HACKER Q&A
📣 Yawrehto

What's a security risk you think people should be more aware of?


Here's mine: QR codes. They're a terrible idea, especially when there's no URL attached. They remove someone's ability to verify that yes, this is the correct site, and are easy to bypass - a scammer can literally just put a different QR code over the intended one, and ta-da! Done.


  👤 solardev Accepted Answer ✓
Physical security: On MacOS, there are several network- and disk-level protections built into the OS. But nothing stops someone from walking up and punching you in the face and taking your $3000 laptop.

On Linux this is less of an issue. They'll usually come back after a few hours asking for help with a driver.


👤 whatamidoingyo
As many have said, definitely physical security. Especially when shopping in stores.

"Do you have rewards?"

"Oh, yes. My number is 555-555-5555", the customer blurts out loud while there's 10 people behind them.

I imagined the person walking out and getting hit with a "Thank you for shopping at Macys. Here's $500 on us!" text message. I think most would definitely fall for this, especially if they just left the store.

People not locking their computers before they leave their desks also drives me crazy.


👤 tacostakohashi
Even if there were a URL attached, then the scammer would just ensure that their (different) URL is attached to the different QR code they are putting over the intended one, so that doesn't solve anything.

I do rather agree that using QR codes from untrusted sources is not a smart way of entering URLs. It makes sense for wifi codes or payloads _within_ some trusted app, but as a way of hitting whatever URL someone has obfuscated into an unverifiable QR code... not so much.


👤 marapuru
People who share their screen over a Zoom call and have a desktop cluttered with documents with insightful names, open tabs in browsers, or messenger applications open when switching windows.

I’ve even seen this in screen recordings that are permanently published on video platforms.

It’s a gold mine for social engineering attacks.


👤 toomuchtodo
Your mobile provider stores your location data for 1 (Verizon), 2 (T-Mobile), or 7 (AT&T) years. Tower dumps long term; granular advanced timing/ranging (to within meters) for ~90 days.

Don’t think too fondly of Verizon’s short retention schedule though, they sell your location to data brokers.


👤 mikewarot
Ambient Authority... it's the computer equivalent of giving the full electrical grid, unrestricted in any way, to every single outlet in your house. No fuses, circuit breakers, or other protection.

Yet this is the underlying design that Linux, Windows, MacOS are all based on.

We have ways to default to NO authority, and still make computers just as easy to use, but we don't do it. Because it would require reconfiguring everything, and porting a lot of code to new OSs.
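
To make the contrast concrete, here is an added example (not code from the thread, and not a description of how any real OS implements this): the same "read a file" operation written with ambient authority, where the code can name any path the process can reach, and in capability style, where it can only use a directory handle it was explicitly given. The sandbox directory, file names and contents are constructed for the demo; it relies on POSIX openat-style opens (`os.open` with `dir_fd`), so it runs on Linux/macOS only.

```python
"""Ambient authority vs. a capability handle (added example, not from the thread).

`read_ambient` is how most code is written today: any string it receives is a
path, and the process' full filesystem authority is available to it. The
`DirectoryReader` object is a capability: possessing it grants read access to
plain files directly inside one directory and nothing else, so there is no
argument a caller could craft to reach elsewhere. The sandbox is constructed.
"""
import os
import shutil
import tempfile


def read_ambient(path: str) -> str:
    """Ambient authority: whatever the process can open, this function will open."""
    with open(path) as f:
        return f.read()


class DirectoryReader:
    """Capability granting read access to plain files directly inside one directory."""

    def __init__(self, path: str):
        # The directory fd is the only authority this object holds.
        self._dir_fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY)

    def read(self, name: str) -> str:
        # Only a single plain file name is accepted: no absolute paths, no '..',
        # no subdirectory traversal.
        if name in ("", ".", "..") or "/" in name or "\0" in name:
            raise PermissionError(f"refusing {name!r}: not a plain file name")
        # Open relative to the directory fd; O_NOFOLLOW stops a symlink planted
        # inside the directory from pointing the read elsewhere (fails with ELOOP).
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=self._dir_fd)
        with os.fdopen(fd) as f:
            return f.read()

    def close(self) -> None:
        os.close(self._dir_fd)


def demo() -> dict:
    """Build a constructed sandbox and exercise both styles; returns the outcomes."""
    root = tempfile.mkdtemp(prefix="authdemo-")
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "menu.txt"), "w") as f:
        f.write("soup of the day")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db password")
    # A symlink inside the readable directory that points outside it.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(public, "link.txt"))

    outcomes = {}
    # Ambient: nothing stops a '..' in the argument from reaching the secret.
    outcomes["ambient ../secret.txt"] = read_ambient(os.path.join(public, "..", "secret.txt"))

    reader = DirectoryReader(public)
    outcomes["cap menu.txt"] = reader.read("menu.txt")
    for attempt in ("../secret.txt", "/etc/hostname", "link.txt"):
        try:
            outcomes[f"cap {attempt}"] = reader.read(attempt)
        except OSError as e:                 # PermissionError is an OSError subclass
            outcomes[f"cap {attempt}"] = type(e).__name__
    reader.close()
    shutil.rmtree(root)
    return outcomes


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} -> {v!r}")
```

The point is not the name check (that is a policy detail) but where the authority lives: the reader can hand out `DirectoryReader(public)` to a component and know the worst it can do is read files in that directory, whereas any component holding a plain path string plus ambient authority can read anything the process can.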


👤 MountainMan1312
Posting on social media that you are out-of-town. Nothing more than a "my house is empty and you should steal all my stuff" advertisement.

👤 dangus
The camera app shows you what URL the QR code is going to before you click it.

I don't think it's really much of a risk because an attacker has to not only go to a physical location and replace the QR code, but they need to make some kind of replacement website that looks genuine to fool someone.

It's actually harder to pull off than a credit card skimmer.

Example: QR codes at a restaurant. I need to put the QR codes on every single menu (how am I going to do that discreetly without visiting the restaurant multiple times?), and then I also have to create a functioning website that mimics the restaurant's website. And then what happens when the customer doesn't get any food when they order via QR code and the server doesn't see any order being placed? Everyone involved would be immediately suspicious.
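
Both tacostakohashi's point above (a QR payload is fine inside a trusted app, such as a Wi-Fi credential, but not as an unverifiable way to enter a URL) and dangus's point (the camera app shows the URL before you open it) come down to one step: decode, classify and show the target before acting. The following is an added example, not code from anyone in the thread or from any camera app; the `WIFI:` record format, the sample payloads and the policy choices (only http/https, display the parsed hostname rather than the raw string) are assumptions made for the demo.

```python
"""Decode-then-verify policy for QR payloads (added example, not from the thread).

A QR decoder hands back a string; nothing about it is trustworthy. Before
acting, classify it: a structured record such as a Wi-Fi credential can be
consumed by a trusted app, a URL is shown to the user as scheme + hostname
(not the raw string, which can hide the real host behind user-info), and
everything else is refused. All sample payloads below are constructed.
"""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def parse_wifi(payload: str) -> dict:
    """Parse the de-facto 'WIFI:T:WPA;S:ssid;P:password;;' record.

    Values may escape ';', ':', ',' and '\\' with a backslash; ';;' ends the record.
    """
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI record")
    fields = {}
    i, n = len("WIFI:"), len(payload)
    while i < n:
        colon = payload.find(":", i)
        if colon == -1:
            break
        key = payload[i:colon]
        i = colon + 1
        value = []
        while i < n and payload[i] != ";":
            if payload[i] == "\\" and i + 1 < n:   # escaped character
                i += 1
            value.append(payload[i])
            i += 1
        fields[key] = "".join(value)
        i += 1                                     # skip the ';' ending this field
        if payload[i:i + 1] == ";":                # ';;' terminates the record
            break
    return fields


def classify(payload: str) -> dict:
    """Return what the payload is and what should be shown before acting on it."""
    text = payload.strip()
    if text.startswith("WIFI:"):
        net = parse_wifi(text)
        if not net.get("S"):
            return {"kind": "reject", "reason": "WIFI record without an SSID"}
        return {"kind": "wifi", "ssid": net["S"], "auth": net.get("T") or "nopass"}

    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    if scheme in ALLOWED_SCHEMES and parts.hostname:
        return {
            "kind": "url",
            "scheme": scheme,
            "host": parts.hostname,            # lower-cased, port and user-info stripped
            "display": f"{scheme}://{parts.hostname}",
            # 'https://bank.example@evil.example/' has hostname evil.example; flag it
            "has_userinfo": parts.username is not None,
        }
    return {"kind": "reject", "reason": f"unsupported payload {text[:24]!r}"}


if __name__ == "__main__":
    samples = [
        "WIFI:T:WPA;S:CafeNet;P:pa\\;ss;;",
        "https://menu.example@203.0.113.5/order",
        "javascript:alert(1)",
        "HTTPS://Restaurant.Example:8443/menu",
    ]
    for s in samples:
        print(repr(s), "->", classify(s))
```

The `display` field is what a careful scanner should put on screen: the user-info trick (`menu.example@203.0.113.5`) makes the raw string look like the restaurant's site while the browser would actually connect to the IP address after the `@`, and that only becomes obvious once the hostname is parsed out and shown on its own.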


👤 previousjs
Boring one, but if you get a work email with bank account details be suspicious. Maybe book a face call before using such details and confirm them.

👤 giantg2
Physical security, specifically encryption and backups for after an incident occurs.

👤 matt_s
I’ll go with the obvious: scam phone calls and “your computer is borked, call 1-800-PAY-SCAMMER to fix it”.

There are a lot more boomer generation people out there that fall for this every day than complicated or highly technical scams. There should be PSAs shown during Jeopardy! and Wheel Of Fortune commercial breaks that simply state: “The IRS will never call you. Neither will the USPS. Microsoft won’t either. They won’t text either. If you get something that says your computer is hacked and to call, that is also a SCAM. Turn it off immediately and take it to a local professional.”

Edit to add: I know all of us in here will end up being the “local professional”, be nice and help the elderly.