top | item 44100911

(no title)

Those on HN are considered extremely tech-savvy and security aware and yet we are still concerned about our accounts getting compromised like this. What can a random user like our moms or siblings do? They won't even notice these kind of attack.

It is such a pathetic state of affair where massive leaks like these are expected. I contend this is a result of lax regulation and lack of consequences. In healthcare, patient data are locked down so hard even people who need to work with them have problems getting to them. It is because of regulations. Everything is traceable, recorded, and maintained to the strictest standards possible. It costs a huge amount of money but as a result, we don't see many serious breaches.

Compared it to fintech and regular tech services, these guys make fuckton of profits and yet suffer almost no regulations. What a joke.

discuss

const_cast|9 months ago

> What can a random user like our moms or siblings do?

Install a password manager. It's the perfect piece of software. It's not only so much more secure, but it's just a more pleasant experience in every single way. It's very rare that the secure option is more convenient.

exiguus|9 months ago

Maybe they can't. But actually, you can install them a password manager and let them generate random password. Setup with them 2fa (FreeOTP or something). And change with them every password when you are at home for chrismas.

Also, when they now found themself on have i been powned, they have a bigger problem, because they have likely malware on the phone or computer.

charcircuit|9 months ago

Biometric authentication / passkeys / other forms of authentication which are not phishable and are backed by a random key.

Then proper OS security is needed to protect authentication tokens from being stolen by malware.

tialaramex|9 months ago

> What can a random user like our moms or siblings do?

Security Keys. Your mother and siblings have seen keys before right? They can understand the metaphor and use it. Several of the accounts listed, such as Google and Facebook allow Security Keys.

Bad guys can't steal the credentials out of Security Keys the way they'd steal say passwords or a TOTP code, they would need to physically obtain access to the keys, your mother and siblings almost certainly don't face adversaries who'll break into their homes or hold them at gunpoint, just ordinary online automated attacks.

galaxytachyon|9 months ago

You seriously overestimate the average user. There is a reason why 123456 is still a common password. I would not expect a grandma to know how to put a key on her phone and use it reliably.

And my main argument is that corporations can do better. We should not put the burden on the common folks when the ones who are in the positions to do something are not pulling their weight. Sure, this will reduce their profit, and probably their share prices, and as a result, dev's compensation. Maybe that is the hardest part to argue through.

ghusto|9 months ago

Legit question from someone who both wants their mum to stop getting hacked, and is not sure Security Keys are a good idea: What happens when they lose their phone?

My limited understanding is that the key is on their phone (let's say it's a Google key, on an Android phone). When their phone gets lost, stolen, or breaks, are they screwed? This worries me because the chances of the phone being lost is high.

mschuster91|9 months ago

> Security Keys. Your mother and siblings have seen keys before right? They can understand the metaphor and use it. Several of the accounts listed, such as Google and Facebook allow Security Keys.

The problem with these is, they can get lost, stolen, damaged or misplaced. With a physical key to the home, no problem - call up a locksmith and if you don't have an ID card also the police, he'll drill out the lock and you can enter your home back.

Google, Facebook, whatever - good luck trying to get into touch with a human to reset your "security key".

jsnell|9 months ago

What regulation are you proposing? Forcing all computers to be locked down so hard that users can't install malware?

6510|9 months ago

We would have to go outside to find dopamine. It wouldn't be safe. People would die.

edit:

I remember thinking in the 90's that it was weird as hell that the operating system sits in the same folder tree as the users documents, applications live there too! What a concept? Like keeping your socks in the same drawer as your bills and plumbing tools. Spare tire in the kitchen. Lawn mower under the bed.

galaxytachyon|9 months ago

Maybe we can start with heavy penalties for whoever responsible for these breaches? The users are irresponsible, but at the higher levels, the company can afford to tighten access and guard their data better.

Would these companies leak their own business critical documents? No. So why can't they be forced to treat sensitive customer's data the same way?

dogmatism|9 months ago

wait what?

CHS lost millions of records, was fined a few million (out of profit of 1.2 billion) UCLA similar. Bunch of others I don't think even got fined like Ascension recently lost all data in a ransomware attack

It's useful going after a rogue employee, but on an org level it's security theater

throw10920|9 months ago

> In healthcare, patient data are locked down so hard even people who need to work with them have problems getting to them. It is because of regulations. Everything is traceable, recorded, and maintained to the strictest standards possible. It costs a huge amount of money but as a result, we don't see many serious breaches.

...and one of the side-effects is that it contributes to the insane price of healthcare.

Effective regulation, like security, is about finding the sweet spot between security and efficiency. It's extremely easy to turn off your brain and say that nobody has access to the data (which makes it perfectly secure/private) - but obviously that's an insane approach. It's hard, but extremely important, to actually maximize the security-efficiency product.

PII should not have the regulations that are currently applied to healthcare/PHI - it'd massively increase the costs (both financial, and worker/individual productivity) of doing everything. It needs a better regulation model that is designed to maximize the security-efficiency product.

Most likely, the best model is one that focuses more on outcomes (huge penalties for leaking PII, along with a few things like chain of custody for user data (which I don't think that even HIPAA does) - not to exclude regulation of process of course) than processes (HIPAA describing in excruciating and unnecessary detail all of the ways that you have to process PHI - which include RESTRICTING THE WAYS THAT I CAN MANAGE MY OWN HEALTH DATA).

galaxytachyon|9 months ago

The cost of healthcare is unlikely due to data management cost. That is almost an absurd comment.

The cost to develop a drug is in the billions. Manufacturing costs are in the tens to hundreds of millions. Locking down some server and implement better security would be a drop in a bucket.

And even if it was more expensive, the biggest pharma megacorps are a fraction of the size of the like of tech megacorps. If the chumps down the street can do it as a side job, why can't the big boys whose entire business is supposedly about data and software can't do better?