I’m just scared that they’re saved with reversible encryption on the disk, then malware could steal them

  • Dehydrated@lemmy.world
    link
    fedilink
    arrow-up
    34
    ·
    9 months ago

    I recommend a password manager like Bitwarden, it has a great Firefox extension and it’s very secure.

    • lemming741@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      9 months ago

      I self host vault warden, and the card auto-fill works ~70% of the time, and about half of those, the security code or the expiration doesn’t work. EBay is the first one that comes to mind. I know it’s the websites not following standards or conventions. It happens often enough that I remember the dates and codes now because I end up having to fill them in so often.

      • Moonrise2473@feddit.itOP
        link
        fedilink
        arrow-up
        26
        arrow-down
        1
        ·
        9 months ago

        Protip: if a field doesn’t populate, right click on it, then choose “copy name for bitwarden” (or something like that, not using FF in English), then add a custom field in the CC entry in bitwarden using that name in the clipboard. From now on on that specific page it will work

    • AnonStoleMyPants@sopuli.xyz
      link
      fedilink
      arrow-up
      4
      arrow-down
      2
      ·
      9 months ago

      It seems really bad at filling CC info though. Like, I don’t think it works at all. I always need to copy the number separately.

      I still use it but it is annoying.

  • viking@infosec.pub
    link
    fedilink
    arrow-up
    33
    arrow-down
    1
    ·
    9 months ago

    I trust it enough to use the feature, but I’ve got separate cards for online and in-person purchases. The online card is temporarily disabled in my bank app, and I only unblock it when I intend to use it. Takes like 30 seconds extra.

    The in-person card is permanently unlocked for NFC and regular store transactions, but region locked to the country where I’m currently at, and transactions over $30 require the PIN.

    • Suspiciousbrowsing@kbin.social
      link
      fedilink
      arrow-up
      3
      ·
      9 months ago

      Out of curiosity, would it not take less than 30 seconds to type your CC numbers in online each time? I mean the month and ?ccv are easily memorable

      • FireRetardant@lemmy.world
        link
        fedilink
        arrow-up
        9
        ·
        9 months ago

        It being blocked still helps protect them if the card number gets snatched during a transaction. By the time the scammers are ready to use the card numbers, the card would be locked.

      • viking@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        Yeah sure, but a keylogger could read it at any time then, while cracking the locally saved card is more complex. And locking the card down unless explicitly needed also means that even if my card card does get compromised, it can’t be used of very narrow and random windows, adding a nice layer of security.

          • viking@infosec.pub
            link
            fedilink
            arrow-up
            2
            ·
            9 months ago

            DKB, the credit card for online purchases and the debit card for in person stuff. The app allows quite some micromanagement for card permissions.

            On top of it I’ve got an account with wise.com where I can generate virtual cards, I do that frequently when traveling abroad to sign up for local taxi apps and other services I’ll never use again, then delete the card once I’m done.

            And as an ultimate backup I’ve got an N26 account, just in case someone only accepts MasterCard. I don’t trust them one bit though and only carry a balance of 150 EUR or so on the card and top it up only when it’s exhausted.

              • viking@infosec.pub
                link
                fedilink
                arrow-up
                2
                ·
                9 months ago

                Yep, been using both of them for ages. DKB for 20 years now, wise for almost 10. Never had a reason to complain, except for DKB as a broker, they are just way too expensive.

  • /home/pineapplelover@lemm.ee
    link
    fedilink
    arrow-up
    29
    arrow-down
    1
    ·
    9 months ago

    Please don’t save stuff in your browser. It’s very easy to rip those passwords and logins. If you must, keep it in a proper password manager like bitwarden or keepass.

        • sugar_in_your_tea@sh.itjust.works
          link
          fedilink
          arrow-up
          6
          arrow-down
          1
          ·
          9 months ago

          Well yeah, if you breach a password manager, you get tons of credentials. If you breach a person’s computer, you get one set of credentials. And most of those breaches are low impact, such as Okta:

          For 99.6% of customers, hackers accessed only full names and email addresses, according to Okta, though in some cases they may also have accessed phone numbers, usernames and details of some employee roles.

