🍍David Longenecker🍍

In March, crooks made off with personal information on around 100,000 taxpayers by breaching a website tool intended t help with the FAFSA.

This letter sent by the IRS to affected taxpayers implies the crooks made off with far more than just income data. Credit monitoring is OK for detecting fraudulent new accounts - but does nothing if the crook has enough information to social engineer your bank.

https://www.securityforrealpeople.com/2017/04/a-letter-from-irs.html

Apr 19, 2017 at 1:10amWeb
Show thread🍍David Longenecker🍍Apr 19, 2017

I just heard that USAA is adding multifactor authentication for human-to-human customer service calls. Nice move!

Anyone know of any other banks that do this?

Show threadMunin, Keeper of LoreApr 19, 2017
@dnlongen That sounds nice, but....what factors? Please say KBIs aren't included.
Show thread🍍David Longenecker🍍Apr 19, 2017
@munin not KBI. A code sent via SMS or email. It's not ideal by any stretch of the imagination, but it's a significant step up from anyone else I have heard of.
Show thread🍍David Longenecker🍍Apr 19, 2017
@munin And yes, I have given feedback privately to that effect :-)
Show threadterribleplanApr 19, 2017
@dnlongen Do they have a way to authenticate themselves before you give them the multifactor info?
Show thread🍍David Longenecker🍍Apr 19, 2017
@terribleplan that's a great question. Authenticating myself is more meaningful if I'm the one initiating the call. If the call originates from them, truth be told I am likely to hang up and call back through a trusted channel.
Show threadterribleplanApr 19, 2017
@dnlongen so then not over a cell-carrier then?
Show thread🍍David Longenecker🍍Apr 19, 2017
@terribleplan Depends on how paranoid I am. Definitely not over a cell carrier in the vicinity of a security conference ;-)
Show threadterribleplanApr 19, 2017
@dnlongen Yeah. I'm just saying I think a mutually authenticated channel would be neat. Is there such a thing as diffie-hellman for humans?