Google Passkeys - The solution to phishing? - Will LL implement this?


7 hours ago, Caeruleiae said:

In first grade we started going to the computer lab. In first grade I was taught not to click random links. It's not that difficult of a concept.

For reference sake-and those not familiar with school ages in the US-I was 6. At six years old I started learning-and understanding-the basics of why we need to be careful on the internet. I have the luxury of having had the internet my entire life which means I've had slightly more time than some to get used to the fact that people with bad intentions are everywhere on the internet. But if I can learn at the ripe young age of 6 not to click random links-adults who have been around a lot longer than me have no excuse whatsoever. I was still learning how to type at age 6 and didn't even yet have an email address and I still knew. It's a people problem plain and simple. 

Just because technology-including the internet-can make our lives easier that doesn't mean we stop trying to protect ourselves. Your front door not only keeps out the elements and the wilds of nature but also people with bad intentions-which is a great convenience as much as it is protection. Do you leave it open or unlocked 24/7 just because you expect the world around to respect that this is your space and nothing else is allowed in it unless you say? No you lock it and close it when necessary as a form of protection for you your family and your stuff. Don't be ignorant with you your family and your stuff on the internet. Use both common sense and methods of protection you know are available-that information isn't hidden behind some secret wall it is basic knowledge. 

Link to comment
Share on other sites

11 minutes ago, Caeruleiae said:

For reference sake-and those not familiar with school ages in the US-I was 6. At six years old I started learning-and understanding-the basics of why we need to be careful on the internet. I have the luxury of having had the internet my entire life which means I've had slightly more time than some to get used to the fact that people with bad intentions are everywhere on the internet. But if I can learn at the ripe young age of 6 not to click random links-adults who have been around a lot longer than me have no excuse whatsoever. I was still learning how to type at age 6 and didn't even yet have an email address and I still knew. It's a people problem plain and simple. 

Just because technology-including the internet-can make our lives easier that doesn't mean we stop trying to protect ourselves. Your front door not only keeps out the elements and the wilds of nature but also people with bad intentions-which is a great convenience as much as it is protection. Do you leave it open or unlocked 24/7 just because you expect the world around to respect that this is your space and nothing else is allowed in it unless you say? No you lock it and close it when necessary as a form of protection for you your family and your stuff. Don't be ignorant with you your family and your stuff on the internet. Use both common sense and methods of protection you know are available-that information isn't hidden behind some secret wall it is basic knowledge. 

You can google what phishing and social engineering are in the IT field and find out why grown adults can be fooled.

Link to comment
Share on other sites

15 minutes ago, Aiyumei said:

You can google what phishing and social engineering are in the IT field and find out why grown adults can be fooled.

I don't need to google it. I work in IT. I see it every day. 

That still doesn't excuse not using the most basic of precautions. Most people who find themselves on the wrong side of a phishing attack didn't get fooled by something elaborate. I can't even tell you how many instances of phishing I have encountered-or how many systems I have had to fix because others have encountered and done not even the most basic of things to protect themselves. It's not rocket science and the information about phishing is readily available for anyone. They teach the basics of internet safety in every public school I know of-I can assume most private schools as well.  A simple not even two second search will bring up countless websites that teach people internet safety-what to look out for what to avoid and how to protect yourself. 

Edited by Caeruleiae
  • Like 1
Link to comment
Share on other sites

Nope. Bad idea. Why do people want to link accounts to google. Very bad idea. Never going to use it. 2FA is better if you can use it. Also because the auth app you can backup the account without google.

Passkeys sounds for me, you lose your google account. You're screwed.

Also, never store passwords in the cloud!

Edited by Richardus Raymaker
Link to comment
Share on other sites

1 hour ago, Caeruleiae said:

For reference sake-and those not familiar with school ages in the US-I was 6. At six years old I started learning-and understanding-the basics of why we need to be careful on the internet. I have the luxury of having had the internet my entire life which means I've had slightly more time than some to get used to the fact that people with bad intentions are everywhere on the internet. But if I can learn at the ripe young age of 6 not to click random links-adults who have been around a lot longer than me have no excuse whatsoever. I was still learning how to type at age 6 and didn't even yet have an email address and I still knew. It's a people problem plain and simple. 

Just because technology-including the internet-can make our lives easier that doesn't mean we stop trying to protect ourselves. Your front door not only keeps out the elements and the wilds of nature but also people with bad intentions-which is a great convenience as much as it is protection. Do you leave it open or unlocked 24/7 just because you expect the world around to respect that this is your space and nothing else is allowed in it unless you say? No you lock it and close it when necessary as a form of protection for you your family and your stuff. Don't be ignorant with you your family and your stuff on the internet. Use both common sense and methods of protection you know are available-that information isn't hidden behind some secret wall it is basic knowledge. 

When I was 6 the internet didn't exist, and it wasn't necessary to lock our doors to keep people out.

  • Like 1
Link to comment
Share on other sites

4 hours ago, Silent Mistwalker said:

When I was 6 the internet didn't exist, and it wasn't necessary to lock our doors to keep people out.

It probably didn't when most people alive today were 6-at least not what we have today. But it does exist today and the knowledge necessary to protect ourselves on it does too.  My grandparents didn't lock their doors either and my grandmother was assaulted by someone that just came in her house (she healed, he was sent to jail-all is right with the world) and even after that still sometimes didn't out of pure habit. It wasn't done because there were less bad people-though people might believe so. Bad people have existed since the dawn of man. We hear more about them now but they have always existed. My grandparents aren't really old either so it hasn't been all that long since it happened. Now they're a bit safer with themselves but that has more to do with protecting my grandpa who behaves more like a curious toddler these days since he wanders. 

Just because bad things don't always happen doesn't mean we should ignore safety risks. When we know better-or are faced with worse-we do better right?

Today isn't yesterday and tomorrow won't be today. There is still plenty of information out there for people to use in order to protect themselves and it's right at their fingertips. If they make the choice to not use it-they are at risk. That's the simple and hard truth of just about anything regarding safety. You can't prevent everything-but there's lots you can. 

Edited by Caeruleiae
  • Confused 1
Link to comment
Share on other sites

And before cars, there were no car accidents but people soon learned not to walk in front of them.  Before there were phones, there weren't telephone scams either.  Some people, to this day, fall victim to those.  I hear about new phone scams all the time. Can't blame it on the phone.  People need to be more aware, everywhere.

  • Like 1
Link to comment
Share on other sites

5 minutes ago, Rowan Amore said:

And before cars, there were no car accidents but people soon learned not to walk in front of them.  Before there were phones, there weren't telephone scams either.  Some people, to this day, fall victim to those.  I hear about new phone scams all the time. Can't blame it on the phone.  People need to be more aware, everywhere.

When I was a cub, we didn't have these fancy modern conveniences.  But we'd still get trampled in prey herd stampedes!

About the only way to console yourself after THAT embarrassment, was to chow down on a filthy early hoo-mon in his dingy cave.

Get off my lawn!
 

Link to comment
Share on other sites

A truly successful phishing incident doesn't compromise an account but rather it compromises hundreds of thousands of accounts. One of those may be mine, no matter how carefully I've protected myself.

For that matter, it's simply delusional to imagine "being smart" can protect against one-on-one phishing. It's the kind of delusion "street smart" New Yorkers discover on their first Jakarta visit: Not the same streets. Sure, the perpetrators have a script, but the ones at the edge of the threat envelope spend literally all day every day devising new scripts.

How many times have you used generative AI to refine your security strategy? You can be sure the threats have used it for days on end, devising new ways to defeat defenses. It is their "job" after all.

MFA / 2FA is table stakes now. Passkeys are one way to streamline MFA and reduce the inherent vulnerability of passwords.

That's all temporary; the threats keep evolving. Responding with obsolete strategies ("protect your password", "don't visit bad sites") protects against an obsolete threat.

  • Like 2
  • Haha 1
Link to comment
Share on other sites

3 hours ago, Rowan Amore said:

And before cars, there were no car accidents but people soon learned not to walk in front of them.  Before there were phones, there weren't telephone scams either.  Some people, to this day, fall victim to those.  I hear about new phone scams all the time. Can't blame it on the phone.  People need to be more aware, everywhere.

That was my point too thanks. At some point we have to hold people accountable for their own actions or inaction. If people aren't willing to learn how to protect themselves and then put that into place-I can't be bothered to care if they get phished. 

My boss' office manager got fired last month for constantly putting the systems at risk after repeat warnings. Not because there wasn't proper security in place-the fact that there was is how he got caught repeatedly- but because he was a moron that refused to change. It might sound harsh to some but I don't know at what point those people would start to blame him for being a moron and stop blaming technology for being the technology that it is. 

Edited by Caeruleiae
Link to comment
Share on other sites

15 hours ago, Caeruleiae said:

I don't need to google it. I work in IT. I see it every day. 

Guess what? I also work in IT.

 

4 hours ago, Caeruleiae said:

My boss' office manager got fired last month for constantly putting the systems at risk after repeat warnings. Not because there wasn't proper security in place-the fact that there was is how he got caught repeatedly- but because he was a moron that refused to change. It might sound harsh to some but I don't know at what point those people would start to blame him for being a moron and stop blaming technology for being the technology that it is. 

My point exactly, people lack the knowledge about how to protect themselves. They don't teach that kind of stuff in school and while you and I have the technical knowledge and experience I assure you the majority of people who use computers in their daily lives don't know what malware is, why it's good to have 2FA, why they have to use VPN at work or what the ISO standards are. The majority of people blindly accept the cookie prompts when visiting websites without knowing what they do and the fact they can collect your information and worse if the site is malicious.

I don't need to go into details how most commercial orientated websites lack basic security measures and you can see the user data in the web requests, no validations on backend level where you can do an SQL injection and get what you want, that's security testing 101. From there a more knowledgeable person about penetration testing can go with URL interception, session hijacking or even DNS spoofing (it's why you DON'T connect to random public Wi-Fi networks).

Currently the most secure password method I've seen on the market is passwordless login where you use the biometry of your mobile device as authentication along with integration with government system where your citizen ID is stored. The two are then combined to create two keys (public and private) which are hidden behind custom 256-bit encryption. In other words, what the guy on the video talks about but significantly better and more secure.

  • Like 1
Link to comment
Share on other sites
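
Public/private-key sign-in of the kind discussed in the posts above is also how a passkey works, and the origin binding is what makes it resist phishing where a password does not. The following is an added example, not code from the thread or from any participant: a simplified WebAuthn-style assertion check in Node.js, where the domain names and function names are constructed for illustration and the authenticator data is reduced to the RP ID hash.

```javascript
// Added illustration: simplified WebAuthn-style passkey assertion (not a complete implementation).
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto'); // loads under CommonJS or ESM

const RP_ID = 'login.example';             // constructed relying-party ID
const RP_ORIGIN = 'https://login.example'; // constructed legitimate origin
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the authenticator keeps the private key; the site stores only the public key.
function createPasskey() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
}

// Sign-in on the client. The browser fills in `origin` from the page actually
// loaded; page script cannot choose it. authData is reduced to the RP ID hash.
function signAssertion(privateKey, origin, challenge) {
  const clientDataJSON = JSON.stringify({ type: 'webauthn.get', challenge, origin });
  const authData = sha256(new URL(origin).hostname);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: nodeCrypto.sign('sha256', signed, privateKey) };
}

// Server-side verification: every check must pass before the user is logged in.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON);
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expectedChallenge) return 'stale or foreign challenge';
  if (client.origin !== RP_ORIGIN) return 'wrong origin';
  if (!a.authData.equals(sha256(RP_ID))) return 'wrong RP ID';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: the same passkey used on the genuine site and on a look-alike domain.
function demo() {
  const { publicKey, privateKey } = createPasskey();
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  const genuine = signAssertion(privateKey, RP_ORIGIN, challenge);
  const lookalike = signAssertion(privateKey, 'https://login-example.test', challenge);
  // Rewriting the origin after signing invalidates the signature.
  const rewritten = { ...lookalike, authData: sha256(RP_ID),
    clientDataJSON: lookalike.clientDataJSON.replace('login-example.test', 'login.example') };
  return {
    genuine: verifyAssertion(publicKey, challenge, genuine),
    lookalike: verifyAssertion(publicKey, challenge, lookalike),
    rewritten: verifyAssertion(publicKey, challenge, rewritten),
    replayed: verifyAssertion(publicKey, 'a-later-challenge', genuine),
  };
}
```

In a real browser there is an earlier layer as well: a passkey registered for one RP ID is not offered to a page on a different domain, so the user has nothing to hand over on the look-alike site.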

27 minutes ago, Aiyumei said:

My point exactly, people lack the knowledge about how to protect themselves.

But they have every opportunity to learn-the information isn't hidden-no one needs a degree or even a high school diploma to understand it. The information is even more prevalent today than it was when I was still a child-which was less than ten years ago. 

28 minutes ago, Aiyumei said:

They don't teach that kind of stuff in school

Yes they actually do. I don't know when you were last in school-but as I stated earlier they literally taught me this at 6 years of age. They were teaching it before I was in first grade as well. They may not have taught it to everyone in grade or even high school especially in years before I was even born-but that doesn't change my point that the information about the most basic of protections-like don't click random links and use strong passwords is all over the place. There are no excuses unless someone doesn't have the mental capacity to understand it-in which case they probably don't have the mental capacity to function on the internet very well at all either. Most people have more than enough mental capacity to understand basic safety. If they choose not to use that information it's on them. 

30 minutes ago, Aiyumei said:

The majority of people blindly accept the cookie prompts when visiting websites without knowing what they do and the fact they can collect your information and worse if the site is malicious.

Just because people do it doesn't mean we accept it as ok or expected behavior. I expect more from grown adults if children can even manage it. Again-please don't act like the dangers of the internet is some unknown-it is too widely available in this day and age. Yes it is still taught in school-if yours didn't and you grew up with the internet too that was a failing on their part. People likely do know it-they just ignore it. People know the dangers on the road too-even if they don't always protect themselves and others the way they should. Ignorance of the law is never accepted as an excuse-neither should ignorance of basic internet safety. No one needs to know the exact ins and outs of everything to understand basic safety. It's not that difficult or complicated. 

I also don't need all the information you posted-although I am certain some people do so it can be quite helpful for them. I don't want that to sound arrogant but I am very well versed in all of those subjects much like I suspect you are. None of that changes my opinion. The idiot that got fired knew the dangers of not protecting his device and our network. He went through the same training and meetings-he got all the same memos everyone else in the company did. He got fired because like many he chose to stay ignorant and continue doing what he was doing. I do not feel bad for him-just as I didn't feel bad for him when one of his devices got bricked because of his actions. 

I said nothing at all about websites using security measures-I'm aware many are lacking. Individual internet safety should never be left up to the websites one visits or services one uses. There are some expectations of course but basic internet safety starts with an individual-period. 

  • Sad 1
Link to comment
Share on other sites
