Or here's an example, it's not clear how a security vulnerability worked, but it seems to me that they got to the keys - passwords - and made it a crime:

Yesterday, on January 3, Chrome extension stole $16 thousand in cryptographic currency!

A user of Ledger Secure malicious extension for Chrome lost $16 thousand in ZCash encryption. As it later became known, this little-known extension was disguised as Ledger's popular crypto wallet - the latter's developers had already disavowed the malware in the Chrome Web Store.
It is claimed that the Ledger Secure extension sends a passphrase to a third party, which allowed the attackers to steal 600 ZCashes from the victim's account. This user, nicknamed hackedzec on his Twitter account, also specified that he entered the passphrase on his computer only once 2 years ago and that it was stored as a scanned document.
Which storage option contributed to the theft of the crypt currency from the wallet is still unknown. How exactly the extension got into Chrome's browser also remains a mystery, but it was discovered when hackedzec found an unknown file on your computer with links to your Ledger Secure Twitter account. The account simulates the official representation of the French company Ledger.

Earlier MyCrypto detected similar malicious software in the Chrome Web Store. The extension, called Shitcoin Wallet, was freely distributed in Google's directory and stole private keys and authorization data from various cryptographic exchanges such as Binance.

What a twist!
Now we can't even trust the monsters the whole system relies on!

Tell me, where is the solid ground in this sea of uncertainty?

I'll tell you where, but few people will believe it - in systems without passwords and keys.

A paradox?
I don't think so.
It's a rescue.

It is not clear what is the point in reliable cryptography if no one is going to break it directly, but its keys are stolen.

Indeed, according to the same logic, it is unclear what the meaning will be in post-quantum cryptography or even post-post-quantum if the same keys are stolen.

The same security system holes remain and operate, regardless of the level of complexity of the system.

Maybe existing cryptography will not live long because of problems related to keys and the human factor? And not because of quantum computers?

I give an example of exploiting vulnerabilities that have remained a mystery:

-In 2014, it became known about the activities of a highly professional cybercriminal group called Carbanak, specializing in attacks on banks. It is assumed that the group managed to withdraw a total of more than $ 1 billion from various banks - while other cybercriminal groups failed to surpass this result.

Among the most noteworthy events, it is worth mentioning the large-scale hacking of the Italian company Hacking Team, specializing in the development and sale of hacker tools to special services of various countries. As a result, cyber attacks stole more than 400 GB of corporate data, which subsequently ended up on the Web.

But this is an organization that worked for the government, special services, which itself knows how to steal anything and from anyone - it itself has suffered!

But this is a real paradox.
If they did this to them, then what can they do to us?

Didn't the fundamentals of existing security systems based on keys and passwords compromise themselves completely and irrevocably?

How many more examples should humanity have to get in order to understand the inconsistency of the cyber security solutions that we are offered.

I remain a committed follower of new keyless encryption technologies and passwordless authentication methods.

There is a similar in this project: https://toxic.chat

The most sophisticated security system, any security system based on keys and passwords is vulnerable in these very places.
Individually, each of us can arrange secure storage of keys and passwords. But overall, it doesn't work well.

Here's the news again! The price of our security has dropped to a record $6. That's how much the program to hack into our accounts in one of the forums.

Check out the full text:
"Ring and Amazon have been sued for hacking into IoT video surveillance cameras.

The lawsuit charges the companies with breach of contract, invasion of privacy (!), negligence, unfair enrichment, and violation of the California Unfair Competition Act "by misrepresenting security".

Interesting wording: "by misrepresenting security".

In the same way, it is possible to formulate a claim against almost all companies that release all the software.

It's a sober view of our security situation.

But Ring has refused to comment on this situation.

Recall that in mid-December, credentials for thousands of Amazon Ring camera owners were published on the Internet, as well as 3,672 email addresses, passwords, time zone information and names assigned to specific Ring cameras (such as "front door" or "kitchen"). It has also become known that cyber criminals have created special programs to hack into company devices. In one of the forums, the user offered a tool to pick up Ring.com credentials for $6.
Here is the price for password and key security systems.

