John Setzler

Two-Factor Authentication / Credit Card Security


Over the last year or so, I have started using this everywhere possible. Some of my regular accounts that allow it are Google, Amazon, PayPal, my credit union, Facebook, Twitter, and others. It minimizes my chances of getting hacked significantly. If someone obtains my password they will be unable to log in to any of those accounts unless they have access to my second factor of authentication, which in most cases is my cell phone where I receive a text message with a six-digit code to complete the transaction or login.

 

I am still disappointed that credit/debit card transactions cannot be secured in this day and time. How often are we seeing stories about credit card data being compromised because of some company (i.e. Target and Yahoo) getting hacked? I am tired of having to replace a debit card and then go change all my automatic drafts each time it happens. I tend to get issued a new debit card by my bank every six months or so because 'my data may have been compromised.'

 

A couple jobs back, I had this device that worked with my network login for that company. I had a login ID and password, but I was forced to supply a six-digit code attached to my password. That six-digit code changed every 60 seconds and it was displayed on a small key fob device that I had to have with me in order to access the network. I would LOVE to have a credit / debit card that required a PIN number for use that changed every 60 seconds in this fashion.

 

I think most credit card fraud actually happens online where the seller never sees/swipes/inserts the actual card for the transaction to take place.  This type of fraud could be eliminated with the use of a pin or some other metric that is not tied physically to the card.  

 

How long is it going to take in the information age to secure credit and debit transactions?  I like the two-factor authentication.  Someone else could physically have my card in their hand and not be able to use it.  That's how it should be.

 

</endrant>

 


2 factor is the way to go.  I also use a password generator / manager so that my passwords can't be cracked.  I never use the same password twice and I only have to remember the one hard password.

My bank password looks something like this:  lA:|P:'A$%[KjmX7BTd`o37;vBg.j$v,9:Xx36f?c7V:,2|}_$Z/9Rxc@V1u%e>

 

Good luck with guessing that :-D

26 minutes ago, T Yelta said:

2 factor is the way to go.  I also use a password generator / manager so that my passwords can't be cracked.  I never use the same password twice and I only have to remember the one hard password.

My bank password looks something like this:  lA:|P:'A$%[KjmX7BTd`o37;vBg.j$v,9:Xx36f?c7V:,2|}_$Z/9Rxc@V1u%e>

 

Good luck with guessing that :-D

 

I use LastPass which works pretty well for me. I am trying to decide how complex my password needs to be when I'm using two-factor authentication. I have a password that I use that would be considered strong in most cases and I use variants of the same password based on where I am using it.


Last week my debit card number was jacked. Fortunately it was right before payday so the funds in the checking account were low. They tried a few different times to charge against my account and got denied. So the bank eventually put a hold on the debit card but not before they finally hit on $155, the company name was Zumiez #600. Zumiez is a clothing retailer with an online presence. Zumiez #600 is a scam that has nothing to do with the clothing retailer. How many unsuspecting husbands look up plain Zumiez and just figure the wife was Internet shopping again?

 

In the end I had to cancel the debit card - total pain in the rear. They never did get the $155 out of the account. Just glad it didn't happen right after payday or their first attempt at $500 would have worked. 

 


Cash is king....

Some banks allow you to get a one-time CC # online for purchases, you tell it the amount for the purchase and they issue you a valid one-time-use card right there on the spot. Check and see if your bank does it.


2-factor authentication (2FA) by SMS is better than nothing else, but it is not durable. FYI your phone number is not securely in your possession by default. There are many extreme examples of number-porting from high-value targets, that essentially steal your phone number to receive your 2FA texts. It's been too easy to do, up to this point, and phone companies have been slow to recognize this threat to their customers. As long as you have a smartphone, tablet or PC then you can generate a durable second-factor (TOTP based) that cannot be easily ported away. I suggest Authy (Android, iPhone, Chrome extension and app) for this approach but there are several others. Google Authenticator is the standard, but it's barebones with no backup - it is more work when you get a new phone and you'd better have a good record.

 

The phone app/TOTP code generator on the phone, replaces the one-purpose hardware gadget you had.  Very convenient.

 

There are techniques to prevent number porting orders, but phone companies can still screw it up.

 

As for the debit card, you can get one that is normally locked until you need to ring out, then unlock it with the smartphone, and relock every time.   Some banks do it, some don't.

 

I agree credit cards are still hard to secure.   An automatic one-time-use card# would be best - that is essentially what you get with Android Pay, or Apple Pay, or Samsung (whateverPay), but not many stores that I use, will do those.   


Good info. I travel a lot. When I spend somewhere I think may be the slightest vulnerable I use cash.

 

As we know, there are times when plastic is the only option. That said, I am discussing this with my wife who handles many many money transactions a day - she is aware of most of the card pitfalls - there is always a new twist. Will report back.


2 factor is great, can be hacked like anything else as has been stated but is worth the extra effort when it's offered as you are no longer a low hanging fruit. While I am at it if anyone in this community attends Defcon let me know. The one other piece I would like to add is set up alerting on all your accounts that offer it. I get immediate alerts for anything charged over 1.00. This way I can call out or dispute anything immediately if something pops up that I do not recognize. Also note though that some vendors don't process transactions until the next day.


Talked to wife. We are taken care of-I thought so. (I just follow directions) She is all for, and is glad, that the Kamado Gurus have awareness and security in place. 

 

M.

 

 

 

 

2 hours ago, ifican said:

2 factor is great, can be hacked like anything else as has been stated but is worth the extra effort when it's offered as you are no longer a low hanging fruit. While I am at it if anyone in this community attends Defcon let me know. The one other piece I would like to add is set up alerting on all your accounts that offer it. I get immediate alerts for anything charged over 1.00. This way I can call out or dispute anything immediately if something pops up that I do not recognize. Also note though that some vendors don't process transactions until the next day.

Agreed on the account alerts. That’s how mine are set up. We know enough people whose CC has been stolen that the wife doesn’t mind when I forward her emails asking if she purchased xxxxxxx


I do 2FA where I can. I'm also using Android Pay where I can. It's faster than a chip card, and uses a pseudo account, so your real card details are not out there in retail-space.

 

A security practice that bugs me is the "mother's maiden name" security questions. Sites should migrate away from those. Much of that data is 1) on the web, and 2) too easy to use on multiple sites.

44 minutes ago, Clayton_Haapala said:

I do 2FA where I can. I'm also using Android Pay where I can. It's faster than a chip card, and uses a pseudo account, so your real card details are not out there in retail-space.

 

A security practice that bugs me is the "mother's maiden name" security questions. Sites should migrate away from those. Much of that data is 1) on the web, and 2) too easy to use on multiple sites.

Make up a name for your mother. No one but you will know it is not really hers. :)
