How storing passwords let hackers bypass two factor authentication 

If a hacker got control of your machine remotely, the security key still cannot be used remotely. All security keys have a button and/or fingerprint sensor that must be pressed to authenticate/sign in. It would likely be the best two factor option, and you don't have to keep the key plugged in all the time either.

A family member used to have a small notebook by their computer with the front cover clearly labelled "passwords and I suggested that it might not be the most secure way of storing them. The book was then re-labelled "not passwords" 🤔

One of the first things I've always done when setting up a new computer is turning on "show file extensions". That one simple step basically eliminates falling for these executables disguised as PDF files, or any other file disguised as something it's not.

Not to be "that guy" or anything, but this is exactly why I don't let browsers store passwords or credit cards or anything else like that for me. I don't blame people for using those convenience features, but I do blame the browser makers for not doing more to educate users about the security tradeoff they're making when using those features.

IMO disabling 2FA should be a ~24h lockout operation, where it requires you either input the code or wait for the timout to expire before it takes effect. That would be already a step in the right direction.

many of the hardware encryption keys require physical interaction specifically to break the link of "left attached to a compromised computer"

Matthias, thank you for pointing out that people had unsubscribed to your main channel! I had done that while it was hacked, and didn't realize that it was YOUR channel I was unsubscribing from. I love your videos, and I've re-subscribed!

Most password managers require you to type in a master password any time you want to access something stored in it - and all the data inside of it is stored in an encrypted format. Essentially the same as storing your passwords in an encrypted file, but with a browser plug-in to make it more user friendly

This is a serious lack of forethought on Google's part. The possibility of losing your phone is NOT a good reason to make disabling 2FA so easy. Losing your phone is a separate problem and should have it's own ways of recovery regardless of your RU-vid security. Removing 2FA should ALWAYS require 2FA confirmation if not MORE (e.g. security questions, 2FA phone, AND secondary e-mail).

QUESTION: Firefox has a feature called a Primary Password. If enabled, Firefox will not show usernames, passwords, or saved payment info unless and until that password is entered, and it will ask for it every time Firefox resets. My question is: a) did you have that set? b) can a session hijacking attack circumvent that? Glad you're back in business.

Thank you for taking the time to share your experience so that the rest of us have a better chance of avoiding your woes.

A hardware device like the YubiKey requires that you touch the key to do a login. So even if you leave it plugged into a USB and the computer running, and hackers take over the PC remotely, they can't touch the key to activate it.

I had unsubscribed the first time not realising who it was, but have resubscribed, glad you got things fixed up

Both times your channel got hacked, I went on a "Mattias watching binge." I am literally so familiar with how you built your router table with built in dust collection, I could probably recite it. Almost the same with your 26" bandsaw wheel making video. Again, glad you're safe and back to secure.

Some USB security keys require you to physically touch a button on the key each time to access the credential. That would prevent someone from remotely accessing your machine from accessing a USB security device.

Thank you for the explanation Matthias. As another Firefox user now I know what I need to do. I never realized how many holes" there are for bad guys to get into.

I did unsubscribe initially but saw your video on here and resubscribed. Commenting just to increase visibility. Thank you for making great content all of these years. ❤

On top of what others have said, you can also host your own instance of BitWarden. Turn a spare computer into a Linux server and run BitWarden on it then point the browser extension to your server’s IP. From there the extension will no longer use BitWarden servers. Of course you have to make sure your server is secure, but since it’s on a separate computer it’s safe from your computer being compromised. Unless you have an active ssh session to it, but that should be rare and can even be never if you just plug a monitor and kbm into the server.

You got me back as a subscriber by pointing out that I may have unsubscribed from the hacked channel....which is exactly what happened!

Happy to hear you got your channel back!

Windows 11 has a feature called Windows Sandbox. It looks and feels like a standard windows box, but is completely dismantled when you end your session. I'd suggest doing your sensitive work through that. Even if the sandbox gets compromised, there is no other info for the bad actors to gather and your host does not to be reloaded. Couple that with two factor on the host computer or your phone and it becomes very hard to compromise overall. The usb keys with the button are also solid solutions.