And the following news shows that such systems flow like a hole in a boat:

Provider of "smart" devices Wyze has leaked data to 2.4 million customers.

Smart Device Provider Wyze confirmed the data leak from the server.
Information such as client email addresses for Wyze accounts, names assigned by users to security cameras, WiFi network SSIDs and Alexa voice helper tokens used to connect Wyze devices to Amazon devices were leaked to the network.

Yes, I understand that stealing passwords (or keys) is not literally breaking cryptography, but it is a measure of the unsuitability of such technologies in today's reality. Yes, we've learned how to attack. More successfully than 10 years ago. And the techniques of such attacks are constantly being improved.

I am convinced that real superiority over swindlers can be achieved only through the introduction of new keyless encryption technologies and authentication methods without using a password, by variable digital identifiers (we are not talking about biometric identifiers), stealing and reusing variable identifiers makes no sense.

-------------------
There's always been a problem with cryptography.
The story even 10-20 years ago tells us that.

There are problems in cryptography now, except for symmetric encryption systems.

The problems that we see in cryptography are much more serious than the problems that a quantum computer will create.

Just before the quantum computer, the problems were known to a narrow circle of people and only to special organizations.

The advent of quantum computing has added new problems, which are now readily shared with everyone, in order to hide the real problems in cryptography.

Information for thought, even a theoretical very large quantum computer will not do anything with the number 256 bits in a binary system. And if you increase the key length in AES to 512 bits - you can forget about any fantastic calculations at all.

And if you increase the key length in AES to 1024 bits, even the idea of quantum computing becomes ridiculous.

In this case, the load on calculations will increase only 2-4 times, which is not a problem.

And the key length in post quantum systems with the length of 32 000 bits is considered small at all. There are systems with the key length up to 1,000,000 bits.
So what?
Or do you think these systems are afraid of a quantum computer with that much key length?

Therefore, a quantum computer is a terrible "Halloween" for the uninformed about the present state of affairs in modern cryptography.

Modern asymmetric cryptography (the one that is being replaced) is a temporary phenomenon based on unproven hypotheses.

The same is true for the security of the block-chain technology, a precisely temporary phenomenon, precisely based on assumptions that cannot be verified.

Details here (second post of December 4):
https://bitcointalk.org/index.php?topic=5204368.40.   

Well, phishing can be left in question whose problem it is.
The whole world has put that responsibility on the user.
I strongly disagree with this, and I'm putting this responsibility on the security organizers.
There's no point in arguing.

But it makes sense to look at the root of the problem.

As none of the times I have pointed out that until the basis of modern security system changes - the reliability of any new security system will not change.

In other words, all the upgrades and sewing up of holes will not stop the appearance of new problems in a system with an unreliable basis.

An unreliable basis for all security systems is keys and passwords.

It's a bold statement, but it's thoughtful.  You need to look at the essence, not the form.

I'll give you a fresh example to defend your position.

 You are a user. There is a manufacturer. The manufacturer is in trouble. You use it without suspecting that there are vulnerabilities that affect the Intel Platform Trust (PTT) technology and STMicroelectronics' ST33 TPM chip.
What do you and I (users) have to do with this?
Well, here's the answer.
 Vulnerabilities in TPM chips allow stealing cryptographic keys. A team of researchers from the Worcester Polytechnic Institute (USA), the University of Luebeck (Germany) and the University of California at San Diego (USA) discovered two vulnerabilities in TPM processors. Exploiting problems commonly referred to as TPM-FAIL allows an attacker to steal cryptographic keys stored in the processors.
This chip is used in a wide variety of devices (from network equipment to cloud servers) and is one of the few processors that have received CommonCriteria (CC) EAL 4+ classification (comes with built-in protection against attacks through third-party channels).

