[20:33] <hads> So someone sent me an email saying there is a security issue with my website which emails you a temporary password. "I keep my email account open 24/7 on my cellphone, so if someone had stolen my phone they would have access to the account."
[20:33] <hads> morning
[21:05] <thumper> morning
[21:27] <mwhudson> morning
[21:44] <G> hads: then I think that guy has bigger problems, like with just about every other website he uses :P
[21:44] <G> morning
[21:45] <hads> Indeed, I tried to be polite about it.
[21:56] <mwhudson> you should suggest he uses his phone as a 2fa device
[22:36] <ojwb> morning
[22:36] <ojwb> hads: boggle
[22:37] <ojwb> the assumption that email is a secure way to reset a website password is problematic, but it's pretty much ubiquitous
[22:39] <ojwb> the sites I really have a problem with are those which send you back your password itself
[22:39] <ojwb> like mailman, which insists on doing that monthly
[22:40] <hads> Yeah, these are all salted hashed so a temporary short lived plain text one is generated.
[22:40] <ojwb> yeah, that's arguably current best practice
[22:41] <ojwb> is this for nicegear?  presumably that would allow them to see things like his previous orders, which you presumably also emailed to him...
[22:42] <hads> Yeah
[22:42] <hads> Never mind the rest of the things on the phone.
[22:42] <ajmitch> or being able to reset any other account out there that doesn't use 2fa (though the 2nd factor is probably on the phone)
[22:44] <ojwb> there's a bank ad currently which touts being able to send payments to your facebook friends
[22:45] <ojwb> so there's now a clear monetary incentive for scammers to get you to friend them on facebook
[22:46] <ojwb> some days I think I'm just getting old and cranky, other days the world seems to have lost the plot
[22:47] <ojwb> like credit cards you just need to wave at the till to pay with...
[22:52] <G> ojwb: the ASB one?
[22:52] <chilts> morning
[22:52] <ojwb> G: maybe - it has Brian Blessed in
[22:53] <G> that is actually what I like about Westpac's mobile platform, they have a 'Cashtank' app, it does one thing, and one thing only, and that is show me how much money is in my main account, it can't do anything else - lose my phone no biggy on that department, my money is safe
[22:53]  * ajmitch feels like such a luddite without a modern phone
[22:53] <chilts> G: "NO BIGGY!    YEEE BIGGIE!!!!"
[22:54] <chilts> +S
[22:54] <chilts> damn
[22:54]  * chilts likes Brian Blessed
[22:55] <G> chilts: well they'd still be able to read my e-mail, but the main thing is that my savings are safe because there is no way to get from the cashtank app to any other banking function (unless Westpac has a pretty big hole in their API)
[22:55] <chilts> yeah, sounds like a good app that Cashtank one
[22:55] <chilts> I was merely commenting on the ASB adverts :)
[22:56] <chilts> (the one where the farmer saves the sheep and says "no biggie")
[22:56] <chilts> I'd prolly install something like that, ie. a read-only interface to my accounts
[22:56] <G> oh right, I skip the ASB ads, they bug me
[22:56] <chilts> heh
[22:57] <chilts> they used to for me, but this series is ok
[22:57] <chilts> on the other hand, I moved away from ASB 'coz they were crap
[22:57] <chilts> for not as bad as ANZ
[22:57] <chilts> s/for/but/
[22:57] <chilts> interesting typo
[22:58] <G> Westpac does some pretty silly things, they appear to be more spammy than any other bank (in terms of marketing/offers with statements/credit card bills etc)
[22:59] <G> my favourite is I get e-mails from a Branch Manager, I've only ever visited his branch once
[23:02] <ojwb> probably lonely
[23:04] <G> yeah, I kinda wish there was a mainstream bank that just didn't suck (they are all sell-outs)