I have never used the inbuilt browser password store for the reason of if someone can get onto my computer, they can just log in to things. I had NEVER considered that the password store could be copied and then used remotely in the manner used here 😞
Chromium actually uses the system Keychain if available, these days. It's just that to my knowledge Windows doesn't have one. But at least on Linux it does. The Keychain is encrypted on disk, -and AFAIK their decrypted memory is protected using all kinds of tricks that are available on the OS and by the CPU-
All the browsers would have to do is encrypt the password and auto-fill vault by requiring a master password which opens it for a specific length of time, then locks it automatically.
Most password managers require you to type in a master password any time you want to access something stored in it - and all the data inside of it is stored in an encrypted format. Essentially the same as storing your passwords in an encrypted file, but with a browser plug-in to make it more user friendly
Bitwarden has a nice feature that lets you mark particularly sensitive passwords (or credit cards) as requiring the master password every time. So you can have a more relaxed unlock rule for most things to avoid the hassle.
That's mostly true; except typically you'll only need the master password to open it - essentially a key to decrypt. For many of the ones I've used, once they're open, they're open until you close them.
If I wanted access to as many people's data as possible, I'd create a service exactly like that and bait people into actually PAYING ME to collect it all with the master passwords I make them type into my site. Governments have been intercepting, copying and routing information since before the days of wax seals. Now people actually pay them billions to do it.
A hardware device like the YubiKey requires that you touch the key to do a login. So even if you leave it plugged into a USB and the computer running, and hackers take over the PC remotely, they can't touch the key to activate it.
QUESTION: Firefox has a feature called a Primary Password. If enabled, Firefox will not show usernames, passwords, or saved payment info unless and until that password is entered, and it will ask for it every time Firefox resets. My question is: a) did you have that set? b) can a session hijacking attack circumvent that? Glad you're back in business.
Primary Password encrypts your stored password on the disk, so they wouldn’t be able to get those. But session hijacking would still work as that session data is what authorizes you to use the account without typing your password for every request. Browsers could maybe do a better job of protecting that data, but at some point it needs to be unencrypted and someone with access to your computer would be able to see it. Someone gaining access to your computer is about the worst possible security failure. If that happens, any other measures can only go so far. Diligence is important.
@@jpa3141 Absolutely nothing is safe from that attack. Or nothing that current OSs support anyway. (I believe macOS actually has the basic capabilities to mitigate this, but it doesn't.)
@@jpa3141 yes but that affects every password manager or every program for that matter, unless it encrypts the contents in memory. If malware gains admin access to your machine, it can do pretty much anything. Even if you don't use a password manager, it can log the keys you press. Only way to prevent this is by using good antivirus software and having basic common sense.
It's what i use. Firefox as my password manager. With a good master password to prevent brute force attack to the database, it's a decent password manager if you use the browser on all devices.
Both times your channel got hacked, I went on a "Matthias watching binge." I am literally so familiar with how you built your router table with built in dust collection, I could probably recite it. Almost the same with your 26" bandsaw wheel making video. Again, glad you're safe and back to secure.
On top of what others have said, you can also host your own instance of BitWarden. Turn a spare computer into a Linux server and run BitWarden on it then point the browser extension to your server’s IP. From there the extension will no longer use BitWarden servers. Of course you have to make sure your server is secure, but since it’s on a separate computer it’s safe from your computer being compromised. Unless you have an active ssh session to it, but that should be rare and can even be never if you just plug a monitor and kbm into the server.
Was gonna say that, and honestly, using a Docker container template and Portainer (a web GUI manager for Docker containers) made it pretty easy to setup, even though it was my first time doing something like that
Running your own Bitwarden server doesn't help much in terms of security. Bitwarden encrypts everything on the client side so even if the server is exploited, no secrets can be revealed. You have to trust your local machine and the local Bitwarden app or extension. As Matthias says, if your local machine is compromised, it's kind of game over already. If you don't trust the Bitwarden software, you shouldn't use it at all. A hardware key like a YubiKey or U2F key does help, as people mentioned. For the roughly $40 they cost, they are worth it, IMHO.
@@nascheme Bitwarden is open source and pretty big in the cyber security space, so I'd trust it more than a random password manager as everyone can audit the code for vulnerabilities, and fix them (and they do). The good thing about password manager programs is that they ask you for a master password (that you can secure how you like) before automatically entering the website's password, making it impossible to do stuff such as disabling 2FA like they did here. Session hijacking would still work of course, but it would "only" end there and they wouldn't have been able to change his password for example.
