We’ve been hit recently with credential stuffing attacks and several others.
Our favorite scam was when we were dealing with our ISP to resolve one issue, my spouse googled customer service and called them. But it wasn’t them. They talked to her and asked for her account ID, then said they were sending a password reset code to her phone, which indeed came from the legit ISP. They asked her to tell them the code - that was the problem. On their end they were typing the stuff in. That’s why the reset messages say “don’t tell anyone the code”. We reached out to the ISP (correctly) and they said they would go after the phone number on Google.
The bigger issue for us was some old passwords. Given the massive breaches lately, everyone has to up their password game. This is where we are heading:
- Long passphrases instead of short weird passwords, since anything longer than ~15 characters can’t be cracked in a reasonable amount of time. Phrases make them easier to remember.
- Zero password reuse, so moving to a password manager.
- Multi-factor authentication everywhere.
- Reading up on passkeys and other ways to encrypt.
The MFA is the hard part. Some sites don’t offer it (dropped Twitter because 1) it’s gross and 2) they wanted me to pay for it). Other sites only use SMS. I’d like to move to authenticator apps instead so they can’t spoof my cell. I was encouraged to see Google Gmail has changed its policy recently to allow easier MFA.
Any advice on authenticators and encryption?