Social engineering is the new method of choice for hackers. Here's how it works

  • Last Updated:
  • Feb 11th, 2019 10:59 am
Deal Expert
Aug 22, 2006
24043 posts
9555 upvotes
FrancisBacon wrote:
Feb 9th, 2019 10:27 pm
What would you recommend as a recovery option for your email account?
I'm trying to figure out why you'd need one at all.

Assuming you have a good password manager, you should never ever forget your passwords.
And your password manager password should be committed to memory.
Deal Addict
Aug 18, 2018
1737 posts
1305 upvotes
Bay Area
FrancisBacon wrote:
Feb 9th, 2019 10:27 pm
What would you recommend as a recovery option for your email account?
Pen and paper. :D

Or keep an encrypted master PDF on your computer, and make sure the key is committed to memory. (not that hard actually, just pick an event/name/number from 15 years ago that nobody else except you would know)
Deal Addict
May 12, 2014
2064 posts
1542 upvotes
Montreal
death_hawk wrote:
Feb 9th, 2019 10:48 pm
I'm trying to figure out why you'd need one at all.

Assuming you have a good password manager, you should never ever forget your passwords.
And your password manager password should be committed to memory.
I don't trust any password managers, I actually use a simple text file encrypted with VeraCrypt. But perhaps there's an advantage to password managers?

Your answer definitely gives food for thought though, and may be the best answer.

Let me suggest reasons however and get your feedback:

1- in case your password manager crashes/is deleted and its backup fails.

2- to prevent the web service itself from being "social engineered": i.e. if the cracker calls company X and attempts to get access to your account and there's no cellphone recovery method, some employee might fall for it.

3- if somehow your account does get back, getting control back might be easier if a cellphone was previously associated with the account.
Newbie
Dec 21, 2018
10 posts
2 upvotes
This is not new at all.
They likely target crypto because it's nearly impossible to get a paper trail with. (Unlike bank accounts with EFT, those can be traced back.)
Email phishing is more common I think.
Deal Expert
Aug 22, 2006
24043 posts
9555 upvotes
FrancisBacon wrote:
Feb 10th, 2019 6:00 am
1- in case your password manager crashes/is deleted and its backup fails.
I mean... this is a concern even for text files.
In the unlikely event of let's say a lightning strike exactly when your text editor is saving?
Plus you should be testing your backups regularly.
2- to prevent the web service itself from being "social engineered": i.e. if the cracker calls company X and attempts to get access to your account and there's no cellphone recovery method, some employee might fall for it.

I'm not entirely sure how easy it would be to social engineer a web service (as in I've never tried) but for me personally this is not applicable since everything is hosted locally on my own hardware.
The only time my password database leaves the premises is under another layer of encryption.
3- if somehow your account does get back, getting control back might be easier if a cellphone was previously associated with the account.
Using something like a password manager (that doesn't forget) you technically shouldn't lose your account in the first place.
Unless the account itself was blocked by other means (e.g. attempts at brute force in another location).
But the good thing about a password manager is that you can not only record the password, but any random password like strings that replace "Security" questions like "What's your Mom's maiden name"
My mom's maiden name just happens to be (example) "tNSX87pgqt". It's an old historic name used only one time and must never be uttered because it brings with it a deadly curse. Or I just made the whole thing up which is probably more plausible.
Deal Addict
Jan 16, 2011
3307 posts
2695 upvotes
The NORTH
This one is so easy to protect against on the carrier side. No new SIM unless ID verification is physically shown. Go to a carrier outlet and show ID to get a new SIM.

Hell, set up 2-step verification... Send a text to the phone and require 24 hours wait with no response before a new SIM can be issued....

Doing ANYTHING would be better than doing NOTHING. But carriers won't do anything until they get hit in the bottom line. A couple lawsuits where they are culpable for damages might move the needle...
Deal Addict
May 12, 2014
2064 posts
1542 upvotes
Montreal
death_hawk wrote:
Feb 10th, 2019 4:27 pm
I mean... this is a concern even for text files.
...
Using something like a password manager (that doesn't forget) you technically shouldn't lose your account in the first place.
...the good thing about a password manager is that you can not only record the password, but any random password like strings that replace "Security" questions ...
Yes, I could lose my text file, which is one of the reasons I use a recovery phone number. I do have backups, but ... Maybe something else could happen? Maybe I'm too paranoid, or trying to protect against the wrong thing.

For losing your account with a password manager, I was also thinking what if your PC gets cracked (i.e. rootkit malware takeover) and they therefore get access to your password manager (encryption doesn't help here).

Finally, yes, my text file contains both passwords and other info. I use a different DoB, maiden name, etc for every single website.

One advantage of a text file over a password manager is that I understand that some rootkits have specifically targeted password managers. While my text file is just another file which can't be figured out unless a human is watching me use the computer "live".
Deal Expert
Aug 22, 2006
24043 posts
9555 upvotes
FrancisBacon wrote:
Feb 10th, 2019 9:37 pm
For losing your account with a password manager, I was also thinking what if your PC gets cracked (i.e. rootkit malware takeover) and they therefore get access to your password manager (encryption doesn't help here).
This is probably one of the bigger security issues to be honest.
