Wife told me last night one of her siblings just found this out the hard way. While back they were shopping for a relative. Went to pay at one store and sibling had left their phone in the car was going to run back to get it as all payment methods are on the phone. This alone sounded scary to me. Wife just said I will pay and you can pay me back since there was a line behind them rolling their eyes. They get back to the car and sibling wants to pay her back with Venmo. Wife told her she does not have that and sibling looked at her like she said she did not have electricity at home. Well now sibling is on the phone in full break down. Someone in another state managed to get BofA to let them start an account, got Venmo, and drained the sibling's account with it. Sibling was in full melt down.
Now I "suspect" her sibling will be able to get the money back, at least I hope. Meanwhile bills need to be paid, direct deposit from the job has to be stopped, HUGE PITA. I told Wife "aren't you sad you don't have Venmo?" :s0140:
 
Wife told me last night one of her siblings just found this out the hard way. While back they were shopping for a relative. Went to pay at one store and sibling had left their phone in the car was going to run back to get it as all payment methods are on the phone. This alone sounded scary to me. Wife just said I will pay and you can pay me back since there was a line behind them rolling their eyes. They get back to the car and sibling wants to pay her back with Venmo. Wife told her she does not have that and sibling looked at her like she said she did not have electricity at home. Well now sibling is on the phone in full break down. Someone in another state managed to get BofA to let them start an account, got Venmo, and drained the sibling's account with it. Sibling was in full melt down.
Now I "suspect" her sibling will be able to get the money back, at least I hope. Meanwhile bills need to be paid, direct deposit from the job has to be stopped, HUGE PITA. I told Wife "aren't you sad you don't have Venmo?" :s0140:
No offense to any of your relatives, but the same kind of person who would leave valuables in the car would have a Venmo account.
 
NGL, the resurrection of this thread made me do a double take. I like to think I am fairly up to date on tech industry goings-on, so when I read this title I thought "Again?! How did I not hear about this already?" Then I read the OP and saw it was the breach from over a year ago and one of you guys just decided the thread was relevant again for some reason.

Masterful troll. 10/10.

Also don't forget sim-hacking is a thing, so if you are using SMS as your second factor someone who is deliberately targeting you can intercept that text just by spoofing your sim info to the network. SMS challenge/response is really only effective against random attacks.
 
Also don't forget sim-hacking is a thing, so if you are using SMS as your second factor someone who is deliberately targeting you can intercept that text just by spoofing your sim info to the network. SMS challenge/response is really only effective against random attacks.
Yep, that's why I hate using that method for 2FA. It irks me to no end that banks have adopted this as their preferred method.
 
Yep, that's why I hate using that method for 2FA. It irks me to no end that banks have adopted this as their preferred method.
When my work started doing this years ago they do it with an App you have to put on your phone. The first thing I thought when setting this up is how long will it take till some scum will find a way to get into this and get around it?
When the banks started doing the two factor with text I was thinking the same thing. How long will this really stop the scum. The online banking is great but, of course those wanting to steal will of course work hard to use it to steal. :s0092:
 
When my work started doing this years ago they do it with an App you have to put on your phone. The first thing I thought when setting this up is how long will it take till some scum will find a way to get into this and get around it?
This is the preferred method right now and is extremely secure. Without going too far into the weeds, those tokens are encrypted and time-based, and include no information about the user, so no single token can be tracked back to anyone.

The insecure part is the squidgy bit holding the device. Social engineering is the hardest thing to nail down in the IT world.

We spend about $20k a year on training for our users and continuously test them. The constant failure rate is astonishing.
 
When my work started doing this years ago they do it with an App you have to put on your phone. The first thing I thought when setting this up is how long will it take till some scum will find a way to get into this and get around it?
When the banks started doing the two factor with text I was thinking the same thing. How long will this really stop the scum. The online banking is great but, of course those wanting to steal will of course work hard to use it to steal. :s0092:
OMG the stuff I've had employers install on my phone or work laptop. The laptop I don't mind because they always supply it, but the phone? And then some of the networks I logged into were like the Get Smart intro to get into. Chip reader on the laptop, different security cards and accounts for different domains, and just as you get used to it there's something new.
 
