The Briefing Room
General Category => Economy/Business => Topic started by: catfish1957 on June 06, 2021, 05:22:33 pm
-
(https://www.omacomp.com/wp-content/uploads/2015/07/Computer-Hacking.jpg)
https://www.marketwatch.com/story/americans-face-mounting-risk-of-hackers-taking-over-brokerage-accounts-regulators-say-11622826205?mod=mw_latestnews (https://www.marketwatch.com/story/americans-face-mounting-risk-of-hackers-taking-over-brokerage-accounts-regulators-say-11622826205?mod=mw_latestnews)
<snipit>
t’s not just corporations that are facing an epidemic of cyber attacks — American retail investors are also struggling to contend with a surge in hackers taking over their investment accounts, regulators warn.
The Financial Industry Regulatory Authority, the brokerage industry’s self-regulatory body, said in a recent notice that it has “received an increasing number of reports regarding customer account takeover incidents, which involve bad actors using compromised customer information, such as login credentials, to gain unauthorized entry to customers’ online brokerage accounts.”
Ari Jacoby, chief executive and co-founder of cybersecurity firm Deduce, backed up this statement with data showing that account-takeover fraud increased by roughly 250% from 2019 to 2020. He told Security.org that account-takeover prevention is a $15 billion market that is “growing significantly year-over-year. “
=================================================================================
Growing concern, and everyone especially needs to be cognizant and dilegent in these three items and areas of safety
1. Keep paper or electronic backup of statements (USB, etc.)
2. Only use brokerages, banks, etc with "Two Factor Authentication". This is critical.
3. Long and frequently changed passwords.
-
Let the user beware.
Anyone using a password manager or lock app?
That seems the easiest way to get hacked.
I do know that anything that I have financially related has at least 30 characters.
-
Let the user beware.
Anyone using a password manager or lock app?
That seems the easiest way to get hacked.
Excellent point. I don't claim to be a cyber security expert, or anything close, but the thought of relinqueshing control in the case you state seems with risk. I do know that anything i have financially related has at least 30 characters in the pass word.
-
Excellent point. I don't claim to be a cyber security expert, or anything close, but the thought of relinqueshing control in the case you state seems with risk. I do know that anything i have financially related has at least 30 characters in the pass word.
30?
I need to beef things up
-
30?
I need to beef things up
I am a tad paranoid though. In fact I quickly delete my 2FA texts after logging in.
-
Let the user beware.
Anyone using a password manager or lock app?
That seems the easiest way to get hacked.
I do know that anything that I have financially related has at least 30 characters.
How the heck do you do that w/o a password manager?
I mean, my passwords are unique, computer generated, 16+ chars, and there is no way I can remember them.
It is already cumbersome, keeping critical passwords in a dedicated manager, and out of browser retention.
At some point, it is an absurdity, since if you are doing anything online, you are feeding those passwords into a browser at some point anyway. Who is to say Google as an instance, ain't recording them anyway? Or the servers that receive the password... a server side attack seems to be far more the norm.
-
How the heck do you do that w/o a password manager?
I mean, my passwords are unique, computer generated, 16+ chars, and there is no way I can remember them.
It is already cumbersome, keeping critical passwords in a dedicated manager, and out of browser retention.
At some point, it is an absurdity, since if you are doing anything online, you are feeding those passwords into a browser at some point anyway. Who is to say Google as an instance, ain't recording them anyway? Or the servers that receive the password... a server side attack seems to be far more the norm.
Your IT experience is pretty extensive. Got any best practices to share to help us "air tight" our brokerage accounts?
-
Your IT experience is pretty extensive. Got any best practices to share to help us "air tight" our brokerage accounts?
Not without trusting some sort of manager. Who is going to remember 30 random chars?
I surely would not be using Chrome or Edge - Both Microsoft and Google already known for privacy issues...
And Firefox is not much better, simply from the POV that EVERY browser must deliver those passwords, and that transmission must remain suspect.
However, all y'all no doubt use your phones for transactions, which are either Google or Apple, so you have to figure that someone is recording what you do no matter what. And that cannot be beat except with eyeball transactions at the counter of a local brokerage... Outside of that, you are hanging out somewhere.
As to critical passwords - I use an open source manager called KeyPass (https://keepass.info/)
It offers foremost an open source - Every line of its code can be examined.
