TimR, Posted June 8, 2023: Password1! if you want to make it really strong.
TimR, Posted June 8, 2023: PasswordPassword1! Would take 26 trillion years to crack according to the list posted previously...
jimmyb625, Posted June 8, 2023: PasswordP455w0rd1!
Rich, Posted June 8, 2023: !drowssaP
jimmyb625, Posted June 8, 2023: Here's some advice from the grown-ups: https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
tauzero, Posted June 8, 2023:
23 minutes ago, jimmyb625 said: Here's some advice from the grown-ups https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
Which seems primarily concerned with making passwords hard to guess - which would be irrelevant if the primary form of attack was brute force. After all, "Pa$$word" and "Grea7 Gr33n 4rke$eizure£" would be equivalent in terms of a brute force attack, but I would guess that the NCSC would be rather more critical of the first than the second. For brute force attacks to be successful, the attacker needs two things - first, the actual password hash file, and second, enough time before the leaking of the hash file is discovered to go through the file and generate the hashes. If the organisation being attacked is honest and releases the information that the password file is out there as soon as it knows, the time between the initial leak and users changing their passwords is all that the hacker has. As an extra precaution to slow down the attacker, the hash file could also contain a high proportion of dummy users with password hashes generated at random. That would throw an extra bit of grit in the hacker's works.
chyc, Posted June 8, 2023:
1 hour ago, tauzero said: Which seems primarily concerned with making passwords hard to guess - which would be irrelevant if the primary form of attack was brute force. After all, "Pa$$word" and "Grea7 Gr33n 4rke$eizure£" would be equivalent in terms of a brute force attack
According to Wikipedia, the time to crack using brute force increases exponentially with the key length. Using your example above, and assuming upper and lower case letters, numbers and a few symbols for a password, that's around 95 characters available, so the average number of tries for the first password is 95⁸/2, or 3.3 × 10¹⁵ tries. For the latter, it's 1.5 × 10⁴⁷. To put that in perspective, if the first took one second to crack, the latter would take around 10¹⁴ times the age of the known universe. In other words, even for brute force attacks, password length really matters.
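The arithmetic in the two posts above (half the keyspace as the expected number of guesses, and the cost growing as 95 to the power of the length), carried through in code, together with a toy offline attack on a simulated leaked hash file that shows why the hash file itself and how it was hashed matter as much as the password. This is an added example, not code posted by anyone in the thread: the guess rates, the sample users (reusing passwords quoted in the thread) and the wordlist are all assumptions made here, and the "leak" is constructed in the script rather than taken from any real breach.

```python
"""Brute-force cost arithmetic from the thread, plus a toy offline attack on a
'leaked' hash file.  Added example, not code posted by anyone in the thread.
The guess rates, the sample users and the wordlist are assumptions made here."""
import hashlib
import os
from typing import Dict, List, Tuple

ALPHABET = 95                      # upper, lower, digits and symbols, as in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600
UNIVERSE_AGE_YEARS = 1.38e10

# Assumed (not measured) attacker throughput for two kinds of password hash.
FAST_UNSALTED_GUESSES_PER_SEC = 1e10   # e.g. a GPU rig against raw SHA-256
SLOW_KDF_GUESSES_PER_SEC = 1e5         # the same rig against a tuned bcrypt/scrypt


def expected_tries(length: int, alphabet: int = ALPHABET) -> float:
    """Average guesses to hit one uniformly random password: half the keyspace."""
    return alphabet ** length / 2


def crack_years(length: int, guesses_per_sec: float, alphabet: int = ALPHABET) -> float:
    """Expected wall-clock time for an exhaustive search at the given guess rate."""
    return expected_tries(length, alphabet) / guesses_per_sec / SECONDS_PER_YEAR


def length_ratio(long_len: int, short_len: int, alphabet: int = ALPHABET) -> float:
    """How many times longer the longer password takes: alphabet ** (long_len - short_len)."""
    return expected_tries(long_len, alphabet) / expected_tries(short_len, alphabet)


HashFile = Dict[str, Tuple[bytes, str]]   # user -> (salt, hex digest)

# Constructed sample data reusing passwords from the thread; not from any real breach.
SAMPLE_USERS = {
    "alice": "Password1!",
    "bob": "!drowssaP",
    "carol": "Grea7 Gr33n 4rke$eizure£",
}
SAMPLE_WORDLIST = ["password", "Password1!", "letmein", "!drowssaP", "P455w0rd"]


def make_hash_file(users: Dict[str, str], salted: bool) -> HashFile:
    """Simulate a leaked credential table hashed with SHA-256, with or without per-user salts."""
    table: HashFile = {}
    for user, pw in users.items():
        salt = os.urandom(16) if salted else b""
        table[user] = (salt, hashlib.sha256(salt + pw.encode()).hexdigest())
    return table


def dictionary_attack(table: HashFile, wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Try every word against the table; return (cracked user -> password, hashes computed)."""
    cracked: Dict[str, str] = {}
    ops = 0
    if all(salt == b"" for salt, _ in table.values()):
        # Unsalted: hash each candidate once and look it up against every row at the same
        # time, so the number of rows in the file (dummy rows included) does not add cost.
        by_digest: Dict[str, List[str]] = {}
        for user, (_, digest) in table.items():
            by_digest.setdefault(digest, []).append(user)
        for word in wordlist:
            ops += 1
            for user in by_digest.get(hashlib.sha256(word.encode()).hexdigest(), []):
                cracked[user] = word
    else:
        # Salted: each candidate has to be re-hashed under every row's salt, so the
        # attacker's work grows with the number of rows.
        for user, (salt, digest) in table.items():
            for word in wordlist:
                ops += 1
                if hashlib.sha256(salt + word.encode()).hexdigest() == digest:
                    cracked[user] = word
                    break
    return cracked, ops


if __name__ == "__main__":
    for n in (8, 24):
        print(f"{n:2d} chars: {expected_tries(n):.2e} tries, "
              f"{crack_years(n, FAST_UNSALTED_GUESSES_PER_SEC):.2e} years (fast hash), "
              f"{crack_years(n, SLOW_KDF_GUESSES_PER_SEC):.2e} years (slow KDF)")
    print(f"24 vs 8 chars: {length_ratio(24, 8):.1e} times the work")
    for salted in (False, True):
        cracked, ops = dictionary_attack(make_hash_file(SAMPLE_USERS, salted), SAMPLE_WORDLIST)
        print(f"salted={salted}: cracked {cracked} with {ops} hash computations")
```

Two things the numbers alone do not show: the eight-character password falls in days against a fast unsalted hash but takes centuries against a slow KDF at the assumed rates, and a dictionary attack cracks "Password1!" and "!drowssaP" instantly at either length because they are in the wordlist, while the 24-character passphrase survives only because nobody guessed it. Per-user salts are also what make extra rows in the file (including the dummy users suggested above) cost the attacker anything; without salts one hash per candidate covers the whole file.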
Stub Mandrel, Posted June 8, 2023: F$K! Facebook failed to synchronise between my mobile and my PC, so it locked me out for 15 minutes. Fortunately I did remember the new password...
Downunderwonder, Posted June 9, 2023:
On 08/06/2023 at 08:17, Skinnyman said: Do quantum computers, when they become mainstream, make things a little easier or more challenging for the hacker, I wonder?
How is a quantum computer any different from what we use today aside from being faster?
Woodinblack, Posted June 9, 2023:
33 minutes ago, Downunderwonder said: How is a quantum computer any different from what we use today aside from being faster?
Not really a question of speed; it's because a quantum computer can be in many states at the same time. So it can have all passwords at once.
prowla, Posted June 9, 2023:
On 05/06/2023 at 23:28, RikiB said: How do people normally pay on here then? I've sold stuff and they've paid friends and family
On 05/06/2023 at 23:30, daveybass said: I actually said I'd pay the PayPal fees and then when the scammer said no then he was told to run and jump. It's only a few percent extra to protect you
I would strongly recommend never using PayPal F&F unless the person actually is your friend or family. If they insist, just step away. I had it happen in an FB group just this week; someone had something in the UK which I wanted and which would otherwise have cost me double from the US after shipping & fees. The seller would not budge on F&F, even when I said I'd cover the fees for G&S, so I didn't go through with it. Just don't pay for goods using F&F.
Owen, Posted June 9, 2023:
16 minutes ago, Woodinblack said: Not really a question of speed, its because a quantum computer can be in many states at the same time. So it can have all passwords at once
FAR OUT!!!!
Rich, Posted June 9, 2023:
8 minutes ago, prowla said: I would strongly recommend never using PayPal F&F unless the person actually is your friend or family. If they insist, just step away. I had it happen in an FB group just this week; someone had something in the UK which I wanted and would have otherwise cost me double from the US after shipping & fees. The seller would not budge on F&F, even when I said I'd cover the fees for G&S, so I didn't go through with it. Just don't pay for goods using F&F.
I agree wholeheartedly. I sold something a while back and the buyer offered F&F, which I accepted. We've both been here for a loooong time and he was satisfied that my ad & PMs were genuinely me. I'd certainly never dream of demanding F&F. I think bank transfer is probably my choice for the future.
jrixn1, Posted June 9, 2023:
30 minutes ago, prowla said: The seller would not budge on F&F, even when I said I'd cover the fees for G&S, so I didn't go through with it. Just don't pay for goods using F&F.
Perhaps the seller is concerned that if they accept PayPal Goods and Services, they become open to payment reversal scams or disputes that the item was not as described. Ultimately, when making an online transaction with strangers, there is no way for both buyer and seller to be 100% protected. Like you, I too would not proceed if for any reason I wasn't feeling comfortable.
Woodinblack, Posted June 9, 2023:
40 minutes ago, Rich said: I agree wholeheartedly. I sold something a while back and the buyer offered F&F, which I accepted. We've both been here for a loooong time and he was satisfied that my ad & PMs were genuinely me. I'd certainly never dream of demanding F&F. I think bank transfer is probably my choice for the future.
When I bought my Chapman Stick, the guy I got it off seemed a great guy, had a reasonable social media presence including pics of him playing the Stick, so I could have gone F&F, but I didn't because fundamentally it was a lot of money and the extra money was just insurance for it. Turned out he was a great guy anyway, but the thing is, a lot of scammers seem like great guys, and there really isn't a way to tell the difference. Like those people who meet some girl online and then pay for them to come over, and it turns out it was just a scam and they lost their money. Well, I have been married to my one for 25 years as of last Monday, so you really can't tell.
Lozz196, Posted June 9, 2023: Sadly, with the way things are going, good old fashioned cash on collection is often the safest way.
TimR, Posted June 9, 2023: Don't banks offer fraud protection? Mine has signed up to voluntary protection, so paying via transfer should be fine. All you do is get their account details or send them yours. There's not a lot they can do with an account number and sort code, but if it's protected against fraud again you should be fine. If you do a lot of trading it's wise to have a separate bank account from your working bank account, to protect your payments for mortgage etc. I thought I also saw a way to pay via credit card that attracts a cash payment charge; not sure if that's protected. Check your CC provider. Ultimately, if the banks want you to be using transfer, they need to make it much less risky.
tauzero, Posted June 9, 2023:
1 hour ago, Lozz196 said: Sadly with the way things are going good old fashioned cash on collection is often the safest way.
Especially with mail order brides.
Skinnyman, Posted June 9, 2023:
7 hours ago, Downunderwonder said: How is a quantum computer any different from what we use today aside from being faster?
Current encryption technology relies on it taking so long to try and break the encryption that it's not a practical approach. The promise of quantum computers is that, among other things, they will be orders of magnitude faster, making it practical to try many different key combinations. There seem to be legitimate concerns that the encryption approaches we use today will no longer protect the things we want protected.
paul_c2, Posted June 9, 2023:
26 minutes ago, Skinnyman said: Current encryption technology relies on it taking so long to try and break the encryption that it's not a practical approach. The promise of quantum computers is that, among other things, they will be orders of magnitude faster, making it practical to try many different key combinations. There seem to be legitimate concerns that the encryption approaches we use today will no longer protect the things we want protected.
But (I think) the argument goes that as computers get more powerful, the encryption can be done quicker and it's a linear increase, for an exponential increase in decrypting time required. So, so long as encryption also keeps up with computer hardware development (and things like companies' stores of personal information are updated with better encryption at rest, rather than sitting idle on ageing systems), then the increase in hardware performance is actually a benefit to security. In 99.9% of these data breach etc. cases you hear about on the news, once the root cause analysis is done, it's always something a bit stupid or lackadaisical that an employee has done, like ignoring or not planning for the need to update software, leaving a backdoor open, leaving a connection open, etc. So it's a human problem, not a computer problem really.
tauzero, Posted June 9, 2023:
49 minutes ago, Skinnyman said: Current encryption technology relies on it taking so long to try and break the encryption that it's not a practical approach. The promise of quantum computers is that, among other things, they will be orders of magnitude faster, making it practical to try many different key combinations. There seem to be legitimate concerns that the encryption approaches we use today will no longer protect the things we want protected.
This still requires that the hacker can get hold of the file of password hashes.
paul_c2, Posted June 9, 2023:
26 minutes ago, tauzero said: This still requires that the hacker can get hold of the file of password hashes.
Yes, a good secure system will have "defence in depth": it will have many layers, all of which alone ought to be impenetrable. For example, the building itself will have secure access, then the individual rooms where the servers are will each need further access, then the computers themselves are locked, CCTV, no network ports left open, maybe even cabinets locked, etc. And for remote attacks, a similar bunch of layers, e.g. a firewall with tightly-formed rules, then the database is secured so that only certain accounts have access, then data has encryption at rest, etc. And all the relevant systems are kept up to date. I believe it's now possible to have monitoring software sufficiently intelligent to sense when unusual activity occurs, for example an employee copies a large database file, or puts it onto a USB stick, or similar.
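The kind of monitoring the post above describes (flagging an employee who copies a large or sensitive file to a USB stick) reduces to a few rules over a file-access audit trail. The script below is an added example, not code from anyone in the thread or from any product: the audit-log format, the paths, the device names and the byte thresholds are all assumptions made here, and the log lines are constructed for the demonstration. It keeps the "sanctioned" copy of the customer database to the backup share quiet while raising alerts on the copies to removable media, and adds a cumulative per-user volume rule so that several smaller copies do not slip under the single-file threshold.

```python
"""Toy detector for the scenario above: a user copying a large or sensitive file
to removable media.  Added example, not code from anyone in the thread; the log
format, paths, device names and thresholds are assumptions made up here."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed audit log: timestamp, user, action, source path, bytes, destination.
SAMPLE_LOG = """\
2023-06-09T08:02:11 alice read /srv/crm/reports/q1.pdf 412000 local
2023-06-09T08:15:40 alice copy /srv/crm/customers.db 5200000000 /media/usb0/
2023-06-09T09:01:05 bob read /home/bob/notes.txt 2048 local
2023-06-09T09:30:00 bob copy /srv/crm/customers.db 5200000000 /srv/backup/nightly/
2023-06-09T10:12:33 carol copy /home/carol/photos.zip 1500000000 /media/usb1/
2023-06-09T11:45:19 alice copy /srv/crm/orders.db 3100000000 /media/usb0/
"""

LARGE_FILE_BYTES = 1_000_000_000          # a single copy this big is "large" (assumed)
DAILY_REMOVABLE_BYTES = 5_000_000_000     # per-user volume to removable media (assumed)
REMOVABLE_PREFIXES = ("/media/", "/mnt/usb")   # where removable drives mount (assumed)
SENSITIVE_PREFIXES = ("/srv/crm/",)            # where the customer database lives (assumed)


@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str


def parse_log(text: str) -> List[Dict[str, Any]]:
    """Turn the whitespace-separated audit lines into event dicts."""
    events: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path, size, dest = line.split()
        events.append({"ts": ts, "user": user, "action": action,
                       "path": path, "bytes": int(size), "dest": dest})
    return events


def detect(events: List[Dict[str, Any]]) -> List[Alert]:
    """Apply three rules: sensitive path to removable media, large file to removable
    media, and cumulative per-user volume to removable media within the log window."""
    alerts: List[Alert] = []
    removable_total: Dict[str, int] = defaultdict(int)
    for e in events:
        if e["action"] != "copy" or not e["dest"].startswith(REMOVABLE_PREFIXES):
            # Reads, and copies to sanctioned destinations such as the backup share,
            # are expected and stay quiet.
            continue
        removable_total[e["user"]] += e["bytes"]
        if e["path"].startswith(SENSITIVE_PREFIXES):
            alerts.append(Alert(e["user"], "sensitive_to_removable",
                                f"{e['path']} -> {e['dest']}"))
        elif e["bytes"] >= LARGE_FILE_BYTES:
            alerts.append(Alert(e["user"], "large_to_removable",
                                f"{e['path']} ({e['bytes']} bytes) -> {e['dest']}"))
    for user, total in removable_total.items():
        if total >= DAILY_REMOVABLE_BYTES:
            alerts.append(Alert(user, "removable_volume", f"{total} bytes in the window"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"{alert.user:6s} {alert.rule:24s} {alert.detail}")
```

On the constructed log this raises two "sensitive_to_removable" alerts and one "removable_volume" alert for alice, one "large_to_removable" alert for carol, and nothing for bob, whose copy of the same database went to the backup share. In a real deployment the thresholds would come from each user's own baseline rather than fixed constants, and the source of the events would be the OS audit subsystem or an EDR agent rather than a text file.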
Stub Mandrel, Posted June 10, 2023:
On 09/06/2023 at 17:21, paul_c2 said: Yes, a good secure system will have "defence in depth" - it will have many layers, all of which alone, ought to be impenetrable. For example, the building itself will have secure access, then the individual rooms where the servers are will each have further access needed, then the computers themselves are locked, CCTV, no network ports left open, maybe even cabinets locked, etc. And for remote attacks, a similar bunch of layers eg a firewall with tightly-formed rules, then the database is secured to only certain accounts to have access, then data has encryption at rest, etc. And all the relevant systems are kept up-to-date. I believe its now possible to have monitoring software sufficiently intelligent to sense when unusual activity occurs, for example an employee copies a large database file, or puts it onto a USB stick, or similar.
I have anti-ransomware protection. It gives a warning if I start copying a disk to a new backup.
paul_c2, Posted June 10, 2023: It was more in a corporate setting I was thinking of. Many of the breaches historically can trace their origin to a disgruntled employee with some high-level security access making a copy of some important database or two, then either putting it onto a CD-R, DVD-R or USB key, or emailing or otherwise transferring it off premises. Many companies now have robust procedures for denying access AFTER an employee has left; a few pro-actively monitored what they were doing before they left (i.e., everyone....) and guarded against this type of scenario, which is otherwise quite hard to manage. I know Bank of America used to use desktop PCs WITHOUT a CD-R drive, when pretty much every other computer had one. The IT guys had to remove the drives, then fit the blanking plate (which, ironically, cost more than the drive itself). And they were HP desktops with a BIOS password and a case lock, which was always fun to get around with a dead one.
prowla, Posted June 10, 2023:
3 hours ago, paul_c2 said: It was more in a corporate setting I was thinking of. Many of the breaches historically, can trace their origin to a disgruntled employee with some high-level security access making a copy of some important database or two, then either putting it onto a CD-R, DVD-R, USB key or emailing or otherwise transferring it off premises. Many companies now have robust procedures for denying access AFTER an employee has left, a few pro-actively monitored what they were doing before they left (ie, everyone....) and guarded against this type of scenario - which is otherwise quite hard to manage. I know Bank of America used to use desktop PCs WITHOUT a CD-R drive, when pretty much every other computer had one. The IT guys had to remove the drives, then fit the blanking plate (which ironically, cost more than the drive itself). And they were HP desktops with a BIOS password and a case lock, which was always fun to get around with a dead one.
I once worked for a company which had an employee sell customer details (it made the news); all of the contract staff were marched off site.