The researchers have developed a number of attacks, which they call "timing leakage". The technique is that the attacker can determine the time difference when performing TPM repetitive operations, and "view" the data processed inside the protected processor. This technique can be used to extract 256-bit private keys in TPM used by certain digital signature schemes based on elliptical curve algorithms such as ECDSA and ECSchnorr. They are common digital signature schemes used in many modern cryptographically secure operations, such as establishing TLS connections, signing digital certificates and authorizing system logins.

So this is the subject of our disagreement - keys and stealing them.

It turns out, "A local attacker can recover an ECDSA key from an Intel fTPM in 4-20 minutes, depending on the access level. Attacks can also be carried out remotely on networks by recovering the VPN server authentication key in 5 hours," the researchers note.

This news would not be revealing to our discussion,
if news like this hadn't come from all over the world like rain.

There's no cybersecurity, it's a software salesman's myth.
Think of the number of critical updates released by Microsoft (or rather microscopic software) to their operating systems, exactly like a storm... 

--------------------
I fully agree with that opinion.
 But I do not agree that stealing password and other personal information by means of phishing is not a technical problem and it is the problem of inattentive user.
It's not just your opinion, it's a public opinion.
Moreover, I think this opinion has been softly imposed on society by those who cannot and do not want to solve this problem using technical methods.
I'm sure that society will change soon.
Phishing is possible only when you do not authenticate the website, but only the website authenticates you. Only with one-way authentication.
Moreover, once you are caught in phishing, you lose a lot, you do not know that you are already attacked, or you will never know about it.
The security system makes this problem our problem.
And I think it's an old, wrong opinion imposed on us.
I think it's technically possible to do two-way authentication.
 But there's more to it than that. We need to ban authentication with permanent identifiers, as it is now.
These technical measures will completely eliminate phishing as a method, as a phenomenon.
And instead, we are offered to "look closely" at the site and remember in detail how it looks.
This is in the 21st century! This is ridiculous! It means that the whole old security system is unsuitable in our time.
I recently read how phishing attackers deceive the most attentive users - they take high-quality photos of the site and put the necessary active windows to enter the login and password.
What to do in this case? To be very attentive is not a method, it is a complete failure of password authentication technology.

-----------------------------
You correctly noticed that this is really a problem.

Speaking directly, but not counting on the support of a large number of people, the problem with any key encryption system is the keys.

We develop thought in this direction.
The problem with any password authentication system is passwords.
Once upon a time, this was not so noticeable.
This problem emerged over time, after a statistical analysis of the causes of successful cybercrimes.

For this reason, I advocate only new passwordless authentication methods that are based on the new keyless cryptography. Interestingly, in this field of knowledge, there are almost no publications and studies.
https://bitcointalk.org/index.php?topic=5204368.0

The whole world sees no alternative to either keys or passwords.

In a wonderful world we live, we find it hidden from our eyes, but we don’t notice the obvious on the surface.

---------------------
Dear opponent!
This is the first qualitative version of the discussion with my participation.  I am very pleased that there are interesting interlocutors on this business cryptographic platform.

When I wrote my posts on this topic, I thought that superficial knowledge was more successful than deeper knowledge.

But after reading your post, I realized that I was wrong.

But you know, I read a lot of opinions on "what cryptography we will need".

Of course, quantum cryptography is a technical, scientific, technological step forward. Although, in fact, nothing new is observed from the knowledge that we had 40 years ago.

Let me tell you something else.  Quantum cryptography, not only in my opinion, is it a big, powerful mechanism that needs to lift a big load. Simple, not tricky, the engineer's reasoning is this:
- if the load is 10 times heavier, then you need a crane 10 times more powerful. Scrap against scrap. It works. It's convincing. But it's not exactly an engineering approach, I think. It's force versus force.

I'm a supporter of beautiful engineering, I'm a supporter of ingenuity and cunning, intelligence and innovation - and against brute force.

For this reason, I don't like the solution of the problem with quantum cryptography, but I'd really like the solution with post quantum mathematical, logical, unusual solutions.

