One Time Pass Code?

Sweep
Posts: 5810
Joined: 20 Oct 2011, 4:57pm
Location: London

Re: One Time Pass Code?

Postby Sweep » 3 Oct 2019, 9:51am

mercalia wrote:Here PayPal is so useful as a wrapper for small cc payments (but not large ones)


Can you explain the term "wrapper" mercalia.

Are you making that distinction in payment amounts because using PayPal to process your credit card payment (is that what you mean by wrapper?) invalidates the protection the consumer credit card acts give you when using a credit card - i.e. pretty easy refunds from the credit card company if there is anything amiss with the purchase from whoever?
Sweep

francovendee
Posts: 1020
Joined: 5 May 2009, 6:32am

Re: One Time Pass Code?

Postby francovendee » 3 Oct 2019, 10:30am

kwackers wrote:
francovendee wrote:As I get older I find it harder to remember all these details so resort to keeping them in a book :roll:

Lastpass (other systems exist)


I'll take a look but I'm assuming it's a site where you set up an account and put all your passwords into it.
I wonder is this site secure?
As I said I'll take a look, but for now a book seems a fairly safe option, no hackers and only a break-in as a risk and with my handwriting it's almost in code!

661-Pete
Posts: 9184
Joined: 22 Nov 2012, 8:45pm
Location: Sussex

Re: One Time Pass Code?

Postby 661-Pete » 3 Oct 2019, 10:45am

Even when written in a book it's possible to encrypt passcodes. You could write things like "Uncle Jim's phone number" (Uncle Jim died in 1978) + "Auntie May's date of birth" (Auntie May died in 1983) etc. etc. One presumes that a prospective burglar or hacker will have no time to research these sometime and long-deceased relations - with only first names to go on....

We do something similar (though I should stress, the above are not actual examples from our book!).
Suppose that this room is a lift. The support breaks and down we go with ever-increasing velocity.
Let us pass the time by performing physical experiments...
--- Arthur Eddington (creator of the Eddington Number).

mjr
Posts: 14156
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: One Time Pass Code?

Postby mjr » 3 Oct 2019, 11:02am

francovendee wrote:
kwackers wrote:
francovendee wrote:As I get older I find it harder to remember all these details so resort to keeping them in a book :roll:

Lastpass (other systems exist)


I'll take a look but I'm assuming it's a site where you set up an account and put all your passwords into it.
I wonder is this site secure?

Nope. Governments can compel them to hand over your access details. Not that it matters for stuff like banks where relevant governments can just freeze your assets anyway, or communications providers who are subject to other interception collaboration laws. Most security is only about stopping other plebs getting in.

francovendee wrote:As I said I'll take a look, but for now a book seems a fairly safe option, no hackers and only a break-in as a risk and with my handwriting it's almost in code!

I prefer an encrypted notes app which doesn't save to the cloud, but a coded book is almost as good.
MJR, mostly pedalling 3-speed roadsters. KL+West Norfolk BUG incl social easy rides http://www.klwnbug.co.uk
All the above is CC-By-SA and no other implied copyright license to Cycle magazine.

kwackers
Posts: 13808
Joined: 4 Jun 2008, 9:29pm
Location: Warrington

Re: One Time Pass Code?

Postby kwackers » 3 Oct 2019, 11:37am

mjr wrote:Nope. Governments can compel them to hand over your access details. Not that it matters for stuff like banks where relevant governments can just freeze your assets anyway, or communications providers who are subject to other interception collaboration laws. Most security is only about stopping other plebs getting in.

That's not actually true.
Lastpass doesn't store your master password and afaik currently no government has jurisdiction over them so can't force them to fit a back door (they can also move their servers to whatever country ignores such daft requests anyway - something governments don't understand).
All a hacker (or the government) can get is an AES-256 encrypted file and good luck cracking that - if you can you'll be made for life.

Also the decryption is done on your device so man-in-the-middle attacks via your communication provider won't work either.
Obviously doesn't stop direct attacks on your bank, or the man freezing your assets, or you installing dodgy software that compromises your machine but that's not its job.

It's all a compromise but lastpass is vastly more secure than writing passwords down somewhere, is far easier to use and makes using unique unguessable passwords of the "*khH&-l!@j4lK9" type so easy there's no point not doing so.

Psamathe
Posts: 10606
Joined: 10 Jan 2014, 8:56pm

Re: One Time Pass Code?

Postby Psamathe » 3 Oct 2019, 11:39am

mjr wrote:....
francovendee wrote:As I said I'll take a look, but for now a book seems a fairly safe option, no hackers and only a break-in as a risk and with my handwriting it's almost in code!

I prefer an encrypted notes app which doesn't save to the cloud, but a coded book is almost as good.

I keep all my PIN numbers (memorable names, etc.) on my phone buried in contacts but anybody nicking my phone would never get into the accounts without being locked-out (they are PIN codes, I don't do online banking - don't trust it). It's easy to hide such numbers where nobody would find them and if they did, so they'd lock out the card/account before getting anywhere (e.g. hide the real PIN and include a false PIN that is wrong).

