I am a developer both professionally and as a hobby and read through the code. In its current state, it is safe; however, there have been various instances of obfuscated malicious code being pulled into open source projects via multiple pulls, and that code going right under the original author's nose because separately the code is entirely benign. All it would take is for the reviewer to overlook a single line and those 2FA codes could be sent directly to a bad actor.

When it comes to money, I think it's safe to say that trusting a third party with the security of it isn't the best of ideas. I agree that E*Trade's 2FA system is garbage, and sometimes I have to make multiple attempts with VIP Access; however, I would take that slight inconvenience over a potential security threat any day of the week. I hope you aren't taking everything I am saying as a stab at you, I just want people to be cautious when it comes to things like this - I have seen a few horror stories on this subreddit of people's accounts getting hijacked and purchasing random Chinese securities, or wiring money to accounts that don't belong to them.

Not taking anything as a stab, I appreciate a debate - especially about security, which is near and dear to me. I recently have started a personal security revamp where I'm using a Yubikey to enhance security in my password database. It's already complicated with OATH, TOTP, KeePass, challenge-response, etc. I was happy to find the workaround I posted as a way to have even one less app (or proprietary implementation) to worry about and have a uniform and standard way to protect accounts.

To your second point, if you aren't worried about someone having access to your 2FA keys, why have 2FA enabled? I was being a bit flippant with that statement. I guess I'd say I'm a lot less worried about just the 2FA being compromised for the exact reason one should use 2FA. I'm generally much more concerned about someone installing a trojan horse on one of my machines and gaining access to my password database. While still a much better idea than one-password-for-everything or writing-everything-on-post-its, I am always concerned a compromised machine will give the 'kitchen sink' to a bad actor.

You're certainly right that one should be concerned about running any unknown application on your computer. I want to make the point that it doesn't matter as much whether an unknown application is related to finance/2FA (like this) or is any other application. If someone has installed a trojan horse on your machine, they can hijack any account.

As developers, I think we'd spend about 100x as long setting up any machine or updating -anything- if we needed to manually review the many open source scripts and applications we use daily. If they need the 2FA, they just need you to eventually log in on that machine and then hijack your session. At some point you just have to hope for the best that application, OS, drivers are not compromised because you realistically can't review them all individually.