No matter how actively quantum encryption methods are developed, if a solution is found in the direction of post quantum (mathematical) cryptography, this solution will be cheaper, simpler, more elegant, more attractive, and will have a much greater commercial success than physical quantum cryptography.

Especially since quantum methods (actually old photonic systems, but words are always ahead of the curve, it's the golden law of advertising) plan to be used as a transport protocol, not as encryption itself.
Or as an encryption key exchange system for reliable mathematical symmetric encryption systems.
As a replacement for cryptography with a pair of open and private keys.
No more than that.
Especially since quantum cryptography is ABSOLUTELY not protected from information theft. It simply informs the recipient how much information is lost, but does not protect against theft!!!

Unlike some post quantum (mathematical) encryption systems.

Weighing all of the above, I am in favor of a future dominated by post quantum cryptographic systems, not quantum cryptography.
 
Otherwise, it is the surrender of progressive human thought to brute physical force.

And if you look even deeper, I am a supporter of new geometric principles of encryption, without a key, and principles of new authentication without a password.
It's my theme:
https://bitcointalk.org/index.php?topic=5204368.0.
и
https://bitcointalk.org/index.php?topic=5209297.0   

----------------------
In my opinion, post quantum cryptography should not be confused with cryptography based on the mutual relation of quantum states of photons.
Post-quantum cryptography uses mathematical coding methods.
Physical laws of the quantum world are used in quantum cryptography.

Post quantum systems, most of them, were developed 10-20 years ago. Some of them are new, developed recently. But they're all based on mathematics.

They should not be confused with related quantum states, it's a completely different approach to the problem.

We are not interested in quantum cryptography, it is not our level, it is not intended for ordinary users.
And it's not even planned for us.

It's post quantum mathematical cryptography that we are planning.

You are very mistaken about the length of the key if you think that a quantum computer can solve the problem of a complete search for a key only 256 bits long. No quantum computer can do that. That's why the AES-256 remains a post quantum system.

If cryptography on elliptical curves, as well as any other cryptography with a public and private key was reliable, and everything depended only on the length of the key, then no search for post quantum systems would be done by mankind.

Moreover, a large number of cryptographic systems that were candidates for post quantum encryption systems were not cracked by quantum computers, but by good old cryptanalysis, mathematical methods.

The key which is not broken by full search in system AES length 256 bits - corresponds to a key 15300-16400 bits in system RSA. If it were only for the speed of quantum computing, you could use an RSA with a key length of 16400 bits or more, or cryptography on elliptical curves (ECC) with a length of 512 bits.

Instead, AES-256 with only 256 bits of key is definitely left (it's a symmetric system), but all our asymmetric systems (including RSA and ECC) are not.

Moreover, for serious secrets 5 years ago they were forbidden to use, this is only what has already leaked to the press.
Neither ECC, nor RSA have ever been used in serious cases 10 years ago.
Details here, post dated December 04, see:
https://bitcointalk.org/index.php?topic=5204368.0.

Therefore, there is only one conclusion - all modern asymmetric systems with a pair of public and private keys - do not fit with any length of the key precisely because they are weak, but the details of this circumstance are not specified and few people know.

----------------------------------------------
It's the complexity of machine translation, all attacks are illegal, that's right.

Including attacks on cryptography using quantum computing (using a quantum computer).

And by "more dangerous" attacks, I mean exploiting for criminal purposes the weaknesses of cryptography itself on elliptic curves.

I don't understand it, why one part of people consider it reliable, and officials of special organizations categorically prohibit its use.

I do not understand why there is one cryptography for all of us, it is like household cryptography, and why there is another cryptography for special organizations and government agencies.

I don't understand why for so many years, long before the quantum computer was going to be built, so many serious people and organizations around the world are looking for a replacement for existing encryption methods.

After all, from an attack with quantum computing, it is enough to simply increase the length of the key.

