Re: WTF Bites (My longest running banking :wtf: to date)
-
@PleegWat Depends on the way the protocol works (binding of the MAC address for a particular route pair might work I guess) and how you're synching any state between the servers.
-
@dkf said in Re: WTF Bites (My longest running banking to date):
@boomzilla said in Re: WTF Bites (My longest running banking to date):
there are multiple systems operating behind some kind of load balancing scheme
That's great… until the load balancer itself needs maintenance.
Yeah but not having redundancy on the load balancer is a bit silly.
Which I assume means it's how things work in a lot of places.
-
@loopback0 said in Re: WTF Bites (My longest running banking to date):
@dkf said in Re: WTF Bites (My longest running banking to date):
@boomzilla said in Re: WTF Bites (My longest running banking to date):
there are multiple systems operating behind some kind of load balancing scheme
That's great… until the load balancer itself needs maintenance.
Yeah but not having redundancy on the load balancer is a bit silly.
Which I assume means it's how things work in a lot of places.
Yeah, this is way above my pay grade. I can barely spell VPN but I don't recall getting notifications about it not being available for scheduled maintenance.
-
@dkf said in Re: WTF Bites (My longest running banking to date):
That's great… until the load balancer itself needs maintenance.
Load balancing systems can be made highly available. Easily so.
-
@dkf said in Re: WTF Bites (My longest running banking to date):
Depends on the way the protocol works (binding of the MAC address for a particular route pair might work I guess) and how you're synching any state between the servers.
Why would protocol matter? You can run multiple load balancers and any piece of hardware can have a hot failover standing by. It all depends on what SLA you require and how deep your pockets are.
-
@dkf said in Re: WTF Bites (My longest running banking to date):
@PleegWat Depends on the way the protocol works (binding of the MAC address for a particular route pair might work I guess)
That's not really necessary. In general, you stick a switch in front of the active-passive doobrie (firewall, load balancer, whatever) and the doobrie forces the original active device's MAC addresses onto the original passive's interfaces. When they switch over, the new active continues using its current MAC addresses and broadcasts a gratuitous ARP request to tell the switch that the MAC address has moved. (VRRP routers use G-ARP, but ESX clusters use a similar mechanism using RARP when they migrate a VM to a new member of the cluster.)
how you're synching any state between the servers.
That's a whole other kettle of fish. For a pure load balancer (no NAT, no filtering, no IPS), if you use a static algorithm to distribute load (e.g. hashing source and destination IP/port), you don't actually need to distribute any state because there's no meaningful state to distribute.
If the load-balancer is doing NAT, filtering, IPS type stuff and so on, then yes, it needs to synchronise state, which is a black art, especially if you want it to do IPS work. (In the ideal case, you have to synchronise the full state of the IPS data (protocol state, that sort of thing) and that gets very hairy very quickly. The alternative is to provide a way for the analysis modules to recover their state from the protocol traffic, which, while it isn't as hairy, does have long stubble.)
For an actual server, the general principles are similar, although synchronising connection state becomes critical, and generally requires some special interactions between the application and the kernel to e.g. synchronise the state of TCP connections, open sockets, blah blah blah.
Why, yes, I do work for a company that makes products that can do active-passive failover IPS analysis, and NAT, and filtering. Why do you ask?
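Worked illustration of the stateless case described above (hashing source and destination IP/port so there is no state to distribute). This is an added example in Python, not code from the thread or from any vendor's product; the backend addresses and client flows are constructed sample data, and the HashRing variant goes one step beyond the post by showing why a plain modulo rule, while stateless, still reshuffles most flows when a backend disappears.

```python
"""Stateless flow distribution for an active-passive load balancer pair.

Added example, not from the thread: two balancer instances that share only
the hashing rule and the backend list make identical decisions, so a
fail-over needs no state transfer.  Addresses below are constructed.
"""
import hashlib
from bisect import bisect
from typing import List, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed sample backends (RFC 1918 space), not addresses from the thread.
BACKENDS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]


def _h64(data: bytes) -> int:
    """First 64 bits of SHA-256 as an int.  hashlib rather than hash():
    Python salts hash() per process, so two balancer processes would disagree."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def flow_key(flow: Flow) -> int:
    """Canonical key for a flow from its source/destination IP and port."""
    src_ip, src_port, dst_ip, dst_port = flow
    return _h64(f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode())


def pick_modulo(flow: Flow, backends: List[str]) -> str:
    """Simplest static rule: key mod number of backends."""
    return backends[flow_key(flow) % len(backends)]


class HashRing:
    """Consistent hashing: every backend owns many points on a ring and a flow
    goes to the first point at or after its key.  Removing one backend only
    remaps the flows that backend owned."""

    def __init__(self, backends: List[str], replicas: int = 64):
        ring = sorted((_h64(f"{b}#{i}".encode()), b)
                      for b in backends for i in range(replicas))
        self._points = [p for p, _ in ring]
        self._owners = [b for _, b in ring]

    def pick(self, flow: Flow) -> str:
        idx = bisect(self._points, flow_key(flow)) % len(self._points)
        return self._owners[idx]


def sample_flows(n: int = 1000) -> List[Flow]:
    """Constructed sample traffic: many clients to one HTTPS service."""
    return [(f"203.0.113.{i % 250 + 1}", 20000 + i, "198.51.100.10", 443)
            for i in range(n)]


def standby_agrees(flows: List[Flow], backends: List[str]) -> bool:
    """Two independently built balancers agree on every flow: nothing to sync."""
    active = HashRing(backends)
    standby = HashRing(list(backends))  # separate instance, built on its own
    return all(active.pick(f) == standby.pick(f) for f in flows)


def flows_moved(flows: List[Flow], backends: List[str], removed: str,
                consistent: bool) -> int:
    """How many flows land on a different backend once `removed` is gone."""
    after = [b for b in backends if b != removed]
    if consistent:
        before_ring, after_ring = HashRing(backends), HashRing(after)
        return sum(before_ring.pick(f) != after_ring.pick(f) for f in flows)
    return sum(pick_modulo(f, backends) != pick_modulo(f, after) for f in flows)


if __name__ == "__main__":
    flows = sample_flows()
    print("standby agrees with active:", standby_agrees(flows, BACKENDS))
    print("flows moved on backend loss, modulo:    ",
          flows_moved(flows, BACKENDS, BACKENDS[0], consistent=False))
    print("flows moved on backend loss, consistent:",
          flows_moved(flows, BACKENDS, BACKENDS[0], consistent=True))
```

Run it directly to see the counts: with four backends, losing one under the modulo rule remaps roughly three quarters of the flows (a flow stays put only when key mod 4 equals key mod 3), while the ring only remaps the flows the lost backend owned. In both cases the standby reaches the same decision as the active, which is why there is nothing to synchronise. As the post says, the moment the box also does NAT or inspection this stops being enough.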
-
@Steve_The_Cynic said in Re: WTF Bites (My longest running banking to date):
Why, yes, I do work for a company that makes products that can do active-passive failover IPS analysis, and NAT, and filtering. Why do you ask?
I wish we could have a few beers and discuss shop. This seems like it would all make for a very interesting conversation.
-
@JBert That is awesome! Security (of a bank login!) by custom font and autocorrect.
-
I believe I mentioned that I stopped using my bank's mobile app because they asked for too many permissions. I gave it another look today and I can deny permission to everything except "Nearby Devices" and it seems to still work.
Can anyone think of any reason that a banking app would need access to this? I believe that permission just allows them to scan for bluetooth devices, correct? So why would that be needed? Seems unnecessary to me.
-
@Polygeekery Access to NFC for doing pay-by-bonk?
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
So why would that be needed?
Hard-core dumbfuckery, relying on NFC to init for some kinda device ID maybe, but more likely by accident.
@error_bot !xkcd we are all very bad at our jobs
-
@Arantor said in Re: WTF Bites (My longest running banking to date):
@Polygeekery Access to NFC for doing pay-by-bonk?
That isn't an option with their mobile app, or if it is I am not aware of it. Their website mentions using Google or Apple services for that.
-
@Polygeekery then it's the usual reason - you can't spell incompetence without IT.
-
@Karla said in Re: WTF Bites (My longest running banking to date):
I use LastPass just because easier. It does 2FA and the authenticator is on a cell phone
I want a LastPass For Families that works with 2FA. I'm the techy one, my wife will go along with whatever, but when I need to update a password on a site (because it has asinine ideas about expiring, or they upgraded their crypto scheme, or whatever), I want that to automatically update both spots. For the moment, that means having just one account, and no 2FA. (And I'll confess that 2FA isn't all that convenient, and I may be trying to make up excuses to avoid doing it.)
Bonus: with only one LastPass account between us, my wife and I are each holding guns to each others' heads, as far as "running off with the money" goes! One password change, and the keys to the kingdom are gone!
-
@Arantor said in Re: WTF Bites (My longest running banking to date):
@Polygeekery Access to NFC for doing pay-by-bonk?
I too visit TDWTF to learn new technical terms.
-
@PotatoEngineer said in Re: WTF Bites (My longest running banking to date):
@Karla said in Re: WTF Bites (My longest running banking to date):
I use LastPass just because easier. It does 2FA and the authenticator is on a cell phone
I want a LastPass For Families that works with 2FA. I'm the techy one, my wife will go along with whatever, but when I need to update a password on a site (because it has asinine ideas about expiring, or they upgraded their crypto scheme, or whatever), I want that to automatically update both spots. For the moment, that means having just one account, and no 2FA. (And I'll confess that 2FA isn't all that convenient, and I may be trying to make up excuses to avoid doing it.)
Bonus: with only one LastPass account between us, my wife and I are each holding guns to each others' heads, as far as "running off with the money" goes! One password change, and the keys to the kingdom are gone!
The way I set up 2FA is complicated with my lack of mobility. I use a separate phone for the 2FA than my main phone and I don't necessarily carry the second phone.
My husband and I do share some passwords.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
Can anyone think of any reason that a banking app would need access to this?
Android permissions are a bit weird. In particular, they are fine-grained, but not that fine grained — they're for access to a chunk of API that is usually used together — and sometimes you need something odd in the permissions to get access to something else. In this case, I'm guessing they want access to an unforgeable device ID, and the one they're using is one that is usually only handed out for use with NFC? I don't know why they didn't go for the IMEI, but maybe they'd need the “make calls” permission to get that, and that'd seem even scarier to users?
I found this out when I was looking up why a different app needed a weird permission (it was so it could do an unusual kind of Bluetooth discovery for pairing with devices with an unusual profile).
-
@Gribnit said in Re: WTF Bites (My longest running banking to date):
It really is blank. And that page was strange even originally.
-
@dkf said in Re: WTF Bites (My longest running banking to date):
@Gribnit said in Re: WTF Bites (My longest running banking to date):
It really is blank. And that page was strange even originally.
At least it wasn't even the right one to begin with
-
@PotatoEngineer said in Re: WTF Bites (My longest running banking to date):
Bonus: with only one LastPass account between us, my wife and I are each holding guns to each others' heads, as far as "running off with the money" goes! One password change, and the keys to the kingdom are gone!
My wife controls the bank accounts but only I can change my direct deposit. It's division of labor. I make the money and she spends it.
-
@dkf said in Re: WTF Bites (My longest running banking to date):
I'm guessing they want access to an unforgeable device ID, and the one they're using is one that is usually only handed out for use with NFC?
I'd bet that you are correct. Good call.
-
@boomzilla said in Re: WTF Bites (My longest running banking to date):
It's division of labor. I make the money and she spends it.
When we got married, my (ex-)wife and I made an agreement. Any (non-routine) expenditure over $100 required mutual agreement. I mostly abided by that agreement. Her, not so much.
-
@Karla said in Re: WTF Bites (My longest running banking to date):
@PotatoEngineer said in Re: WTF Bites (My longest running banking to date):
@Karla said in Re: WTF Bites (My longest running banking to date):
I use LastPass just because easier. It does 2FA and the authenticator is on a cell phone
I want a LastPass For Families that works with 2FA. I'm the techy one, my wife will go along with whatever, but when I need to update a password on a site (because it has asinine ideas about expiring, or they upgraded their crypto scheme, or whatever), I want that to automatically update both spots. For the moment, that means having just one account, and no 2FA. (And I'll confess that 2FA isn't all that convenient, and I may be trying to make up excuses to avoid doing it.)
Bonus: with only one LastPass account between us, my wife and I are each holding guns to each others' heads, as far as "running off with the money" goes! One password change, and the keys to the kingdom are gone!
The way I set up 2FA is complicated with my lack of mobility. I use a separate phone for the 2FA than my main phone and I don't necessarily carry the second phone.
My husband and I do share some passwords.
I'll admit that my use-case is complicated by the fact that my family only has one full-sized computer that my wife and I share. Since we're still on the same machine that we don't bother to log out of, if we had separate LastPass accounts, we'd still be using each others' LastPass logins.
Convenience over security!
-
@HardwareGeek said in Re: WTF Bites (My longest running banking to date):
When we got married, my (ex-)wife and I made an agreement. Any (non-routine) expenditure over $100 required mutual agreement. I mostly abided by that agreement. Her, not so much.
My wife and I solved that by agreeing at the start of our marriage to always budget for "blow money".
At the time we agreed that it should be a rough percentage of each person's salary. She asked for this because at the time she was making more money than I was and blah blah blah.
Well, the tides have shifted a skosh since then and she has occasionally said something about it but I always shut it down by pointing out that I have never even come close to spending the agreed upon percentage and that I wasn't the one that wanted that stipulation anyway. I am old now. These days my "blow money" goes into investing. And cocaine.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
"blow money"
I was gonna make the obvious joke, but you're married, so...
-
@lolwhat said in Re: WTF Bites (My longest running banking to date):
I was gonna make the obvious joke, but you're married, so...
The obvious joke is:
A guy asks for a tattoo of a $100 bill on his dick. Curious, the tattoo artist asks him why he would possibly want that. He replies, "Three reasons: I like to play with my money, I like to watch my money grow, and $100 seems to be the only thing my wife will blow these days."
-
Is this the banking thread? It's either that or resurrecting an even older one (or shudder create a new thread!).
Anyway, a story of and and
:pulling_hairs:
I just registered for a conference.
Since it's a professional one, it's paid by my company. There's a nice option for that on the conference website, I can get an invoice. But that would mean sending the invoice to finance, get it approved, get the conference organisers put on whatever billing system we use internally, and mayyybe then get them paid. I did that once and it took me literally hours of my time, spread over days, and someone from finance had to come and walk me through their arcane system (which may make sense, I'm not a finance guy, but it looked like a huge mess). So yes but no. I'll pay myself, make an expense claim and that's it.
So what's the next option on the conference website? "Pay by credit card" looks great! Enter CC number, confirm... nope. At least I get an error message, but it's something like (I didn't write it down) "payment denied." Uh. I'm guessing that my bank isn't too keen on a large-ish payment in a foreign currency (at least it's USD, not ₦). I know I had issues with that in the past, especially since the website isn't using the 2FA stuff that banks are in love with nowadays.
Don't fear, I happen to have another account in another bank, that is usually much, much more accommodating with this kind of thing! So enter other CC number, confirm... nope again. With a slightly different message, which makes me wonder what's happening behind the scenes, but it's again "denied." Damn.
Moving on, next option? "Paypal," OK, I'm not a great fan, but I have an account, so let's go. I haven't used it for years so I'm scratching my head to remember the login when I see the Paypal page has an option to pay directly (without creating an account), great! Fill in everything again, submit, yay no error message, "processing..." spinner spins, page reloads and... blank page. Uh. So, did that go through? Who knows?
I spent the next half hour checking email account, bank account, conference website... it looks like it has not gone through but I don't see anything, which could mean, well, anything...
So in the end I decided that at worst I would get the double-charge refunded (I'm fairly confident the conference organisers wouldn't have any issue with that), and tried again. This time I managed to remember my Paypal account, and this time it worked, I got to pay, with 2FA message from my bank, confirmation email, the whole lot, so that one is good.
-
@Polygeekery My last job implemented "2FA". It was a code that they sent to your email address. The email address was also your username. It was also where a password reset request would get sent.
When I pointed this out, they responded that it was just to keep the corporate overlords happy :/
-
@dkf said in Re: WTF Bites (My longest running banking to date):
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
Can anyone think of any reason that a banking app would need access to this?
Android permissions are a bit weird. In particular, they are fine-grained, but not that fine grained — they're for access to a chunk of API that is usually used together — and sometimes you need something odd in the permissions to get access to something else. In this case, I'm guessing they want access to an unforgeable device ID, and the one they're using is one that is usually only handed out for use with NFC? I don't know why they didn't go for the IMEI, but maybe they'd need the “make calls” permission to get that, and that'd seem even scarier to users?
I found this out when I was looking up why a different app needed a weird permission (it was so it could do an unusual kind of Bluetooth discovery for pairing with devices with an unusual profile).
After giving @dkf's theory some thought I have since started using their mobile app because I can decline all the other permissions that they were requesting.
Today I go to use the mobile app and it requests 2FA authentication by either calling or texting a number associated with the account. I select my cell phone and request the 2FA code by text. The app hangs. At first I assume that it is waiting for a text to come in and perhaps it would read the code itself as some apps attempt to do but then no text ever comes in. I swipe to get back to the home screen and check, nothing, no texts came in. I open the app back up and it is hung. I kill it and attempt to login again. Same shit, hangs again. Third time's the charm and it allows me to login without the 2FA.
So where's the biggest ? That they implement some harebrained dumbass 2FA scheme that never sends a text and then hangs the app? Or that you can circumvent the 2FA by just having the process fail a few times?
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
So where's the biggest ? That they implement some harebrained dumbass 2FA scheme that never sends a text and then hangs the app? Or that you can circumvent the 2FA by just having the process fail a few times?
No, that is the 2FA, they figure no thief will be that persistent.
-
2 Fails, Authorize!
-
@Polygeekery so, they tried to implement 1.5FA by having the phone the app is installed on send an SMS to save on using a service for that instead, and then herpaderped the listening somehow because both pieces of code use the same resource, causing some kind of deadlock?
-
@Carnage I do not know for certain. Here is what I do know:
- The mobile banking app wants all the permissions (phone, SMS, location, address book, camera, nearby devices, files and media, etc.)
- I only allowed nearby devices (after considering what @dkf said) and camera (to facilitate mobile deposits)
- I was prompted for 2FA and attempted to do so via the text option
- The app hung
- I never received a text
- After attempting to do the 2FA twice, and restarting the app twice, I was allowed in without needing to complete 2FA
So, my guess is that the app was hanging because it was waiting to read an SMS 2FA code that never came. I am also guessing that there is something in their app that says if it fails to receive a 2FA code twice to allow a bypass. Maybe for edge cases where you might be in an area where you have wifi but no cell reception?
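A server-side sketch of how the second factor described above should behave, as an added example in Python (not the bank's code and not derived from it). The limits, state names, phone number and the FakeSMS test double are assumptions chosen for the example; replay_thread_scenario() walks through the sequence in the post (code requested twice, SMS never arrives, app restarted in between) and shows that a fail-closed verifier ends that sequence with the login still blocked.

```python
"""Fail-closed second-factor verification (added example, not the bank's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_ATTEMPTS = 5          # assumed: wrong codes allowed before the challenge locks
CODE_TTL_SECONDS = 300    # assumed: code lifetime


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    state: str = "PENDING"   # PENDING -> VERIFIED | LOCKED | EXPIRED


class SecondFactor:
    """Server-side half of an SMS one-time-code step.  The only path to
    VERIFIED is a correct code submitted in time; delivery failures, client
    restarts and retries all leave the session unverified."""

    def __init__(self, send_sms: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic):
        self._send = send_sms        # True if the carrier accepted the message
        self._clock = clock
        self._challenges: Dict[str, Challenge] = {}

    def issue(self, session_id: str, phone: str) -> str:
        """Start or restart a challenge.  A restart replaces the code and
        carries over no progress toward VERIFIED."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[session_id] = Challenge(code=code, issued_at=self._clock())
        if not self._send(phone, code):
            return "DELIVERY_FAILED"   # user is told to retry; state stays PENDING
        return "SENT"

    def verify(self, session_id: str, submitted: str) -> str:
        ch = self._challenges.get(session_id)
        if ch is None or ch.state != "PENDING":
            return "DENIED"            # nothing to verify, or already used/locked
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            ch.state = "EXPIRED"
            return "DENIED"
        ch.attempts += 1
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            ch.state = "VERIFIED"      # single use: the challenge leaves PENDING
            return "GRANTED"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.state = "LOCKED"        # too many guesses: fail closed
        return "DENIED"

    def is_verified(self, session_id: str) -> bool:
        """The login step gates on this, never on 'the client gave up waiting'."""
        ch = self._challenges.get(session_id)
        return ch is not None and ch.state == "VERIFIED"


class FakeSMS:
    """Constructed test double: optionally drops messages, records the last code."""

    def __init__(self, deliver: bool = True):
        self.deliver = deliver
        self.last_code: Optional[str] = None

    def __call__(self, phone: str, code: str) -> bool:
        if self.deliver:
            self.last_code = code
        return self.deliver


PHONE = "+15555550100"  # constructed number


def replay_thread_scenario() -> Tuple[List[str], bool]:
    """Code requested twice, never delivered, app restarted between tries."""
    sf = SecondFactor(send_sms=FakeSMS(deliver=False))
    outcomes = [sf.issue("sess-1", PHONE) for _ in range(2)]
    return outcomes, sf.is_verified("sess-1")


def happy_path() -> Tuple[str, bool]:
    sms = FakeSMS()
    sf = SecondFactor(send_sms=sms)
    sf.issue("sess-2", PHONE)
    return sf.verify("sess-2", sms.last_code), sf.is_verified("sess-2")


def lockout_then_correct_code() -> Tuple[str, bool]:
    """After MAX_ATTEMPTS wrong guesses even the right code is refused."""
    sms = FakeSMS()
    sf = SecondFactor(send_sms=sms)
    sf.issue("sess-3", PHONE)
    wrong = "000000" if sms.last_code != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        sf.verify("sess-3", wrong)
    return sf.verify("sess-3", sms.last_code), sf.is_verified("sess-3")


def expired_code() -> Tuple[str, bool]:
    """A correct code submitted after CODE_TTL_SECONDS is refused."""
    now = [1000.0]
    sms = FakeSMS()
    sf = SecondFactor(send_sms=sms, clock=lambda: now[0])
    sf.issue("sess-4", PHONE)
    now[0] += CODE_TTL_SECONDS + 1
    return sf.verify("sess-4", sms.last_code), sf.is_verified("sess-4")
```

The design point is that verification is a property of the server-side challenge, never of how many times the client gave up waiting for a text. Delivery failure keeps the challenge PENDING, a restart replaces the code without carrying progress, too many wrong guesses lock it, and a stale code expires. Whether the app can read the SMS itself (which needs the SMS permission) changes nothing, because the user can always type the code in.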
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
Maybe for edge cases where you might be in an area where you have wifi but no cell reception?
You mean like in my living room?
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
So, my guess is that the app was hanging because it was waiting to read a SMS 2FA code that never came.
Or trying to read an SMS it didn't have permission to, even if it had arrived.
-
@dkf said in Re: WTF Bites (My longest running banking to date):
You mean like in my living room?
I know those feels. Years ago we were with Verizon and were living near the center of a major metropolitan area (~1 million population) and at our home we had extremely spotty cell service. This was before carriers started implementing secondary VoIP connections when on wifi so it got annoying.
In America Verizon is generally known for having the best overall coverage and in my experience definitely has the best coverage once you get off the beaten path. When my wife and I started dating we would go to wine festivals and other stuff that were out where men are men and sheep are nervous and she was with Verizon and my service was with ATT and later Sprint. She was almost never without service and I was often dead in the water.
So then we switched to Sprint because of near lack of coverage at our home. But although Sprint has probably the best coverage in metropolitan areas their coverage in rural areas is fairly shit. We had to pick the lesser poison and we spend more time at home than traveling cunt-ry roads.
Since then we have switched to Google Fi and I have yet to go anywhere that I do not have voice service but there are lots of areas where data reception is shitty. I also discovered that they must egress all their data connections on the west coast because every fucking shopping site thinks I am in California except for those times when they think for some fucking reason that the zip code of my location is a random 4 digit number (our zip codes are 5 digits with an optional +4). In those cases they either choose a seemingly random assumed location for me or they think I am close to Belle Fourche, South Dakota or Lebanon, Kansas. The first person to guess why it chooses those locations will get a .
Yes, I know that bit of trivia is almost a gimme for lots of people but I still find it amusing.
-
@loopback0 said in Re: WTF Bites (My longest running banking to date):
Or trying to read an SMS it didn't have permission to, even if it had arrived.
I thought that I had implied that but perhaps I did so too subtly. Or I could have forgotten to imply it at all. CRS and all that.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
The first person to guess why it chooses those locations will get a .
I would guess these are either major Internet backbone locations or prime CDN-type colocation locations (or both).
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
The first person to guess why it chooses those locations will get a .
MaxMind GeoIP locations for "somewhere in North America, we don't know where" and "somewhere in the US, we don't know where", respectively.
-
@TwelveBaud said in Re: WTF Bites (My longest running banking to date):
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
The first person to guess why it chooses those locations will get a .
MaxMind GeoIP locations for "somewhere in North America, we don't know where" and "somewhere in the US, we don't know where", respectively.
No, but good guess.
-
@e4tmyl33t said in Re: WTF Bites (My longest running banking to date):
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
The first person to guess why it chooses those locations will get a .
I would guess these are either major Internet backbone locations or prime CDN-type colocation locations (or both).
No, and shitty guess.
-
Am I in the minority for knowing this trivia?
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
In those cases they either choose a seemingly random assumed location for me or they think I am close to Belle Fourche, South Dakota or Lebanon, Kansas. The first person to guess why it chooses those locations will get a .
Their profile on you says you're an insurrectionist and thus the default location is in the middle of District 13.
-
@izzion said in Re: WTF Bites (My longest running banking to date):
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
In those cases they either choose a seemingly random assumed location for me or they think I am close to Belle Fourche, South Dakota or Lebanon, Kansas. The first person to guess why it chooses those locations will get a .
Their profile on you says you're an insurrectionist and thus the default location is in the middle of District 13.
Not even close, but I give you an "E" for effort.
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
@izzion said in Re: WTF Bites (My longest running banking to date):
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
In those cases they either choose a seemingly random assumed location for me or they think I am close to Belle Fourche, South Dakota or Lebanon, Kansas. The first person to guess why it chooses those locations will get a .
Their profile on you says you're an insurrectionist and thus the default location is in the middle of District 13.
Not even close, but I give you an "E" for effort.
Can I trade the "E" for a basket of 24 rolls? Or maybe some wire I can use to short out the Hunger Dome?
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
The first person to guess why it chooses those locations will get a .
Zip code 0000 or 9999?
-
@Polygeekery said in Re: WTF Bites (My longest running banking to date):
The first person to guess why it chooses those locations will get a .
Those places are fairly close to the middle of the country (depending on if you count Alaska) — is it trying to put you in the centre of the US?