It is not famous other than in tech and open source circles - so any fault there might be in the way of exploit is offset by its relative obscurity (hackers tend to put their efforts toward popular means), so my choice in that is intentional. It does store passwords in an encrypted container, with several means of access design.
Anything in that password can is super critical to me, and are only accessed with one machine, and that machine is normally offline, and hard wired when it is online. It holds critical bank account passwords, critical serverside passwords, both for my site and my local server access. It also holds all my passwords for encrypted containers.
But all of that really means nothing in daily use - Because I must operate electronically. So like everyone else I have to rely on the means available, which are not all that secure. But it DOES offer me a God-Mode solution, regardless of how I am hacked, except for a direct physical attack here at my house, or at one of two more locations where ancillary access is maintained wholly by sneaker-net, one of which is highly portable, but seldom used beyond the need to keep the device(s) registered as legit access devices to various accounts with time restrictions...
In every critical place, there are TWO users, one that I use in the typical fashion, and another that is only accessed by that highly guarded secondary system - Which is actually the primary system. Every administrative account is made there, with the more promiscuous user not having access to administration of the accounts. So I can operate in the user level account normally, but I NEVER access account administration anywhere except from that singular system.
I have been hacked, and I will be hacked again. So far, those GodMode accounts have been the solution. But that is because of what I am, and what I attract, so I don't know if such steps are practical for the average Joe.
Beyond something like that, you must have some reliance on the systems in common use... So buy machines that offer encrypted operation with fingerprint access, especially so wrt portable devices, and primary access devices. Limit access to those devices strictly. Change passwords often, and use random computer generated passwords, and 2FA. That is really all you get. Beyond that, you must trust browsers, brokerages, and authenticators. Not much for it.
OR stay away from electronics, and pick a broker/bank with walk-up eyeball service, and only use it that way, no matter how convenient the app might be. It is all about convenience and that convenience is what always becomes the exploit.
-
Not without trusting some sort of manager. Who is going to remember 30 random chars?
I surely would not be using Chrome or Edge - Both Microsoft and Google already known for privacy issues...
And Firefox is not much better, simply from the POV that EVERY browser must deliver those passwords, and that transmission must remain suspect.
However, all y'all no doubt use your phones for transactions, which are either Google or Apple, so you have to figure that someone is recording what you do no matter what. And that cannot be beat except with eyeball transactions at the counter of a local brokerage... Outside of that, you are hanging out somewhere.
As to critical passwords - I use an open source manager called KeyPass (https://keepass.info/)
It offers foremost an open source - Every line of its code can be examined.
It is not famous other than in tech and open source circles - so any fault there might be in the way of exploit is offset by its relative obscurity (hackers tend to put their efforts toward popular means), so my choice in that is intentional. It does store passwords in an encrypted container, with several means of access design.
Anything in that password can is super critical to me, and are only accessed with one machine, and that machine is normally offline, and hard wired when it is online. It holds critical bank account passwords, critical serverside passwords, both for my site and my local server access. It also holds all my passwords for encrypted containers.
But all of that really means nothing in daily use - Because I must operate electronically. So like everyone else I have to rely on the means available, which are not all that secure. But it DOES offer me a God-Mode solution, regardless of how I am hacked, except for a direct physical attack here at my house, or at one of two more locations where ancillary access is maintained wholly by sneaker-net, one of which is highly portable, but seldom used beyond the need to keep the device(s) registered as legit access devices to various accounts with time restrictions...
In every critical place, there are TWO users, one that I use in the typical fashion, and another that is only accessed by that highly guarded secondary system - Which is actually the primary system. Every administrative account is made there, with the more promiscuous user not having access to administration of the accounts. So I can operate in the user level account normally, but I NEVER access account administration anywhere except from that singular system.
I have been hacked, and I will be hacked again. So far, those GodMode accounts have been the solution. But that is because of what I am, and what I attract, so I don't know if such steps are practical for the average Joe.
Beyond something like that, you must have some reliance on the systems in common use... So buy machines that offer encrypted operation with fingerprint access, especially so wrt portable devices, and primary access devices. Limit access to those devices strictly. Change passwords often, and use random computer generated passwords, and 2FA. That is really all you get. Beyond that, you must trust browsers, brokerages, and authenticators. Not much for it.
OR stay away from electronics, and pick a broker/bank with walk-up eyeball service, and only use it that way, no matter how convenient the app might be. It is all about convenience and that convenience is what always becomes the exploit.
Thanks.... great write up.