this post was submitted on 13 Aug 2024

-6 points (45.2% liked)

Mildly Infuriating

35077 readers

421 users here now

Home to all things "Mildly Infuriating" Not infuriating, not enraging. Mildly Infuriating. All posts should reflect that.

I want my day mildly ruined, not completely ruined. Please remember to refrain from reposting old content. If you post a post from reddit it is good practice to include a link and credit the OP. I'm not about stealing content!

It's just good to get something in this website for casual viewing whilst refreshing original content is added overtime.

Rules:

1. Be Respectful

Refrain from using harmful language pertaining to a protected characteristic: e.g. race, gender, sexuality, disability or religion.

Refrain from being argumentative when responding or commenting to posts/replies. Personal attacks are not welcome here.

...

2. No Illegal Content

Content that violates the law. Any post/comment found to be in breach of common law will be removed and given to the authorities if required.

That means: -No promoting violence/threats against any individuals

-No CSA content or Revenge Porn

-No sharing private/personal information (Doxxing)

...

3. No Spam

Posting the same post, no matter the intent is against the rules.

-If you have posted content, please refrain from re-posting said content within this community.

-Do not spam posts with intent to harass, annoy, bully, advertise, scam or harm this community.

-No posting Scams/Advertisements/Phishing Links/IP Grabbers

-No Bots, Bots will be banned from the community.

...

4. No Porn/Explicit

Content

-Do not post explicit content. Lemmy.World is not the instance for NSFW content.

-Do not post Gore or Shock Content.

...

5. No Enciting Harassment,

Brigading, Doxxing or Witch Hunts

-Do not Brigade other Communities

-No calls to action against other communities/users within Lemmy or outside of Lemmy.

-No Witch Hunts against users/communities.

-No content that harasses members within or outside of the community.

...

6. NSFW should be behind NSFW tags.

-Content that is NSFW should be behind NSFW tags.

-Content that might be distressing should be kept behind NSFW tags.

...

7. Content should match the theme of this community.

-Content should be Mildly infuriating.

-At this time we permit content that is infuriating until an infuriating community is made available.

...

8. Reposting of Reddit content is permitted, try to credit the OC.

-Please consider crediting the OC when reposting content. A name of the user or a link to the original post is sufficient.

...

Also check out:

Partnered Communities:

1.Lemmy Review

2.Lemmy Be Wholesome

3.Lemmy Shitpost

4.No Stupid Questions

5.You Should Know

6.Credible Defense

Reach out to LillianVS for inclusion on the sidebar.

All communities included on the sidebar are to be made in compliance with the instance rules.

founded 1 year ago

MODERATORS

[email protected]

-6

We're in a very verify-happy era of technology (kbin.melroy.org)

submitted 1 month ago by [email protected] to c/[email protected]

24 comments fedilink hide all child comments

And god do I hate every second of it. My bank is the worst offender, because they allow me to log in, look at my balances and everything. It is until I decide to transfer funds from savings to checking, do they suddenly decide "WAIT! VERIFY YOUR IDENTITY!". All the while that I'm logged in!

Trying to call customer support to a car dealership to discuss changing dates on your lease? Welp, be prepared to know your child's name, your state, your blood sample and all other shit just to reach an agent so you can ask one simple question.

Google sucks balls for this too, obviously. Can't just simply sign in anymore, nope, gotta go find your phone and tell that, that it's you trying to log in and then you can go in.

Not to mention the amount of fucking codes we have to enter along the way. This shit piles up, people. We waste minutes to hours, collectively, on doing this shit.

top 24 comments

sorted by: hot top controversial new old

[–] [email protected] 32 points 1 month ago (1 children)

It sounds like your bank is doing MFA (multi-factor authentication) correctly, and that’s a good thing, because it sure would be obnoxious to have to verify all that information just to view your balances, and it’s a higher risk activity to allow someone to transfer funds than to view your balances.

If the dealership didn’t verify your identity and someone else made changes to your lease, would you have a problem with that?

You don’t have to use an authenticator on your phone. You can use a password manager like Bitwarden (their $10/year premium plan, or their $40/year family plan) that supports saving TOTP and auto-filling them from a browser extension (click to copy or you can have it automatically copied to the clipboard after you auto-fill the password). It also supports passkeys and you can avoid getting locked into a single ecosystem that way.

[–] [email protected] 12 points 1 month ago

adding on to this, the bank isn't doing just mfa, it's likely also doing risk-based authentication. logging in and viewing funds isn't that risky, but moving money around is much riskier, even in the same account. so you have to provide stronger evidence that it's you requesting the action.

[–] [email protected] 17 points 1 month ago (3 children)

On the matter of information security, but also security in general:

convenient
effective
inexpensive

Pick two.

[–] [email protected] 4 points 1 month ago (3 children)

A government issued ID card with a signed certificate on it could do all three pretty well.

[–] [email protected] 3 points 1 month ago (1 children)

Try to campaign for and get up and running such a nationwide government issued ID system and then tell me how inexpensive it was to do. :P

[–] [email protected] 1 points 3 weeks ago (1 children)

Some countries already have this.

[–] [email protected] 1 points 3 weeks ago (1 children)

Most countries already have roads. That doesn't make them inexpensive, just means the cost was already paid.

[–] [email protected] 1 points 3 weeks ago* (last edited 3 weeks ago)

Yes, it’s like infrastructure. Roads have running costs as well, you don’t just build them once and are set then.

Most countries have some form of national ID already.

[–] [email protected] 2 points 1 month ago (2 children)

Do you really trust a Government to keep your data secure?

