"R.Wieser" <address@is.invalid> wrote

| > There is no privacy leaked.
| | I think you're the only one here bothered by that. Somehow I think that
| most, if not all others are more concerned by the possibility of seeing
| their bank accounts being drained.
|

Actually, this subthread started with Carlos attacking
Arlen for caring about privacy. Then I chimed in to detail
how 2FA with cellphones for email is specifically a Google
tracking method and has no relevance in terms of security
for email. I also said I avoid shopping online, partly in order to
reduce exposure to unprotected databases that get regularly
hacked. I was talking privacy AND security.

That got gradually converted to an argument about
Carlos and his 2FA when he banks online.

I'm thinking that maybe we're just all getting
too old for this. The bicker factor is becoming most of the
discussions. Frank used to be good natured. Carlos used to
be the most gracious among us. Now both just argue all day,
seemingly without thinking about what they're saying. Then
we have at least 3 people who just post nonsense or silly
questions. I never blocked anyone on Usenet for maybe
20 years. I now have several people blocked.

This morning at Slashdot I came across an interesting,
apropos article. It referred to a piece last year:

https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

Scary stuff. Freezing your credit record doesn't necessarily
keep it frozen. In some cases people had to provide a
cellphone # for 2FA but it turned out that any old number
was fine and 2FA wasn't used....

I've frozen my own credit record to prevent
someone getting a charge card in my name. This is the first
I've heard that someone may be able to unfreeze it by simply
using my name to open a new account online! I never even
opened an account. I froze it over the phone and got a PIN
number that's supposed to be my security!

(In case you don't know about this in Europe, in the US there
are 3 credit reporting agencies that provide credit info to
businesses. By freezing one's records at all 3, there's no way
to get a new credit card in my name because issuing entities
can't confirm my creditworthy status.)

To my mind, the overall lesson here is that pure automation
just doesn't work, and it's getting worse. Increasingly, the process
of calling a company or agency to speak with a human just
results in an endless loop. They're trying to save money by
automating everything.

In my own case, I have my credit frozen and don't bank
online. But how safe am I? I wanted to block the ability to
have an online account. My bank says they can't do that.
They say not to worry because I'd have to open such an
account in person. Hopefully that's true.

Ads on TV claim that 13 million Americans had their identity
stolen last year. There's also been a growing problem of elderly
people being tricked out of their money. That isn't new, but
automation is making is worse. The idea of a stolen identity
should be absurd, but all it takes now is a few changes in
computerized recordkeeping. Which defeat the purpose of
credit altogether. Creditworthiness used to be a factor of
personal reputation. Now the personal part is removed!

Newyana2 <Newyana2@invalid.nospam> wrote:
> "R.Wieser" <address@is.invalid> wrote
>
> | > There is no privacy leaked.
> |
> | I think you're the only one here bothered by that. Somehow I think that
> | most, if not all others are more concerned by the possibility of seeing
> | their bank accounts being drained.
>
> Actually, this subthread started with Carlos attacking
> Arlen for caring about privacy. Then I chimed in to detail
> how 2FA with cellphones for email is specifically a Google
> tracking method and has no relevance in terms of security
> for email.

Which - needing 2FA (actually 2SV) for Gmail or/and needing a cellphone
for (Google) 2SV - are falsehoods, which you keep repeating and when
they're debunked for the umpteenth time, you silently ignore that.
Keeping silent in the face of evidence, doesn't make that evidence go
away.

[...]

> I'm thinking that maybe we're just all getting
> too old for this. The bicker factor is becoming most of the
> discussions. Frank used to be good natured. Carlos used to
> be the most gracious among us. Now both just argue all day,

I "argue all day", because you keep spreading known falsehoods and you
present them in such a way that it amounts to FUD.

There are enough *real* privacy or/and security risks, that the world
can do well without you spreading FUD and urban legends.

> seemingly without thinking about what they're saying.

<firmly sitting on hands>

FYI, I'm *still* "good natured" (as is evidenced in plenty of other
posts). I'm just not "good natured" with people who use dishonest or
even malicious tactics. Your choice whether you're in that set of people
or not.

If you want to keep people "good natured", you should refrain from
implying that people here are ignorant/cluess/stupid/<whatever> for not
realizing privacy/security risks. Many of us *do* realize the risks,
because we actually use and research/investigate the stuff, instead of
just talking - mostly FUD and urban legends - about it.

[Rewind/repeat:]

> Actually, this subthread started with Carlos attacking
> Arlen for caring about privacy.

Carlos didn't "attack" Arlen. He doesn't take Arlen seriously (who
does?), especially not on issues of alleged 'privacy' risks. The
example, paying NIN subscription, was yet another of such imaginary
privacy risks.

Yes, Arlen of course has a right to privacy, but how he goes (on)
about it, is totally unrealistic, to put it mildly.

Have a lovely day! :-)

[...]

Frank,

> You have a habit of *implying* these alleged wrongdoings, but
> never actually *point out* (i.e. quote) where these are supposed
> to have taken place.

Lol.

Re-read my post five post above yours (11-11 21:52) where I did so. I
didn't 'imply' anything, I *told* you that you dropped the important part of
what I said part.

No frank, you can deny and ignore it all you want, but its still there for
everyone to read.

And by the way : nice going by demanding from me that point out where I
'implied' that you did wrong, but than "forget" to support *your* accusation
with a quote that shows that I did such implying.

Hypocritical ? Yeah, abvsolutily. Rather transparant ? That too. :-)

> So, you can still backup your above veiled allegation(s)
> with specifics, instead of vague insinuations, but I doubt
> you will.

You only need to leaf back a few posts. 'but I doubt you will.'

> As to "You've just choosen to ignore it", what's *your* excuse
> for (snipping and) not answering my specific questions? (Clue-by-four:
> "BTW, ...")