          Here’s an example of a browser attack (not necessarily password management, but related):

          These scams have been going on for months, and one YouTuber claims they work through fake sponsors reaching out to creators. The YouTubers are then convinced to download a file related to the sponsorship, which is just malware designed to steal cookies, remotely control PCs, and ultimately hijack YouTube accounts.

          Basically, any script that can run on your machine can compromise stored passwords and credit cards if there’s no master password set (typically the default behavior). If there is a master password, it could be brute forced (I’m guessing most attackers don’t bother). It’s just a lot harder to detect this kind of breach since it happens on end-user machines instead of an audited web service. I’m guessing a lot of people get hacked this way, but it doesn’t make the news because individuals don’t dig into the breach to find the cause.

          My understanding is that password managers are still way more secure than using your browser’s built-in PW management, and you can take it a step further and self-host (e.g. Bitwarden offers this) to require attackers to actually target you.

          • /home/pineapplelover@lemm.ee
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            9 months ago

            The thing with built in browser password manager like in chrome or firefox is even if it’s password peotected, you can still get those very easily.

            • sugar_in_your_tea@sh.itjust.works
              link
              fedilink
              arrow-up
              1
              ·
              9 months ago

              Sure, but it requires a more sophisticated attack, so risks are a bit lower. There are tons of easier targets, so an attacker will probably just go after them instead.

              But when it comes to a proper password manager, there are a ton of similarly protected accounts, so an attacker will either go for all the data or not bother. You’re more likely to get corporate accounts and whatnot than by hacking a built-in browser PW manager, which is a lot more lucrative than someone’s credit card info.

              But the core point I’m trying to make is that we won’t know how many people get hacked with built-in browser password managers because nobody is monitoring them. We do know about proper password manager breaches because someone is watching for them. In other words, absence of evidence is not evidence of absence, so the number of publicly reported breaches won’t tell you which is safer, it just tells you which are high profile.

              • brianary@startrek.website
                link
                fedilink
                arrow-up
                1
                ·
                9 months ago

                I guess I feel somewhat safer as relatively anonymous target of spearphishing as I have been for 20 years without incident, instead of as part of a much more valuable collective target, even though that data is probably better protected.

                • sugar_in_your_tea@sh.itjust.works
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  9 months ago

                  I’m guessing you practice relatively secure computing, meaning you don’t download suspicious stuff, keep your system updated, etc. But that’s not true security, you could always run into a browser vulnerability on a random website.

                  Also, there’s no guarantee that you haven’t been hacked, all we know is that you haven’t noticed your private information being used. Usually what happens is attackers get a bunch of data then sell it on the black market. Buyers of that data will probably only use a subset of that data, so your data could be sold, just not used. You can check if your passwords have been leaked by examining data sets of leaked latest ([e.g. Have I Been Owned; I recommend not actually sending important info here).

                  There are two routes to go here:

                  1. Use proper security - high quality password manager, self-host your data (Bitwarden allows this)
                  2. Reduce the impact of a breach (don’t use debit cards online, monitor credit card statements, etc)

                  The second is probably sufficient for most people though.

                  One important thing to note is that the main reason to go with a password manager is to have really secure passwords that are unique for each site. That way if one service gets breached, attackers can’t just use the same credentials on other sites. Browser password managers don’t do that, so you’re opening yourself up to that if you’re not careful in constructing good, unique passwords. I have >100 accounts, each with their own password, and that just wouldn’t be feasible without a password manager.

  • sugar_in_your_tea@sh.itjust.works
    link
    fedilink
    arrow-up
    25
    ·
    9 months ago

    reversible encryption

    All encryption is reversible, otherwise it wouldn’t be encryption, it would be a hash. If you don’t use a password, it’s easy to reverse the encryption. If you do use a password, the maximum security with a brute force attack is 112 bits, which is pretty weak.

    I recommend using a different password management service (which also handles credit card info), any password manager will be fine. I personally use Bitwarden, which uses 256 bits of encryption. That’s pretty standard across password managers, so you’re better of focusing on making a secure password.

    That said, if you’re only worried about credit card info and not storing passwords in Firefox, you’re probably fine. Credit cards have a ton of protection, so if someone steals your card info, call your bank to dispute the fraudulent transactions and get a new card, it doesn’t cost anything and has little hassle. Debit cards are another story, so I recommend just not using debit cards at all online.