The one big hole that would be so easy for card/PIN using companies to block is the "Express Kidnapping". Not a big risk in UK but it is a bigger risk in some other countries. There were apparently false rumours about entering your PIN backwards to lock your account and that would be OK except it's untrue. But better to have a 2ndry PIN that automatically lowers your withdrawal limit to e.g. £100 and 1 withdrawal only so kidnappers get something but machine then starts saying "you have hit your withdrawal limit for this week". So you stand a better chance of getting away safely and preserve your account (minimal losses). I cannot understand why card companies (particularly those companies targeting/specialising in travel FX) don't implement such a scheme. It's not complex but would be a major security feature.

kwackers wrote:
mjr wrote:....
It's all a compromise anyway, lastpass is vastly more secure than writing passwords down somewhere, is far easier to use and makes using unique unguessable passwords of the "*khH&-l!@j4lK9" type so easy there's no point not doing so.

I have a number of "schemes" where my password is impossible to guess within millions of attempts but easy to remember (and they don't need writing down).

Ian

kwackers
Posts: 13808
Joined: 4 Jun 2008, 9:29pm
Location: Warrington

Re: One Time Pass Code?

Postby kwackers » 3 Oct 2019, 11:48am

Psamathe wrote:I have a number of "schemes" where my password is impossible to guess within millions of attempts but easy to remember (and they don't need writing down).

I used to have a great scheme for unique passwords prior to using lastpass, but then my milkman's website broke it.

Another good thing about lastpass is if I croak my missus can request access to my passwords. It sends me a message to say she's made the request and I have 2 hours to block it, after that she has access. Which I'm hoping would take away a lot of the hassle in the event of my demise (it would let her post on here though - so if you see any posts badmouthing me from me then I'm probs an ex-kwackers).

merseymouth
Posts: 1130
Joined: 23 Jan 2011, 11:16am

Re: One Time Pass Code?

Postby merseymouth » 3 Oct 2019, 12:37pm

Hi philvantwo, Cash is King with you? Bravo. But when shops have either gone, or their stock is pathetic one has to resort to on-line shopping, where cash is not an option! So what do you do then? I guess you just do without the necessary item! :wink:
Even old duffers like me have had to shift our preferences.
The model railway shop that I dealt with has moved from Liverpool to the end of a death trap road, need a Ferret to get there! (Armoured Personnel Carrier). TTFN MM

ambodach
Posts: 854
Joined: 15 Mar 2011, 6:45pm

Re: One Time Pass Code?

Postby ambodach » 3 Oct 2019, 12:59pm

Calmac ferry company have a system where the person taking your booking is not allowed to take your card details. You are instead transferred to a “secure site” where you enter your details on your keypad. I only use this system when my local office is closed because I have never yet managed to complete a transaction as my keypad usually vanishes somewhere and I have never been able to get it back and end up transferred back to the call centre who then has to transfer my call to somebody else to take the card details. Convoluted nonsense. (The system, not my convoluted sentence.) The Area Manager says it is for “security” but he is used to my complaints and cannot do anything anyway.

mjr
Posts: 14156
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: One Time Pass Code?

Postby mjr » 3 Oct 2019, 2:04pm

kwackers wrote:
mjr wrote:Nope. Governments can compel them to hand over your access details. Not that it matters for stuff like banks where relevant governments can just freeze your assets anyway, or communications providers who are subject to other interception collaboration laws. Most security is only about stopping other plebs getting in.

That's not actually true.
Lastpass doesn't store your master password and afaik currently no government has jurisdiction over them so can't force them to fit a back door (they can also move their servers to whatever country ignores such daft requests anyway - something governments don't understand).

We're talking about "Lastpass" which is run by LogMeIn, Inc., a US corporation, right? Clearly the US government does have jurisdiction and yes, they can move their servers, but do you believe their board and relevant workers are really willing to go to jail to protect your password? And is it even ethical to expect them to when there are alternative tools which you could use which wouldn't require it?

Plus, how do you know it doesn't store your master password? Have you (or someone you trust) got their app source code, checked it, built it yourself and compared it to their published app?

It's all a compromise but lastpass is vastly more secure than writing passwords down somewhere, is far easier to use and makes using unique unguessable passwords of the "*khH&-l!@j4lK9" type so easy there's no point not doing so.

I think we probably disagree about whether it's worth trusting what lastpass and similar corporations say about their security. Me, I trust a coded book more.

mjr
Posts: 14156
Joined: 20 Jun 2011, 7:06pm
Location: Norfolk or Somerset, mostly

Re: One Time Pass Code?

Postby mjr » 3 Oct 2019, 2:11pm

Psamathe wrote:
kwackers wrote:
mjr wrote:....
It's all a compromise anyway, [...]