Where you asked which model phone I had ? How was that of any importance to
this thread ? Besides that you lost my trust by your "interresting" quoting
there.

>> :-) You must have totally missed where I did spell exactly that out to
>> you two posts back.
>
> If you mean the "the chickens and the fox" thing:

Lol, no. You *really* have a problem of understanding what you're reading,
don't you ?

But granted, that "the chickens and the fox" comparision didn't quite come
out as clear as I would have liked. I realized that a bit later. :-\

> Yes, it's probably best to try to avoid eachother.

Agreed.

And to make sure I'm not too easily tempted to do otherwise I'm going to put
you into my "ignore" list.

Goodbye.

Regards,
Rudy Wieser

On 2023-11-12 17:18, Frank Slootweg wrote:
> Newyana2 <Newyana2@invalid.nospam> wrote:
>> "R.Wieser" <address@is.invalid> wrote
>>
>> | > There is no privacy leaked.
>> |
>> | I think you're the only one here bothered by that. Somehow I think that
>> | most, if not all others are more concerned by the possibility of seeing
>> | their bank accounts being drained.
>>
>> Actually, this subthread started with Carlos attacking
>> Arlen for caring about privacy. Then I chimed in to detail
>> how 2FA with cellphones for email is specifically a Google
>> tracking method and has no relevance in terms of security
>> for email.
>
> Which - needing 2FA (actually 2SV) for Gmail or/and needing a cellphone
> for (Google) 2SV - are falsehoods, which you keep repeating and when
> they're debunked for the umpteenth time, you silently ignore that.
> Keeping silent in the face of evidence, doesn't make that evidence go
> away.
>
> [...]
>
>> I'm thinking that maybe we're just all getting
>> too old for this. The bicker factor is becoming most of the
>> discussions. Frank used to be good natured. Carlos used to
>> be the most gracious among us. Now both just argue all day,
>
> I "argue all day", because you keep spreading known falsehoods and you
> present them in such a way that it amounts to FUD.
>
> There are enough *real* privacy or/and security risks, that the world
> can do well without you spreading FUD and urban legends.
>
>> seemingly without thinking about what they're saying.
>
> <firmly sitting on hands>
>
> FYI, I'm *still* "good natured" (as is evidenced in plenty of other
> posts). I'm just not "good natured" with people who use dishonest or
> even malicious tactics. Your choice whether you're in that set of people
> or not.
>
> If you want to keep people "good natured", you should refrain from
> implying that people here are ignorant/cluess/stupid/<whatever> for not
> realizing privacy/security risks. Many of us *do* realize the risks,
> because we actually use and research/investigate the stuff, instead of
> just talking - mostly FUD and urban legends - about it.
>
> [Rewind/repeat:]
>
>> Actually, this subthread started with Carlos attacking
>> Arlen for caring about privacy.
>
> Carlos didn't "attack" Arlen. He doesn't take Arlen seriously (who
> does?), especially not on issues of alleged 'privacy' risks. The
> example, paying NIN subscription, was yet another of such imaginary
> privacy risks.

He attacked me, basically saying I'm stupid because I don't follow his
way of understanding privacy. In this case, considering that paying NIN
for using their NNTP server is a breach of privacy.

Of course, he goes here under fake names and changes them routinely.
This would go out of the window when an Usenet server identifies clients
uniquely and we could filter him out on that. Even, perhaps, find out
who he is really :-D

>
> Yes, Arlen of course has a right to privacy, but how he goes (on)
> about it, is totally unrealistic, to put it mildly.
>
> Have a lovely day! :-)
>
> [...]

--
Cheers,
Carlos E.R.

R.Wieser <address@is.invalid> wrote:
> Frank,
>
> > You have a habit of *implying* these alleged wrongdoings, but
> > never actually *point out* (i.e. quote) where these are supposed
> > to have taken place.
>
> Lol.
>
> Re-read my post five post above yours (11-11 21:52) where I did so. I
> didn't 'imply' anything, I *told* you that you dropped the important part of
> what I said part.

I said *quote*! Don't try to describe what you think happened, but
*prove* what happened by providing the actual quote(s).

Referring to a whole posting, which in itself is full of unclear/
unnspecific comments, doesn't help. But you do not want to be specific,
do you? You want to remain vague, so you can imply/claim anything you
like.

> No frank, you can deny and ignore it all you want, but its still there for
> everyone to read.

But strange that you can't actually quote any of these dreadful things
I've supposedly done. Odd that.

> And by the way : nice going by demanding from me that point out where I
> 'implied' that you did wrong, but than "forget" to support *your* accusation
> with a quote that shows that I did such implying.

It was of course quoted directly above my response, but when replying
you snipped it, like you snip next to everything. But here it's again:

<RW>
But it however /does/ say that its someone who demands others to (not)
do something, while doing the opposite themselves.
</RW>

> Hypocritical ? Yeah, abvsolutily. Rather transparant ? That too. :-)

Stop talking to the mirror.

> > So, you can still backup your above veiled allegation(s)
> > with specifics, instead of vague insinuations, but I doubt
> > you will.
>
> You only need to leaf back a few posts. 'but I doubt you will.'

I did. I said:

<FS>
In the snipped part you talked about "a smartphone for authentication".
</FS>

I said "In the snipped part", so I was not just talking about the
smartphone part. If you'd bother to read (instead of just snip) my
earlier response in that thread, you'd see that I quoted your full
paragraph:

<FS>
> As for a smartphone for authentication ? I always found that odd. You have
> exactly *zero* control over what is going on on it, and if you make sure you
> can (rooting it) you are flagged as "insecure".
</FS>

So I did *read* your paragraph, *quoted* it and *responded* to it.

So your (non-)backup of your allegation still/again fails.

> > As to "You've just choosen to ignore it", what's *your* excuse
> > for (snipping and) not answering my specific questions? (Clue-by-four:
> > "BTW, ...")
>
> Where you asked which model phone I had ? How was that of any importance to
> this thread ?