After all the key in AES 256 bits long is not afraid of quantum computers (it is left as a working mechanism on post quantum period) because the method of encryption itself is very successful.

And cryptography on elliptical curves with any key length is not suitable.
And that's with the fact that the key length of even 512,000 bits or more - post quantum cryptography suits everyone!!!

So there's something wrong with ECC?

-----------
Anonymity of any user on the Internet is a myth, and the further the Internet becomes more transparent, but only for specially trained people.
Anonymity in cryptov currencies is, but also has its own price, has its own technology of access to information.

If you own 500 bitcoins, nobody will be interested in you, too small, if you have 10 000 - you are on the hook, no matter what you want.
And what's between those limits - I don't know, anything can be found if they really want it.

The TOR network - has lost its anonymity, this year tracking technologies appeared (to be more exact, this year they wrote about it, and when this technology appeared - I do not know).

VPN - became transparent for owners of certain technologies, this was recently reported in the press, moreover, with the loss of anonymity there was a loss of traffic privacy.

Anonymity is a myth that has its price.

-------------------------
Verifying the existence, or belonging to us, of our crypto assets must be verified, but not in this way.  Technically, it can be done by the bitcoin owner every second, every hour, or every day.
But that part of the technology is not yet available to us.
And that's a significant flaw that should be corrected soon.

---------------------
As for improving the IT security sector, my opinion is that we are always trying to be inspired by the idea that the new security product you buy or use is better than the old one.
But it is not always the case.
More often than not, it is a myth that is spread by the sellers of products for our security.
History knows a lot of cases when new top IT products were hastily made and were inferior to the old proven software solutions.
We live in a world of public opinion.
And as long as huge efforts are made to support this public opinion, there is no way to find out if the new is better than the old until time itself settles the dispute between the disputing parties.

And now, about the facts of time.

Try to look at statistical studies, about successful attacks today compared to what happened 5 years ago.
This is the right indicator of how our IT security is evolving. 

Yes, you will find that many of the bugs of the past have been fixed, and seem to be reliable.
You will also find that cheaters are developing very much ahead of the security industry.
You will also find that security administrators will find out about their bugs once they are detected by scammers.

And you're always told, like this:
- a dangerous vulnerability has been discovered, so urgently install the latest update;
- or so: the vulnerability cannot be fixed with an update, you need to change the software;
- or so (as with the vulnerability of almost all Apple iPhones since model 7): this vulnerability cannot be corrected programmatically, a hardware replacement is required...

And beyond that is the paradox of our perception:
- the first group thinks it's okay, because the vulnerability was discovered and warned about it (the question remains behind the scenes, but what security holes weren't warned about?);
- the second group, more courageous, believes that in such cases, the security system fails to perform its duties, especially when the found shortcomings have already been exploited by criminals.

The pseudo-security industry does everything to make the first group of users dominate the second.

And what group do you think you belong to?

P.S.
Given that, year after year, the financial and reputational losses from cybercriminals are steadily increasing, not decreasing.

Another example of how quietly and for a very long time it is possible to exploit the vulnerability of banking security systems.

It should be noted that these are not the last banks in the world.

And yet, it is impossible to keep silent that phishing, which is the basis of many attacks, is possible only in password authentication systems, in systems with a permanent client ID.

These improperly built security systems guarantee the existence of such facts.

14 Canadian banks were affected, among others:
1. CIBC bank;
2. TD Canada Trust;
3. Scotiabank;
4. Royal Bank of Canada (RBC);
5. other banks.
 - were the victims of a large-scale phishing campaign that lasted for two years.

What good is it if fraudsters worked without problems for 2 years.

As noted by researchers from Check Point in their report, in the case of RBC attackers simply took a screenshot of the official site and added invisible text fields over the input fields to collect the credentials of the victim.

If you start collecting these facts, it's very quick to get a very thick and sad book... 