Misquote?
Psamathe wrote:I have a number of "schemes" where my password is impossible to guess within millions of attempts but easy to remember (and they don't need writing down).

But the issue is highlighted by (contains a bit of "language" you can read if you zoom it)

That reminds me of the time when I got a bit upset with a service provider refusing to accept my security details reset, so by the final attempts I was just typing abuse into the boxes. Then I phoned up. Unbeknownst to me, their website was accepting the resets but had a bug so it always displayed an error, so when it came to asking me for security details, their worker said "now, I'm not sure what to do about this, but I need to ask for the name of your first school, but if you say what's on my screen, company policy says I have to end the call immediately" :eek: "oh and all of the questions have that as an answer now" "yes. Please hold while I ask a supervisor" :lol: I don't remember how we got out of that. I think I did another security details reset while on the phone.

kwackers
Posts: 13808
Joined: 4 Jun 2008, 9:29pm
Location: Warrington

Re: One Time Pass Code?

Postby kwackers » 3 Oct 2019, 3:11pm

mjr wrote:We're talking about "Lastpass" which is run by LogMeIn, Inc., a US corporation, right? Clearly the US government does have jurisdiction and yes, they can move their servers, but do you believe their board and relevant workers are really willing to go to jail to protect your password? And is it even ethical to expect them to when there are alternative tools which you could use which wouldn't require it?

Exactly there are alternative tools.
Ultimately they're a tech company that relies on selling you security and ethics. If for any reason some dirt turned up on them it's only a few minutes work to switch.
If it really bothers you then use them to provide the first part of a password and (say) delete the last 4 characters and replace them with a pin number or some such.

mjr wrote:Plus, how do you know it doesn't store your master password? Have you (or someone you trust) got their app source code, checked it, built it yourself and compared it to their published app?

Like most things I have to take their word for it.
When you're selling security your business model would be very shaky though if they're lying through their teeth - particularly when there's no need for them to do so.

mjr wrote:I think we probably disagree about whether it's worth trusting what lastpass and similar corporations say about their security. Me, I trust a coded book more.

That conjures up an amusing image of a 'Columbo' alike trying to use their phone, digging out their trusty notepad and screwing their face up as they try to decode and enter the information thus contained just so they can order a replacement notebook on Amazon...
(Obviously I've no idea of the reality)
Coded book though - that sounds horrifically clunky. I trust you have a backup(s).
Do you carry it around with you all the time or just if you think you might need to access a website?
A quick check on lastpass suggests I have 230 passwords - a lot of which are nonsense sites like this, but that's still a lot of messing about with a notebook. Particularly if you change the passwords regularly.

kwackers
Posts: 13808
Joined: 4 Jun 2008, 9:29pm
Location: Warrington

Re: One Time Pass Code?

Postby kwackers » 4 Oct 2019, 10:45am

Related to all this (and the security of apps like LastPass) is Facebook's plan to offer end to end encryption on its messages.
Despite being a US company (like LastPass) they've asserted that they're not going to offer a backdoor into the encryption.
I think you can be fairly sure a company that sells itself as a security company like LastPass isn't going to offer backdoors without both the required legislation and a fight.

It's all nonsense anyway, a real crim isn't going to send messages via FB, there are lots of alternatives these days you can even knock up your own from the various components widely available.

661-Pete
Posts: 9184
Joined: 22 Nov 2012, 8:45pm
Location: Sussex

Re: One Time Pass Code?

Postby 661-Pete » 4 Oct 2019, 3:00pm

Back to the online banking issue. Twice in the past two days I've had to log in online to my current account. The first time was to make a transfer, for which - understandably - I was asked to use my card reader. The second time was simply to check my statement.

Both times I was sent a challenge code to my mobile, which I then had to type in. This is a recent development, apparently the norm now, and to my mind both a nuisance and an unnecessary layer of 'security' - especially seeing as it's suggested above that SMS's to mobile phones are not all that secure!

What bothers me is, what if I lose my phone or it becomes inoperable in some way? Yes I know the phone company should be able to send me a PAC code (to transfer the same number to a different SIM) - but in my case they've been most 'awkward' whenever I've contacted them - for various reasons. Yes I can change the assigned mobile number when online to the banking site - but in order to get online I have to enter a challenge code sent to my old mobile....

Catch-22? Hopefully someone will explain to me that there are ways around this.

brooksby
Posts: 385
Joined: 21 Aug 2014, 9:02am
Location: Bristol

Re: One Time Pass Code?

Postby brooksby » 4 Oct 2019, 3:06pm

661-Pete wrote:What really bugs me is the egregious "Captcha". "Click on every picture containing a [bit of a] car"? How am I supposed to recognise a 1mm strip off the edge of a wing mirror, as a car? :( :(


All of those Recaptcha ("Click on every bridge / every traffic light / every crosswalk / etc") are allegedly being used to help Google's driverless cars tech. The company that runs them is a Google subsidiary.