firefox heads up

I run with the latest release of firefox from
https://www.mozilla.org/en-US/firefox/new/?scene=2#download-fx

Every time I install a new release my bank indicates it does not
recognize my device and requires a one time code and my password to
log into my account. Thereafter I only have to use my id/pw.

Since it seemed to only happen on major releases, I created a user.ps with

user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:200.0) Gecko/20100101 Firefox/200.0");

to set version at 200.0; after doing that bank did not send me through the
one time code screens. Lo and behold after firefox-98.0.2.tar.bz2
install I had to go through the one time code logic on all logins.

Helpless Desk droid indicated fix was to clear/delete cookies or use a
different browser. It did not phase the droid that I had cookies deleted
upon log out.

Installed chromium-browser, bank sent me through one time code and all
logins thereafter without going through one time code logic.

I went back to firefox and still had to go through the one time logic on
every login.

Just for fun and 30+ logins later screwing with using user.ps I decided
to delete the ~mozilla/firefox directory and Wa La the bank site no longer
required the one time code after the first firefox login.

Moral of this story is using one default profile directory can lead to
odd problems with some sites.

On 4/1/22 17:15, Bit Twister wrote:
> firefox heads up
>
> I run with the latest release of firefox from
> https://www.mozilla.org/en-US/firefox/new/?scene=2#download-fx
>
>
> Every time I install a new release my bank indicates it does not
> recognize my device and requires a one time code and my password to
> log into my account. Thereafter I only have to use my id/pw.
>
> Since it seemed to only happen on major releases, I created a user.ps with
>
> user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:200.0) Gecko/20100101 Firefox/200.0");
>
> to set version at 200.0; after doing that bank did not send me through the
> one time code screens. Lo and behold after firefox-98.0.2.tar.bz2
> install I had to go through the one time code logic on all logins.
>
> Helpless Desk droid indicated fix was to clear/delete cookies or use a
> different browser. It did not phase the droid that I had cookies deleted
> upon log out.
>
> Installed chromium-browser, bank sent me through one time code and all
> logins thereafter without going through one time code logic.
>
> I went back to firefox and still had to go through the one time logic on
> every login.
>
> Just for fun and 30+ logins later screwing with using user.ps I decided
> to delete the ~mozilla/firefox directory and Wa La the bank site no longer
> required the one time code after the first firefox login.
>
> Moral of this story is using one default profile directory can lead to
> odd problems with some sites.
>
Interesting. In general, I use the ESR version of Firefox from Mageia,
but have also used the latest release when sites don't recognize the ESR
as up-to-date, even when it is. Firefox requires different profiles for
each.

For some time, I'd say the last two years or so, my bank has required
password and one-time passcode(or security question) before it will log
me in - every single time.

When I asked people who know more about this sort of thing than I do, I
was told that I should be happy that the bank was requiring that extra
level of identity security before allowing access to my accounts. At
least one person indicated he wouldn't stay with a bank that allowed
just password-based authentication.

So, I just get along with it.

Knowing your published feelings about security, I'm surprised you don't
welcome that extra layer of protection, as well. Even though it's really
annoying.

TJ

On Sat, 2 Apr 2022 08:28:06 -0400, TJ wrote:
> On 4/1/22 17:15, Bit Twister wrote:
>> firefox heads up
>>
>> I run with the latest release of firefox from
>> https://www.mozilla.org/en-US/firefox/new/?scene=2#download-fx
>>
>>
>> Every time I install a new release my bank indicates it does not
>> recognize my device and requires a one time code and my password to
>> log into my account. Thereafter I only have to use my id/pw.
>>
>> Since it seemed to only happen on major releases, I created a user.ps with
>>
>> user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:200.0) Gecko/20100101 Firefox/200.0");
>>
>> to set version at 200.0; after doing that bank did not send me through the
>> one time code screens. Lo and behold after firefox-98.0.2.tar.bz2
>> install I had to go through the one time code logic on all logins.
>>
>> Helpless Desk droid indicated fix was to clear/delete cookies or use a
>> different browser. It did not phase the droid that I had cookies deleted
>> upon log out.
>>
>> Installed chromium-browser, bank sent me through one time code and all
>> logins thereafter without going through one time code logic.
>>
>> I went back to firefox and still had to go through the one time logic on
>> every login.
>>
>> Just for fun and 30+ logins later screwing with using user.ps I decided
>> to delete the ~mozilla/firefox directory and Wa La the bank site no longer
>> required the one time code after the first firefox login.
>>
>> Moral of this story is using one default profile directory can lead to
>> odd problems with some sites.
>>
> Interesting. In general, I use the ESR version of Firefox from Mageia,
> but have also used the latest release when sites don't recognize the ESR
> as up-to-date, even when it is. Firefox requires different profiles for
> each.