It was of extreme relevance, because you were talking about all the
dreadful things that can/do happen with smartphones, but don't give the
impression that you're talking from actual experience/knowledge/
expertise.

So yes, it was extremely relevant, but no, I wasn't at all surprised
that you dodged the questions, it only reconfirmed your dishonest MO.

And for the record, I did *not* ask for the model, but that's what you
get for not reading, snipping and losing track.

> Besides that you lost my trust by your "interresting" quoting
> there.

Can you translate that into plain English? What interresting" quoting
did I do and why did that make you lose trust? The mind boggles.

> >> :-) You must have totally missed where I did spell exactly that out to
> >> you two posts back.
> >
> > If you mean the "the chickens and the fox" thing:
>
> Lol, no. You *really* have a problem of understanding what you're reading,
> don't you ?

Yeah, I *really* need to brush up my Bollocks.

> But granted, that "the chickens and the fox" comparision didn't quite come
> out as clear as I would have liked. I realized that a bit later. :-\

Wow! A concession. Stop the press!

> > Yes, it's probably best to try to avoid eachother.
>
> Agreed.
>
> And to make sure I'm not too easily tempted to do otherwise I'm going to put
> you into my "ignore" list.

Wise decision. I'm not there yet, but maybe soon.

> Goodbye.

Good luck.

Carlos,

> First, my comment was regarding privacy, not security. You are moving the
> goalposts.

[quote=you]
In the EU, even knowing the bank account data of someone doesn't allow
anyone to extract money from it.
[/quote]

You said ? That certainly looks like something thats related to security
to me ...

Also, how many posts are we apart from there ? And you only now think to
complain about it ? Yeah, right. :-)

> Then it is not a phone call, it is an encrypted message sent to the bank
> application, so seeing the message requires one or two passwords.

Again : how can you be sure that one of those apps (you no doubt have put on
it) isn't malicious and interferes with it ?

Also, as, IIRC, has been mentioned here, having a message encryped *in
transit* doesn't mean squat for the sender and receiver. Both of them will
have the origional.

>> You did ? Where ?
.....
> Date: Thu, 9 Nov 2023 20:20:58 +0100

Thats odd ... The only post of yours that I can find on that date is not
even close to that that time, and only contains two sentenses of yours, the
second one being "And I don't live in Germany."

The ones after (10-11) and before (8-11) do not contain anything like it
either. Heck, Apart from your current one there seems to be /no/ message,
in this thread or otherwise, which contains the phrase "The point of two
factor authentication is to".

Try again.

And by the way, if that quote quote is from this thread its again where you
talk about security, not privacy ...

> So imagine I use the app in the phone to connect to the bank. The bank
> sends a code by SMS to the *same* phone, the app reads automatically the
> message and logins.
>
> Now suppose my phone is stolen...

I was not talking about a physical robbery (moving tho goal posts yourself
here, hmmm?). Just about hijacking phone numbers, or an malicious software.

Regards,
Rudy Wieser

Newyana2,

> That got gradually converted to an argument about
> Carlos and his 2FA when he banks online.

And at a point he doubted that people could "just" take money outof other
peoples accounts. Which is where I came in - and added a bit of a rant
about the smartphones and how they are used in general.

> I'm thinking that maybe we're just all getting
> too old for this.

Too old ? Nah. A bit tired ? indeed.

> Now both just argue all day, seemingly without thinking about
> what they're saying.

That, even though its a nuisance, is one thing. Denying that they do is
something I do not suffer all to well - as you might have noticed here. :-\

> I never blocked anyone on Usenet for maybe
> 20 years. I now have several people blocked.

Until a couple of years back I didn't even know how to 'killfile' someone.
But yes, I now got a few in there too.

> This morning at Slashdot I came across an interesting,
> apropos article. It referred to a piece last year:
>
> https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/

Yep, I read that too. Not funny at all.

> To my mind, the overall lesson here is that pure automation
> just doesn't work, and it's getting worse.

The automation can work well. Its the implemented method thats flawed.

Or its just an implementation which does not want to stand in the way of
convenience and thinks that problems with that won't occur (or cost less
than more stringent measures).

> I wanted to block the ability to have an online account.
> My bank says they can't do that.

Pretty-much the same here. Over the years I've asked about stuf to keep my
bank account a bit more secure /without/ having to go over my banks
statements with a fine tooth comb, but the answer was always the same : we
don't offer that (like the single-use account numbers some banks do offer).

Heck, I can't even get a bank card which /doesn't/ have NFC anymore. In my
case they have just 'administrative blocked' it - meaning that it stil works
(and a gaffe with it has recently been unearthed).

> ... That isn't new, but automation is making is worse.

Not the automation itself, but that it allows someone anywhere on earth can
log in to a bank on the other side of the world and do their business. Its
a blessing to some, and a curse to others.

> The idea of a stolen identity should be absurd, but all it takes
> now is a few changes in computerized recordkeeping.

Its the result of the US of A giving everyone a unique* personal ID number
*which can't be changed*.

* not /that/ unique, there have been situations known where different people
got the same one. Fun times all around.

> Creditworthiness used to be a factor of personal reputation.
> Now the personal part is removed!

As far as I can tell they have just turned it a 180 degrees : now your
reputation *is* you. :-|

Regards,
Rudy Wieser

R.Wieser <address@is.invalid> wrote:
> Carlos,
>
>> In the EU, even knowing the bank account data of someone doesn't allow
>> anyone to extract money from it.
>
> Yeah, you need to have proof that you are a company to be able to do that.
> And registering yourself as a company is quite hard here, you only have to
> pay a nominal fee and you're one (been there, done that).
>
> ... which is exactly what happened a number of years ago. People who
> noticed unknown companies dipping into their accounts, and had to act
> themselves to get that money back.