No offense to any of your relatives, but the same kind of person who would leave valuables in the car would have a Venmo account.
LOL, I have zero idea how Venmo works and have no desire to find out. Have heard enough stories of people getting money stolen to keep me from really wanting one. The sibling who got hit, since ALL their payment options are on the damn phone I have to guess the thing is not normally left in the car. What scared me more was that all cards are stored on the damn phone. I am FAR from "tech savvy" but that sounds scary to me. :confused: A SHOCKING number of guys I know leave their wallet in their car. :eek:
When I have asked why in hell anyone would do this I get a list of reasons the wallet causes them problems and they see nothing wrong with leaving it in the vehicle. Have not lost my wallet in decades so don't know if it's still a hassle. I know I don't want to have to deal with it so no way in hell would I leave it in my vehicle. Again though if that's their "thing"?
LONG ago when I first used Ebay I had a PayPal account and even back then I was NOT about to give them access to my account. So I started a free checking account at another bank and tied the PP to that. Only putting enough money in there when I sold something and taking it back out. So I guess if for some reason I ever felt there was some advantage to these online payment things I keep hearing so many say they love? I would do this again. Set up a separate checking account just for that.
 
NGL, the resurrection of this thread made me do a double take. I like to think I am fairly up to date on tech industry goings-on, so when I read this title I thought "Again?! How did I not hear about this already?" Then I read the OP and saw it was the breach from over a year ago and one of you guys just decided the thread was relevant again for some reason.

Masterful troll. 10/10.

Also don't forget sim-hacking is a thing, so if you are using SMS as your second factor someone who is deliberately targeting you can intercept that text just by spoofing your sim info to the network. SMS challenge/response is really only effective against random attacks.
Can you elaborate on sim hacking? I don't know what that means, but do know that I needed to enter something about SMS in order to use a Comcast email address in Outlook.
 
This is the preferred method right now and is extremely secure. Without going too far into the weeds, those tokens are encrypted and time-based, and include no information about the user, so no single token can be tracked back to anyone.

The insecure part is the squidgy bit holding the device. Social engineering is the hardest thing to nail down in the IT world.

We spend about $20k a year on training for our users and continuously test them. The constant failure rate is astonishing.
Yep, phone MFA apps =/= SMS text verification, despite both being on the same device. Technology really is complicated for people unfamiliar with how it all works, and I am just as guilty as anyone else in assuming everyone knows all the details when I talk about some specific aspect of it all. (and then people wonder why I default to the most verbose explanations when I get rolling on a topic. . . )
 
This is the preferred method right now and is extremely secure. Without going too far into the weeds, those tokens are encrypted and time-based, and include no information about the user, so no single token can be tracked back to anyone.

The insecure part is the squidgy bit holding the device. Social engineering is the hardest thing to nail down in the IT world.

We spend about $20k a year on training for our users and continuously test them. The constant failure rate is astonishing.
Well that's good to know at least. Since I have ZERO clue how any of this works I was wondering how well this would really work. The things they let me access from home are limited which works for me. They have offered to let me access the same things at home I have access to at work but, said to do so I would have to set the phone up with encryption. Since I can see the things I really need with just the App log in I never bothered. Figured the stuff that I have to be on the work network to access I can wait till I am at work to do. Again though I know almost nothing of how this all works. Seems a constant battle between the do bads and those who are trying to stop them :s0140:
 
