Surely you've followed the 25-year saga of fake two-factor identification? This is just a refinement of that. The reusable bag of security theater.
I agree with Evan here that it’s very likely that using the QR code and installing some app is probably the hack itself and you should have a computer security person you trust look at your computer to see if you have been compromised, which seems likely to me.
Please don’t log into your banking or investment accounts with this setup until after you have confirmed that you have not been hacked.
The hacks are getting more and more sophisticated all the time, and it’s easy to fall for them because they often seem quite real.
To be clear, there is no evidence here of it all being fake in the sense of inauthentic; I'm saying the security provided is illusory.
Sorry, I misunderstood your point. But to me this looks like one of those hacks where they convince you to install software that is actually software that is hacking your computer. The way he describes what it is doing sounds very suspicious to me, especially that it isn’t named software.
> Whenever I hear about a lot of passwords being stolen by a “hacker,” I think “inside job.” I figure that it must be much easier to break into a computer system with help from someone on the inside than it is to just cleverly hack your way in.
Because most users are really bad with password re-use, there are a lot of incentives for people to figure out the "cleverly hack your way in from the outside," so I don't think this inside job thinking is quite right. Generally the path is "find a user's credentials on some system of little consequence with poor security" so that you can see if those same credentials work on important things like banking/email/online shopping.
> If someone gets hold of my computer
The authenticator app is just to make it harder for remote hackers, which can be expected to get frighteningly good in the next few years as AI becomes widely employed in the dark arts.
Device theft is a whole different can of worms.
I don't pretend to have the perfect solution to device theft but what I do is run the authenticator app on my phone and only use my laptop to access sensitive accounts. That way both phone and computer must be stolen to access my accounts. Slightly better.
But I do like the fact that the authenticator app replaces the text message 2-factor authentication, because phone numbers can be spoofed/hacked (mine was once).
Looking forward to the white-hat AI agent that will completely replace all of this rigmarole. Having an intelligent mind review every access to my sensitive accounts will make a big difference. Imagine no passwords, no 2-factor, no apps, just providing your user access code. The AI speaks through your phone and camera "Is this you trying to access"? Yes, you reply. It knows all the tricks and scams, and it knows you like a close friend.
The authenticator app is generally in addition to a password or passkey, not a replacement for them. It is for two factor authentication, a replacement for those times the website wants to text or email you an authentication code.
Yes. Normally such a site will still have to also have the password. An attacker therefore has to defeat two mechanisms with 2FA: in addition to your password, they also have to subvert your 2FA device.
I will grant that losing your personal computer is really bad from a security risk perspective, though. Either try not to do that, or else pray that your robber in physical space is no good at cyber attacks.
You can’t compare the threat of a hotel theft with website hacking the way you are. The threat models are very different. Your exposure surface at a physical site is whoever can get to your physical site. The threat model for a website is literally anyone in the world. Orders and orders of magnitude larger threat surface. That’s why online portals genuinely need two factor authentication on top of the normal internal controls you’re describing.
It’s worse than that. The abuse and over-use of KYC (know your customer) means that anytime a system with your credentials is hacked, the bad actors can very easily triangulate who you are, where you live, and a variety of other facts that you wouldn’t publish. The complete lack of respect for the concept of privacy in modern life is a massive problem. “Do you have something to hide?” Yes! How much money I have, where I live, the names of my family members, my voting record, my health condition, how I like my tea and what I think about you! Especially with government data collection - these are all massive, poorly secured honeypots for bad actors. Down with KYC, the Bank Secrecy Act (classically misnamed), and the surveillance state.
I think what was accomplished is they have freed themselves from some or all risk of being hacked to steal a password list but made it easier for you to lose security by your computer being stolen which is not their problem.
Amen, brother. I am not convinced that anyone out there is a hacker who can seamlessly enter encrypted sites. Occam's razor is goin' with your hypothesis.
Name and shame. There are good ways to do 2FA, and it is genuinely more secure than passwords alone.
The part of your rant about limited scope of permissions is a bit oversimplified. Principal-agent problems are rampant in all aspects of business, and the tradeoffs between "so locked down that we can't actually deliver value" vs "an employee mistake is costly" are very well known and not actually solved.
I plugged in the full text of Arnold’s self-described “rant” to Gemini and asked for a measured response on the validity of said rant. I suggest that Arnold should consider doing the same. It probably provided a better and more detailed response than anyone can provide here in the comments.
From my own experience, chat bots are also really good for rants or venting although I’ve never been required to download an authenticator and would never do so without verification of its legitimacy.
Long story short:
The two-hour struggle was likely due to a Desktop Authenticator. Most people use a mobile app (on their phone), which makes the "scan the QR code" part take two seconds because you just point the camera at the screen.
By trying to run the authenticator on the same device as the browser (the PC), they created a "circular" problem where the app couldn't "see" the screen it was currently on. Claude's suggestion to tile the windows was clever, but it’s a workaround for a clunky setup.
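What the QR code in the comments above actually carries, and what the site checks once the "in addition to the password" factor is set up, can be shown in a few lines. This is an added example, not code from the thread or from any particular authenticator; the otpauth:// URI, the issuer "ExampleBank", the account name and the base32 secret are all constructed for illustration, and the code generation follows RFC 4226 (HOTP) and RFC 6238 (TOTP).

```python
"""
Added example (not from the original thread): how an authenticator app turns the
enrolment QR code into six-digit codes, and how the server verifies one.
The otpauth:// URI and its secret below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: this is the text an enrolment QR code typically encodes.
# Scanning it on a second device (a phone) is just a way of copying this string.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleBank:alice%40example.com"
    "?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Extract the shared secret and parameters from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    q = parse_qs(parsed.query)
    secret_b32 = q["secret"][0].upper()
    # Base32 secrets in QR codes often omit '=' padding; restore it before decoding.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter derived from the clock (time // period)."""
    return hotp(secret, int(at_time) // period, digits, algorithm)


def verify_totp(secret, submitted, at_time, period=30, digits=6,
                algorithm="sha1", window=1):
    """
    Server-side check: accept the code for the current time step and `window`
    steps either side, to tolerate clock skew between phone and server.
    Constant-time comparison so the check does not leak which digits matched.
    """
    step = int(at_time) // period
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits, algorithm), submitted):
            return True
    return False


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_OTPAUTH_URI)
    now = time.time()
    code = totp(params["secret"], now, params["period"], params["digits"], params["algorithm"])
    print(params["label"], "current code:", code,
          "valid:", verify_totp(params["secret"], code, now))
```

Two things worth noticing: the phone and the server both hold the same secret, so the site still has a secret store to protect, and the code proves possession of that secret only within a short time window, which is what makes it harder for someone far away to reuse.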
Until hackers as a group have significant numbers of their membership publicly flogged and hanged until dead, you and I who once enjoyed the benefits of a high trust society will be made to grovel to “Claude” for our digital security.
"...it must be much easier to break into a computer system with help from someone on the inside than it is to just cleverly hack your way in." I believe that hypothesis is incorrect, but others will know better than I. Artificial intelligence is quite powerful at finding its way around computer systems, finding passwords, and the like. Quantum computers in the wrong hands could be even more effective at it. (As an important aside, someone much more knowledgeable than I am about computers told me that quantum computers and A.I. work in different ways and won't be easily combined. So, perhaps, we don't have to worry about A.I. obtaining superpowers on quantum computers.)
When I first needed a Google login, I balked. Instead of using my primary email, I created one I rarely use for anything else. Great. Except when someone sends me something linked to my primary email. I also have a Google login for that email but rarely use it. Somehow I lost my password and Google has decided it can't verify who I am (nor any of my devices) and won't even send a reset code to the email I created the login with. And it won't let me create a new account using that email.
Obviously they aren't protecting anything because I have virtually no content under that login.
"...not a computer security professional, just a disgruntled user."
Still analysed the problem better than most professionals who get paid to think about this stuff. Well done, Sir!
At this stage, with much struggle, I’ve gotten even my elderly parents on a password manager (Apple’s, though, before 1Password).
They will handle unique passwords, MFA codes, and passkeys. Nobody should be memorizing more than a few key passwords anymore (that are not reused).
On Windows I imagine Google or 1P is your best bet, whatever has good sync to your phone.
Am I the only one who doesn't get scared when there's a password theft incident? I'm no expert, so correct me if I'm wrong: If the company's computer security is halfway decent, then the passwords weren't stored in the first place (instead hashed/encrypted versions were) and they were salted on top of that. Even if they're not salted, then you should be fine if you used a strong password. Am I off-base here?
I have read of password dictionaries, where all "common" passwords are hashed, so no decryption is necessary, just a simple lookup. Download millions of passwords, look them all up; even if you only get 1% hits (ha!), that's a lot of accounts you've gained access to.
Right, but if you have a strong password, or if the stolen list of hashed passwords were salted first, do you have anything to worry about?
It’s been a long, long time since I knew about salting. How big are salts? How many variations on one hashed password would you need to cover all salting possibilities? If it’s less than, say, 256, a dictionary might still work. If it’s as big as hashes, it would be useless.
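The questions in the last few comments (does a precomputed dictionary beat an unsalted hash list, does a salt stop it, and how big a salt is) can be answered by building both kinds of password store and attacking each. This is an added example, not code from the thread; the user list, the passwords and the "common password" dictionary are constructed, and the salted store uses PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for whatever slow hash a real site would pick.

```python
"""
Added example (not from the original thread): why an unsalted hash list falls to a
precomputed dictionary, and what a per-user random salt plus a slow KDF changes.
All users, passwords and the attacker's dictionary are constructed for illustration.
"""
import hashlib
import os

# Constructed "common password" list the attacker hashes once, in advance.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou", "hunter2"]

# Constructed user table; two of the six users chose a common password.
USERS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
    "dave": "T7#vq9!Lm2@pXz",
    "erin": "WinterIsComing2024",
    "frank": "xK3$pRl!9mQ2zW",
}


def unsalted_store(users):
    """What a naive site stores: sha256(password). Same password -> same hash for everyone."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def build_lookup(dictionary):
    """Attacker precomputes hash -> password once; every later leak is a table lookup."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in dictionary}


def crack_with_lookup(leaked, lookup):
    """No hashing per account at all: index the leaked hashes into the precomputed table."""
    return {u: lookup[h] for u, h in leaked.items() if h in lookup}


def salted_store(users, salt_bytes=16, iterations=100_000):
    """
    What a halfway-decent site stores: a random per-user salt and a slow KDF.
    The salt is kept beside the hash; it is not secret, it only has to be unique.
    """
    store = {}
    for u, p in users.items():
        salt = os.urandom(salt_bytes)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        store[u] = (salt, iterations, dk)
    return store


def crack_salted(leaked, dictionary):
    """
    With per-user salts the precomputed table is useless: the attacker must redo the
    slow KDF for every (user, guess) pair. Common passwords still fall, only slower;
    strong ones are not in the dictionary at all.
    """
    found = {}
    for u, (salt, iterations, dk) in leaked.items():
        for guess in dictionary:
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations) == dk:
                found[u] = guess
                break
    return found


def precompute_cost_multiplier(salt_bytes):
    """How many separate precomputed tables one password would need to cover every salt."""
    return 2 ** (8 * salt_bytes)


if __name__ == "__main__":
    leak = unsalted_store(USERS)
    print("unsalted leak, table lookup:", crack_with_lookup(leak, build_lookup(COMMON_PASSWORDS)))
    salted = salted_store(USERS, iterations=10_000)
    print("salted leak, per-user guessing:", crack_salted(salted, COMMON_PASSWORDS))
    print("tables needed per password with a 16-byte salt:", precompute_cost_multiplier(16))
```

The two attacks recover the same two weak passwords, but the second one has to run the KDF once per user per guess instead of doing a dictionary lookup, and a 16-byte salt means 2^128 possible tables per password, far past the 256 the comment above asks about. A strong, unique password survives both; a common one survives neither.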