Not possible in the UK. Your bank details can only used to pay into the
account. There's no way to *pull* money without your knowledge. To pay a
company directly from your account is only possible with a Standing Order
or Direct Debit or a one-off transaction authorised by you over the
phone/in the app.

>
> As for a smartphone for authentication ? I always found that odd. You have
> exactly *zero* control over what is going on on it, and if you make sure you
> can (rooting it) you are flagged as "insecure".

What "control" do you want by rooting?

> Besides that, its a *non-secure* chain, in the sense that pretty-much any
> helpdesk employee can transfer your phone number to another physical phone
> (social engeneering).

That's illegal without your knowledge.

> As for using a smartphone to order *and* do MFA ? Thats like having your
> (four-digit?) bank code writen on the card itself. IMHO thats just /asking/
> for it...

I mean, the CVV is literally printed on cards for security so not sure what
point you're trying to make.

>
> Yes, I do think most people with smartphones are stupid.

That's nothing to do with smartphones. Most people don't care about tech
and just do what's simplest.

> Besides the
> "smartphone zombie" problem (darwin award contestants) I mean. Most all of
> them have no clue what that mobile 'puter runs/is doing and/or playing the
> "that won't ever happen to me" gamble, but all praise it into high heavens.
> While installing all kinds of malware-free - because of "walled garden" -
> apps on it. Yeah, right.
>
> When I was younger I was taught that running random executables on a 'puter
> was taking a risk of getting malware.

That's because it was.

> Nowerdays you're regarded a weirdo if
> you do *not* allow random executables (ranging from apps thru active-content
> documents thru JS on browsers) on it. Go figure.

App Stores are not sourced of random executables.

>
> As an old saying goes, "Just because you're paranoid doesn't mean they
> aren't after you."
>
> Although full-blown paranoids see danger /everywhere/, I have been called
> called paranoid for pointing the above out.
>
> Regards,
> Rudy Wieser
>
>
>

Wally J <walterjones@invalid.nospam> wrote:
> "R.Wieser" <address@is.invalid> wrote
>
>> As an old saying goes, "Just because you're paranoid doesn't mean they
>> aren't after you."
>>
>> Although full-blown paranoids see danger /everywhere/, I have been called
>> called paranoid for pointing the above out.
>
> To your point, Rudy Weiser, Carlos didn't define "where" the paranoia lies.
> And, more importantly when talking about faraday hats, is the threat mode.
>
> What's the threat?
> a. Is your biggest threat your own wife and children at home?

For serious crime, yes. All the statistics back that up.

> b. Or is your biggest threat some ransom hacker on the Internet?

c. you are your own biggest threat. Hence the high success of phishing and
other social engineering attacks.

People need protection from themselves.

> My argument, sensible as it is, is that logically your friends aren't the
> big threat - so why do people spend so much energy "securing" their phone?

Because you're wrong. Victims of serious crime are very likely to know
their attacker.

Chris wrote:

> R.Wieser wrote:
>
>> People who noticed unknown companies dipping into their accounts,
>> and had to act themselves to get that money back.
>
> Not possible in the UK. Your bank details can only used to pay into the
> account. There's no way to *pull* money without your knowledge.

You might want to check that with Jeremy Clarkson

<http://news.bbc.co.uk/1/hi/7174760.stm>

Of course the person who set-up the direct debit didn't get their hands
on his money, but the charity did and JC would have been entitled to a
refund, but as I understand he didn't ask for one as it wouldn't exactly
be a good look ...

Chris,

> Not possible in the UK. Your bank details can only used to pay into
> the account. There's no way to *pull* money without your knowledge.
> To pay a company directly from your account is only possible with a
> Standing Order or Direct Debit or a one-off transaction authorised
> by you over the phone/in the app.

Thats quite the diffence with how it works here. To create a "standing
order" I have give the *company* a permission slip, and they use that to
prove (when asked!) that they are allowed to take money from me.

Worse, when you want to stop such a permission You have to *ask* the company
to stop billing you - and the bank is pretty-much refusing to be a party in
it, even when stopping the permission is due to bad behaviour (the only
thing you can do is to block that company).

And oh yeah, there is no way here to limit what a company using such a
"standard order" is allowed to take per month. IOW, if they (by accident)
bill you twice the second will go thru just like the first. Very funny when
larger sums of money are involved. :-\

The only thing you could do is to tell the bank to send a fixed sum to that
company, which (ofcourse)doesn't work all that well when small fluctuations
or yeary adjustments are involved.

>> As for a smartphone for authentication ? I always found that odd. You
>> have
>> exactly *zero* control over what is going on on it, and if you make sure
>> you
>> can (rooting it) you are flagged as "insecure".
>
> What "control" do you want by rooting?

Take a wild guess. But I'll give you a hint : I allready mentioned it in
this thread.

>> Besides that, its a *non-secure* chain, in the sense that pretty-much any
>> helpdesk employee can transfer your phone number to another physical
>> phone
>> (social engeneering).
>
> That's illegal without your knowledge.

Yes, and crooks are known to be lawfull citizens. /s

>> As for using a smartphone to order *and* do MFA ? Thats like having
>> your
>> (four-digit?) bank code writen on the card itself. IMHO thats just
>> /asking/
>> for it...
>
> I mean, the CVV is literally printed on cards for security so not sure
> what
> point you're trying to make.

Lol ? So anyone who finds a lost card can just pay with it ? Fantastic.
:-(

No, the "bank code" here is something that isn't on the card and is regarded
the users "password", to be guearded with its life.

I had no idea what a CVV was, so I looked it up and got this :

https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number

The most humorous part (in a very sad way) of it was this :

"When you provide this number for an online or phone purchase, the merchant
will submit the CVV when it authorizes the transaction. It's an attempt to
verify that you have the physical card in your possession and that you're
not just using stolen card information."

