One chestnut from my history in lottery game development:

While our security staff was incredibly tight and did a generally good job, oftentimes levels of paranoia were off the charts.

Once they went around hot gluing shut all of the “unnecessary” USB ports in our PCs under the premise of mitigating data theft via thumb drive, while ignoring that we were all Internet-connected and VPNs are a thing, also that every machine had a RW optical drive.

  • neveraskedforthis@lemmy.world
    link
    fedilink
    arrow-up
    151
    ·
    1 year ago

    Banned open source software because of security concerns. For password management they require LastPass or that we write them down in a book that we keep on ourselves at all times. Worth noting that this policy change was a few months ago. After the giant breach.

    And for extra absurdity: MFA via SMS only.

    I wish I was making this up.

    • JackGreenEarth@lemm.ee
      link
      fedilink
      arrow-up
      88
      arrow-down
      2
      ·
      1 year ago

      Banning open source because of security concerns is the opposite of what they should be doing if they care about security. You can’t vet proprietary software.

      • DKP@lemmy.world
        link
        fedilink
        English
        arrow-up
        38
        ·
        1 year ago

        It’s not about security, it’s about liability. You can’t sue OSS to get shareholders off your back.

    • JigglySackles@lemmy.world
      link
      fedilink
      arrow-up
      16
      ·
      1 year ago

      I tried so hard to steer my last company away from SMS MFA. CTO basically flat out said, “As long as I’m here SMS MFA will always be an option.”

      Alright, smarmy dumbass. I dream of the day when they get breached because of SMS.

      • Aceticon@lemmy.world
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        If I remember it correctly, in GSM it’s perfectly possibly to spoof a phone number to receive the SMS using the roaming part of the protocol.

        The thing was designed to be decently safe, not to be highly secure.

    • Hobart_the_GoKart@lemm.ee
      link
      fedilink
      arrow-up
      16
      arrow-down
      1
      ·
      1 year ago

      Care to elaborate “MFA via SMS only”? I’m not in tech and know MFA through text is widely used. Or do you mean alternatives like Microsoft Authenticator or YubiKey? Thanks!

      • Funwayguy@lemmy.world
        link
        fedilink
        arrow-up
        37
        arrow-down
        1
        ·
        1 year ago

        Through a low tech social engineering attack referred to as SIM Jacking, an attacker can have your number moved to their SIM card, redirecting all SMS 2FA codes effectively making the whole thing useless as a security measure. Despite this, companies still implement it out of both laziness and to collect phone numbers (which is often why SMS MFA is forced)

      • Appoxo@lemmy.dbzer0.com
        link
        fedilink
        arrow-up
        12
        ·
        1 year ago

        Sim swap is quite easy if you are convincing enough for support at an ISP doing phone plans.
        Now imagine if I sim-swapped your 2FA codes :)

        Exactly this. Instead you should use a phone app like Aegis or proprietary solutions like MS Authenticator to MFA your access because it’s encrypted.