How is such a card anything other than a universal identification card, which can then be stored by all and sundry as "proof", right until one of them gets hacked and your card needs replacing .. everywhere.

I think I'll pass.

[–] [email protected] 2 points 1 month ago (1 children)

The OPM hack a few years ago says they already can't.

[–] [email protected] 2 points 1 month ago (1 children)

https://en.m.wikipedia.org/wiki/Office_of_Personnel_Management_data_breach

[–] [email protected] 3 points 1 month ago

Lol, thanks! I knew what I meant, so clearly everyone must know what I meant! :face palm:

[–] [email protected] 1 points 3 weeks ago (1 children)

The government already knows my name and where I live, so if I trust them or not isn’t important.

To alleviate the issue with copied cards, cryptographic signatures and certificates can be used. The certificate is on your card and it’s signed by the government. Your certificate contains a private and a public key. The private key never leaves the card, only the public key. The public key is signed by the government.

So if a service wants to ensure your identity, they will give you a cryptographic challenge. That is then signed using your private key on your card. The service then can verify your signature by using your public key. The service can then verify your public key by contacting a government server. That way you can prove to anyone that you’re in possession of the physical ID card. The private key on the card can be further protected by a pass phrase.

So if someone wants to steal your identity, they would need your physical card and your passphrase.

If your physical card and passphrase gets stolen, you report it to the government and they revoke their signature of your public key. So if a service wants to verify your identity, the government server will reply that the ID is not valid.

This is how SSL and public private key cryptography works in general. The issuing authorities don’t have to be governments.

[–] [email protected] 1 points 3 weeks ago

I understand your point. I'm not sure that you understood mine.

Let's say that we do as you say. To issue the signature, the Government would need to verify your identity, which as you point out, they already can. Here's the kicker. After verification, the signature is now linked to those same details in their systems. This makes them a massive target. One that they are ill-equiped to deal with.

That's why I am not a fan of this idea.

[–] [email protected] 2 points 1 month ago

Ugh no I hate logging in with my government issued id card and that weird custom certificate that needs to be manually installed. Plus i would need to get up, search for my wallet, take out the card and insert it in the reader

[–] [email protected] 2 points 1 month ago

The exception is password managers. It's a very rare tool that makes things more secure and easier.

Your OS probably comes with one, and if not there are cheap or even free ones available.

[–] [email protected] 1 points 1 month ago

That would be fine, I can live with choosing two of those for any given account.

What I hate is when the company offering the service forces its choice on me. I may be reliant on logging into some specific account without access to my phone, but then along comes company X and says "NOPE! Your account security is more important than you being able to access your own stuff. We're completely on board with locking you out of your own accounts in the name of security."

To be clear, I'm talking about personal accounts. Those on a network where I'm responsible for preventing a breach are another matter of course.

[–] [email protected] 7 points 1 month ago

I'm surprised you're getting downvoted so heavily: Is it really that controversial of an opinion that I want to be able to make the choice between reliable accessibility, efficiency, and hardened security for my personal stuff?

Of course: On a corporate network I have a responsibility to have a very secure account so that I'm not a weak point, I'm not talking about scenarios where my account being breached exposes others that I'm responsible for.

I'm talking about my personal accounts. I may want to choose to have a password and no 2FA, for the simple reason that I may want to be able to access my account from a library computer or internet cafe without having access to any of my devices. That reliable access may be more important to me than having heavier security, and nobody has any business asking me why, because it's my data that I'm choosing how to protect. However, that's become pretty much an impossibility by now, with everyone shoving 2FA and whatnot down my throat, regardless of what I want.

If I happen to lose/break my laptop and phone simultaneously, which is not unthinkable given that I carry both on me pretty much every day, I'm pretty much locked out of everything.

[–] [email protected] 7 points 1 month ago (1 children)

It's interesting that you're getting downvoted. There's plenty of evidence that things are getting worse in this field, not the least of it caused by ignorant policymakers who are hellbent on protecting their arse by being seen to be doing something, anything.

Then there's the ambulance chasers who amplify the fear factor up to eleven just so they can justify their retainers.

Finally, there's Microsoft who in my opinion shows the whole world, time and again, how not to do security whilst all the while preaching to its victims, uh, customers, what "best practice" looks like, whilst chanting"Do as I say, not as I do".

Security is about education above all else. The vast majority of breaches start by social engineering, getting a target to inadvertently install something or reveal something that gives an attacker a toehold into a system. It might be an unexpected PDF, a clicked link, a weak password, or personal information retrieved from someone who has no business storing your passport and driving licence on a system.

[–] [email protected] 9 points 1 month ago (1 children)

Are you advocating for less security, and identity checks when dealing with your bank?

[–] [email protected] 3 points 1 month ago

A bank should not need to store your passport and driving licence after you've opened the account.

It should never have to phone you to verify your identity.

It should not use a random mobile phone number to send an SMS request to confirm a credit card transaction.

Each of those things are security theatre and actually make the whole system less secure.

As for 2FA, it should not be SMS based and it should be when you login, not when you transfer funds between your own accounts as the OP mentioned.

[–] [email protected] 5 points 1 month ago

I just feel like they verify it in the dumbest ways. I'm tryna log into Outlook from my phone and the verification goes to... my phone. Clearly whoever is breaking into my phone app has my phone!

[–] [email protected] 2 points 1 month ago

Then don't sign in

[–] [email protected] 2 points 1 month ago

Also my banking app is coded stupidly.

You login, it asks the fingerprint, then it asks "do you want to allow login to user xxx"?