Self-hosting Bitwarden is overkill for anyone not competent enough to securely administer their own server. Just make an account on the main Bitwarden site, your data is still end-to-end encrypted.
Windows 11 has a feature called Windows Sandbox. It looks and feels like a standard Windows box, but is completely dismantled when you end your session. I'd suggest doing your sensitive work through that. Even if the sandbox gets compromised, there is no other info for the bad actors to gather and your host does not need to be reloaded. Couple that with two factor on the host computer or your phone and it becomes very hard to compromise overall. The USB keys with the button are also solid solutions.
I did unsubscribe initially but saw your video on here and resubscribed. Commenting just to increase visibility. Thank you for making great content all of these years. ❤
This is a serious lack of forethought on Google's part. The possibility of losing your phone is NOT a good reason to make disabling 2FA so easy. Losing your phone is a separate problem and should have its own ways of recovery regardless of your YouTube security. Removing 2FA should ALWAYS require 2FA confirmation if not MORE (e.g. security questions, 2FA phone, AND secondary e-mail).
You have to enable advanced protection to get those security features because for normal users it can be quite annoying if they travel and get tons of security questions. YubiKey is also very nice, you have to enter a prompt. Also credit cards do have hardware security, it is in the chip part. The PIN you have for Canadian credit cards actually encrypts the card data.
Some USB security keys require you to physically touch a button on the key each time to access the credential. That would prevent someone from remotely accessing your machine from accessing a USB security device.
Yes, a good practice is using multiple-factor authentication (instead of multiple-step authentication), using at least 2 factors as a combination of: 1. Something you know (password) 2. Something you have (some hardware with a key) 3. Something you are (retina/iris, fingerprint, gesture, heartbeat etc.) 4. Somewhere you are. BTW a password should not be 'difficult' with limited various characters but with high entropy (very long, such as a passphrase).
Thanks Matthias, I’ve been needing to completely overhaul my security and this was a wake up call. I had an old coworker who was the victim of a SIM Swap attack and it was absolutely devastating. He purchased a new phone thinking it was okay, only for the hackers to regain access.
I very nearly unsubscribed when I saw the scam video... but I paused and thought as I hovered over the video, and clicked "Not Interested" instead. After I saw someone else post a screenshot of the same vid on twitter, I knew what happened. I'm glad that I didn't unsubscribe, but I hope hitting "Not Interested" didn't affect your discoverability for future uploads.
I like that you mentioned the credit cards. When spying out data in real life was relevant (think putting cameras on ATMs), putting the three digits on the back was a great idea. A lot of credit card issuers now put the three digits on the front next to the 16 digit card number and I have absolutely no clue why.
They do it on purpose to create the problems to convince people to go into things like Central Bank Digital Currencies. Once you realize that they Money we currently use is FAKE, everything starts to make a lot more sense
6:55 Spot on, thanks for suggesting that we check! I remember unsubscribing from a weird crypto thing, wondering how it got in my feed in the first place. Now I see it was your main channel and I just re-subscribed
Reminds me of a conversation I had on Reddit where several people called me an idiot for keeping a password book and extolled the many virtues of password managers. "What if someone steals your book" blah blah. Clearly getting your session info hijacked is a much more meaningful threat.
My brother told me to unsubscribe, but I was skeptical about it since I know I wouldn't have subscribed to begin with if the channel was supposed to be just crypto, so I resubscribed within minutes. Only after looking through my list of channels did I realize it was your channel, looked it up, saw the channel and found your video on this channel.
Thank you for the explanation Matthias. As another Firefox user now I know what I need to do. I never realized how many holes there are for bad guys to get into.
If you use a password manager with a browser plugin to automatically fill in the passwords, make sure to have it require a PIN to unlock the database each time you want to use it, or at least each time after restarting/unlocking the PC. If you run a high risk, like you apparently do, you should have it require the PIN (or even more secure, a security key) each time you use it (with a few minutes timeout).
The Dell monitor at 7:51 looks like a Dell P2210T or one like it. Those have a barrel jack to provide 12V to the optional sound bar. I have similar monitors that I use for Raspberry Pis. A 3D printed bracket clips into the monitor's sound bar tabs and holds the Pi and a buck converter which plugs into the barrel jack.