I cannot imagine how the merchant, on the other side of an online or phone
connection, will be able to see that you have the bank card in your hands,
and are infact "not just using stolen card information".

As that website doesn't seem to have a clue to how the protection-by-CVV is
supposed to work, can you explain ?

>> Yes, I do think most people with smartphones are stupid.
>
> That's nothing to do with smartphones. Most people don't care about tech
> and just do what's simplest.

Thats pretty-much what I said. They have *no* idea what their phone is
capable of, but they trust their whole lives to it.

>> When I was younger I was taught that running random executables on
>> a 'puter was taking a risk of getting malware.
>
> That's because it was.

Yep. But the thing you overlooked is that it still is.

>> Nowerdays you're regarded a weirdo if you do *not* allow random
>> executables (ranging from apps thru active-content documents thru
>> JS on browsers) on it. Go figure.
>
> App Stores are not sourced of random executables.

As far as I'm concerned, they are.

As long as you pay for a "developer license" you can dump anything you want
in it. And yes, "App stores" (walled gardens) have been known to have
quite a bunch malicious apps in them, particulary pretty-much copies of
popular ones.

And thats apart from the well-working non-malicious apps that get sold to
some other "developer", who than make use of the automatic updating
mechanism of an established app to replace it with their own malicious
version of it.

Regards,
Rudy Wieser

Chris <ithinkiam@gmail.com> wrote:
> R.Wieser <address@is.invalid> wrote:
> > Carlos,
> >
> >> In the EU, even knowing the bank account data of someone doesn't allow
> >> anyone to extract money from it.
> >
> > Yeah, you need to have proof that you are a company to be able to do that.
> > And registering yourself as a company is quite hard here, you only have to
> > pay a nominal fee and you're one (been there, done that).
> >
> > ... which is exactly what happened a number of years ago. People who
> > noticed unknown companies dipping into their accounts, and had to act
> > themselves to get that money back.
>
> Not possible in the UK. Your bank details can only used to pay into the
> account. There's no way to *pull* money without your knowledge. To pay a
> company directly from your account is only possible with a Standing Order
> or Direct Debit or a one-off transaction authorised by you over the
> phone/in the app.

Ah! I'm going to sit down, relax and enjoy the show!

And 'we' haven't even *started*! (See my 'exchange' with Rudy.)

[Even worse stuff to come.]

Chris <ithinkiam@gmail.com> wrote:
> R.Wieser <address@is.invalid> wrote:
[...]

> > As for a smartphone for authentication ? I always found that odd.
> > You have exactly *zero* control over what is going on on it, and if
> > you make sure you can (rooting it) you are flagged as "insecure".
>
> What "control" do you want by rooting?
>
> > Besides that, its a *non-secure* chain, in the sense that pretty-much any
> > helpdesk employee can transfer your phone number to another physical phone
> > (social engeneering).
>
> That's illegal without your knowledge.

This time Rudy more or less dismissed your argument.

Earlier, I mentioned that most 2SV/2FA does not use a phone number. It
may use the phone *itself*, but not the phone *number*. Rudy snipped and
ignored those comments, which is rather telling.

As usual, the context is vague, but it is mostly about banking, the EU
and The Netherlands ("here"). I wouldn't know any reputable bank in NL
which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
probably the same in most of the rest of the EU (and the UK).

AFAICT, it's just more FUD. Yes, if you use a shitty company with
shitty security, then you're at risk. Duh! News at eleven.

> > As for using a smartphone to order *and* do MFA ? Thats like
> > having your (four-digit?) bank code writen on the card itself. IMHO
> > thats just /asking/ for it...
>
> I mean, the CVV is literally printed on cards for security so not sure what
> point you're trying to make.
>
> > Yes, I do think most people with smartphones are stupid.
>
> That's nothing to do with smartphones. Most people don't care about tech
> and just do what's simplest.

AFAICT, it's becoming more and more likely that he not just thinks
that "most people with smartphones are stupid", but that he does not
*have* a smartphone, but still implies to be some kind of expert on
them.

I specifically asked if he had a smartphone, and if so, what platform
(Android/iPhone) and he snipped and dodged that question.

[...]

Newyana2 <Newyana2@invalid.nospam> wrote:
> "Carlos E. R." <robin_listas@es.invalid> wrote
>
> | I don't recall Google T&C saying they track bank apps, so I doubt they
> | do it. Even with SMS there are limits to what they do.
> |
>
> I don't mean that Google records your banking
> transactions, though nothing would surprise me.
>
> What I meant was that the very idea
> of a cellphone for authentication is a way for Google's
> gmail, or other services, to connect your cellphone
> to a confirmed personal ID and location tracker.

2FA/MFA is in no way dependent on google.

> You seem to be enitrely in the dark about even
> standard tracking. This is what I was talking about
> with the links, such as the Kochava story. Kochava is
> just one dataminer, buying spy data from "free"
> cellphone app makers and other sources to create a full
> record of you: your religion, politics, shopping, and your
> exact location in real time, all the time. Google does
> similar. They also share data with credit card companies.
>
> https://www.washingtonpost.com/news/the-switch/wp/2017/05/23/google-now-knows-when-you-are-at-a-cash-register-and-how-much-you-are-spending/

This is a uniquely US issue. In europe where we have proper data privacy
laws this is abhorrent to us.

This is why Carlos is "in the dark". Your scenario is strictly illegal in
sensible countries.

> All of these snoops are selling data and exploiting data.
> Forcing you to have and use a cellphone connected to
> your email is esentially making you tie on a tracking collar.
> But Google are very clever. All of their products and
> spying are so convenient and seamless and functional
> that once you're in the Google zoo it's far too much
> hassle to consider leaving.

Simple solution: don't use google. Or if you do turn off ALL the tracking,
it's not that hard and works well.

Chris,

> This is a uniquely US issue. In europe where we have proper data privacy
> laws this is abhorrent to us.
>
> This is why Carlos is "in the dark". Your scenario is strictly illegal in
> sensible countries.

