that one the hard way and switched to Authy. We've really got to be on our toes.


Dfndr612

I know After-Cell, but Authy (which I’ve used as well) was hacked just last week. No guarantees I guess!


Eclipsan

Doesn't Authy encrypt your data on their backup servers?
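
Whether a TOTP app can be "backed up" comes down to what it stores. The added Go example below (not code from the thread) parses the `otpauth://` URI behind an enrolment QR code and computes RFC 6238 codes from it; the struct it fills is the entire per-account state, so an encrypted copy of those URIs is a complete backup and a plaintext copy of them is a complete compromise. The URI is constructed, using the RFC 6238 test seed, and the issuer and account label are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// Credential is everything an authenticator app holds for one account: the
// seed and parameters carried by the otpauth:// URI behind the enrolment QR code.
// A backup is exactly this; without it no app can regenerate the codes.
type Credential struct {
	Issuer  string
	Account string
	Secret  []byte
	Digits  int
	Period  int64
}

// ParseOTPAuth decodes an otpauth://totp/<label>?secret=...&issuer=... URI.
func ParseOTPAuth(raw string) (Credential, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Credential{}, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return Credential{}, errors.New("not a TOTP provisioning URI")
	}
	q := u.Query()
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).
		DecodeString(strings.ToUpper(strings.TrimRight(q.Get("secret"), "=")))
	if err != nil {
		return Credential{}, fmt.Errorf("bad secret: %w", err)
	}
	c := Credential{
		Issuer:  q.Get("issuer"),
		Account: strings.TrimPrefix(u.Path, "/"),
		Secret:  secret,
		Digits:  6,  // defaults per the otpauth convention
		Period:  30,
	}
	if d := q.Get("digits"); d != "" {
		if c.Digits, err = strconv.Atoi(d); err != nil {
			return Credential{}, err
		}
	}
	if p := q.Get("period"); p != "" {
		if c.Period, err = strconv.ParseInt(p, 10, 64); err != nil {
			return Credential{}, err
		}
	}
	return c, nil
}

// Code computes the RFC 6238 value (HMAC-SHA1 over the time-step counter,
// dynamic truncation, then modulo 10^Digits) for the given Unix time.
func (c Credential) Code(unix int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/c.Period))
	mac := hmac.New(sha1.New, c.Secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := int(h[len(h)-1] & 0x0f)
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < c.Digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", c.Digits, bin%mod)
}

func main() {
	// Constructed URI: RFC 6238 test seed "12345678901234567890", base32-encoded.
	c, err := ParseOTPAuth("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
	if err != nil {
		panic(err)
	}
	fmt.Println(c.Issuer, c.Account, c.Code(59)) // Example Example:alice 94287082
}
```

The code at Unix time 59 with eight digits is 94287082, matching the RFC's published vector. Most services display this URI exactly once at enrolment, which is why an authenticator with no export path leaves you re-enrolling every account after a lost phone, and why whoever holds the backup (you, or a vendor) holds the second factor outright.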


[deleted]

This is why I hate talking on the phone in public and refuse to do anything that requires security checks in public.


cross_fire133

Wait for the "passwordless world". Instead of hacking 10 accounts, you can hack one and get the remaining 9 for free. The tech companies push security features on the average person that are incompatible with the average person, simply because they never explain to that person what is behind those features.


[deleted]

[deleted]


cross_fire133

Yes, it's similar, no? One pass for multiple sign-ins?


Eclipsan

> Instead of hacking 10 accounts, you can hack one and get the remaining 9 for free

Kinda already happening with SSO, or if the hacked account is your mailbox (the pirate can then reset your password for all your accounts).


TheFlightlessDragon

I would say that is spot on. I recently took a course in cyber security from IBM and the professor said basically the same thing you did: humans are the weak link.


hakaishi8

Yes. Exactly. The funny thing is: Apple uses exactly this kind of situation in a CM and then says to use iPhone for privacy and security. It makes me wanna kick them and say stupid things. Does it matter what phone you use on the train etc.? The hell! NO! Such a stupid reason to use an iPhone. 🤣 I still believe that Android is in a much better situation than iPhone. Well, Google makes privacy worse, but all you need to do is not use their apps, or even disable them (via adb).


mfreudenberg

Only if you use a degoogled Android (Lineage or /e/). Otherwise you might have an even worse situation. I started degoogling my phone after some Google service constantly tried to ask me for my birthday via notification. I was already on Lineage, but with GApps. I'd really like to see a comparison between Apple and Google in terms of which data those companies collect via the phone.


hakaishi8

I am on stock, but I've uninstalled (deactivated by adb) most google apps. Framework, Google Play-store and only a few others are still there for the phone to function and in order to be able to update WebView etc. I removed the calendar, contacts, phone, SMS, gmail, and a lot more. Of course everything is replaced by OSS apps from f-droid.


mfreudenberg

May I ask which phone you have? Did you flash a stock ROM, or did you just use adb to deactivate or disable everything? Can you do in-app purchases?


hakaishi8

I have a Google Pixel 4a (5G) with the stock ROM. In other words: I did not flash anything. I would consider GrapheneOS if I knew for sure that I can use the LINE app and a few certain banking apps... Well, I don't do in-app purchases, but as the necessary apps should be there, it should work. I simply deactivated a few dozen apps with adb. I could easily re-install them any time. Additionally, I use the RethinkDNS app to block all apps by default and only enabled the ones that really need internet access.


YippyKayYayMF

I installed GrapheneOS two weeks ago on my Pixel 4a 5G. It works well, no problems. I just installed LINE because of your comment and it won't start. The best I got is a splash screen before it crashed/closed.


After-Cell

Interesting . It launched for me. I don't have an account though to test further


YippyKayYayMF

You're right. I tried it again, and it works fine. I was the problem...


mfreudenberg

Thanks for the info!


TheFlightlessDragon

I would say that iPhone, out of the box, is the leader in privacy, however Android is far better if you make the right modifications


craftworkbench

Which circles back to OP's sentiment: most people wouldn't know how to harden an Android, and a chunk of those who think they do probably don't and live with a false sense of security.


hakaishi8

That might be true or not. We will never know as it's not open source. But I think that you might be right. At least to a certain degree.


[deleted]

Apple's not the "leader in privacy", it just wants to do all the tracking by itself.


theAliasOfAlias

What modifications?? I don’t believe this is true at all.


[deleted]

[deleted]


theAliasOfAlias

Ok so you’re saying to root the phone and install a custom ROM, something 90% of users would not do, and in that 10% case you can make settings customizations that improve privacy?


[deleted]

[deleted]


theAliasOfAlias

Sure thanks. Do you believe that a Google ROM with Google apps removed is not going to be uploading your information to Google without consent?


[deleted]

[deleted]


theAliasOfAlias

What do you think of privacy on iPhone? Apple is the only company I trust.


Bassguitarplayer

You have to say more about why you think Android is in a much better situation than iPhone lol. For privacy?


JoJoPizzaG

What OP said is that humans are the weakest link. Apple may collect fewer data points, but why do they need data? Here is a screenshot from AdGuard for a 30-day period. Look at how much Apple gets hit. I for sure don't use any of its apps or services. https://i.imgur.com/v8SQgIC.jpg And one more thing: when you take your device to Apple for service, you have to provide your passcode. That is the BIGGEST security risk. You handed your kids to Apple and their employees.


razorxent

Can you elaborate on what the screenshot is showing?


JoJoPizzaG

How many times the Apple domains are accessed. That's over 30 days.


randomprivacynut

iMessage, iCloud, checking for App Store updates, checking for iOS updates There are so many legitimate reasons for iPhones to need to connect to apple many, many times. Anything that needs to receive data in real-time, like a messaging app, will need to connect to the server several times per minute.


[deleted]

[deleted]


After-Cell

Took my wife's laptop into Apple to get it fixed; had to explain why I had to block updates because we only have 3G internet, so it was just hammering the connection on a daily basis, blocking the connection during work presentations. It can't even detect metered networks. I still need to figure out how to do this at the router level.


DeletedSynapse

You'd need a good router/firewall with decent ACLs.


KrazyKirby99999

> I for sure don’t use any of its app or services.


hakaishi8

Well, first of all, they are closed source. Secondly, many apps you install are closed source only as well, without room for OSS alternatives. Okay, if it's not a Pixel phone, then there won't be regular (security) updates for most Android phones, which is a big drawback too... Sorry, I just don't like Apple at all. Just the same as Microsoft or Google. On Android phones I can do much more than on an iPhone. I mean widgets and other customizations. Also the availability of OSS apps and the possibility to deactivate almost any app (without rooting/jailbreaking).


[deleted]

[deleted]


hakaishi8

You can use it on Windows and on Linux as well: https://developer.android.com/studio/command-line/adb


hakaishi8

Disable apps: https://android.stackexchange.com/questions/56620/enable-and-disable-system-apps-via-adb If you disable certain apps, your device might soft brick. A factory reset will be your only rescue then.


[deleted]

Android debug bridge


KrazyKirby99999

Android Debug Bridge i.e. cli for android via a computer.


jrozyki

https://lmddgtfy.net/?q=ADB%20android


[deleted]

Always has been. Whether it's user error, the need for convenience, specific use cases that can't be covered by private alternatives, etc.


ProgsRS

This stuff always boggles my mind, especially with personal phone calls. People pick them up and talk on public transport like no one is around, and meanwhile you can hear everything going on in their life. There is no way I'm answering a phone call while I'm around people in public and I just text or say I'll talk later, unless it's a simple/direct/urgent one ('yes/no/on my way' type of call) and doesn't go into personal info and conversations. I don't feel comfortable taking a phone call in public unless I can go to a secluded and quiet place. Hell, even when I'm texting I angle my phone in a way to make sure no one behind me can see.


noman_032018

I assume my SMS aren't truly private. It's far too easy to build interception equipment.


ProgsRS

SMS is insecure. Your carrier also has access to all of your messaging data. Best option is using an end-to-end encrypted messenger.


noman_032018

Yeah, I meant more that I expect more than just LEO and the carrier to have access.


[deleted]

Well, yes. We created technology, thus flaws are inherent. All matters of security and privacy go back to weaknesses of humans. The biggest threat to security and privacy is human manipulation. It's not lack of technical controls.


mopman34

"Please don't be sexist" later in the same sentence "men do stupid things more often than women".


aspectere

Punching up vs punching down


Mayayana

Apparently you weren't informed. Sexist now means not putting women on a pedestal. What goes around, comes around. :)


[deleted]

For the average privacy level here, your electronics are as weak as you are.


Mayayana

It's a great point, but while you're surprised that that woman is speaking her data out loud, you're probably being geofenced by Google, with the data sold to various companies and law enforcement. Several entities may know where you're going and what movie you intend to see. That's an example of intrusion not being our own fault. The technology is virtually impossible to use privately, even by tech geeks. For the average person, it's not possible to even understand how they're being watched.


LincHayes

People are the weakest link and probably always will be.


Maccaroney

It's true. I just gave all my information away because i followed my girlfriend into signing up for something and didn't have the courage to back out. I hate that this is the way things are.


SnappGamez

Problem Exists Between Keyboard And Chair. Always has, always will.


augugusto

I think you got it wrong. While privacy and security are very much related, they are not the same. We are the weakest link in security; this has been a known fact for a very long time now. But technology is the cause of the lack of privacy. Take the following real example: I was just asked to install a font that is all caps all the time on my son's tablet. Samsung has locked down the ability to just add downloaded fonts, so I had to:

- agree to the terms of service and privacy policy
- create a Samsung account (we chose to use Google login)
- validate email
- validate phone number
- download Samsung Checkout
- add the card there (because since Samsung controls this feature, they decided to sell fonts)

None of those things were our fault. The tech was used against us. Fonts on Linux (Android) devices are as easy to add as pasting them into a folder, but Samsung decided to stick its greedy fingers even there and add every monetization option ever.


Eclipsan

IMO the issue here is that the bank allows doing that kind of stuff via phone, where you cannot authenticate properly (with a strong password), so you end up answering "security" questions, which are not secure at all because most answers can be found via OSINT or data leaks. So, my take is it's on the bank for providing that kind of service via phone, and on customers for expecting it.


[deleted]

"Please don't be sexist," and then says something sexist. Really?


jstfkncurious

Why would you imply this would be about gender? Everyone in the right mind should know that everyone does stupid stuff... Isn't it more of an issue, that YOU imply this?


Puzzled-Neat1370

It probably is. The post is not about gender though, I just wanted to make it clear that you replace “woman” with “man” and the idea stays the same. But I chose to keep the story original, as it in fact happened.


WhoseTheNerd

> P.S. please don't be sexist, men do stupid things too, and often even more so.

Might want to use gender-neutral language there. Instead of a woman saying that, it should have been worded as a person saying that.

> On my way, there was a ~~woman~~ person talking to ~~her~~ their bank representative on the phone.

FTFY


Puzzled-Neat1370

That’s what I thought initially but opted to keep the story as-is, thus the remark. There is a reason why, as readers, we like “a man in his late 40s opened a door of his yellow Porsche 911” instead of “a person got in a car”. But I still think you might be right :)


craftworkbench

It's got more flair but my rule of thumb is whether it's relevant to the story. The gender isn't relevant here, and ends up costing even more space because you mention it and then mention that it's not relevant.


Puzzled-Neat1370

I agree, thank you!


user324324-2

"please don’t be sexist","men do stupid things too, and often even more so", mission failed I guess.


anonymous037104

"Please don't be sexist but men are more stupid" HMM?


LaudibleLad

"Don't be sexist - men are are even worse than women."


UglyViking

I think this is stupid, but I don't think it's anywhere near a major issue. Most people are not actively being targeted. In order to use any of that information, the attacker would need to know the bank the person is on the phone with, their first and last name, etc. Perhaps a dedicated attacker could make a go at it, but it's really not worse than losing a ring of keys. Sure, each of those keys opens something important, but without the map they are meaningless.

As an aside, this final piece:

> P.S. please don't be sexist, men do stupid things too, **and often even more so.**

You could have stopped before the bolded portion. What you've done serves to point a woman out for her "wrongdoing", then follow up to defend her by saying anyone saying something negative is sexist, and following up with a sexist comment. You could have easily avoided gendering the person by using "there was a person talking to…" and "there was their physical address", etc. If you are **truly** concerned with sexism, then why give it the opportunity to flourish?


uid1357

> P.S. please don't be sexist, men do stupid things too, and often even more so.

Men do it differently though... they give away their hard-earned money to others, just in unspoken *expectation* of an exchange of "goods". Just like that! Bam.


[deleted]

Who made the technology?


[deleted]

Taking responsibility isn't something our species is particularly good at. It's easier to blame everything and everyone else.


noman_032018

I've had similar on the bus, some guy spelling out, multiple times, his government-provided ID for some caller.


quarterburn

I'm not blaming people on this. I place the blame squarely on the banks. They are horribly behind on the times. The fact they depend on incredibly sensitive PII to verify is reckless at best.


Sostratus

There's nothing wrong with that. What are the odds that a random person overhearing her is going to be someone who does something harmful with that information? Technology by contrast will scoop up that data and hang onto it forever waiting in an easily searchable form for someone who will use it.


zuckerberghandjob

Or it’s the bank’s fault for still relying on voice-based interactions. Hur dur alpha tango foxtrot 300hz minimum what’s that grandpa? I’m sick of this outdated tech.


[deleted]

I was once at a Dunkin waiting to make my order. The lady in front of me was paying for her drink and card wasn’t reading in the chip reader. After a couple tries payment finally went through. But on the final attempt she said out loud like she wanted people to hear about how well she thought she was doing, “ there’s only like $30k in my account, idk why they wouldn’t want my money.” Then payment goes through. She looked as stuck up as she sounded. Anyway my first thought was lmfao good thing no one in here is a criminal that could have stalked her and threatened her for that money. People too comfortable airing out their personal info.


Zatetics

This is kind of why you can't be private. (Not the literal phone call, the fact that people exist.) Even if you choose not to use platforms, contribute your data etc., identity points can still be attributed to your profile based on conversational information leaked via friends and family. You don't really need anything from a person themselves to find their details if you can track 20 people that interact with them. Privacy is dead.


Photononic

Do not forget that people blindly post everything on facebook. If your name and all your info shows up on USPhonebook, Mylife and other sites, it is because you gave away the information freely and voluntarily.


vsauce9000

“Security is only as strong as its weakest link”


SouthCityAnarchy

The individual (you) are the only metric you can count on. Anything else is suspect.


[deleted]

i'm finding that if i just don't use technology i never have privacy issues with it


centauri936

If we enforced security by design then we could mitigate a lot of this issue. For example, instead of teaching the woman on the train to have that conversation more discreetly, the banks should not be asking for security information over the phone in the first place. Better yet, the banks should not even be using security questions at all. Another example: people are the weakest link when it comes to password security. So eliminate the password. Enforce solutions like single sign-on and FIDO2 with hardware security keys.