Ask HN: What's a security risk you think people should be more aware of?

16 points by Yawrehto ↗ HN
Here's mine: QR codes. They're a terrible idea, especially when there's no URL attached. They remove someone's ability to verify that yes, this is the correct site, and are easy to bypass - a scammer can literally just put a different QR code over the intended one, and ta-da! Done.

20 comments

[ 3.2 ms ] story [ 65.8 ms ] thread
(comment deleted)
The camera app shows you what URL the QR code is going to before you click it.

I don't think it's really much of a risk because an attacker has to not only go to a physical location and replace the QR code, but they need to make some kind of replacement website that looks genuine to fool someone.

It's actually harder to pull off than a credit card skimmer.

Example: QR codes at a restaurant, I need to put the QR codes on every single menu (how am I going to do that discreetly without visiting the restaurant multiple times?) and then I also have to create a functioning website that mimics the restaurant's website. And then what happens when the customer doesn't get any food when the order via QR code and the server doesn't see any order being placed? Everyone involved would be immediately suspicious.

First of all, yes, restaurants would be a bit harder than typical. Second of all, I was thinking more along the lines of gas stations, where the QR codes can be applied in one visit and it could be as simple as having them fill out data and then redirecting them to the correct website. I doubt that gas station employees are regularly checking and ensuring the QR codes are accurate.

And given the fairly muted, simple, design of many websites that require you to enter financial data, and the lack of information on what it should look like, then it would be relatively easy to create a website that mimics the correct website.

[flagged]
(comment deleted)
Boring one, but if you get a work email with bank account details be suspicious. Maybe book a face call before using such details and confirm them.
Now I have to unfortunately inform you that some company got scammed via AI video of some high level executing demanding money be transfered.
Posting on social media that you are out-of-town. Nothing more than a "my house is empty and you should steal all my stuff" advertisement.
on big festivities like new years i always leave one light on because burglars probably expect a lot of people to leave their house.
another trick, leave a "wireless" running too.
Your mobile provider stores your location data for 1 (Verizon), 2 (Tmobile), or 7 (AT&T) years. Tower dumps long term, granular advanced timing/ranging to within meters for ~90 days.

Don’t think too fondly of Verizon’s short retention schedule though, they sell your location to data brokers.

Ambient Authority... it's the computer equivalent of giving the full electrical grid, unrestricted in any way, to every single outlet in your house. No fuses, circuit breakers, or other protection.

Yet this is the underlying design that Linux, Windows, MacOS are all based on.

We have ways to default to NO authority, and still make computers just as easy to use, but we don't do it. Because it would require reconfiguring everything, and porting a lot of code to new OSs.

Physical security, specifically encryption and backups for after an incident occurs.
Even if there were a URL attached, then the scammer would just ensure that their (different) URL is attached to the different QR code they are putting over the intended one, so that doesn't solve anything.

I do rather agree that using QR codes from untrusted sources is not a smart way of entering URLs. It makes sense for wifi codes or payloads _within_ some trusted app, but as a way of hitting whatever URL someone has obfuscated into an unverifiable QR code... not so much.

I’ll go with the obvious: scam phone calls and “your computer is borked, call 1-800-PAY-SCAMMER to fix it”.

There are a lot more boomer generation people out there that fall for this every day than complicated or highly technical scams. There should be PSA’s shown during Jeopardy! and Wheel Of Fortune commercial breaks that simply state: “The IRS will never call you. Neither will the USPS. Microsoft won’t either. They won’t text either. If you get something that says your computer is hacked and to call that is also a SCAM. Turn it off immediately and take it to a local professional.”

Edit to add: I know all of us in here will end up being the “local professional”, be nice and help the elderly.

I always follow the more general adage of “never provide information to people who reach out to you”; call back to a known-good number before handing over info.

I do feel like a PSA would be a good measure; we lose enough to fraud that it may pay for itself. I don’t think we’ll see one, though. That would be a tacit admission that the government has completely lost control of a key communication technology.

Physical security: On MacOS, there's several network and disk level protections built in to the OS. But nothing stops someone from walking up and punching you in the face and taking your $3000 laptop.

On Linux this is less of an issue. They'll usually come back after a few hours asking for help with a driver.

As many have said, definitely physical security. Especially when shopping in stores.

"Do you have rewards?"

"Oh, yes. My number is 555-555-5555", the customer blurts out loud while there's 10 people behind them.

I imagined the person walking out and getting hit with a "Thank you for shopping at Macys. Here's $500 on us!" text message. I think most would definitely fall for this, especially if they just left the store.

People not locking their computers before they leave their desks also drives me crazy.

People who share their screen over a zoom call and have a desktop cluttered with documents with insightful names, open tabs in browsers, or messenger applications open when switching windows.

I’ve even seen this in screen recordings that are permanently published on Video platforms.

It’s a gold mine for social engineering attacks.