It mignt be illegal, but for how long have companies in Europe and elsewhere
been dragging their feet *beyond* the "must be implemented by {some date}"
time ? IIRC multiple years. Multiple companies here cried crocodile
tears because they "did not know" - for something that was at least five
years in the making.

And than we have "cookie walls" (illegal) and "if you pass beyond this point
you agree" banners on websites (also illegal). And only "recently" the EU
has made it clear that a pair of "accept all" and "manage your preferences"
buttons (with the latter leading to a large list of tickmarks that had to be
changed one-by-one) is illegal too (putting hurdles in the choice they don't
want).

And the last time I looked at it Google found it *has to* store a Cookie
with undecipherable data so it can remember that you choose (which is
violating your choice). Not just a "no", or "Yes", but this :
"CONSENT=YES+cb.20220723-7-p0.nl+FX+251;" Mind you, that was after
rejecting /everything/, meaning *no* consent whatsoever.

I don't know what a Google consent cookie looks like nowerdays, but I
suggest you take a peek and see for yourself.

> Simple solution: don't use google.

I know a few other simple solutions :
if you do not want to get mugged just don't leave your house.
if you do not want to get stolen from just don't deal with other people.
etc.

> Or if you do turn off ALL the tracking, it's not that hard and works well.

Lol. If you use one of Googles servers they can, and likely do, already
track you.

In that regard, I just searched for something using Google. I got *four*
cookies, besides a "consent=pending+..." one, also a "__secure-enid" one -
which, according to the web, is connected to creating profiles of people.
Ofcourse, I throw away all the cookies when I close the browser, but fact is
that they /still/ try, even though I selected the "reject everything"
button.

And yes, I know that cookies that are needed to keep the website running are
excluded in the cookie law. But I have no idea why many websites, including
Googles search, need to use a session variable, but they still do.

And lets not forget that Google *still* tries to track which result I'm
clicking on. I sought for "foobar", and extracted the below from the
resulting wikipedia link :

<a
href="/url?q=https://nl.wikipedia.org/wiki/Foobar&amp;sa=U&amp;ved=2ahUKEwiHxvztg8SCAxXPyqQKHZ5jCJYQFnoECAQQAg&amp;usg=AOvVaw2dJZ29FhBPCskK5__MdLCr"
data-ved="2ahUKEwiHxvztg8SCAxXPyqQKHZ5jCJYQFnoECAQQAg">

Yes, thats right : when I click the wikipedia link the whole thing gets fed
into Google again (with them gaining the "sa=", "ved=" and "data-ved="
parts - guess what they are for) and only than redirect me to the actual
website. And AFAIK thats, under the "cookie law", illegal too. But who
is going to tell them that ?

Though this method has changed in newer browsers, which now understand a
"ping back" tag :

https://www.w3schools.com/TAGs/att_a_ping.asp

Mind you, that tag does *nothing* for the user, so why it got into the HTTP
spec is anybodies guess (ha!,just joking there. I can make an easy educated
guess...)

And for the chance that you're thinking of disabeling certain JS scripts
than you will need to understand what those scripts do first, and only
disable the tracking ones or parts thereof, otherwise your webpage won't
work. And lets hope none of that JS is obsfucated, otherwise you will
spend quite a bit of time at deciphering it - but still be left with the
possibility that the next time you visit the tracking JS has changed. As
code as well as which file its located in and where.

So yes, disableing *all* tracking /is/ hard. Especially when you want to
use certain services of a company (Google or otherwise).

Regards,
Rudy Wieser

On 2023-11-14 16:08, Frank Slootweg wrote:
> Chris <ithinkiam@gmail.com> wrote:
>> R.Wieser <address@is.invalid> wrote:

....

> Earlier, I mentioned that most 2SV/2FA does not use a phone number. It
> may use the phone *itself*, but not the phone *number*. Rudy snipped and
> ignored those comments, which is rather telling.
>
> As usual, the context is vague, but it is mostly about banking, the EU
> and The Netherlands ("here"). I wouldn't know any reputable bank in NL
> which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
> probably the same in most of the rest of the EU (and the UK).

Banco de Santander.

....

--
Cheers,
Carlos E.R.

Carlos E. R. wrote:

> Frank Slootweg wrote:
>
> I wouldn't know any reputable bank in NL
>> which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
>> probably the same in most of the rest of the EU (and the UK).
>
> Banco de Santander.

Santander UK also sends one-time codes to SMS number.

Barclays sends a confirmation question directly to their app, even when
one of their staff is dealing with you in-branch.

Andy Burns <usenet@andyburns.uk> wrote:
> Carlos E. R. wrote:
>
> > Frank Slootweg wrote:
> >
> > I wouldn't know any reputable bank in NL
> >> which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
> >> probably the same in most of the rest of the EU (and the UK).
> >
> > Banco de Santander.

I probably worded it badly: A bank which offers *only* SMS for 2SV,
i.e. no other method, especially no other method for a *smartphone*,
which is the context of the discussion. Is there *such* a *reputable*
bank?

> Santander UK also sends one-time codes to SMS number.
>
> Barclays sends a confirmation question directly to their app, even when
> one of their staff is dealing with you in-branch.

We have three main banks, 'system banks'. All three can do 2FA with
their respective smartphone apps. Two (the ones I use) - Rabobank and
ABN-AMRO - can use their hardware TOTP (Time-based one-time password)
generator, so you can use online banking on a computer and do not need a
phone/phone-number. The third, ING, seems to only have a smartphone app,
which you also need to use when doing online banking on a computer.
There seems to be no no-smartphone option, which seems a bit strange.

