How Corporate Security Sloppiness Threatens Your Online Life and How You Can Reduce Your Risk

2024-01-30 • SEND FEEDBACK |
Related: Apple, Apple iOS, Apple iPhone and iPad, external articles by Lloyd, iOS, Other World Computing, OWC articles by Lloyd, passphrase, password manager, Sebastian B, security

re: security
re: OWC articles by Lloyd

...

Click title to read more.

How Corporate Security Sloppiness Threatens Your Online Life and How You Can Reduce Your Risk

2024-01-30

It’s hard enough protecting yourself, but too many big corporations out there put you at risk.

There is not a lot you can do about it other than looking elsewhere, which is often impractical. This article discusses some of the most common Worst Practices and offers some ways to minimize the risks.

Corporate Security Worst Practice #0: The really dumb stuff

Believe it or not, many companies out there are still doing really dumb stuff with security. Hopefully, no company still stores cleartext passwords, but some probably do. Some store hashed passwords—passwords that are run through a hashing algorithm to convert the password text itself into letters and numbers—but fail to ‘salt’ them, making a brute force password cracker’s job easy. That’s the really dumb stuff.

...

How Corporate Security Sloppiness Threatens Your Online Life and How You Can Reduce Your Risk

Reader comments

Anon (requested to be) writes:

In case you think I am doing something stupid, please let me know. I am 76 years old and might be using bad practice.

Here are some thoughts on passwords and login credentials and account security.

I have a Mac Studio M2 Ultra and run BiteDefender anti-virus software on it.

I maintain a password file for 275 or so accounts in an excel spreadsheet. The spreadsheet is stored in a 256K encryption sparse image file on my Mac. The closed sparse image can be passed around and based upon everything I know, it is very secure. The spreadsheet is protected by a 20 character password. I have been using this approach for 25-30 years or so, before password managers existed. I keep a copy of this file and the password in my safe deposit box so my kids can unravel my online world if I get hit by a beer truck.

I do not use the same password on more than one site. KeyChain nags one if you do.

I like Apple’s Keychain for automatic password entry on sites where there is no real or a minimal threat to me if the password or credentials are stolen. Keychain is really only as good as the weakest entry door to it on any of your devices, which can be 4 or 6 digit entry code for your iPhone or iPad (or if one is smart a real password on the iPhones and iPads) and once that entry has been made all of one’s passwords are visible without limitation as long as you know the 4 or 6 digit passcode. To circumvent this, we (my wife and I) have gone to a passphrase on our iPads and iPhones and a screen time password before any account info can be changed. So the passwords stored in KeyChain are reasonably secure.

Some years ago I read where several password manager systems were compromised at black-hat security challenge conference events. Maybe I should look harder at a Keychain alternative, but stories are a plenty about some of these password outfits being hacked doing dumb-ass stuff storing and/or handling the password and ID credentials as you noted in your recent article. So I have never gone down the road of a password manager other than KeyChain - I figure, Apple has a higher probability of not hosing up KeyChain than Joe Password does, but who knows. And everybody probably leaves data remnants in memory for mining.

Some sites do not allow any user names other than one’s e-mail address. On those, you have no choice other than to use a lesser used email address. And you should think about if you really want to do business with such a bonehead site.

All banks, credit unions, insurance companies, credit card issuers, grandkid 529 plans and important accounts where a bad guy getting access can steal my money have the following:

• The user name does not contain any reference to may real name it looks like a 20-28 character password. So a bad guy looking to see if I have an account with say Bank of America, will have to bang around for an awful long time to find if I have an account there.
• The password is also 20-28 characters long. I don’t care what it is and make no efforts to remember it or the user name, I login to these accounts on my desktop or laptop and copy and paste the password from the password file to the browser login screen. User names on these accounts are not re-used on multiple accounts.
• If one wants to hack into my accounts, in affect they need to come up with two long passwords - one for my identity/user name and one for actual account access.
• I do not use Keychain for bank, credit card, or other similar types of sites where my real money or important info can be stolen.

I have found that banks, credit unions, and two of the largest investment firms in the US require one to:

• Turn off all browser safety precautions to work with their sites such as Preventing Cross Site Tracking - must be turned off for most financial institutions bill pay systems to work
• Allow them total access to all files on your machine - especially where the investment firm has a stock tracking and account management software application they load onto your machine. And I can name them.
• So the folks who should care the most about your security are the absolute worst at helping you protect it - go figure! They do this because it is easier to set up their software to run on your machine if they don’t have to care about normal security precautions - my opinion.

