2FA=NFW Really?

I’m not sure why you are studying network administration and taking a cyber security class – but I can tell that all your training has been from professional network administration teachers and cyber security teachers.

The way I can tell this is because you missed the major point of the firestorm.

There are several worthwhile takeaways from this firestorm, and you got one of them: “the general public is not always happy with having to change their habits” and you danced around one of the underlying issues: “A company/individual needs to determine if they want to be more secure at the cost of being less convenient or have a greater chance of being a target.”

The point where “cyber security experts” diverge from “physical security experts” is that cyber security experts rarely (if ever) consider any sort of cost/benefit analysis.

No physical security expert (outside the US federal government) would ever advise spending $1000 for a vault to secure property worth $100, but cyber security experts frequently do the equivalent by proposing to establish a high level of security on a system with little or no value.

You are in the process of being taught all about the “best practices” for cyber security, but implementing those “best practices” frequently comes with costs far exceeding their value - those costs are not just the direct financial cost, but the human costs and the unintended consequences, as well.

For many of us there is no real reason to worry about the security of our individual accounts. How much effort should a Wyze customer put into ‘securing’ the video feed of his cat litter box or his bird feeder, or even his front porch? How much security do I need for my Wyze scale? Yes, there are some Wyze customers who are [mis]using Wyze products in ways that deserve better security than will ever be accomplished with those products. I recently saw one such customer whining in the Wyze group on Facebook and a friend of mine got in trouble for calling her a Karen.

But to get back to the missed takeaway from this firestorm: people don’t like being told they are going to be forced to do something that is at least inconvenient (and in some cases impossible) for no good reason and they especially don’t like it when the change is announced as if all decisions have been made in a vacuum when it is obvious that many factors had not been considered.

2 Likes

[quote=“peterhting, post:60, topic:240514, full:true”]
Think of 2FA as locking your car door in a bad neighborhood, as the internet is now a bad neighborhood. Once bad actors are in your car, they can drive to your home and open the garage door.
[/quote]

Completely invalid comparison.

NONSENSE! Unless you have some special knowledge that the developers behind Wyze are incompetent clowns, there is nothing that one ordinary customer can do that impacts other customers.

Yawn - Who cares?!? If someone wants to watch the view from my front porch to see when UPS drops off a package or when the mailman drops off my mail, they are welcome to watch.

3 Likes

I have only been in this class for about a week and a half but have done a bunch of computer mentorships with the poorly funded public school system here. Most of my tech skills were self-taught. I plan on going into a career that involves maintaining a network in a place of business, and what I would recommend to them depends on the size of the business. If their file server gets breached, who do you think they will blame, and who risks getting fired and losing their trust?

I do agree with you regarding the value of data over the cost to secure it. I would also like to add: if that data were to be exposed and a lawsuit were to be filed, how much cost/time would it take to settle the lawsuit vs. spending an adequate amount on protecting the customers’ data? It could make the business shut down, which has happened many times.

I agree that the best practices are almost never realistic practices. The I.T. class that I am required to take is very annoying with that. They say that when you take apart a PC you have to wear an anti-static strap, which is ridiculous.

I tend to disagree with this statement in certain situations.
For Wyze (I’m assuming in this instance), it depends on where you have your cameras facing. I would likely never put cloud-based cameras inside, as that is a highly valued bit of information for me, in my opinion, but others might not care and will expect a higher level of security over those that point outside.

In a broader sense, I think someone should care about the security of a bank account or social media, for example, as that could cause real harm. And if a company does not invest resources in data security, I would question whether I would still want to use them, depending on how much that data is worth to me.

Perhaps I expect too much from corporations as my experiences have come from government-funded avenues and depending on where I might end up that perception may change.

As noted in the example in my post above, most hackers don’t need to resort to SIM swapping or complex solutions to bypass MFA. I’d bet with the diversity of users on an app like Wyze, give me 100 emails and I’ll get account access, bypassing MFA.
You ask:

A lot, depending on what we’re talking about. However, if my security is dependent on other users, we’re all in trouble. As others mentioned, in relation to this app, it’s no big deal. While there is some limited value in accessing cams, it is dependent on a bad actor having access to a lot of information to make it worthwhile. The thieves that might benefit from it aren’t going to be doing in-depth analysis of a $30 front door cam.
The point we are making is not whether to give the ability to use MFA, but to give the user the option to decide for themselves. For this app, I’m happy with secure device-level auth that doesn’t require a public key and lowers the man-in-the-middle attack chances.

As others have noted in detail, that is a disingenuous summary at best.

We want Wyze and other “cloud” providers to secure all our information and access (not merely authentication methods and credentials) to the best of their abilities. Making me carry a phone and type additional auth codes (or enroll and trust in a third or fourth party authenticator company) doesn’t affect how Wyze is securing my information! It only reduces MY risk, and I want to continue to be able to make that assessment and trade off. Asking users to do more for little or no gain is NEVER okay. Technology companies have, effectively, magic at their disposal to solve a myriad of potential issues without burdening their users and customers. Too few of them do this.

2 Likes

You may be correct. I was accessing TinyCam pro from various devices including Chromebooks and Chromeboxes. ChromeOS devices can no longer install the Wyze Android app (Wyze needs to fix this) so that could be the reason??? Since I’m not concerned with somebody viewing my camera feeds I’m comfortable leaving 2 factor off.

1 Like

Thanks for a detailed and well reasoned reply, @Rareapple3 – I’d say we agree with each other very nearly 100% - with the minor differences only being a matter of degree or of which specific circumstances we are considering.

When I spoke of individual accounts not being worth much effort securing, yes, I was talking specifically about our Wyze accounts and talking about customers who show at least as much good sense as a rock (e.g. not having cloud-based cameras in sensitive areas).

I absolutely agree that businesses need to have adequate security for sensitive data – both their working data and whatever private data they choose to keep about customers (many businesses increase their risk by keeping too much data on their customers).

My objection to “excessive” security measures is primarily about individual accounts in what are simply social settings with no financial or other material connections. Look at how many online forums are implementing so many of those so-called “Best Practices” – I can’t think of any that don’t require at least a so-called “strong” password - but why? And how much does such “security” actually gain when complex passwords simply encourage reuse by so many users who have no desire to memorize twenty or thirty different combinations of pseudo-random MiXeD cAsE a1phanum3r1c characters just to log in to different platforms to discuss their analysis of the lyrics of some hit song that no one will remember next week?

There is (or at least should be) a sharp line between the security needed for business data and the trivial level of security needed for most non-commercial systems like social forums and games.

And, yes, I realize that the line between those has started to become blurred as we have a generation who cannot comprehend either the distinctions or the reasons why those distinctions are important.

1 Like

This is like a bunch of middle-aged (pejorative)'s acting like they’re fresh (body part)-ed virgins.

Commercial backdoors. Govt backdoors. Alien backdoors.

We’ve had more traffic through our backdoors than… :astonished:

Aside from that, secure.

Webcams are easily hackable. Thus 2 Factor Authentication is a MUST. The same applies to your Home Internet Router which comes with a default user name and password. Many people do not know that they should change the access to the router itself.

A webcam can be hacked without hacking the actual user account. And I’m not sure that Wyze’s implementation of 2FA applies to the actual camera. If every time the camera got a firmware upgrade I also got an SMS text about 2FA for the camera, I would be putting the camera out of its misery by hitting it with a hammer.

2 Likes

Yeah that’s simply false. Newer “webcams” like Wyze’s don’t receive unsolicited traffic on open ports. Instead they sit behind consumer routers and make outbound connections ONLY. They essentially cannot be hacked without compromising the “actual user account”.

Obvious exception was the Wyze local network only vulnerability.

You mean hackers never use phishing attacks to compromise user devices connected to their local routers… Wyze 2FA only protects the app on the initial logon, and if the app is not logged off and is never re-authenticated when the Wyze app starts again, there will never be a problem.

In that case your account was not hacked; the customer just allowed the Wyze app to start and not re-authenticate.

Please elaborate on how cams are easily hackable.

The last few home routers I’ve seen don’t have a default uid/pwd and they all come with WAN access turned off, if it is even an option. Commercial routers often have default uid/pwd but they pretty much figure you should have a clue if you’re setting one up.

3 Likes

2FA doesn’t protect against phishing attacks that can take control of your device. The only thing that is 100% effective against those is an educated user.
Most breaches today are the result of phishing. Much easier to have someone give you access than it is to hack from the outside-in.

2 Likes

If you use a 2FA Yubico authenticator app rather than the Google, LastPass, Authy, etc. apps, even if you ‘lose’ your phone nobody can get / use / see the generated codes on the app, as it needs a USB / NFC key to activate it every time.

Ok, it takes a couple of seconds more, but so, so safe.

1 Like

Think Wyze should set up two cloud partitions, one secure and the other not so secure. Those who choose to not use 2FA will be put into the less secure partition. Then if they later opt for 2FA, be charged an upgrade fee. Wyze will not be held liable WHEN the less secure accounts get hacked and their video and sound streams end up on the internet.

I use 4 different brands of cameras. They all connect to a remote server. Some companies have a lot of security that prevents support people, both customer support and system support, from accessing users’ devices. Others not so much. And for a long time many brands located these servers and/or support staff offshore.

Or I could tell you about a very, very large consumer electronics company that had its new product registration servers hacked this July, and the customer data harvested for 5 weeks. But since it didn’t include any SS or credit card data, not so much of a problem.

Watch the Video in Article

Are you basing that on your comment of affecting other users? If so, then @t.currie’s response was exactly correct:

Actually, I’m not sure incompetent clowns even covers that, unless they maybe used running a POS system at Mickey D’s as a good qualification for a tech job.
The cases Wyze mentions aren’t “hacked”; they’ve been credential stuffed, which affects lazy users reusing passwords. I suppose you could call that hacked, but it’s their own fault. If anything, they should be charged for wasting support time.

1 Like
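The credential stuffing that the post above distinguishes from “hacking” has a recognisable shape in server-side auth logs, and spotting it is how a provider protects password-reusing users without forcing 2FA on everyone. The following Python is an added example, not code from any poster or from Wyze; the log line format, the sample lines and the thresholds are constructed assumptions.

```python
"""Flag the credential-stuffing pattern in authentication logs (added example).
The log format '<ts> <src_ip> <account> <result>' is a constructed assumption,
not Wyze's real logging. Stuffing differs from a brute force on one account:
one source tries many distinct accounts, each about once, and mostly fails."""
from collections import defaultdict

# Constructed sample lines (not real data): one stuffing source, one
# single-account brute force, one ordinary login, one malformed line.
SAMPLE_LOG = """\
2023-07-01T10:00:01 198.51.100.7 alice@example.com FAIL
2023-07-01T10:00:01 198.51.100.7 bob@example.com FAIL
2023-07-01T10:00:02 198.51.100.7 carol@example.com OK
2023-07-01T10:00:02 198.51.100.7 dave@example.com FAIL
2023-07-01T10:00:03 198.51.100.7 erin@example.com FAIL
2023-07-01T10:00:03 198.51.100.7 frank@example.com FAIL
2023-07-01T10:05:00 203.0.113.9 alice@example.com FAIL
2023-07-01T10:05:10 203.0.113.9 alice@example.com FAIL
2023-07-01T10:05:20 203.0.113.9 alice@example.com OK
2023-07-01T10:06:00 192.0.2.5 ivan@example.com OK
garbage line that should be skipped
"""

def parse(log_text):
    """Yield (src_ip, account, success) per well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        _ts, src_ip, account, result = parts
        yield src_ip, account, result == "OK"

def find_stuffing_sources(log_text, min_accounts=5, max_success_rate=0.5):
    """Return {src_ip: (distinct_accounts, successes)} for sources that tried at
    least min_accounts distinct accounts with success rate <= max_success_rate.
    A source hammering one account (brute force) is a different pattern, not flagged."""
    accounts, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for src_ip, account, ok in parse(log_text):
        accounts[src_ip].add(account)
        attempts[src_ip] += 1
        successes[src_ip] += ok
    return {ip: (len(accts), successes[ip]) for ip, accts in accounts.items()
            if len(accts) >= min_accounts
            and successes[ip] / attempts[ip] <= max_success_rate}

def accounts_to_reset(log_text):
    """Accounts that succeeded from a flagged source: the reused passwords the
    thread talks about, i.e. the users who need a forced password reset."""
    flagged = find_stuffing_sources(log_text)
    return sorted({acct for ip, acct, ok in parse(log_text) if ok and ip in flagged})
```

Only the successful logins from a flagged source need a reset; the failed attempts tell the provider which source to rate-limit or block, and the brute-forced single account is left to the usual lockout logic.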

The video lays out (in reverse) how to be safe:

  • Don’t use or allow any device to use port forwarding through your router unless you really know what you’re doing
  • Don’t reuse passwords, ever.
  • Secure your home router and don’t allow WAN side access to it. It doesn’t really serve any purpose for a home router and they typically don’t have the security a commercial one does
  • Don’t give out your WiFi password and have connection notification set if it is an option
  • Don’t let people with antennas and a computer hang outside of your house :slight_smile:
1 Like