Hacker News

That's a crazy level of risk assessment for an average user.

> how does your password manager help you if your email password gets leaked?

You still need my TOTP codes in my case at least, which conveniently are stored in my password manager. Is it perfectly secure? No, of course it's not, but frankly my risk profile isn't worrying about a targeted attack on me and my password manager, it's worrying about leaked shared credentials.

Side note: I also get a push notification on my phone whenever a new device logs on, so unless the attack is _extremely_ targeted, well timed, and they know what they want, it's not a risk for me.




> That's a crazy level of risk assessment for an average user.

It really isn't. Think about it for a second: how hard is it to spot phishing attempts when they are sent to an email address you know for a fact you're not using with a service?

And how vulnerable are you to phishing if your special-purpose email address that you only use for one specific purpose receives zero spam?

To claim that the most basic and easy internet security precautions are at a "crazy level", first you need to somehow believe that no one is targeted by these schemes. But somehow there's a whole international industry that thrives on stuff like Western Union transfers. Why is that?


> Think about it for a second

Perhaps instead of telling everyone to think on things for a second, you should think on things for longer than a second?

> And how vulnerable are you to phishing if your special-purpose email address that you only use for one specific purpose receives zero spam?

This would depend on how you set up the email address. If it is truly a separate email address, i.e. a separate account and not just an alias, then phishing is not the concern, but management of the accounts becomes a huge problem.

I use separate aliases for every service against my own custom domain that has a single email account. This is not to prevent phishing but to detect when a breach occurred or when my info is sold. You assume that when you sign up for a service only that service will ever have access to your info, but many, many, many companies and services sell your email address to marketers.


Do you think you're going to get scammed and send a fraudulent Western Union transfer? What do you think the Venn diagram overlap between "uses a specific email for each service" and "gets phished" is? The people that even have the capacity to do the first aren't going to fall into the second. If someone is sending fraudulent transfers to scammers, they're not going to be smart enough to create multiple emails.


> Do you think you're going to get scammed and send a fraudulent Western Union transfer?

I know for a fact that there are targeted phishing campaigns aimed at users of specific services such as LinkedIn, GitHub, Twitter, etc., primarily because I've been targeted by them.

> What do you think the Venn diagram overlap between "uses a specific email for each service" and "gets phished" is?

I know for a fact that the Venn diagram of phishing attempts sent to email accounts that are not used by those services is practically zero.

Do you understand how trivial it is to identify and filter out these attacks when they are sent to addresses that are already known beforehand that are not used for that purpose?
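The per-service alias scheme described in the two comments above (aliases as a breach/resale tripwire, and phishing that arrives at an alias the impersonated service was never given) boils down to one check: does the sender's domain match the service that alias was registered for? The following is an added illustration, not code from any commenter; the alias registry, domains, and sample messages are all constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed alias registry (hypothetical values): which service each alias was
# handed to, and the domain(s) that service legitimately sends mail from.
ALIAS_REGISTRY = {
    "shop-alpha@example.org": {"service": "Shop Alpha", "domains": {"shopalpha.example"}},
    "bank-beta@example.org":  {"service": "Bank Beta",  "domains": {"bankbeta.example"}},
}

# Constructed sample messages: one legitimate, one phish aimed at the wrong alias,
# one marketing mail showing the alias was shared or sold.
SAMPLE_MESSAGES = [
    "From: Shop Alpha <orders@shopalpha.example>\nTo: shop-alpha@example.org\n"
    "Subject: Your order shipped\n\nThanks for your order.\n",
    "From: Security <alerts@bankbeta-login.example>\nTo: shop-alpha@example.org\n"
    "Subject: Verify your Bank Beta account\n\nPlease confirm your details.\n",
    "From: Deals <promo@marketer.example>\nTo: bank-beta@example.org\n"
    "Subject: Special offer\n\nLimited time only.\n",
]

def classify(raw_message: str) -> dict:
    """Classify one inbound message by comparing recipient alias with sender domain.

    verdict is 'expected' (sender domain belongs to the alias's service),
    'leaked' (known alias, unrelated sender: address was shared/sold, or it is a
    phish sent to an alias the impersonated service never had), or
    'unknown' (recipient is not a registered alias).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, recipient = parseaddr(str(msg.get("To", "")))
    _, sender = parseaddr(str(msg.get("From", "")))
    recipient = recipient.lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    entry = ALIAS_REGISTRY.get(recipient)
    if entry is None:
        verdict = "unknown"
    elif any(sender_domain == d or sender_domain.endswith("." + d) for d in entry["domains"]):
        verdict = "expected"  # exact domain or a subdomain of the expected one
    else:
        verdict = "leaked"
    return {"alias": recipient, "service": entry["service"] if entry else None,
            "sender_domain": sender_domain, "verdict": verdict}

def triage(messages) -> list:
    """Classify a batch of raw messages; 'leaked' verdicts are the ones worth alerting on."""
    return [classify(m) for m in messages]
```

Only the From header is inspected here; in practice the same logic is applied on the mail server, where the authenticated envelope sender (after SPF/DKIM checks) is a more reliable input than a display-name spoofable From.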


> To claim that the most basic and easy internet security precautions are at a "crazy level",

Basic and easy internet precautions are not "register and run a domain and host your mail yourself". Basic and easy precautions are: don't reuse passwords/use a password manager, use a reputable email provider, enable 2FA with TOTP, and don't click links from your emails.

> first you need to somehow believe that no one is targeted by these schemes.

I don't see how you come to that conclusion at all. The assumption is that _everyone_ is targeted by those schemes.

> But somehow there's a whole international industry that thrives on stuff like Western Union transfers. Why is that?

Because they're low risk high reward, easy to set up, and you only need to make one mistake.


In 2022 nobody actually clicks links in emails, right?


You are right of course in one sense, but look at the comments here! If the HN crowd is still sending verification links rather than codes to be copied and pasted, that implies regular folks are still clicking the links.