For the reasons above, I do not use any financial apps on my iPhone or iPad. There is no reason to do so. Why put your financial data on a device that if stolen and kept open for a bit potentially allows a thief to get a peek at one's financial situation. And keep in mind that a lot of these outfits creating these apps are selling the apps to numerous banks, credit unions, etc.. And they are the same folks that write software for your desktop that wants total access to everything you own. If they don’t let me use good computing practices on my laptop or desktop, what makes me think they will use good practices on my iPhone or iPad? Why go there?

I don’t leave credit cards on any sites (except for Amazon and PayPal) so there is fairly limited ability to cause me any real financial pain if these site credentials are somehow stolen. When purchasing I usually use a one time credit card entry or PayPal.

We don’t use debit cards because there is little protection if your info is hacked.

My credit accounts at the three major credit rating agencies have been frozen for 10 years or so and are opened up for a day or so as required for a car loan or credit card application.

Security questions are answered with nonsense answers. What school did I attend? "Reform school in Anchorage Pakistan on Mars”. These nonsense answers are stored in the password spreadsheet.

We have several bank accounts. I only allow a very limited set of vendors to pull money from a bank account. And we keep a limited amount of funds in the “pull” account to avoid a number of potential exposures.

Bills are paid online with Online Bill Pay to prevent paper checks being stolen and check washing, which is a growing fraud issue.

Periodically I check if the passwords on major money accounts and e-mails have been pawned.

I have about 6 passwords memorized and that is it.

Maybe there is a nugget in here somewhere.

I enjoy reading you articles and insights on various issues. Thanks for the effort you put into it.

MPG: this is overall an outstanding approach.

One thing I would emphasize: if you copy/paste passwords for logins, after pasting immediately copy something else in order to clear the clipboard of the password.

Some brief comments:

• I do not recommend anti-virus for Mac as it causes various problems. And I am not aware of any actual benefits.
• It is not my experience that cross site tracking is needed for financial sites, but that could well be. It is one of the Worst Practices that corporations engage in. I deem it irresponsible incompetence in design.
• Excepting utility software whose core function requires access to all files (eg backup software, IntegrityChecker, etc), no software should need more than strictly limited access to your files. Do NOT grant “everything” access to such files. Usually you can deny access to all sorts of places with no downside.
• Sadly, most web sites require email as a login ID. Avoid it if you can, as per the notes above.

Sebastian B writes:

A few notes/thoughts on your reader's security practices:

– I've used basically the same approach (encrypted disk image with spreadsheet inside) before switching to 1Password when that became a thing. I agree it's generally a good approach, and your reader is obviously very thoughtful about handling sensitive information in general, so kudos to him.

– As you emphasized already, copy/paste is a risk, not only because passwords might remain in the clipboard indefinitely (which, mind you, may now be auto-synced by Apple to all your iDevices!) but also because you might inadvertently paste a password into an unsafe place (think some unsecure text box on the web— or paste into the address bar to send it directly to Google!). Good password managers offer restoring previous clipboards contents after a minute or so (beyond largely obviating the need for copy-pasting anyway), greatly mitigating this risk.

– With disk images, passwords are there for everyone to see as long as the disk image and your device are open/unlocked. There's no readily available way to close a disk image after, say, an hour of inactivity short of remembering to do so. You might inadvertently leave it open indefinitely, in which case it becomes no more secure than an unprotected spreadsheet. Again, password managers reduce this risk by automatically locking the database after a given period of time or when, e.g., the device is locked or goes to sleep. Considerably less potential for human error. (Actual impact varies greatly depending on how and where the device is used—maybe not a big issue with a stationary computer at home, but possibly a huge issue with mobile devices in public places.)

– If the macOS keychain is (at least partially) used for easy website password filling, all risks of the keychain apply. Those used to be low, but now keychains are synced to your iCloud account and all your iDevices by default, greatly expanding the attack surface and likely introducing much weaker links into your security chain. I would strongly recommend turning off iCloud Keychain/Password syncing on all devices (eliminating storage of your passwords in iCloud), and thinking twice about manually storing them in the keychains of mobile devices (esp. phones) at all.

– I don't know how it is with Excel these days, but with Apple's Numbers there are basically yearly app updates with file format changes that are usually backward-incompatible, and the latest-and-greatest Numbers is often exclusive to the latest-and-greatest macOS version. Thus, unless all devices are running the latest version of everything, an "innocuous" app update on one device may make the spreadsheet unreadable on all others. (Though manual syncing of the file eases this risk.)

Of course, password managers also have drawbacks (forced cloud syncing, possibly with insufficient security, and never-ending subscription costs being two important ones).

WIND: solid advice.