Sorry to hear about your subscribers. Yeah, I think password storage apps are totally bogus. I would never trust them. I’m glad to hear someone else needs the same. My third-party password storage is either a file or a piece of paper just like you said
"I should be able to turn it [2FA] off without my phone, but, well, what if I lost my phone I still need to get rid of it right? so I guess it does make some sense" Nope, it still makes no sense security-wise. Either you need to contact the company (which "isn't secure" most of the time), or you have a backup 2FA: like unique recovery codes or a second emergency 2FA setup.
A lot of the time it just asks me to confirm the login on my iPad (that's logged in). That would have saved me. I suspect YouTube will eventually take a few simple measures to make these hacks much less likely to succeed.
Absolutely true! All 2FA methods should have some secure way of renewing/changing it in case the current method is unavailable. Usually it's done with recovery codes that can be used to reset it. Allowing to disable 2FA without actually verifying a 2FA method is a major security issue.
@@SammysHP It doesn't need to be fully secure, but it should be clunky, annoying, and slow. Meanwhile you should be getting blasted with alerts that someone is trying to do that to your account. That way you can get back in, but alarm bells are sounding and allow you to block the process.
@@matthiasrandomstuff2221 they haven't done ANYTHING for the last 5 years while this is an ever growing problem. I have seen it in three people I am subscribed to. Google is a billion dollar company. They have the money and technical resources to do what you suggested. I am sorry to say it but their priorities are lying elsewhere. They don't care about the creators and viewers at all! They only care about their ads revenue.
Good point on the password manager considerations. Also, initially I did unsubscribe before I realized what had happened, and I went back and resubbed so that I would be subscribed when you recovered it.
Suggestion: Password manager for a random hard to remember password prefix, and then you type in a common, reasonably cryptic suffix that you have memorized. All passwords are different, hard bits are stored in the cloud where you can use them anywhere, but are useless without knowing your suffix.
Thanks for mentioning checking the main channel. I had indeed unsubscribed without realizing it was you. I figured I accidentally subscribed to something dumb. Sorry you had to deal with that mess.
The problem I see with the paper list is how many passwords do you have? I have over 200 services currently used, which makes that infeasible (unless using the same password on multiple different services - which is bad for other reasons). The only feasible solution, imho, is either an external password manager (lastpass, 1Password, operating system vault, etc), or an external hardware vault plugged in via usb.
As the old saying goes, "If a bad guy can run code on your computer, it is not your computer any more". What do you think about using an offline file manager (e.g. KeePass) with a USB hardware key (e.g. YubiKey)?
Would using an OS like Linux for your uploads prevent things like this from happening? You could dual boot between Windows and Linux while also having a shared drive you can access your files from while in either OS. You would use Linux for uploading and any YouTube business related activities. This would create an extra step, but if Linux is immune from these attacks this would provide an extra layer of protection.
Nothing is immune, but Windows is a massive target because of how prevalent it is, so the variety of attacks that have been developed for it is vast. The real question is how the computer became compromised in the first place. Depending on the cause, this may be just as likely to happen in other environments as it is on Windows.
Ok, NOW I understand your answer to the comment I made on your main channel about being unsubscribed. Indeed, I did unsub from a weird-fake-money-scam channel. Never would've guessed how I was suddenly subbed to that. Now I know. Anyway, glad you were able to regain control, sir!
@@matthiasrandomstuff2221 astonishingly easy. It really ought to require 2FA (or some sort of contact with Google support if you can't do that) to change it back!
I _think_ there's a notion of a "trusted device" that allows you to skip 2FA/MFA on auth. Consider checking if your main browser on your primary device is listed in the trusted device list and removing it. Then every login will require 2FA/MFA (IIRC).
Regarding Credit Card Fraud - They use different security protocols, the seller gets different levels of fees and different levels of fraud reimbursement after chargebacks depending on if the card is used physically versus remotely (over the phone, etc) since almost all cards now have a chip that provides rolling codes. For remote transaction they typically require the users zip code since that information is not stored on the card anywhere. And of course, they monitor remote transactions much more closely and will call if there are any large or multiple transactions occurring.
Curiously, even though the visible name of your main channel was changed, it was still in the same place on the sub list. Something was innate to the channel they couldn't (or didn't bother to) change.
As for the credit card fraud monitoring, considering the sheer volume of transactions happening in the financial system, human eyeballs wouldn't have a chance to keep up, but it's my impression that it's reasonably straight forward to use a machine learning system that can find the usual patterns in your transactions and flag any anomalies automatically.
