  • Patch Lady – check those extensions

    • #1860413 Reply

      Susan Bradley
      AskWoody MVP

      So the other day I upgraded my Dad’s Windows 7 computer to Windows 10.  And I totally forgot that one thing lost in the update was his start pages.  H
      [See the full post at: Patch Lady – check those extensions]

      Susan Bradley Patch Lady

      4 users thanked author for this post.
    • #1860465 Reply

      GoneToPlaid
      AskWoody Plus

      Here is what I additionally recommend:

      Some banks allow you to create a verbal password. This requires a visit to a bank branch to set up, after they have verified who you are. The idea is that, whenever you call your bank to talk to a representative in order to make any kind of changes to your bank accounts, the bank representative will ask you for your verbal password. If you don’t provide it, that is where the call ends.

      I also recommend turning on email alerts for any card purchases and for any money transfers to or from your bank accounts. Configure the email alerts for card purchases to zero dollars (or $1 if zero dollars is not allowed) so that you will receive an email alert for all card purchases or card charges.

      I also recommend not saving any banking login passwords in web browsers or in mobile devices. It is safer to have to type in the login passwords every single time.

      I also recommend using strong passwords which have additional characters other than A-Z and 1-9.

       

    • #1860688 Reply

      Michael432
      AskWoody_MVP

      I too have seen non-techies get tricked into installing malicious browser extensions. The security around extensions is miserable; many of them can see and modify every word on every web page. A compromised browser also compromises text message based 2FA.

      The safest environment for non-techies doing financial stuff is thus a Chromebook running in Guest mode where extensions are prohibited. Or, an iOS browser that likewise does not support extensions.

      Get up to speed on router security at RouterSecurity.org

      1 user thanked author for this post.
    • #1860779 Reply

      anonymous

      I don’t see what else can be done without harming legitimate users. The extensions are already locked to the Chrome webstore, where they have to be vetted. They have a special permission system for the things they can do, which they warn you about before you install. Plus, if an extension doesn’t actually need full permissions, it should be rejected by Chrome entirely.

      My parents aren’t tech savvy, so they previously would wind up with that sort of thing, but not any time recently. Not since they didn’t get automatically added by downloading some game they wanted to try. Mom can’t even figure out how to open a new window or tab, but she never runs into problems.

      I’m not sure this problem is that widespread. Maybe there’s a subset of users who need some sort of extra security, like the ability to lock out the ability to add extensions by default. Not something super secure, just something they’d have to go out of their way to undo. It could be like a parental lock system.

      I use extensions all the time, and already some proposals for the new extension model make me nervous, not providing a way to run userscripts, and limiting adblockers for “performance reasons.” I already have to be ready to jump ship to a different browser if they ever force extensions to use the next version of the API instead of the WebExtensions compatible model they use now.
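
The permission system the two posts above discuss is declared in each extension's `manifest.json`. As an added example (not part of the thread), this Python script flags manifests that request access to every site; the `<extension id>/<version>/manifest.json` folder layout is assumed, and the sample manifests are constructed.

```python
import json
from pathlib import Path

# Match patterns that grant access to page content on every site.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HOST_KEYS = ("permissions", "host_permissions",
             "optional_permissions", "optional_host_permissions")

def broad_access(manifest):
    """List the manifest entries that request access to all sites."""
    findings = []
    # Manifest V2 puts host patterns in "permissions"; V3 uses "host_permissions".
    for key in HOST_KEYS:
        for pattern in manifest.get(key, []):
            if isinstance(pattern, str) and pattern in BROAD:
                findings.append(f"{key}: {pattern}")
    # Content scripts read and modify pages on every site their patterns match.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in BROAD:
                findings.append(f"content_scripts[{i}].matches: {pattern}")
    return findings

def audit_extensions(ext_dir):
    """Scan <ext_dir>/<extension id>/<version>/manifest.json; map id -> findings."""
    report = {}
    for path in sorted(Path(ext_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        hits = broad_access(manifest) if isinstance(manifest, dict) else []
        if hits:
            report[path.parent.parent.name] = hits
    return report

# Constructed sample manifests (not real extensions).
NARROW = {"manifest_version": 3, "name": "Bank helper (sample)",
          "permissions": ["storage"],
          "host_permissions": ["https://bank.example/*"]}
BROAD_SAMPLE = {"manifest_version": 2, "name": "Start page (sample)",
                "permissions": ["tabs", "<all_urls>"],
                "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    for sample in (NARROW, BROAD_SAMPLE):
        print(sample["name"], broad_access(sample) or "no all-sites access")
```

Point `audit_extensions` at a browser profile's `Extensions` folder to get a per-extension list worth reviewing by hand.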

    • #1860839 Reply

      anonymous

      Hackers now use SIM swaps on cell phones to bypass two-step. My family just went through it. Verizon could not stop hackers from taking and swapping the SIM even though we told them not to do it. Six times Verizon let hackers take over the cell phone.

      Moderator note: Edited for content. Please read forum rules.

      • #1861035 Reply

        LHiggins
        AskWoody Plus

        So is two factor authentication not a good idea? How can one safeguard against this kind of SIM card hacking?

        • #1861047 Reply

          jabeattyauditor
          AskWoody Lounger

          So is two factor authentication not a good idea? How can one safeguard against this kind of SIM card hacking?

          SMS-based 2FA is a bad idea but there are alternatives. If your financial institution supports one of the time-code authenticators (Google Authenticator, Microsoft Authenticator, etc.) use that instead. It’s simple to install the app on your cellphone, then launch it when you need access. Key in your username, password, and then (when prompted) the code generated by the app.

          Authenticator-based access can’t easily be acquired via a SIM swap.

          1 user thanked author for this post.
    • #1861036 Reply

      anonymous

      The two step verification with cell phone is useless. Sprint gave out my SIM three times to hackers, who broke into several accounts. Plus I read an article on ZDNet that it happened to Matt as well. There is zero protection in this world from hackers. This is why my grandparents had all their money in the mattress in the basement under cement blocks. Might have to start thinking of doing the same.

      https://www.zdnet.com/article/sim-swap-horror-story-ive-lost-decades-of-data-and-google-wont-lift-a-finger/

      • #1861139 Reply

        mn–
        AskWoody Lounger

        Well, just an SMS or call without authentication really is insecure in many ways. Properly designed MFA/2FA should not rely on just SMS delivery or call being picked up.

        (SMS may take up to several days to be delivered in case of certain otherwise very simple transport-layer error conditions, too… in addition to being by design susceptible to SS7 shenanigans.)

        Now, a properly made authenticator application on a phone-type device that is reasonably secure in itself (and cannot be broken into via just SMS, call or SIM-based authentication…), that’s actually surprisingly good… still not as good as a dedicated security device but anyway.

        Oh well. Somehow I keep being surprised by how little we have in the way of actual authentication and verification in normal life…

    • #1861159 Reply

      Paul T
      AskWoody MVP

      2FA via SMS is fine if the service requires credentials, a password and an SMS. Even if your phone company stuffs up the attackers won’t have your user/pass as well. If they have then you had lost your stuff long ago.

      cheers, Paul

      • #1861200 Reply

        anonymous

        @mn-

        Oh well. Somehow I keep being surprised by how little we have in the way of actual authentication and verification in normal life…

        100% true. There is no authentication and verification in normal life. I had my credit card info stolen and hackers made purchases in Europe, Asia, and Africa without the credit card company denying the charges. I made a purchase at my local supermarket store and charges were denied. I called and spent years clearing this mess up with the credit card company. Even today I still have problems, since I had to lock down all credit card reporting agencies but hackers are still able to open credit cards with my info. There is no security anywhere.

        @paul T

        There are many “2FA” SMS options that allow password reset via cell phone, which makes them susceptible to SIM swap attacks.

    • #1861169 Reply

      jabeattyauditor
      AskWoody Lounger

      2FA via SMS is fine if the service requires credentials, a password and an SMS. Even if your phone company stuffs up the attackers won’t have your user/pass as well. If they have then you had lost your stuff long ago.

      cheers, Paul

      Unfortunately, many “2FA” SMS options allow password reset via SMS code as part of the bargain, which makes them susceptible to SIM swap attacks.

      1 user thanked author for this post.
    • #1861303 Reply

      td97402
      AskWoody Lounger

      system

      So the other day I upgraded my Dad’s Windows 7 computer to Windows 10.  And I totally forgot that one thing lost in the update was his start pages.  H
      [See the full post at: Patch Lady – check those extensions]

      Any chance your dad was using Internet Explorer with Windows 7?  Your upgrade would have buried IE and Edge probably wouldn’t have imported those home pages.

    • #1868978 Reply

      jaman57
      AskWoody Plus

      It seems under the new patch list system the Excel file for June 30 for Office/Exchange requires a password. The pdf is accessible, but not the Excel. Did I miss something?
