Worst thing? Someone with access to your password can now break into the associated account, and use that access to snoop or potentially permanently lock you out. E2EE data could be lost forever if they change the password and 2FA.
More likely? Unless you reuse passwords, or the associated site has been recently compromised, pretty low odds of compromise. If you suspect your 2FA has leaked, just get a new secret, easy peasy. Most reputable sites should alert you to a login on a new device, potentially giving you time to react or alerting you of snooping.
If your secret leaks without context on what site it’s associated with, then unless your name is Taylor Swift, odds of someone associating it to a site, let alone the matching password, are astronomical.
capture the generated codes and time of input in some way, then brute force hashes until they generate one that produces the correct codes at x time
Given a TOTP key is usually at least 18 characters for a 6-digit code, having only one data point sticks you with something on the order of 10^28 possible keys for a given singular code (way more if case sensitive). You’d need to be regularly intercepting TOTP codes to brute force your way to the right key, and even then it’d only be valid for a single site. At that point it probably means you’ve fully compromised the connecting device or server, at which point, why do you even need the TOTP again?
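An added example, not from this thread, that implements RFC 6238 TOTP and puts numbers on the point above: how little of a base32 secret's keyspace one observed 6-digit code rules out. It assumes the secret is stored as base32 characters (5 bits each) and uses the RFC 6238 test secret as sample input.

```python
import base64
import hashlib
import hmac
import math
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time-step counter."""
    return hotp(secret, unix_time // step, digits)


def totp_from_base32(secret_b32: str, unix_time: int) -> str:
    """Authenticator apps store the secret as base32; it is case-insensitive,
    so an 'a' and an 'A' are the same key material."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    return totp(base64.b32decode(padded), unix_time)


def keyspace_bits(base32_chars: int) -> float:
    """Each base32 character carries 5 bits, so an N-char secret has 5N bits of key."""
    return 5.0 * base32_chars


def observations_needed(base32_chars: int, digits: int = 6) -> int:
    """Lower bound on independent (code, time) observations needed to pin the key down:
    one code reveals at most log2(10^digits) bits, so divide the key's bits by that."""
    bits_per_code = math.log2(10 ** digits)
    return math.ceil(keyspace_bits(base32_chars) / bits_per_code)


def candidate_keys_after(base32_chars: int, observations: int, digits: int = 6) -> float:
    """Expected number of keys still consistent with the observed codes:
    each observation keeps roughly 1 in 10^digits of the remaining candidates."""
    return 2 ** keyspace_bits(base32_chars) / (10 ** digits) ** observations


if __name__ == "__main__":
    # RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
    print(totp_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
    print(observations_needed(18), candidate_keys_after(18, 1))
```

For the 18-character secret the comment mentions, one leaked code still leaves about 10^21 consistent keys, and at least five independent codes would be needed before the key is even information-theoretically determined.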
The bank is hoping to combine insights from its large customer base and 6 million small business customers as part of its efforts to build out its own two-sided commerce platform and bring in benefits to both business clients and banking customers.
And don’t shop at any of the 6 million small businesses that utilize Chase?
Probably for the exact same reason this backdoor was introduced. Users complain about slow feature rollouts so (unpaid) devs (maintaining software in their spare time out of the kindness of their hearts) cut corners. In some situations that looks like bringing on a second maintainer without thorough vetting, in others it looks like importing upstream packages without thorough vetting.
Don’t blame the Termux devs here, blame the community that keeps pushing them to move faster.
You don’t have to share your number to get spam messages - I get weekly spam texts for “Susan” (not my name), which I never interact with but have been coming from random numbers for years.
Once your # is on a list, whether you put it there or not, it never leaves.
I’m the only one who has ever had this phone no., but if I were to swap now, 99% chance I’d get a reused number, which would probably come already loaded on a million different spam lists. There’s no winning.
Not sure about that, maybe that’s an approach for one OS, but most of the devices I have almost exclusively hit the first DNS.
Looking right now my primary DNS has ~29k queries across 17 clients with a fairly even spread across the top 5-6, while secondary shows 2.5k queries across 7 clients, with one client alone (a Mac) representing 2k of those queries.
My understanding is the first one is the primary one, and will be used most of the time.
This depends on your OS. Many do it this way, but some (I think Windows is included here) periodically check and use the “fastest” one. I run 2 local DNS, and my Windows devices tend to represent about 99% of the queries showing up on the second DNS (which sees much lower traffic overall).
I have no idea what happens when you have 2 different blocklists though - it feels like you could open yourself up to a scenario where you only get content blocked if it’s blocked on BOTH lists, which would be the worst of both worlds in a sense.
Even car sat nav is an iffy subject. If your car has a data connection, there’s good odds that someone is harvesting that data.
For example, I’ve heard GMC happily sells OnStar data to the lowest bidder - it comes anonymized and aggregated but it’s hard to believe they aren’t collecting it in a less anonymous fashion.
Are you perhaps an LLM in disguise?