Scammers who specialize in hacking into bank security systems are not just looking for access to their victims' money.
It's complicated and thoughtful on their part.
They're hunting for the information they need.
Fraud not only involves using the money in the accounts themselves, but also often opens the door for further fraudulent activity. Criminals may use information obtained as a result of the successful theft of your personal data to further manipulate other financial products, such as consumer loans or credit cards.

Criminals have found and continue to find many opportunities for their illegal activities.

Do not believe advertisements about the boundless reliability of banking security systems. If this were the case, you wouldn't spend a lot of effort constantly modernizing such systems.

In general, a security system cannot be more reliable than the elements of which it consists.
I'm interested in its most important element - cryptographic.
A system built on key cryptography and password authentication methods will always be in danger.
Probably the only way out is with keyless encryption and passwordless authentication.

These options are discussed here:
https://bitcointalk.org/index.php?topic=5204368.0.

And the possible first implementation of such a fundamentally new security system may be in this project:
https://toxic.chat/

Not only quantum computing is dangerous.

The development of illegal attack techniques on networks and the large finances of cybercrime are much more dangerous.

Although the most famous specialists put quantum computing first.

I don't agree with them.

The further technology develops, the less privacy becomes for both a decent user and a cheater. 
Not so long ago, the VPN was anonymous.
Not anymore today.
Not so long ago, the TOR network was anonymous.
Not anymore.
There are strong players on the Internet, they can do anything.
The usual users are left - they can keep their anonymity less and less. We need to be more and more careful when we use the network.

And this process is developing.

We lose our anonymity and security.
Others are gaining unlimited power.

Why is this happening?
What's wrong with the basics of modern security systems?

Cryptography in bank security systems is common, household, conditionally reliable.

Attacking a bank's security system through a cryptographic attack itself is not necessary.

Cyber security in banks is so low that there are many other, more effective means of attack. And scammers always choose the easiest way.

Very strange solved the issue of cryptography, without our consent, in the protection systems of all banks. 

Cryptography, the technology of information management, for a long time already allows to have mechanisms of protection of owners of bitcoins from theft on exchanges, from worrying about it the owner of the asset - a crypto-asset.
Somehow do not reach hands at administrators - to start these mechanisms excluding theft, basically and forever.

Here is an interesting example of how the security system is organized for ordinary currencies, in banks of fiat assets.

--------------------
They (I do not know who these people are) make a distinction between "commercial" or general cryptography (this is the one for us) and state cryptography.

Commercial cryptography must be based on the same standards throughout the world, because modern business, let alone banking, often goes beyond the borders of a single country.

But state standards for cryptography are much better, they cannot be distributed anywhere, they will only be used within government structures and as is done in the United States.

And despite this high level (relative to "our" bank cryptography), they must be updated every five years (at the algorithmic level).

Then it is even more interesting.

Commercial structures should not have access to this algorithm itself. Thus, it will be possible to apply simultaneously public "commercial" algorithms - for us, the simple and naive, and for the celestials - to ensure the normal preservation of state secrets and other important secrets.

We, bank customers, ordinary customers, not VIPs, are confronted by organized cybercrime, which has a huge, well-organized business that operates billions of dollars annually around the world.

Far from cyberattacks are not always protected by antivirus programs or data protection technologies, because hackers' technologies are always and constantly being improved.

---------------------
Cryptography in bank security systems is common, household, conditionally reliable.

Attacking a bank's security system through a cryptographic attack itself is not necessary.

Cyber security in banks is so low that there are many other, more effective means of attack. And scammers always choose the easiest way.

Very strange solved the issue of cryptography, without our consent, in the protection systems of all banks. 

They (I do not know who these people are) make a distinction between "commercial" or general cryptography (this is the one for us) and state cryptography.

Commercial cryptography must be based on the same standards throughout the world, because modern business, let alone banking, often goes beyond the borders of a single country.

But state standards for cryptography are much better, they cannot be distributed anywhere, they will only be used within government structures and as is done in the United States.

And despite this high level (relative to "our" bank cryptography), they must be updated every five years (at the algorithmic level).

