ID theft in UK hits record high as crooks shift to more vulnerable targets

What makes a good security question?

Tomorrow's security question should definitely not be about your past, your habits, your family or your hobbies. So no memorable information.

I too have to write down 150 plus account details, and then keep them on paper in case my computer is stolen where I have stored my passwords. What about if they steal my piece of paper? So I have to have several copies, hidden, just in case. Copies of copies of copies.

A total 'MARE!!!!!!!!!!!!!!!!!!!!

No Dice

Lots of places still don't allow diceware password, insisting that

X&%fg%$d is more secure than

Some set of Random words

Pisses me off no end

Aren't they all...

...just using the info harvested from Equifax?

I used to contract and my umbrella company was NASA Group. They seemed OK, friendly. I left, asked for my P45. Got it, got new job. About 2 weeks later I got an e-mail from them again about my P45. I followed the link in the e-mail because I assumed they were trying to be more secure, mentioned DocuSign. And that the P45 was encrypted on a encrypted file store now.

The site showed several e-mail clients you maybe using below. Pick one and sign in. I assumed for a few seconds, stupidly (was tired), that this was for security also so they knew you hadn't just been given the link from someone. Luckily however, I noticed the main site itself wasn't HTTP. The site URL was totally different from anything related to NASA or any file sharing site. Upon clicking the provider I was with I noticed their login page wasn't the login page of that client. If you clicked the Google one it looked exactly the same as Google's login. I however noticed all those links pointed to HTTP versions of those logins.

I e-mailed them back asking why they'd linked me to insecure HTTP pages because anyone can sniff those logins.

They replied telling me to ignore all e-mails with links in that day because it was a spam and their IT were aware. I checked the headers of the e-mail with the bullshit link. It was coming from their exchange, it wasn't spoofed. So clearly it was more than a spam attack, they'd clearly had a breach and were keeping quiet about it. The person sending the e-mail either sent out on mass e-mails about P45s in the hope they'd get someone or they'd actively looked through past e-mails and then specifically targeted people with what they'd requested or talked about.

I haven't heard anything about it since, despite reporting it to the ICO who don't give a shit unless it's in the thousands of people affected.

I'm pretty sure NASA Group have kept that breach quiet. It only happened a couple of months ago. Granted they put a message on their site but haven't admitted to a breach yet.

makes me happy

I only login to handful of sites so not got mny credentials to remember (and no online banking, loans etc)

Thoug if anyone purchased my identity for the 820 squids quoted they would have made a bad move as my net worth is massively negative (stares at mortgage & cries) & no chance of getting loan in my name with that loan being max size possible

Truth in the old joke ...

Two friends are camping in Africa.

One night they are woken by a lion prowling.

Immediately one starts to put his trainers on.

"What are you doing ?" his friend says. "You'll never outrun a lion."

"No" his friend replies. "But I can outrun you ...."

My online security strategy - hell my entire life security strategy - has been to concentrate on not being the lowest fruit on the tree. As with most things the 20/80 split applies to security.

it's fraud by misrepresentation you dolts, get it right.

What if I identify as gender fluid? Can't steal my ID if I don't even know what it is.

Beware quizes on social media

Most commentards probably already know about this, but for the few that don't...

There was a fad on social media about "porn star names." It encouraged people to share their porn star name created from their first pet's name and mother's maiden name. Example: Fido Smith.

Two common security questions used to be first pet's name and mother's maiden name.

*sigh*

"More than a third of bank account takeover victims were over 60 years old. That was put down to the increasing popularity of online banking, and more fraudsters phoning victims claiming to be from the bank and asking to "verify" online passwords."

It's not necessarily popular. It's just enforced by shutting down more and more branches.

Some companies go out of their way to help phishers. See for example here where someone tries to verify a 'phone number.

"fraudsters phoning victims claiming to be from the bank and asking to "verify" online passwords."

Which would not work if the banks used 2 factor authentication. *Sigh*.