185
top 50 comments
sorted by: hot top controversial new old
[-] atzanteol@sh.itjust.works 58 points 1 week ago

That's great when my bank only uses sms for mfa though.

Seriously, bank and credit card companies need to get with the program more than me and my friends.

Steam. The store front I get my video games from. Has 2-factor authentication with a short time rotating code. To secure my Steam account.

My bank uses SMS and "security questions" aka personal trivia questions.

[-] Eezyville@sh.itjust.works 2 points 1 week ago

Easy to guess with some social engineering

[-] toynbee@lemmy.world 3 points 1 week ago

While I agree with you, some people answer these questions with deliberately incorrect answers. If my closest friend tried to compromise my bank account with my security questions, he'd get them all wrong (and even he doesn't know my wrong answers).

Still a bad design, though.

[-] Draconic_NEO@sh.itjust.works 3 points 1 week ago

Or literally anyone who knows you. It's based on the idea that strangers are the ones who will try to screw you over but everyone knows that it's people who you know that end up screwing you over in most cases. So security questions are basically useless in all those cases.

[-] Chais@sh.itjust.works 9 points 1 week ago

Right? Had a bank account once, where the login password could only have up to 8 characters. And only digits.

[-] MTK@lemmy.world 9 points 1 week ago

Lucky, mine is 6 (yes, right now in 2024)

[-] Chais@sh.itjust.works 5 points 1 week ago

I just checked my KeePass and turns out I still have the entry in the recycle bin.
It was 5 digits. Admittedly, that was "back in 2012," but still. For shame, Bank Austria!

[-] xapr@lemmy.sdf.org 3 points 1 week ago

Swiss (Cheese) Bank?

That's a huge part of why I use my brokerage, Fidelity, as my main bank, they support Symantec VIP TOTP. I prefer my regular TOTP solution, but this us miles ahead of literally every other bank I've used.

[-] Eezyville@sh.itjust.works 2 points 1 week ago

The only bank that allowed me to use totp was a credit union. You'd think the rich ass banks could afford to hire a developer to set up good MFA.

Yeah, and just for a few months. TOTP really isn't that complicated...

[-] Evotech@lemmy.world 1 points 1 week ago

That's wild

[-] Thcdenton@lemmy.world 27 points 1 week ago

Ok FBI, let me know which ones to use

[-] skeezix@lemmy.world 12 points 2 weeks ago

Are there still apps that arnt encrypted?

[-] Supernova1051@sh.itjust.works 31 points 1 week ago

Telegram, for all their security claims, is basically not actually encrypted at all.

[-] randomperson@lemmy.today 6 points 1 week ago

This is incorrect. Telegram is not end to end encrypted by default. But it is encrypted to and from their servers.

[-] vrighter@discuss.tchncs.de 9 points 1 week ago

yeah, that means not encrypted. When speaking to a web server, you are one end, and the server is the other. Tls ensures that there isn't a man-in-the-middle.

In case of telegram, you are one end another user is the other end. Telegram themselves are, by design, a man-in-the-middle in this case. I'm not concerned about a different middleman intercepting communications between me and telegram. I'm concerned about any middleman (which includes telegram themselves) intercepting communications between me and my friend.

So no, telegram chats are not encrypted by default. Telegram can read them.

[-] jlh@lemmy.jlh.name 9 points 1 week ago

TLS isn't sufficient for messaging apps in 2024

[-] Opisek@lemmy.world 9 points 1 week ago

Except Telegram doesn't use TLS :) They use MTProto.

This is not me endorsing Telegram. I'm just pointing out your mistake. Telegram has other issues but it definitely does have transport encryption.

[-] jlh@lemmy.jlh.name 7 points 1 week ago* (last edited 1 week ago)

The above commenter said that their end-to-end MTProto protocol is not enabled by default.

Defaulting to just using transport encryption like TLS on a messaging app isn't sufficient in 2024.

[-] Opisek@lemmy.world 6 points 1 week ago

MTProto is not end-to-end. MTProto is their obfuscated client-server transport encryption.

What the commenter above is referring to is Telegram defaulting to saving your messages on the server in plaintext. You can use a "secret chat" which enables end-to-end encryption, but that is separate from MTProto.

Your sentiment is correct though. Messages should not be visible in plaintext to the server.

[-] jlh@lemmy.jlh.name 2 points 1 week ago

I dont know much about it, but Wikipedia says that MTProto is specifically for "secret chats":

For encrypted chats (branded as Secret Chats), Telegram uses a custom-built symmetric encryption scheme called MTProto.

https://en.m.wikipedia.org/wiki/Telegram_(software)#Architecture

Maybe Wikipedia is misleading here

[-] Opisek@lemmy.world 2 points 1 week ago* (last edited 1 week ago)

You're right, it is misleading. There are different "flavours" of MTProto. See here:

https://core.telegram.org/mtproto

This page deals with the basic layer of MTProto encryption used for Cloud chats (server-client encryption). See also:

  • Secret chats, end-to-end-encryption

  • End-to-end encrypted Voice Calls

(The major difference is simply whether the server and client share a key or two clients)

[-] Appoxo@lemmy.dbzer0.com 2 points 1 week ago* (last edited 1 week ago)

Luckily I misuse Telegram only as a system notification program.

load more comments (8 replies)
[-] Zachariah@lemmy.world 7 points 1 week ago

There are many where the server owners can see the messages, just not anyone else between the sender and receiver.

Threema and Signal are good options that don’t do this.

[-] breadcat@sh.itjust.works 3 points 1 week ago
[-] Zachariah@lemmy.world 1 points 1 week ago

Signal being an American company is also problematic.

These two are the best balance of security/convenience, however.

[-] breadcat@sh.itjust.works 2 points 1 week ago

server location and legal jurisdiction shouldn't matter for any truly secure messenger

load more comments (4 replies)
[-] Anticorp@lemmy.world 2 points 1 week ago

You can create and run your own Signal server if you don't trust Signal.

[-] Zachariah@lemmy.world 2 points 1 week ago

Interesting. Are the server and client open source? Is a self-hosted server interoperable with the main ones?

[-] Supernova1051@sh.itjust.works 2 points 1 week ago

Signal is completely open source and auditable by anyone: https://github.com/signalapp

if you were to create your own clone, it would not interoperate with the real one.

[-] samus12345@lemmy.world 4 points 1 week ago

1/20/25: FBI Orders Americans to Use Unencrypted Messaging Apps

[-] imblue@feddit.org 2 points 1 week ago

Why not Matrix ? Its E2E nit just TLS and also it prevents vendor lock in. This way chosing a providor is really about trust and not also about having to chose the same thing what your friends use

[-] allo@sh.itjust.works 1 points 1 week ago

silly question maybe but after researching China a bit for a few days, I'm genuinely curious: I like supporting the LGBTQ cause, which I could see making me want to avoid Trump probing, but from what I researched, China gov is not against LGBTQ. So is there any specific reason I should fear China looking at my stuff?
Is it basically if I have account info in messages they would hack my accounts?

load more comments
view more: next ›
this post was submitted on 05 Dec 2024
185 points (97.9% liked)

Cybersecurity

5834 readers
196 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub

Notable mention to !cybersecuritymemes@lemmy.world

founded 2 years ago
MODERATORS