__@fedia.io · 1 upvote · 1 year ago

    I call BS - with notable exceptions for a particular omnipresent retail chain whose ToS was recently updated so they could do substantial tracking of your traffic.

    A company I work with is wholesale migrating both internal and external accounts to a third-party auth provider in whom I have very little faith. That is a concerning security risk.

    Using open wifi hotspots is hardly a best practice in any world, of course, but I’m hard-pressed to believe that it takes precedence over, say, ticking the boxes on NIST CSF or PCI compliance. Or just plain old “shoulder surfing” which has always been a risk in public, but becomes much more concerning given we all have a computer screen in our hand constantly and it’s often full of data useful to someone with ill intent.

    They might not get your pw or 2FA codes, but knowing your username is plenty for them to convincingly call you later, pretending to be from the bank. “Now that you’ve changed your pw, the system will send one extra 2FA code to your device as a test. Please read me the code when the text message comes in.”