Then it is even more interesting.

Commercial structures should not have access to this algorithm itself. Thus, it will be possible to apply simultaneously public "commercial" algorithms - for us, the simple and naive, and for the celestials - to ensure the normal preservation of state secrets and other important secrets.

We, bank customers, ordinary customers, not VIPs, are confronted by organized cybercrime, which has a huge, well-organized business that operates billions of dollars annually around the world.

Far from cyberattacks are not always protected by antivirus programs or data protection technologies, because hackers' technologies are always and constantly being improved.

The case has gone so far in the bad direction that:

1) American banks and online lenders Citigroup, Kabbage, Depository Trust & Clearing Corporation, Hewlett Packard and Swiss Zurich Insurance Group announced the creation of a consortium on cyber security - it will be managed by the World Economic Forum.

2) SWIFT management has sent a letter to client banks warning of the growing threat of cyber attacks. A similar document was made available to Reuters editorial staff.
The letter from SWIFT also says that hackers have improved their cyberattack techniques on local banking systems. One new tactic involves using software that allows hackers to access technical support computers.
"Threats are constant, sophisticated and have a good degree of adaptability - and are already normal," says the letter SWIFT.
 Unfortunately, we continue to see cases in which some of our clients are now compromised by thieves who then send out fraudulent payment instructions via SWIFT.

3) Check Point: The number of attacks on mobile banking has doubled in the first half of the year:

On August 1, 2019 Check Point Software Technologies released Cyber Attack Trends: 2019 Mid-Year Report. Hackers continue to develop new toolsets and methods aimed at targeting corporate data stored in the cloud infrastructure; personal mobile devices; various applications; and even popular email platforms. Researchers note that none of the sectors is fully protected against cyber attacks.


4) The Neutrino Trojan once again confirms that cyber threats are constantly evolving. New versions of known spies are becoming more complex, their functionality is expanding, and appetites are growing. And as the number of different digital devices grows, malware areas are also becoming wider.

5) Cyber criminals have learned how to steal data by distributing malicious plug-ins from over 80,000 sites on the Internet.

By installing unproven malicious plug-ins, the user gives cybercriminals access to passwords, logins and bank card data.

6) German banks refuse to support authorization via one-time SMS code
Several German banks announced in July 2019 that they planned to abandon the use of one-time SMS passwords as a method of authorization and transaction confirmation.

Over the past few years, the number of attacks using the "SIM swapping" method has increased, thanks to which a fraudster can deceive a telecom operator and transfer a user's phone number to another SIM card, gaining access to the user's online accounts with banks and crypt currency exchanges.

Cyber security specialists have been warning against using one-time SMS passwords for several years, but not because of "SIM swapping" attacks. The problem lies in the inherent and unrecoverable weaknesses of the protocol (SS7), which is used to configure most telephone exchanges around the world. Vulnerabilities in this protocol allow attackers to steal a user's phone number invisibly, even without the knowledge of a provider, allowing them to track the owner of the phone and authorize online payments or login requests.

And banks use this and impose it on their users as an "additional" security measure. A paradox?


7) 97% of large banks are vulnerable to cyber attacks.
On July 10, 2019 it became known that only three banks out of a hundred received the highest score in terms of ensuring the security of their sites and implementation of SSL encryption.
The vast majority of large financial institutions in the S&P Global rating are vulnerable to hacker attacks. This conclusion was made by the experts of the Swiss company ImmuniWeb on the basis of a large-scale study, which examined 100 sites owned by large banks, 2,336 subdomains, 102 Internet banking applications, 55 mobile banking applications and 298 mobile banking APIs.

Positive Technologies: All online banks are under threat of unauthorized access to bank secrecy.
On April 5, 2019 Positive Technologies reported that its experts assessed the level of security of online banks in 2018 and found that 54% of the surveyed systems allow attackers to steal money, and all online banks are under threat of unauthorized access to personal data and bank secrecy. According to the analysis, most of the online banks studied contain critical vulnerabilities. As a result of the online bank security assessment, vulnerabilities were identified in each system studied, which could lead to serious consequences.