Sounds like you might want to try the user.ps trick/kludge :)

> For some time, I'd say the last two years or so, my bank has required
> password and one-time passcode(or security question) before it will log
> me in - every single time.
>
> When I asked people who know more about this sort of thing than I do, I
> was told that I should be happy that the bank was requiring that extra
> level of identity security before allowing access to my accounts. At
> least one person indicated he wouldn't stay with a bank that allowed
> just password-based authentication.
>
> So, I just get along with it.
>
> Knowing your published feelings about security, I'm surprised you don't
> welcome that extra layer of protection, as well.

I am not that sure it is that more secure. Current setup is a separate Linux
account, that aborts if browser is running on my system telling me to
close them. Then launch browser with my index.html with the https link to
bank. I am running my own DNS server instead of using router/isp DNS server.
With this setup I would assume only way to catch id/pw would be on bank
web site or malware in router. Upon logout I tar in a pristine browser
setup and check for new directories/files.

I have set "above 10 cent" change alarms on my accounts to email me any
change so I have a chance to stop any bogus charges. I also get an email
about the success code authorization. Bank id is not my name and pw
is random Alpha numeric and special chars over 10 characters long.

I have hourly cron job checking for new logins.

I have the Advanced Intrusion Detection Environment​ (aide rpm)
installed to warn of any file changes.

> Even though it's really annoying.

Really Annoying is very true. Recent change on bank site no longer provides
email code delivery, just phone. Covid has caused organ and very mild brain damage.
Mild stroke earlier this year has affected my coordination.

Had to practice writing my name just to get a semblance of my previous
signature let alone numbers. The computer voice giving me the
code spits out the numbers, two at a time, faster than I can write them down.
Two at a time means _very_ slight pause between every two digits.

I have to remember the last four of eight to complete writing down code number.
I never had a good, short time memory to start with.

On 3/4/22 06:34, Bit Twister wrote:

> I have to remember the last four of eight to complete writing down code number.
> I never had a good, short time memory to start with.

I was always very impressed by US movies whereby some one in a payphone
booth (remember them) would ask the operator for a phone number -
usually about 10 digits in length.
Then ring off and dial the number from memory.
Totally unbelievable, but it looked good

Sorry to hear you've been ill, especially the covid
It clearly left its mark.

regards
--
faeychild
Running plasmashell 5.20.4 on 5.15.32-desktop-1.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso

On 4/2/22 16:34, Bit Twister wrote:
> On Sat, 2 Apr 2022 08:28:06 -0400, TJ wrote:
>> On 4/1/22 17:15, Bit Twister wrote:
>>> firefox heads up
>>>
>>> I run with the latest release of firefox from
>>> https://www.mozilla.org/en-US/firefox/new/?scene=2#download-fx
>>>
>>>
>>> Every time I install a new release my bank indicates it does not
>>> recognize my device and requires a one time code and my password to
>>> log into my account. Thereafter I only have to use my id/pw.
>>>
>>> Since it seemed to only happen on major releases, I created a user.ps with
>>>
>>> user_pref("general.useragent.override", "Mozilla/5.0 (X11; Linux x86_64; rv:200.0) Gecko/20100101 Firefox/200.0");
>>>
>>> to set version at 200.0; after doing that bank did not send me through the
>>> one time code screens. Lo and behold after firefox-98.0.2.tar.bz2
>>> install I had to go through the one time code logic on all logins.
>>>
>>> Helpless Desk droid indicated fix was to clear/delete cookies or use a
>>> different browser. It did not phase the droid that I had cookies deleted
>>> upon log out.
>>>
>>> Installed chromium-browser, bank sent me through one time code and all
>>> logins thereafter without going through one time code logic.
>>>
>>> I went back to firefox and still had to go through the one time logic on
>>> every login.
>>>
>>> Just for fun and 30+ logins later screwing with using user.ps I decided
>>> to delete the ~mozilla/firefox directory and Wa La the bank site no longer
>>> required the one time code after the first firefox login.
>>>
>>> Moral of this story is using one default profile directory can lead to
>>> odd problems with some sites.
>>>
>> Interesting. In general, I use the ESR version of Firefox from Mageia,
>> but have also used the latest release when sites don't recognize the ESR
>> as up-to-date, even when it is. Firefox requires different profiles for
>> each.
>
> Sounds like you might want to try the user.ps trick/kludge :)
>
No, I'm perfectly OK with the separate profiles. I have my reasons. One
of them, though not the only one, is that as part of QA I've always
considered it valuable to use Mageia in a way I believe most of our less
experienced users would be using it, with minimal customization. That
way, perhaps I can see if Mageia starts slipping away from being
relatively easy for newbies before it becomes something too difficult to
fix.