Matthias, thanks for the heads-up about being unsubbed to your main channel. I was one of those people, I have re subbed! :)

Very interesting discussion - both on the video and in the comments. Thanks for sharing, Matthias, and good luck avoiding the third time. :)

Thank you for sharing such a detailed breakdown of the situation! I'm sure it was immensely frustrating but I appreciate the transparency!

Thanks Matthias, I’ve been needing to completely overhaul my security and this was a wake up call. I had an old coworker who was the victim of a SIM Swap attack and it was absolutely devastating. He purchased a new phone thinking it was okay, only for the hackers to regain access.

You have to enable advanced protection to get those security features because for normal users it can be quite annoying if they travel and get tons of security questions. Yubikey is also very nice you have to enter a prompt. Also credit cards do have hardware security it is in the chip part. The pin you have for canadian credit cards actually encrypts the card data.

I you use a password manager with a browser plugin to automatically fill in the passwords, make sure to have it require a PIN to unlock the database each time you want to use it, or at least each time after restarting/unlocking the PC. If you run a high risk, like you apparently do, you should have it require the PIN (or even more secure, a security key) each time you use it (with a few minutes timeout).

These kinds of problems suck, but it's helpful to raise awareness. Thank you.

Good point on the password manager considerations. Also, initially I did unsubscribe before I realized what had happened, and I went back and resubbed so that I would be subscribed when you recovered it.

I like that you mentioned the credit cards. When spying out data in real life was relevant (think putting cameras on ATMs), putting the three digits on the back was a great idea. A lot of credit card issuers now put the three digits on the front next to the 16 digit card number and I have absolutely no clue why.

The Dell Monitor at 7:51 looks like a Dell P2210T or one like it. Those have a barrel jack to provide 12V to the optional sound bar. I have similar monitors that I use for raspberry PIs. A 3D printed bracket clips into the monitor's sound bar tabs and holds the PI and a buck converter which plugs into the barrel jack.

6:55 Spot on, thanks for suggesting that we check! I remember unsubscribing from a weird crypto thing, wondering how it got in my feed in the first place. Now I see it was your main channel and I just re-subscribed

"I should be able to turn it [2FA] off without my phone, but, well, what if I lost my phone I still need to get rid of it right? so I guess it does make some sense" Nope, it still make no sense on a security maner. Either you need to contact the company (which "isn't secure" most of the time), or you have a backup 2FA: like unique recovery codes or a second emergency 2fa setup

Thaannkkkk you, for pointing it out: people need to finally stop storing passwords in their browsers. It was always a very bad idea and just because of laziness

I watch all your videos to the end and I'm glad you are back in your acount👍

"Most people don't watch videos to the end." I guess I am not most people! Hi Matthias!

Safe manufacturers figured this out years ago with timed safes. Why not require a 48 hour delay before certain changes take place?

Thanks for keeping us updated and pointing out things like this. Constant vigilance is important.

So I was unsubscribed! Now resubscribed and I was actually missing your content, thanks for the video!

I think by all the things algorithms do in the background they should definetly be able to detect when a account gets hacked.

I usually watch interesting videos till the end :)

Did not know there was even a main channel. I subscribed for the random stuff only...

Suggestion: Password manager for a random hard to remember password prefix, and then you type in a common, reasonably cryptic suffix that you have memorized. All passwords are different, hard bits are stored in cloud where you can use them anywhere, but are useless with knowing your suffix.

Reminds me of a conversation I had on Reddit where several people called me an idiot for keeping a password book and extolled the many virtues of password managers. "What if someone steals your book" blah blah. Clearly getting your session info hijacked is a much more meaningful threat.

My brother told be to unsubscribe, but I was skeptical about it since I know I wouldn't have subscribed to begin with if the channel was supposed to be just crypto, so I resubscribed within minutes. Only after looking through my list of channels, I only then realized it was your channel, looked it up, saw the channel and found your video on this channel.

How tf google allowed them to disable 2fa without reauthentication?

Is there an advantage to uploading video on one dedicated machine and emails+ whatever else on another machine ? Separation of functions ?