9) Trojan under the name Android.BankBot.149.origin is distributed as harmless programs. After downloading to your smartphone, tablet and installation, it requests access to the mobile device administrator functions to make it harder to remove it. It then hides from the user by removing its icon from the home screen.

Then the virus connects to the management server and waits for commands.
It can do the following:
1. Send SMS messages;
2. to intercept SMS messages;
3. to request administrator rights;
4. to execute USSD requests;
5. Receive a list of the numbers of all available contacts from the phone book;
6. To send SMS with the text received in the command to all numbers from the telephone book;
7. To track the location of the device via GPS satellites;
8. to request additional permission to send SMS messages on devices with modern versions of Android OS,
9. making calls,
10. access to the phone book
11. Working with a GPS receiver;
12. obtaining a configuration file with a list of bank applications under attack;
13. display of phishing windows.

What do you think he can do with your "bank security"? 
Whatever he wants to do!!!

And beyond that:

14. the Trojan steals confidential information from users, tracking the launch of "bank-client" applications and software to work with payment systems.
15. controls the launch of over three dozen such programs.
16. as soon as the virus detects that one of them has started working, it downloads from the management server the corresponding phishing form for entering the login and password to access the bank account and shows it on top of the attacked application.
17. In addition to stealing logins and passwords, the Trojan attempts to steal information about the bank card of the owner of an infected mobile device.

To do this, the virus monitors the launch of popular applications such as Facebook, Viber, Youtube, Messenger, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, Play Market and shows a phishing window of the payment service settings on top of them.

18. Upon receipt of SMS, the Trojan turns off all sound and vibration signals, sends the content of messages to attackers and tries to remove intercepted SMS from the list of incoming ones.

As a result, the user may not only fail to receive notifications from credit organizations with information about unplanned money transactions, but also fail to see other messages that come to his number.

Conclusion:
- The imperfect security system (first of all, the bank system) does not allow us to use the mobile phone, which receives one-time SMS-passwords, for other purposes!
It should not be used for online banking (mobile banking)!
It is necessary to allocate a separate device (computer, smartphone, tablet) from which you can access and manage your bank account.

Moreover, this device should not be used for any other purposes other than online banking, including it should not be used for any other purpose:
- browsing the Internet;
- social networks;
- email;
- the device must be equipped with special software implementing the "default ban" function.

These are the restrictions that each of us has to apply - if we want to use banking products that are very vulnerable to attack, not cryptographic nature.

It is possible to live well and quietly, but only when you don't know this information.
The banking security system is a false myth, in our time.

That's why it's dangerous to use, even the most secure devices to encrypt secrets, fresh news:

Way to crack passwords from email in iOS 13.3 has been found

Elcomsoft has released iOS Forensic Toolkit, which extracts data from the locked iPhone on all versions of the system starting from iOS 7.

It will require a Checkra1n jailbreak. It uses the checkm8 vulnerability, which is present in many Apple processors. There is no way to fix it.

The list of supported devices is impressive:
▪ iPhone 5s▪ iPhone 6▪ iPhone 6s▪ iPhone 7▪ iPhone 8▪ iPhone X▪ iPad mini 2▪ iPad mini 3▪ iPad mini 4▪ iPad Air▪ iPad Air 2▪ iPad 2017▪ iPad 2018▪ iPad 2019▪ iPad Pro 10,5▪ iPad Pro 12,9

The company claims that its software works even when the device is in BFU mode. It activates after the gadget is rebooted, when the user has not yet entered the password.

With iOS Forensic Toolkit, you can copy your iPhone and iPad file system, access your call history, access accounts for a variety of services including messengers and social media, and access Signal and WhatsApp encryption keys.

The iOS Forensic Toolkit costs $1495. It can be purchased by anyone.