>> For some time, I'd say the last two years or so, my bank has required
>> password and one-time passcode(or security question) before it will log
>> me in - every single time.
>>
>> When I asked people who know more about this sort of thing than I do, I
>> was told that I should be happy that the bank was requiring that extra
>> level of identity security before allowing access to my accounts. At
>> least one person indicated he wouldn't stay with a bank that allowed
>> just password-based authentication.
>>
>> So, I just get along with it.
>>
>> Knowing your published feelings about security, I'm surprised you don't
>> welcome that extra layer of protection, as well.
>
> I am not that sure it is that more secure. Current setup is a separate Linux
> account, that aborts if browser is running on my system telling me to
> close them. Then launch browser with my index.html with the https link to
> bank. I am running my own DNS server instead of using router/isp DNS server.
> With this setup I would assume only way to catch id/pw would be on bank
> web site or malware in router. Upon logout I tar in a pristine browser
> setup and check for new directories/files.
>
> I have set "above 10 cent" change alarms on my accounts to email me any
> change so I have a chance to stop any bogus charges. I also get an email
> about the success code authorization. Bank id is not my name and pw
> is random Alpha numeric and special chars over 10 characters long.
>
> I have hourly cron job checking for new logins.
>
> I have the Advanced Intrusion Detection Environment​ (aide rpm)
> installed to warn of any file changes.
>
But the bank probably doesn't know about your personal setup. For all
they know, you're like 95+% of their users, who use insecure passwords
that are easily hacked by someone with skills that rival your own. So,
they apply the same protocols to everyone. As, IMO, they should - for
their own protection if nothing else.

Personally, I would hate to see news headlines that my bank had been
compromised because they gave special logon treatment to someone that
later came back to bite them in the a$$.

>> Even though it's really annoying.
>
> Really Annoying is very true. Recent change on bank site no longer provides
> email code delivery, just phone. Covid has caused organ and very mild brain damage.
> Mild stroke earlier this year has affected my coordination.
>
> Had to practice writing my name just to get a semblance of my previous
> signature let alone numbers. The computer voice giving me the
> code spits out the numbers, two at a time, faster than I can write them down.
> Two at a time means _very_ slight pause between every two digits.
>
> I have to remember the last four of eight to complete writing down code number.
> I never had a good, short time memory to start with.

I get it, I really do. My bank offers the choice of me answering a
"security question" or getting a phone call or text with the multi-digit
passcode. I remember lying on most of the security questions to make it
harder for others to answer them, but I never wrote the lies down and
have since forgotten them.

For a while, I had them call on my landline with the code. I'd type it
in on my keypad as the disembodied female voice recited the digits. That
worked, much of the time, but being a farmer and over 70, my hearing
isn't quite what it once was, and sometimes I'd mistake one digit for
another. When that happened I'd have to request a new code, and another
phone call. Messy.

So, I started having them text my cell phone with it. That works much
better, because I can take my time and read the digits. Not as secure as
the landline, but not as bad as it could be. The one-time passcode
doesn't last beyond that login, of course. And I don't use my cell phone
much, so it spends about 90% of its time powered down. That should make
it less likely to be hacked than most.

TJ

On 4/4/22 00:49, TJ wrote:

> I get it, I really do. My bank offers the choice of me answering a
> "security question" or getting a phone call or text with the multi-digit
> passcode. I remember lying on most of the security questions to make it
> harder for others to answer them, but I never wrote the lies down and
> have since forgotten them.

The ultimate security :-)

--
faeychild
Running plasmashell 5.20.4 on 5.15.32-desktop-1.mga8 kernel.
Mageia release 8 (Official) for x86_64 installed via Mageia-8-x86_64-DVD.iso