FIDO2

Hacking the lastpass data is enough.
People left LP in droves after they were hacked, me too.

They had the cheek to double the cost too.
 
Hacking the lastpass data is enough.
People left LP in droves after they were hacked, me too.

The data is stored on LastPass's server encrypted, but the data is useless without the key to decrypt it. Only the owner of the data has the key. The data is pulled from the server, and decrypted by your own system, using the key you provide.

So hacking the data, from the server, simply isn't enough - the key is needed as well.
 
The security expert was saying facial recognition can be beaten with a photograph
It seems increasingly unlikely as security software improves. The security is quite clever and contains multiple tricks beyond "does the camera see something that looks like user X" - for example a camera can see the change in skin colour caused by the flush of blood from the pressure surge when your heart beats, and FR security checks for it to make sure it's "looking" at a living thing
 
It seems increasingly unlikely as security software improves. The security is quite clever and contains multiple tricks beyond "does the camera see something that looks like user X" - for example a camera can see the change in skin colour caused by the flush of blood from the pressure surge when your heart beats, and FR security checks for it to make sure it's "looking" at a living thing
I'm only saying what the "expert" said, I haven't tried it myself.
 
So hacking the data, from the server, simply isn't enough - the key is needed as well.
If LastPass or whatever other company can be hacked, so can the rest of their infrastructure including the app.
Hacker types modify the app, shove those modifications to production, everyone with it gets auto-updated without knowing or caring what or why because that's how app updates work.

Then after a month or four the true purpose of the hack is revealed - that app update contained a minor adjustment where the key is sent to the remote servers.
Now the hackers have both the encrypted data and the keys for pretty much every user, and therefore every password for every account and device those users have.
By the time such an attack is discovered it's already far too late, the damage has been done. Game over.
 
I like the idea of locking some apps into a hidden phone folder. I've never heard of it. Doable on Android?

I haven't heard of someone's pc or phone being stolen and the owner being cleared out, but I and I'd guess many others don't know how much damage could be done.
If you were out of the house, and someone reloads Windows on your pc which removes the passwords to it, has some personal details about you, says the phone's been stolen and tries all the financial institutions you use (not hard to find)... Could access a lot.

Usually my phone's on maximum stay-awake time. Some apps don't ask for a finger print every time.
For high-net-worth individuals the potential for theft or fraud is eyewatering. A trader chap I know dropped his phone on the golf course. His financial investments are worth 9 figures. His was handed back, but...

You could target someone like that, pocket pick his phone and replace it with a non-functional identical copy. (Latest iPhone, natch). You'd have a few hours to play.
You can lift a usable finger print from a clean glass with super-glue fumes, laser print it to build up thickness, and use that.

Hmmm, maybe I'll get a going-out phone and keep the normal one locked in the safe.
 
The readers, don't work like that - read up on it.
I see it's evolving - I didn't know about the ultrasonic types. Knowing how they work makes it easier to simulate of course.
The blood-pulse complication someone mentioned (originally developed for blood oximeters which detect the change in blood colour of the oxygenated blood pulse) was beaten by simply putting another finger behind the fake one at one time.
I bet a fancy 3D printer could be brought to action, or a mould in skinlike material.
Granted, it's all getting better. Are they gonna put a dna sensor on a phone??
 
I like the idea of locking some apps into a hidden phone folder. I've never heard of it. Doable on Android?
Hidden folders would be of no use, as all apps can be found in the app drawer regardless of where they have been placed elsewhere.

Other things which everyone should have done already are turning off notifications on the lock screen, removing most of the things from the quick settings menu, and ensuring that all apps of relevance have their own PIN or other lock in place which is NOT the same as what's used to unlock the phone.

As for fingerprints - most people have more than one finger. Don't use the obvious one to open the phone.
 
Heard on the radio today about a bloke who had his phone stolen out of his hand they took all his savings and took out a 9k loan.
The security expert was saying facial recognition can be beaten with a photograph....who knew.

Biometrics such as fingerprint or facial recognition work on "meh it is 90% OK" (I made that figure up). All phones require you to enter your PIN when you reboot - why? Because a PIN has to be 100% correct. There is no "it is a bit close".
 
Hidden folders would be of no use, as all apps can be found in the app drawer regardless of where they have been placed elsewhere.

Other things which everyone should have done already are turning off notifications on the lock screen, removing most of the things from the quick settings menu, and ensuring that all apps of relevance have their own PIN or other lock in place which is NOT the same as what's used to unlock the phone.

As for fingerprints - most people have more than one finger. Don't use the obvious one to open the phone.

My Android is skinned to look like Windows10 Mobile (I pay about £0.50 pm). I can make apps not appear in the (swipe from the right) alphabetical app list. If I want to access those apps, I can type the name into the search box to find them.

I don't allow any apps to flash up messages on the lock screen.
 
Biometrics such as fingerprint or facial recognition work on "meh it is 90% OK" (I made that figure up). All phones require you to enter your PIN when you reboot - why? Because a PIN has to be 100% correct. There is no "it is a bit close".

The figure is much higher than that, but the big difference is, someone could sit and try all the combinations of codes and could eventually get in, with bio, they would need to be extremely, extremely lucky to get a match, or have an endless number of friends willing to try to log in. Photos/photocopies will not work, and no one has an endless number of friends, willing to try without dropping them in it. Therefore, bio is more secure.
 
The figure is much higher than that, but the big difference is, someone could sit and try all the combinations of codes and could eventually get in, with bio, they would need to be extremely, extremely lucky to get a match, or have an endless number of friends willing to try to log in. Photos/photocopies will not work, and no one has an endless number of friends, willing to try without dropping them in it. Therefore, bio is more secure.
With (genuine) respect, I do not agree with you. Bio plus a PIN is in, my (lay) opinion, more secure. However, Bio is not 100%, only a PIN is 100%.

With regards to PIN numbers, phones will often lock you out for X minutes after X incorrect attempts. There are 10,000 possibilities. Granted, products such as GreyKey can brute force PIN combinations - but that will set you back £30,000.

My current Samsung will let me unlock the phone via facial recognition. My Windows phone (Lumia 950XL) had an iris scanner - that said, it was far from perfect.
 
someone could sit and try all the combinations of codes and could eventually get in,
Not on Android devices - there is a limit of around 10 or less attempts, after which you either have to wait for an extended time, or in some cases it will erase all of the phone data or require authentication via some other method such as a Google account.
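The lockout behaviour discussed in the last two posts (10,000 four-digit PINs, a wait after a handful of wrong attempts, and a wipe or secondary authentication after roughly ten), as an added model that is not code from the thread or from any phone vendor. The thresholds, the doubling of the wait on each further lockout, and the fake clock are all assumptions chosen for illustration; the point it shows is that an exact-match PIN check plus a throttling policy turns a trivial 10,000-guess search into something bounded by wall-clock time and by the wipe limit.

```python
import hashlib
import hmac
import os
import time


class FakeClock:
    """Deterministic clock so the policy can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class PinLock:
    """Screen-lock policy model (assumed thresholds, not a vendor's real values):
    after `lockout_after` consecutive failures the device refuses all attempts,
    even a correct PIN, for `lockout_seconds`, doubling on each further lockout;
    at `wipe_after` consecutive failures the device is treated as wiped."""

    def __init__(self, pin: str, lockout_after: int = 5, lockout_seconds: float = 30.0,
                 wipe_after: int = 10, clock=time.monotonic) -> None:
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)          # never store the PIN itself
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self.wipe_after = wipe_after
        self.clock = clock
        self.failures = 0
        self.lockouts = 0
        self.locked_until = 0.0
        self.wiped = False

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 50_000)

    def try_unlock(self, candidate: str) -> str:
        """Returns one of: 'unlocked', 'denied', 'locked', 'wiped'."""
        now = self.clock()
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"
        # A PIN is an exact match: compare in constant time, no 'close enough'.
        if hmac.compare_digest(self._hash(candidate), self.pin_hash):
            self.failures = 0
            self.lockouts = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= self.wipe_after:
            self.wiped = True
            return "wiped"
        if self.failures % self.lockout_after == 0:
            self.locked_until = now + self.lockout_seconds * (2 ** self.lockouts)
            self.lockouts += 1
            return "locked"
        return "denied"


def min_seconds_to_exhaust(total_pins: int = 10_000, lockout_after: int = 5,
                           lockout_seconds: float = 30.0) -> float:
    """Lower bound on wall-clock time to try every PIN if the lockout did NOT
    escalate and no wipe existed: one wait per full group of attempts except the last.
    With doubling waits or a wipe limit the real bound is far larger or infinite."""
    groups = -(-total_pins // lockout_after)  # ceiling division
    return (groups - 1) * lockout_seconds


if __name__ == "__main__":
    clock = FakeClock()
    lock = PinLock("4821", clock=clock)          # constructed sample PIN
    for guess in ("0000", "0001", "0002", "0003", "0004"):
        print(guess, "->", lock.try_unlock(guess))
    print("correct PIN while locked ->", lock.try_unlock("4821"))
    clock.advance(31)
    print("correct PIN after wait ->", lock.try_unlock("4821"))
    print("fixed-lockout exhaustion bound (s):", min_seconds_to_exhaust())
```

The two defender-relevant properties are visible in the return values: the correct PIN is refused while the lockout is active, and once the wipe threshold is reached no later attempt succeeds, which is why a lockout plus wipe, rather than the 10,000-way keyspace, is what actually bounds an attacker with the device in hand.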
 