Posts


BernardSheppard, to infosec
@BernardSheppard@mastodon.au

OK Linkt, do you think you could fuck this up any further?

You've got your "Stay safe online" message, with a reminder that you'll always direct us to log in via linkt.com.au, but your email has a fucking link to a click tracking website instead of a login.

For fuck's sake, are you actually trying to train us to click on scam links, or just incompetent?

How about your favourite scammers who are out there scamming toll notices send them out from https : // click.digittal.linktt.com.au/?qs=c21af a fucking long string of numbers because how many people will spot the extra t in linkt after the click.digittal?

fail of the week.

BernardSheppard,
@BernardSheppard@mastodon.au

Today, in fail of the day, I bring you more (aka Tangerine) - part owned by Commonwealth Bank - who are reducing their security by allowing anyone who has any of the hundreds of thousands, if not millions of emails combined with mobile numbers out there in breach lists, who happens to get control of an email inbox that contains communications from more (or a phone) the ability to instantly take over the account.

How, you ask?

Easy: they've done away with passwords and 2FA, and gone to 0FA. If you have the email or the mobile, you're in. Just like that.

You don't need the password, or the account number. Just the email and the mobile.

For example the email with the mobile bill.

Because they send the confirmation code to both the email and the mobile.

Sure, you need to know both, but that's the easy part.

Text below, and image attached.

Dear Bernard,

We’re excited to share that we are making some improvements to the way you access the Self Care Portal by simplifying the login process.

We know you're not a fan of complicated stuff, and neither are we. We’ve listened to your feedback and have recognised that the current Portal login process is a hassle: We ask you to remember your account number and password as well as your email – that’s far from being simple. So, let's make things simple!

From Friday 12 April 2024, you’ll be able to log in to the Self Care Portal by only entering your email and mobile number. We’ll then send a one-time verification code to your mobile and email – this is our way of double-checking it’s really you (a similar verification process already happens when you speak with our team over the phone).

ben,
@ben@mastodon.bentasker.co.uk

@BernardSheppard It's still 1 factor (rather than 0FA).

IIRC, Microsoft started that ball rolling with their Passwordless login option (https://blogs.windows.com/windowsexperience/2021/09/15/microsoft-announces-passwordless-future-available-across-microsoft-edge-and-microsoft-365-apps/)

But, I agree, it's really dumb.

I'm not a fan of SMS 2FA at all, but it at least requires you know secrets (my password) too rather than just needing to compromise one (central) component - it's hard not to view it as providers trying to outsource liability for compromise

BernardSheppard, to nuclear
@BernardSheppard@mastodon.au

Michael Barnard explains why Ted O'Brien and his bros are pro in a prescient article written back in November 2023 before they announced their policy (spoiler - but you know this already - it is because being pro nuclear == pro-fossil fuel) which includes an absolutely delicious slap to bros: 'Why, by the way, do I keep putting “hydrogen ready” in quotes? Because most of the time natural gas burning units are hydrogen ready like your driveway is Lamborghini ready. That it’s possible to park a fictitious future and very expensive Lambo in it does not in any way mean that you will be able to afford to do so.'

https://cleantechnica.com/2023/11/30/what-drives-this-madness-on-small-modular-nuclear-reactors/

BernardSheppard, to infosec
@BernardSheppard@mastodon.au

fail: Budget Direct used to let you log in with a username and complex password - I had no issues setting up a 32-character password with a standard password manager generator including random letters, numbers and symbols.

They had no limitations on characters or symbols.

A while ago they allowed you to start logging in using your mobile and D.O.B., but also allowed you to continue to log in using your username and password.

They have removed the ability to log in using your username and password.

Now it is mobile and D.O.B. only.

Why the fuck would you go for less secure?

I guess they value fewer calls for password resets over security.

realn2s,

@BernardSheppard
@scream

It seems to me that the threat of SIM swapping is country dependent. In Germany the digitalisation is SO far that you still get a piece of paper mailed to your postal address if you change the SIM (AFAIK).

BernardSheppard,
@BernardSheppard@mastodon.au

@realn2s Yeah, in Australia it is supposed to be secure, and normally requires confirmation that you still control the device.

But the "I've lost my phone" or "I've broken my phone" or "I've had my phone stolen" can still work.

Especially if you add to that "I'm overseas in <pick location where pickpockets are known to operate> and my phone was stolen and I'm calling from <friend's phone> and here's all my details to prove that I am who I say I am."

That's the thing, if you've had all of your data stolen in three separate breaches (which has happened to a lot of people in Australia, where one of the breaches was the second largest telco), the risk is not non-existent.

Anyway, </rant>

BernardSheppard, to random
@BernardSheppard@mastodon.au

Is it possible that was just a fall guy in Kerry Stokes plan to cost Nine-Fairfax some money? Well, I guess the allegations of war crimes were also proven as part of the defendant's defence, so there is that.

GlenDownton,
@GlenDownton@mastodon.au

@BernardSheppard This is the part I've never really understood - why has Stokes backed him to the hilt? I know Stokes is infatuated with all things military, but still ...

And it was a hell of a risky way to try and poke rival media orgs in the eye.

BernardSheppard,
@BernardSheppard@mastodon.au

@GlenDownton ¯\_(ツ)_/¯