As the old saying goes, "If a bad guy can run code on your computer, it is not your computer any more". What do you think about using an offline file manager (e.g. KeyPass) with a USB hardware key (e.g. YubiKey)?

Re-subscribed to main channel. Cheers for the heads up

Some of the password managers allow you to self host. Plus you can salt the entries. Also keep IDs AND passwords unique for accounts.

I wonder about your thoughts about the USB security key though. I have it on my keys and only insert it in the PC when needed. Additionally I need to physically touch it to work. So from my point of view, having control over my PC wouldn't be enough to use that method without my explicit permission.

just checked and still subscribed to both channels and yes I do watch to the end of a video

I use google password manager thinking that those passwords would be encrypted, havent heard of a leak or scandal with that. How come firefox doesnt use encryption for the password saving feature? Are we sure about that? In todays world having a card with passwords you have to type in sound unreasonable, I mean I have about 120 password saved, do I put all of them on a card? Do I reuse some to keep the number lower??

7:45 I was able to get my old computer to boot off USB by burning a prog to CD called PLOP V 5.0.15. Once PLOP is running you tell it what USB port to boot from. Works great. For my computer I had to go into PLOP settings and set "force USB mode 1.1" to make it work.

Google's advanced protection program might be worth considering.

Google looking for suspicious patterns: Your on VPN therefore you must fill out a captcha 😂

Would using an OS like Linux for your uploads prevent things like this from happening? You could dual boot between Windows and Linux while also having a shared drive you can access your files from while in either OS. You would use Linux for uploading and any RU-vid business related activities. This would create an extra step, but if Linux is immune from these attacks this would provide an extra layer of protection.

I have done something similar with a password list. I write down well-formed-for-me hints and have the username or service the hint is for. For banks, they err on the side of decline, and have us confirm.

It is good security practice to physically logout of websites when you are done. This will help with session key hijacking. Also using a random password manager helps quite a bit.

Just a question Matthias, when you clicked on the fake PDF didn't windows ask you whether you agree to run that unknown program? That should be the typical behavior with downloaded files.

thanks for the update I wasn't subscribed to the main channel

do you know hat you can set main password in firefox to encrypt your passwords

I was one of your subscribers who uses the subscription feed and immediately unsubscribed from the cryptoscam channel that suddenly showed up. I was puzzled by how it got there and then I saw your 2nd channel video, so I checked it out and resubscribed later when I saw that this was why.

I did unsubscribe from that channel and thought it was strange at the time, I didn't bother digging deeper to see that it was your main channel. Anyway, resubbed now, thanks for the heads up

Thanks for mentioning checking the main channel. I had indeed unsubscribed without realizing it was you. I figured I accidentally subscribed to something dumb. Sorry you had to deal with that mess.

Do I understand correctly that you did not change your password after last attack??? Or do you use FF account to sync passwords that was used to get the new password? If yes, all your pwds are compromised. BTW, using security key is safe in a sense that you need to physically touch it to activate. Problem with the key is that you need two of them for backup and it is extremely inconvenient keeping them in sync.

Thanks for sharing, Matthias. 1. Are you running Windows? Did it ask you if you want to run this executable? 2. What kind of anti-virus program do you use? Might have prevented the exe file from running...? Not sure if this would have helped, but... 3. Do you use the Brave web browser? It has auto java script (and ad) blocking, built in. FYI, you can add the ScriptSafe extension on Firefox & Chrome browsers to automatically block Javascripts from all websites until you whitelist them. PS - I'm still subscribed to your main channel. PPS - I use uBlock Origins add-on on Firefox & Chrome web browsers to block all ads, on all websites.

There's a neat bootable cd image that allows for booting from the USB on computers that don't support it.

Glad I stuck around in the video. I was one of those people who un-subbed.

Matthias, I'm sure you've thought about this already, but as a long-time Windows user at work, now retired and using a Mac system, I've had zero issues since switching. It may only be pure luck but is that something you've considered? I also keep a copy of passwords (not evident to anyone who looks at them) on my iPhone which I can Airdrop directly to my Mac, using Bluetooth so the password does not go through a Cloud server.