    • WIZARD POPE💫@lemmy.world
      link
      fedilink
      arrow-up
      4
      arrow-down
      1
      ·
      9 months ago

      Prepaid debit cards for the win. You need to buy something online? Open your banking app, transfer the amount to the card, pay. After that the card is empty and cannot be used to pay flr anything until you need it again.

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        arrow-up
        5
        ·
        edit-2
        9 months ago

        That sounds like way more effort than a credit card, especially here in the US where transfers between banks take 2-3 days.

        If you really want to avoid credit, you can lock your debit card and unlock it when you make a purchase. That’s still annoying, but effective. But if you’re responsible, there’s really no reason to avoid credit, and you get rewards on top.

        • SirQuackTheDuck@lemmy.world
          link
          fedilink
          arrow-up
          5
          arrow-down
          1
          ·
          9 months ago

          especially here in the US where transfers between banks take 2-3 days.

          *Laughs in SEPA Instant Transfer*

          Anyhow, locking and unlocking is an option. Using “3D Secure” systems - which require a secondary approval via an app or website - works significantly better, and chargebacks are one tap in a banking app (modern apps, so US might again be fucked here).

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            Chargebacks here are a little more complex, and usually not what you want to do since it costs vendors money (read: they may refuse to serve you in the future). Instead, you want to report the transaction as fraud (which is different from a chargeback), and the bank will investigate and work with vendors.

            So usually a quick call (mine took 5 min) and the transactions are put on hold pending the investigation (mine resolved in 2-3 days). A new card is sent immediately, and if you go to a branch, it can be printed immediately.

            Maybe not as smooth as the EU, but still decent. I’ve only had to do that once, each other time the fraud was caught by automated systems before I noticed.

          • setVeryLoud(true);@lemmy.ca
            link
            fedilink
            arrow-up
            2
            ·
            9 months ago

            If it gets stolen (i.e. scam, or breached website), you can’t charge back like with a credit card. That money is still gone, but you do limit your losses compared to using your main debit card.

            • WIZARD POPE💫@lemmy.world
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              edit-2
              9 months ago

              Oh yeah that is true. But at least if just your card details are stolen the card is unusable when empty. As I said it’s best to just keep it empty until you actually buy something and you just put on the exact amount you need.

              • setVeryLoud(true);@lemmy.ca
                link
                fedilink
                arrow-up
                2
                ·
                edit-2
                9 months ago

                Unrelated, I actually don’t know if prepaid Visa cards have the same protections as real credit cards. Something to look into, perhaps.

                • WIZARD POPE💫@lemmy.world
                  link
                  fedilink
                  arrow-up
                  2
                  arrow-down
                  1
                  ·
                  9 months ago

                  What would those be? I don’t have a xredit card so I have no idea what kind of protections they have? I know the prepaid does not work if the amount on the card is lower than the transaction you are trying to do.

  • Bob Robertson IX@lemmy.world
    link
    fedilink
    arrow-up
    20
    ·
    9 months ago

    If it’s a credit card then you should have pretty decent protection against fraud from the credit card company. I’ve had my card details stolen a few times (though never directly from my browser) and each time the credit card company has identified the fraud and reached out to me within minutes.

    Now if it’s a debit card, you should NEVER put those numbers into a computer. I only ever use my debit card to access the ATM, and even that is rare.

    • akaltar@programming.dev
      link
      fedilink
      arrow-up
      15
      arrow-down
      1
      ·
      9 months ago

      Sounds like a very US specific answer. In EU I only have a debit card and sometimes I have a hard time using it even myself because I need to pass 2fa and sometimes even that isn’t enough if I’m on a new browser

      • 2xsaiko@discuss.tchncs.de
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        9 months ago

        Credit cards work the same everywhere*, it’s not US-specific. My debit card actually only has my bank account number on it (but I think that actually is a Germany-only thing with our Girocards), so paying for stuff online is just a normal bank transfer, where yeah you do have to pass the bank’s 2FA (unless it’s via SEPA direct debit).

        * mostly, my card requires me to confirm some charges in a special phone app, I don’t think that’s a thing everywhere since it’s also fairly recent

      • GissaMittJobb@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        This is on account of the concept of SCA (Strong Customer Authentication) from PSD2 (Payment Services Directive), an EU-regulation.

