Incidentally, while the cryptocurrency community provides easy one-stop-shopping for high-value targets, once criminals develop a business process to exploit this they could plausibly expand into adjacent markets. This *very much* includes startup founders, etc.
Ideally you do business with financial institutions which will not just give all the money irreversibly to anyone capable of spoofing your cell phone but strongly consider defense-in-depth against attacks like this. Some friends/acquaintances of mine had near misses to similar.
At the risk of getting close to socially contentious topics: there exist *some* banks and brokerages which will respect an account note "No account actions or transfers above $Xk unless I am standing in front of you in the office." You may want that service level someday.
"Can you recommend any?" Socially contentious because of the nature of my job, but in most futures where you wake up with atypical amounts of money in an account you'll also know at least one person who has been dealing with your threat model for years. Ask them for a rec.
We use TOTP exclusively at @BankMercury and it’s worked out fairly well so far. Still I think the 2FA offerings need improvement: 1. Google Authenticator doesn’t do backup, which surprises people and makes getting a new phone a pain in the butt
Lifecycle management at scale is the hardest problem in 2FA, a point which Stamos made a million times and which technologists underappreciate.
Google Authenticator is a TOTP, so acceptable for this purpose, as long as you can't end-run it with an SMS/etc.
SIM/number-porting fraud is horrific and I really do hope phone companies come up with some seriously effective technical countermeasures against it; the idea that impersonating me via mobile phone is O(finding a sufficiently gullible/rushed customer service agent) is terrifying
... SMS verification is effective against random / automated attacks, but not considered particularly useful against targeted attempts. Google itself recommends hardware-based 2FA for anyone likely to be the subject of a targeted attack.
Another low-hanging fruit: Gmail should not allow certain account recovery emails to be deleted for N days.