On 2023-11-14 21:00, Frank Slootweg wrote:
> Andy Burns <usenet@andyburns.uk> wrote:
>> Carlos E. R. wrote:
>>
>>> Frank Slootweg wrote:
>>>
>>> I wouldn't know any reputable bank in NL
>>>> which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
>>>> probably the same in most of the rest of the EU (and the UK).
>>>
>>> Banco de Santander.
>
> I probably worded it badly: A bank which offers *only* SMS for 2SV,
> i.e. no other method, especially no other method for a *smartphone*,
> which is the context of the discussion. Is there *such* a *reputable*
> bank?

I have the Santander (aka BSCH) app, and yet I get the SMS. I just
opened the app, and looked for a configuration area. It is difficult to
find, in fact I was giving up when I noticed a "more options" in the
menu close to "bizum" and "contracts", and when tapping there I noticed
a "personal area" with a cog wheel (there is another "personal area" in
the main menu with different things inside).

Here I saw "configure the app". [...] I don't see anything about the sms
messages. I have notifications active (so I get warnings about
witdrawals or payments), but nothing about sms.

So they intentionally use SMS and it is not a choice, unless there is
some entry on the web application.

Notice that the method of entry is a 4 digit PIN, which can be increased
to 8 digits (I did). Another bank uses 4 digits and can not be increased.

>
>> Santander UK also sends one-time codes to SMS number.
>>
>> Barclays sends a confirmation question directly to their app, even when
>> one of their staff is dealing with you in-branch.
>
> We have three main banks, 'system banks'. All three can do 2FA with
> their respective smartphone apps. Two (the ones I use) - Rabobank and
> ABN-AMRO - can use their hardware TOTP (Time-based one-time password)
> generator, so you can use online banking on a computer and do not need a
> phone/phone-number. The third, ING, seems to only have a smartphone app,
> which you also need to use when doing online banking on a computer.
> There seems to be no no-smartphone option, which seems a bit strange.

--
Cheers,
Carlos E.R.

Frank Slootweg <this@ddress.is.invalid> wrote:
> Chris <ithinkiam@gmail.com> wrote:
>> R.Wieser <address@is.invalid> wrote:
> [...]
>
>>> As for a smartphone for authentication ? I always found that odd.
>>> You have exactly *zero* control over what is going on on it, and if
>>> you make sure you can (rooting it) you are flagged as "insecure".
>>
>> What "control" do you want by rooting?
>>
>>> Besides that, its a *non-secure* chain, in the sense that pretty-much any
>>> helpdesk employee can transfer your phone number to another physical phone
>>> (social engeneering).
>>
>> That's illegal without your knowledge.
>
> This time Rudy more or less dismissed your argument.
>
> Earlier, I mentioned that most 2SV/2FA does not use a phone number. It
> may use the phone *itself*, but not the phone *number*. Rudy snipped and
> ignored those comments, which is rather telling.
>
> As usual, the context is vague, but it is mostly about banking, the EU
> and The Netherlands ("here"). I wouldn't know any reputable bank in NL
> which uses a phone number - i.e. SMS message - for 2SV/2FA. It's
> probably the same in most of the rest of the EU (and the UK).

Sadly too many orgs still use SMS as the only 2FA option, including banks.
Some banks can use their smartphone app as the TOTP token, but they're the
exception.

I wish I could use Authy for more things.

R.Wieser <address@is.invalid> wrote:
> Carlos,
>
>> The service that wants me to identify already knows that I'm going to
>> identify through the phone *and it is me*.
>
> How ? By them calling your number and asking if the person answering is
> you ? Yeah, that'll certainly work ... Number hijacking isn't a thing.
> Nosirree.

Number jacking isn't enough to get through security verification with the
bank. They ask you for specific information you set up with them and/or
something only known by you.

If you're smart you create pretend answers to the "memorable questions".

> Also most, if not all 2FA is computerised. Besides the user, no actual
> persons involved..
>
> And so you have a smartphone which sends a request for transfer of funds,
> and the same smartphone receiving a request to allow that transfer. If you
> get malware on your phone which can initiate (or manipulate!) the transfer,
> what do you think is the chance that the same malware can intercept and
> answer that 2FA request and handle it (either by replay, thru manipulating
> the 2FA app or just by social engeneering the user itself) ?

I mean, all that is quite a reach even if it were feasible. Much, much
easier to phish someone to give you their information willingly and
directly.

Andy Burns <usenet@andyburns.uk> wrote:
> Chris wrote:
>
>> R.Wieser wrote:
>>
>>> People who noticed unknown companies dipping into their accounts,
>>> and had to act themselves to get that money back.
>>
>> Not possible in the UK. Your bank details can only used to pay into the
>> account. There's no way to *pull* money without your knowledge.
>
> You might want to check that with Jeremy Clarkson
>
> <http://news.bbc.co.uk/1/hi/7174760.stm>
>
> Of course the person who set-up the direct debit didn't get their hands
> on his money, but the charity did and JC would have been entitled to a
> refund, but as I understand he didn't ask for one as it wouldn't exactly
> be a good look ...

That was 15 years ago.

On 2023-11-14 22:54, Chris wrote:
> R.Wieser <address@is.invalid> wrote:
>> Carlos,
>>
>>> The service that wants me to identify already knows that I'm going to
>>> identify through the phone *and it is me*.
>>
>> How ? By them calling your number and asking if the person answering is
>> you ? Yeah, that'll certainly work ... Number hijacking isn't a thing.
>> Nosirree.
>
> Number jacking isn't enough to get through security verification with the
> bank. They ask you for specific information you set up with them and/or
> something only known by you.
>
> If you're smart you create pretend answers to the "memorable questions".

The context of the conversation was loss of privacy, not security. This
is the full post - notice that parts were removed to change the
goalposts to security instead:

+++-----------------------------
On 2023-11-12 01:17, Newyana2 wrote:
> "Carlos E. R." <robin_listas@es.invalid> wrote
>
> | Because the context is using something on the phone as second
> | factor to authorize banking operations.
> |
>
> I was talking about the privacy problem of 2FA through
> a phone for anything.