    • pearsaltchocolatebar@discuss.online
      link
      fedilink
      arrow-up
      7
      ·
      9 months ago

      That’s only true for debit cards that aren’t backed by master card or visa. When you use your debit card that is online, it’s run as a credit card and has the same fraud protections.

    • makeasnek@lemmy.ml
      link
      fedilink
      English
      arrow-up
      4
      ·
      edit-2
      9 months ago

      I don’t use debit cards anywhere for this exact reason. Don’t even have one. When I have in the past, I’ve had the card linked to a seperate bank account with a small balance and no overdraft protection to limit damage. What I’d found though is that even when you tell the bank not to enable overdraft protection, they conveniently forget that and it stays possible to overdraft your account and get hit with fees,

      I do the same strategy for crypto wallets, there’s only a small amount in my browser wallet so that if somebody gets it, they can’t steal much. From there you can have varying degrees of storage security for larger amounts: multi-sig so you have to sign transactions using multiple devices, hardware wallets, and cold storage.

      I see all these articles about people getting thousands of dollars stolen from their crypto wallet and I’m like, you put $3,000 on the same computer you play Zombie Run 4 on? Knowing there was no fraud protection? And that a hardware wallet costs $100? Or that multi-sig is free? If you are storing that much in crypto, you need to either educate yourself on safe storage or use a custodian you can trust (exchange, multi-sig with family member, etc) who can.

  • BiggestBulb@kbin.run
    link
    fedilink
    arrow-up
    16
    arrow-down
    1
    ·
    9 months ago

    I don’t even trust Steam, let alone Mozilla. I don’t think I’ve ever had any credit card auto-fill on any browser I’ve ever had

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    11
    ·
    9 months ago

    With credit cards any fraud is the responsibility of the credit card processor not the individual. So the risk isn’t on your side.

  • lattrommi@lemmy.ml
    link
    fedilink
    中文
    arrow-up
    10
    ·
    9 months ago

    I simply use my credit card number for my password on every site. it makes it so much easier to remember both. back in the day i would use my social security number. thanks to that simple trick, i never get robocalls or spam and i’ve been removed from most mailing lists because no one will ever issue credit or do business of any kind with me. a hacker stole my identity once and my credit score quadrupled. he even gave my identity back a week later!

    • Moonrise2473@feddit.itOP
      link
      fedilink
      arrow-up
      2
      ·
      9 months ago

      You joke but back in the 90s when I first used the internet in the library I had to choose a password for the email. And the requirements were weird. Needs to be an exact length, letters, numbers, and so on. Then I realized my country SSN was a perfect match with the requirements! “Wow that’s perfect, so I gonna use that as a password, nobody gonna guess that” - the naïve boy thought. Of course it was hacked by some other classmate that got the same conclusion and I realized that it wasn’t that perfect and that almost everyone had the same idea due to the strict exact length requirements. (SSN in my country can be easily found again if you know name and DOB)

  • Maoo [none/use name]@hexbear.net
    link
    fedilink
    English
    arrow-up
    9
    ·
    9 months ago

    The number being somewhere on your computer isn’t something I’d worry about. The real risk is from a liberal autocomplete that might throw it into website forms where you don’t want it to be, including hidden ones. Maybe there are protections in place since I last let Firefox save anything like this, but it used to try pasting address and CC info whenever it could.

  • AntiOutsideAktion [he/him]@hexbear.net
    link
    fedilink
    English
    arrow-up
    8
    ·
    9 months ago

    I don’t trust saving my CC numbers anywhere. And considering how many times retailers have been hacked and had that kind of information stolen I wish it were law that no one could save them.

  • NotNotMike@programming.dev
    link
    fedilink
    arrow-up
    8
    ·
    9 months ago

    I do trust it well enough, but I don’t use it.

    For starters, I don’t want it to be too easy to spend money. If I want something, I should want it enough to pull my card out and type the number again.

    Second, the auto-fill often doesn’t work perfectly, so you need the card anyway.

    Third, there’s the slim chance it could be hacked. So why even take that chance when the only benefit is convenience

  • akilou@sh.itjust.works
    link
    fedilink
    arrow-up
    7
    ·
    9 months ago

    I don’t save them in Firefox, not because I don’t trust Firefox, just because keeping them in a password manager is more convenient. I don’t think there’s a reason not to trust Firefox.