Thanks for sharing Matthias. 7:58 Whats the name of that PC? I need a new one. Thanks 👍

well I just try disable MFA or sec. key as you did/say and it require my security key for doing so, of corse I have 2 sec. keys enabled, so ... I would say you have all options there, you just did not use them

so firefox stores pw locally unencrypted?

resubbed... thanks for the heads up. i am one of those that 1)watches their subscription feed and 2)watches videos to the end LOL

Great analogy at 6:20. Thank you for your knowledge.

Haha, I thought this was your main channel and never actually knew about your main channel.

Good info! Thanks! ⭐🙂👍

Nope, wasn't subscribed, but now I am again.

I checked and still am subscribed to your main. cheers

I think your idea about sites doing some form of session "deviation" (checking sudden changes in IP, location, etc.) has merit, similar to how credit card companies flag transactions when one is travelling (or not if someone stole your card info). I suspect large sites, Google et al, would have no issue doing this since they already do similar deep scan on content and flag those.

You can get some fantastic deals on the used PC parts market, haven't bought a new pre-built since 2006 when I got a Dell laptop

You didn't have a U2F hardware key? Only one from the phone?

I'm still working out what happened. When you first got hacked they copied your firefox database with a bunch of cookies and passwords in it, including your youtube session cookie and password, and a month later they used the cookie+password to disable 2FA and access your account? You didn't change you youtube password since then? I'm confused.

Resubscribed. Thanks for the heads up.

The problem I see with the paper list is how many passwords do you have? I have over 200 services currently used, which makes that infeasible (unless using the same password on multiple different services - which is bad for other reasons). The only feasible solution, imho, is either an external password manager (lastpass, 1Password, operating system vault, etc), or an external hardware vault plugged in via usb.

Still subscribed!

yeah, i unsubscribed both times, because i don't support criminals. but when you got your channel back, i re-subscribed.

As for the credit card fraud monitoring, considering the sheer volume of transactions happening in the financial system, human eyeballs wouldn't have a chance to keep up, but it's my impression that it's reasonably straight forward to use a machine learning system that can find the usual patterns in your transactions and flag any anomalies automatically.

Regarding Credit Card Fraud - They use different security protocols, the seller gets different levels of fees and different levels of fraud reimbursement after chargebacks depending on if the card is used physically versus remotely (over the phone, etc) since almost all cards now have a chip that provides rolling codes. For remote transaction they typically require the users zip code since that information is not stored on the card anywhere. And of course, they monitor remote transactions much more closely and will call if there are any large or multiple transactions occurring.

I also just write my passwords on paper in a similar manner to you. Very secure!!

would yubikey work?

I think having the password on paper like you have done is by far the most secure way. However for me I've been using a self hosted bitwarden server on a PI type device which has worked very well for me.

I would recommend a password manager. I do not know about the venerability to hijacking via the session token but all of your passwords are encrypted and stored securely. Even the online hosted ones will not compromise your passwords if there service gets hacked. There is a good computerphile video on how they work.

I use a password manager that keeps the passwords encrypted unless it's actually in the process of being used; and I have to unlock it every time I use it. I happen to have a Mac with TouchID, which makes this process more seamless, but 3rd party biometric hardware keys work also.

Last two PC's (mb mem cpu) I've bought was used. Last two gaming gfx cards also used. It's a gamble, but so far stuff has been ok. To the contrary: The the 4 gen older gfx card I bought from a store, that was sold at a discount (but full warranty) as "store demo or returned from customer" was not ok. Sadly I could not pin point / attribute the error to the gfx card in time. Sneaky error, of the (roughly) 50 games I ran only 2 had issues like intermittent crashes. 4 years ago I figured out the issue in gpu core by using OCCT. Damn card ran all 'visual' gfx stress programs.

I checked my subscription to the main channel and it was no longer subscribed but I don't recall unsubscribing.

Keypass still a viable option?

Keepass appears to be a good password manager.

Wasn't there a password manager that was free and then all of a sudden started to change for it?

I have 5 computer users on my network and a bunch of other devices. Would I have to have a Yubico key for each of them in order to be protected? Yikes...