• firefox heads up

    From Bit Twister@2:250/1 to All on Fri Apr 1 22:15:41 2022
    firefox heads up

    I run with the latest release of firefox from
    https://www.mozilla.org/en-US/firefox/new/?scene=2#download-fx


    Every time I install a new release my bank indicates it does not
    recognize my device and requires a one time code and my password to
    log into my account. Thereafter I only have to use my id/pw.

    Since it seemed to only happen on major releases, I created a user.ps with

    user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:200.0) Gecko/20100101 Firefox/200.0");

    to set version at 200.0; after doing that bank did not send me through the
    one time code screens. Lo and behold after firefox-98.0.2.tar.bz2
    install I had to go through the one time code logic on all logins.

    Helpless Desk droid indicated fix was to clear/delete cookies or use a
    different browser. It did not faze the droid that I had cookies deleted
    upon log out.

    Installed chromium-browser, bank sent me through one time code and all
    logins thereafter without going through one time code logic.

    I went back to firefox and still had to go through the one time logic on
    every login.

    Just for fun and 30+ logins later screwing with using user.ps I decided
    to delete the ~mozilla/firefox directory and Wa La the bank site no longer required the one time code after the first firefox login.

    Moral of this story is using one default profile directory can lead to
    odd problems with some sites.


    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From TJ@2:250/1 to All on Sat Apr 2 13:28:06 2022
    On 4/1/22 17:15, Bit Twister wrote:
    firefox heads up

    I run with the latest release of firefox from
    https://www.mozilla.org/en-US/firefox/new/?scene=2#download-fx


    Every time I install a new release my bank indicates it does not
    recognize my device and requires a one time code and my password to
    log into my account. Thereafter I only have to use my id/pw.

    Since it seemed to only happen on major releases, I created a user.ps with

    user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:200.0) Gecko/20100101 Firefox/200.0");

    to set version at 200.0; after doing that bank did not send me through the one time code screens. Lo and behold after firefox-98.0.2.tar.bz2
    install I had to go through the one time code logic on all logins.

    Helpless Desk droid indicated fix was to clear/delete cookies or use a
    different browser. It did not faze the droid that I had cookies deleted
    upon log out.

    Installed chromium-browser, bank sent me through one time code and all
    logins thereafter without going through one time code logic.

    I went back to firefox and still had to go through the one time logic on every login.

    Just for fun and 30+ logins later screwing with using user.ps I decided
    to delete the ~mozilla/firefox directory and Wa La the bank site no longer required the one time code after the first firefox login.

    Moral of this story is using one default profile directory can lead to
    odd problems with some sites.

    Interesting. In general, I use the ESR version of Firefox from Mageia,
    but have also used the latest release when sites don't recognize the ESR
    as up-to-date, even when it is. Firefox requires different profiles for
    each.

    For some time, I'd say the last two years or so, my bank has required
    password and one-time passcode (or security question) before it will log
    me in - every single time.

    When I asked people who know more about this sort of thing than I do, I
    was told that I should be happy that the bank was requiring that extra
    level of identity security before allowing access to my accounts. At
    least one person indicated he wouldn't stay with a bank that allowed
    just password-based authentication.

    So, I just get along with it.

    Knowing your published feelings about security, I'm surprised you don't welcome that extra layer of protection, as well. Even though it's really annoying.

    TJ

    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Bit Twister@2:250/1 to All on Sat Apr 2 21:34:07 2022
    On Sat, 2 Apr 2022 08:28:06 -0400, TJ wrote:
    On 4/1/22 17:15, Bit Twister wrote:
    firefox heads up

    I run with the latest release of firefox from
    https://www.mozilla.org/en-US/firefox/new/?scene=2#download-fx


    Every time I install a new release my bank indicates it does not
    recognize my device and requires a one time code and my password to
    log into my account. Thereafter I only have to use my id/pw.

    Since it seemed to only happen on major releases, I created a user.ps with
    user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:200.0) Gecko/20100101 Firefox/200.0");

    to set version at 200.0; after doing that bank did not send me through the
    one time code screens. Lo and behold after firefox-98.0.2.tar.bz2
    install I had to go through the one time code logic on all logins.

    Helpless Desk droid indicated fix was to clear/delete cookies or use a
    different browser. It did not faze the droid that I had cookies deleted
    upon log out.

    Installed chromium-browser, bank sent me through one time code and all
    logins thereafter without going through one time code logic.

    I went back to firefox and still had to go through the one time logic on
    every login.

    Just for fun and 30+ logins later screwing with using user.ps I decided
    to delete the ~mozilla/firefox directory and Wa La the bank site no longer
    required the one time code after the first firefox login.

    Moral of this story is using one default profile directory can lead to
    odd problems with some sites.

    Interesting. In general, I use the ESR version of Firefox from Mageia,
    but have also used the latest release when sites don't recognize the ESR
    as up-to-date, even when it is. Firefox requires different profiles for
    each.

    Sounds like you might want to try the user.ps trick/kludge :)

    For some time, I'd say the last two years or so, my bank has required
    password and one-time passcode (or security question) before it will log
    me in - every single time.

    When I asked people who know more about this sort of thing than I do, I
    was told that I should be happy that the bank was requiring that extra
    level of identity security before allowing access to my accounts. At
    least one person indicated he wouldn't stay with a bank that allowed
    just password-based authentication.

    So, I just get along with it.

    Knowing your published feelings about security, I'm surprised you don't welcome that extra layer of protection, as well.

    I am not that sure it is that more secure. Current setup is a separate Linux account, that aborts if browser is running on my system telling me to
    close them. Then launch browser with my index.html with the https link to
    bank. I am running my own DNS server instead of using router/isp DNS server. With this setup I would assume only way to catch id/pw would be on bank
    web site or malware in router. Upon logout I tar in a pristine browser
    setup and check for new directories/files.

    I have set "above 10 cent" change alarms on my accounts to email me any
    change so I have a chance to stop any bogus charges. I also get an email
    about the success code authorization. Bank id is not my name and pw
    is random Alpha numeric and special chars over 10 characters long.

    I have hourly cron job checking for new logins.

    I have the Advanced Intrusion Detection Environment (aide rpm)
    installed to warn of any file changes.

    Even though it's really annoying.

    Really Annoying is very true. Recent change on bank site no longer provides email code delivery, just phone. Covid has caused organ and very mild brain damage.
    Mild stroke earlier this year has affected my coordination.

    Had to practice writing my name just to get a semblance of my previous signature let alone numbers. The computer voice giving me the
    code spits out the numbers, two at a time, faster than I can write them down. Two at a time means _very_ slight pause between every two digits.

    I have to remember the last four of eight to complete writing down code number. I never had a good, short time memory to start with.

    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
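
    Added example (not part of the thread and not Bit Twister's own script): one way to do the "abort if a browser is running", "tar in a pristine browser setup" and "check for new directories/files" steps described in the post above. The function names and the tarball and profile paths are assumptions.

```shell
#!/bin/sh
# Added example: function names and paths are hypothetical, not from the thread.
# The baseline is assumed to have been made with:
#   tar -C "$profile" -cf "$tarball" .
# Usage sketch (placeholder paths):
#   browser_running firefox && { echo "close your browsers first" >&2; exit 1; }
#   ... banking session ...
#   new_since_baseline "$HOME/pristine.tar" "$HOME/.mozilla/firefox"
#   restore_pristine   "$HOME/pristine.tar" "$HOME/.mozilla/firefox"

# Succeeds if a process with exactly this name is running.
browser_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# Print every path under the profile directory that is absent from the
# pristine tarball, one per line, relative to the profile root.
new_since_baseline() {
    tarball=$1; profile=$2
    base=$(mktemp) && cur=$(mktemp) || return 2
    # Normalise both listings: drop the leading "./" and trailing "/".
    tar -tf "$tarball" \
        | sed -e 's|^\./||' -e 's|/$||' -e '/^$/d' \
        | LC_ALL=C sort -u > "$base"
    (cd "$profile" && find . | sed -e 's|^\./||' -e '/^\.$/d') \
        | LC_ALL=C sort -u > "$cur"
    # comm -13 keeps lines that appear only in the second (current) listing.
    LC_ALL=C comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

# Throw the used profile away and unpack the pristine copy in its place.
restore_pristine() {
    tarball=$1; profile=$2
    [ -n "$profile" ] && [ -f "$tarball" ] || return 2
    rm -rf "$profile" && mkdir -p "$profile" && tar -xf "$tarball" -C "$profile"
}
```

    This reports added paths only; changes to files that already exist in the baseline are the job of a tool such as the aide package mentioned in the post.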
  • From faeychild@2:250/1 to All on Sat Apr 2 22:57:24 2022
    On 3/4/22 06:34, Bit Twister wrote:

    I have to remember the last four of eight to complete writing down code number.
    I never had a good, short time memory to start with.



    I was always very impressed by US movies whereby some one in a payphone
    booth (remember them) would ask the operator for a phone number -
    usually about 10 digits in length.
    Then ring off and dial the number from memory.
    Totally unbelievable, but it looked good

    Sorry to hear you've been ill, especially the covid
    It clearly left its mark.

    regards
    --
    faeychild
    Running plasmashell 5.20.4 on 5.15.32-desktop-1.mga8 kernel.
    Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso


    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From TJ@2:250/1 to All on Sun Apr 3 15:49:54 2022
    On 4/2/22 16:34, Bit Twister wrote:
    On Sat, 2 Apr 2022 08:28:06 -0400, TJ wrote:
    On 4/1/22 17:15, Bit Twister wrote:
    firefox heads up

    I run with the latest release of firefox from
    https://www.mozilla.org/en-US/firefox/new/?scene=2#download-fx


    Every time I install a new release my bank indicates it does not
    recognize my device and requires a one time code and my password to
    log into my account. Thereafter I only have to use my id/pw.

    Since it seemed to only happen on major releases, I created a user.ps with
    user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:200.0) Gecko/20100101 Firefox/200.0");

    to set version at 200.0; after doing that bank did not send me through the
    one time code screens. Lo and behold after firefox-98.0.2.tar.bz2
    install I had to go through the one time code logic on all logins.

    Helpless Desk droid indicated fix was to clear/delete cookies or use a
    different browser. It did not faze the droid that I had cookies deleted
    upon log out.

    Installed chromium-browser, bank sent me through one time code and all
    logins thereafter without going through one time code logic.

    I went back to firefox and still had to go through the one time logic on
    every login.

    Just for fun and 30+ logins later screwing with using user.ps I decided
    to delete the ~mozilla/firefox directory and Wa La the bank site no longer
    required the one time code after the first firefox login.

    Moral of this story is using one default profile directory can lead to
    odd problems with some sites.

    Interesting. In general, I use the ESR version of Firefox from Mageia,
    but have also used the latest release when sites don't recognize the ESR
    as up-to-date, even when it is. Firefox requires different profiles for
    each.

    Sounds like you might want to try the user.ps trick/kludge :)

    No, I'm perfectly OK with the separate profiles. I have my reasons. One
    of them, though not the only one, is that as part of QA I've always
    considered it valuable to use Mageia in a way I believe most of our less experienced users would be using it, with minimal customization. That
    way, perhaps I can see if Mageia starts slipping away from being
    relatively easy for newbies before it becomes something too difficult to
    fix.

    For some time, I'd say the last two years or so, my bank has required
    password and one-time passcode (or security question) before it will log
    me in - every single time.

    When I asked people who know more about this sort of thing than I do, I
    was told that I should be happy that the bank was requiring that extra
    level of identity security before allowing access to my accounts. At
    least one person indicated he wouldn't stay with a bank that allowed
    just password-based authentication.

    So, I just get along with it.

    Knowing your published feelings about security, I'm surprised you don't
    welcome that extra layer of protection, as well.

    I am not that sure it is that more secure. Current setup is a separate Linux account, that aborts if browser is running on my system telling me to
    close them. Then launch browser with my index.html with the https link to bank. I am running my own DNS server instead of using router/isp DNS server. With this setup I would assume only way to catch id/pw would be on bank
    web site or malware in router. Upon logout I tar in a pristine browser
    setup and check for new directories/files.

    I have set "above 10 cent" change alarms on my accounts to email me any change so I have a chance to stop any bogus charges. I also get an email about the success code authorization. Bank id is not my name and pw
    is random Alpha numeric and special chars over 10 characters long.

    I have hourly cron job checking for new logins.

    I have the Advanced Intrusion Detection Environment (aide rpm)
    installed to warn of any file changes.

    But the bank probably doesn't know about your personal setup. For all
    they know, you're like 95+% of their users, who use insecure passwords
    that are easily hacked by someone with skills that rival your own. So,
    they apply the same protocols to everyone. As, IMO, they should - for
    their own protection if nothing else.

    Personally, I would hate to see news headlines that my bank had been compromised because they gave special logon treatment to someone that
    later came back to bite them in the a$$.

    Even though it's really annoying.

    Really Annoying is very true. Recent change on bank site no longer provides email code delivery, just phone. Covid has caused organ and very mild brain damage.
    Mild stroke earlier this year has affected my coordination.

    Had to practice writing my name just to get a semblance of my previous signature let alone numbers. The computer voice giving me the
    code spits out the numbers, two at a time, faster than I can write them down. Two at a time means _very_ slight pause between every two digits.

    I have to remember the last four of eight to complete writing down code number.
    I never had a good, short time memory to start with.

    I get it, I really do. My bank offers the choice of me answering a
    "security question" or getting a phone call or text with the multi-digit passcode. I remember lying on most of the security questions to make it
    harder for others to answer them, but I never wrote the lies down and
    have since forgotten them.

    For a while, I had them call on my landline with the code. I'd type it
    in on my keypad as the disembodied female voice recited the digits. That worked, much of the time, but being a farmer and over 70, my hearing
    isn't quite what it once was, and sometimes I'd mistake one digit for
    another. When that happened I'd have to request a new code, and another
    phone call. Messy.

    So, I started having them text my cell phone with it. That works much
    better, because I can take my time and read the digits. Not as secure as
    the landline, but not as bad as it could be. The one-time passcode
    doesn't last beyond that login, of course. And I don't use my cell phone
    much, so it spends about 90% of its time powered down. That should make
    it less likely to be hacked than most.

    TJ

    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From faeychild@2:250/1 to All on Sun Apr 3 22:45:03 2022
    On 4/4/22 00:49, TJ wrote:

    I get it, I really do. My bank offers the choice of me answering a
    "security question" or getting a phone call or text with the multi-digit passcode. I remember lying on most of the security questions to make it harder for others to answer them, but I never wrote the lies down and
    have since forgotten them.

    The ultimate security :-)




    --
    faeychild
    Running plasmashell 5.20.4 on 5.15.32-desktop-1.mga8 kernel.
    Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso


    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)