What problem?

The service that wants me to identify already knows that I'm going to
identify through the phone and it is me. There is no privacy leaked.
-----------------------------++-
Message-ID: <krap8eF7runU1@mid.individual.net>

--
Cheers,
Carlos E.R.

R.Wieser <address@is.invalid> wrote:
> Chris,
>
>> Not possible in the UK. Your bank details can only used to pay into
>> the account. There's no way to *pull* money without your knowledge.
>> To pay a company directly from your account is only possible with a
>> Standing Order or Direct Debit or a one-off transaction authorised
>> by you over the phone/in the app.
>
> Thats quite the diffence with how it works here. To create a "standing
> order" I have give the *company* a permission slip, and they use that to
> prove (when asked!) that they are allowed to take money from me.
>
> Worse, when you want to stop such a permission You have to *ask* the company
> to stop billing you - and the bank is pretty-much refusing to be a party in
> it, even when stopping the permission is due to bad behaviour (the only
> thing you can do is to block that company).

I can cancel any direct debit or standing order purely from my banking app.

> And oh yeah, there is no way here to limit what a company using such a
> "standard order" is allowed to take per month. IOW, if they (by accident)
> bill you twice the second will go thru just like the first. Very funny when
> larger sums of money are involved. :-\

Mistakes happen, but it's easy to rectify.

> The only thing you could do is to tell the bank to send a fixed sum to that
> company, which (ofcourse)doesn't work all that well when small fluctuations
> or yeary adjustments are involved.

That's what direct debits allow say for paying off the minimum payment
required on a credit card. It varies a lot month by month. That's a useful
feature.

>>> As for a smartphone for authentication ? I always found that odd. You
>>> have
>>> exactly *zero* control over what is going on on it, and if you make sure
>>> you
>>> can (rooting it) you are flagged as "insecure".
>>
>> What "control" do you want by rooting?
>
> Take a wild guess. But I'll give you a hint : I allready mentioned it in
> this thread.

But not prepared to mention again?

>>> Besides that, its a *non-secure* chain, in the sense that pretty-much any
>>> helpdesk employee can transfer your phone number to another physical
>>> phone
>>> (social engeneering).
>>
>> That's illegal without your knowledge.
>
> Yes, and crooks are known to be lawfull citizens. /s

Everything has to be foolproof to be useful, right?

>>> As for using a smartphone to order *and* do MFA ? Thats like having
>>> your
>>> (four-digit?) bank code writen on the card itself. IMHO thats just
>>> /asking/
>>> for it...
>>
>> I mean, the CVV is literally printed on cards for security so not sure
>> what
>> point you're trying to make.
>
> Lol ? So anyone who finds a lost card can just pay with it ? Fantastic.
> :-(

That's always been true. Nowadays it's easy to block a lost card.

> No, the "bank code" here is something that isn't on the card and is regarded
> the users "password", to be guearded with its life.

No idea what that is.

> I had no idea what a CVV was, so I looked it up and got this :
>
> https://www.nerdwallet.com/article/credit-cards/find-credit-card-cvv-number
>
> The most humorous part (in a very sad way) of it was this :
>
> "When you provide this number for an online or phone purchase, the merchant
> will submit the CVV when it authorizes the transaction. It's an attempt to
> verify that you have the physical card in your possession and that you're
> not just using stolen card information."
>
> I cannot imagine how the merchant, on the other side of an online or phone
> connection, will be able to see that you have the bank card in your hands,
> and are infact "not just using stolen card information".

CVV codes are by definition not stored anywhere so cannot be stolen.

> As that website doesn't seem to have a clue to how the protection-by-CVV is
> supposed to work, can you explain ?

CVV are, by design, not stored anywhere and so will only be known by the
card holder.

>>> Yes, I do think most people with smartphones are stupid.
>>
>> That's nothing to do with smartphones. Most people don't care about tech
>> and just do what's simplest.
>
> Thats pretty-much what I said. They have *no* idea what their phone is
> capable of, but they trust their whole lives to it.
>
>>> When I was younger I was taught that running random executables on
>>> a 'puter was taking a risk of getting malware.
>>
>> That's because it was.
>
> Yep. But the thing you overlooked is that it still is.

No it isn't.

>>> Nowerdays you're regarded a weirdo if you do *not* allow random
>>> executables (ranging from apps thru active-content documents thru
>>> JS on browsers) on it. Go figure.
>>
>> App Stores are not sourced of random executables.
>
> As far as I'm concerned, they are.
>
> As long as you pay for a "developer license" you can dump anything you want
> in it. And yes, "App stores" (walled gardens) have been known to have
> quite a bunch malicious apps in them, particulary pretty-much copies of
> popular ones.

More or less than "random executables"?

> And thats apart from the well-working non-malicious apps that get sold to
> some other "developer", who than make use of the automatic updating
> mechanism of an established app to replace it with their own malicious
> version of it.

Sounds very theoretical and unrealistic. Any real examples?

> Regards,
> Rudy Wieser
>
>
>

Carlos E. R. <robin_listas@es.invalid> wrote:
> On 2023-11-14 22:54, Chris wrote:
>> R.Wieser <address@is.invalid> wrote:
>>> Carlos,
>>>
>>>> The service that wants me to identify already knows that I'm going to
>>>> identify through the phone *and it is me*.
>>>
>>> How ? By them calling your number and asking if the person answering is
>>> you ? Yeah, that'll certainly work ... Number hijacking isn't a thing.
>>> Nosirree.
>>
>> Number jacking isn't enough to get through security verification with the
>> bank. They ask you for specific information you set up with them and/or
>> something only known by you.
>>
>> If you're smart you create pretend answers to the "memorable questions".
>
>
> The context of the conversation was loss of privacy, not security.

Ah yes. True.