LOL, I have zero idea how Venmo works and have no desire to find out. Have heard enough stories of people getting money stolen to keep me from really wanting one. The sibling who got hit, since ALL their payment options are on the damn phone I have to guess the thing is not normally left in the car. What scared me more was that all cards are stored on the damn phone. I am FAR from "tech savvy" but that sounds scary to me. :confused: A SHOCKING number of guys I know leave their wallet in their car. :eek:
When I have asked why in hell anyone would do this I get a list of reasons the wallet causes them problems and they see nothing wrong with leaving it in the vehicle. Have not lost my wallet in decades so don't know if it's still a hassle. I know I don't want to have to deal with it so no way in hell would I leave it in my vehicle. Again though if that's their "thing"?
LONG ago when I first used Ebay I had a PayPal account and even back then I was NOT about to give them access to my account. So I started a free checking account at another bank and tied the PP to that. Only putting enough money in there when I sold something and taking it back out. So I guess if for some reason I ever felt there was some advantage to these online payment things I keep hearing so many say they love? I would do this again. Set up a separate checking account just for that.
I remember giving a neighbor a ride to the bank and around town after a particularly bad snowstorm. She couldn't get out of her driveway and had some pressing matters to attend to. At the first stop, she leaves this giant purse in the footwell. I told her that it wasn't safe and she still wanted to leave it there. She couldn't quite grasp that her lack of care for her purse didn't negate my concern for my car window. This is the same woman who had a car stolen from her driveway the year before because she left it running to charge her phone. :rolleyes:
 
Well that's good to know at least. Since I have ZERO clue how any of this works I was wondering how well this would really work. The things they let me access from home are limited which works for me. They have offered to let me access the same things at home I have access to at work but, said to do so I would have to set the phone up with encryption. Since I can see the things I really need with just the App log in I never bothered. Figured the stuff that I have to be on the work network to access I can wait till I am at work to do. Again though I know almost nothing of how this all works. Seems a constant battle between the do bads and those who are trying to stop them :s0140:
You would probably be shocked at how much money even a small organization like the one I currently work for (~1500 users) spends on keeping bad doobies out of our data. It's even more baffling that money is also spent on keeping our own users from helping them!

It's not even their fault, really. Bad actors learn and get better all the time. It can be very difficult to know what's legit and what's a scam.
 
You would probably be shocked at how much money even a small organization like the one I currently work for (~1500 users) spends on keeping bad doobies out of our data. It's even more baffling that money is also spent on keeping our own users from helping them!

It's not even their fault, really. Bad actors learn and get better all the time. It can be very difficult to know what's legit and what's a scam.
That part seems par for the course. I am sure we spend the combined GDP of some small countries trying to keep health care info secure. They now and then send out "fake" e-mails to try to teach people what to not open. So now and then they get bent out of shape when they send something they want read and many of us delete it without opening because it did not look "right". :D
 
Well that's good to know at least. Since I have ZERO clue how any of this works I was wondering how well this would really work. The things they let me access from home are limited which works for me. They have offered to let me access the same things at home I have access to at work but, said to do so I would have to set the phone up with encryption. Since I can see the things I really need with just the App log in I never bothered. Figured the stuff that I have to be on the work network to access I can wait till I am at work to do. Again though I know almost nothing of how this all works. Seems a constant battle between the do bads and those who are trying to stop them :s0140:
My biggest battle is with my users who are constantly finding ways to circumvent security systems. They are just trying to do their jobs in the only ways they know how, and when they hit a roadblock they rarely stop to ask themselves why that block is there and just start flailing about until they find a way around it. And I cannot even blame them, not everyone can be a security expert, or else they would not need to hire me to run all those systems for them. I really do try to make actual business processes as simple and clear of obstruction as possible, but there are always edge cases that pop up. It is a constant headache, because the solution really can't be "teach everyone to be a security engineer".

But at the same time you have the bad guys, and they have figured out that social engineering will always be the weak point, since, well, you can't teach everyone to be security engineers. You just need an attack convincing enough to motivate a user to circumvent some security policy or other, and bam, you have a breach.
 
That part seems par for the course. I am sure we spend the combined GDP of some small countries trying to keep health care info secure. They now and then send out "fake" e-mails to try to teach people what to not open. So now and then they get bent out of shape when they send something they want read and many of us delete it without opening because it did not look "right". :D
I opened a test email like that once, while I worked with a bunch of networking and security people. As a developer. 😬 I didn't click on anything, and all that happened was I got an email from security saying that was a test and don't open stuff like that. My boss never said anything. 🤷‍♂️ But I felt like a complete idiot. I totally knew better.
 
I am sure we spend the combined GDP of some small countries trying to keep health care info secure.
Ugh...don't even get me started on Providence. You'd think with the money they have they could sink a bit more into data connectors that effing work most the time.

We have a health clinic that relies on parts of Providence's systems. Unreliable is being polite.
 