Indeed, they've been using transaction analysis to do fraud detection as far back as the 70s, apparently. Even before machine learning there were anomaly detection algorithms that were employed.
Yes, the financial systems use automated systems to detect suspicious behavior. I once was notified of a suspicious purchase within 30 seconds of it occurring, got on the phone and had my card cancelled. All within 5 minutes of the event. There's no way they got anything useful out of my card, and double checking transactions confirmed it. This sort of session hijack should be very easy for Google to detect. The only thing they can't detect is if your computer is being remotely operated.
Works pretty well the 2-3 times I've been hit. I get a phone call (for example) asking me to verify that I or someone authorized to use my card is trying to a) withdraw cash at a 7-11 in New Jersey and b) purchase a 72" TV from a WalMart in Dallas, TX. Given I'm several states away from either, yeah no...
@@darkwinter7395 It can definitely still happen if the attackers use it to buy things that are similar to your purchasing habits but that also limits what they can buy, making it potentially a less valuable target.
I did unsubscribe from that channel and thought it was strange at the time, I didn't bother digging deeper to see that it was your main channel. Anyway, resubbed now, thanks for the heads up
In Firefox you should use the Master Password feature; it asks for a password before you can log in to a site and hackers can't just export them into a CSV file.
Just wanted to mention. There are 100% offline encrypted local password managers. It works similarly to the major ones except you are totally in control of your passwords. Might be easier to manage than an encrypted file
I never let anything digital store my passwords. All of my passwords are written down in a cryptic language, so even if somebody were to steal my password notebook, they couldn't decipher it.
Just a question Matthias, when you clicked on the fake PDF didn't windows ask you whether you agree to run that unknown program? That should be the typical behavior with downloaded files.
The PDF file format itself, and PDF readers, can contain vulnerabilities/bugs that can be exploited to execute arbitrary code without being actual executable files / programs themselves. Search "PDF arbitrary code execution" if you want to find some further reading on the subject.
Re the closing remarks: I bought a 3-year old laptop refurbished by Dell during the last Black Friday sale for just under $400 and it runs circles around a lot of brand-new laptops that go for upwards of $1000. I'm pretty much only buying used computers going forward.
Matthias, I'm sure you've thought about this already, but as a long-time Windows user at work, now retired and using a Mac system, I've had zero issues since switching. It may only be pure luck but is that something you've considered? I also keep a copy of passwords (not evident to anyone who looks at them) on my iPhone which I can Airdrop directly to my Mac, using Bluetooth so the password does not go through a Cloud server.
It's wild to think your browser auto-fills passwords without any biometric authentication. There is an option, which is stupidly off by default, that requires verification before auto-filling passwords.
I'm still working out what happened. When you first got hacked they copied your Firefox database with a bunch of cookies and passwords in it, including your YouTube session cookie and password, and a month later they used the cookie+password to disable 2FA and access your account? You didn't change your YouTube password since then? I'm confused.
Checking that a session switches IP address can be problematic if you have an ISP that uses dynamic IP addressing that could theoretically change your IP mid session.
I wonder about your thoughts about the USB security key though. I have it on my keys and only insert it in the PC when needed. Additionally I need to physically touch it to work. So from my point of view, having control over my PC wouldn't be enough to use that method without my explicit permission.
I think your idea about sites doing some form of session "deviation" (checking sudden changes in IP, location, etc.) has merit, similar to how credit card companies flag transactions when one is travelling (or not if someone stole your card info). I suspect large sites, Google et al, would have no issue doing this since they already do similar deep scan on content and flag those.
Yep, I got unsubscribed from your main channel! And, I might add, I only buy refurbs now. For 20+ years I managed a company's IT and during that time I built from scratch every PC they had. Once upon a time, it was economically feasible. Not so much these days, hence my switch to refurbs. I built my last new one in 2021 and it will be my last build.
Once you regain control of your account, assuming your local PC is not compromised, you can go into your Google account and log out all other sessions.
"If somebody shows up with a different IP address and the same session" A legitimate user could be playing with his VPN settings, or they're using an anonymous service that keeps them from being tracked by malicious state actors. But they should be used to refreshing their session anyway, so yes, bad Google.
A good password manager on Windows should be using a secure password input, which works similar to the UAC prompts and runs in a separate Windows login session, that should basically be un-keyloggable. Excluding any physical hardware key loggers, at which point you're kinda screwed already. I still reckon your plan of writing them down on a piece of paper is still a better option though, just less convenient!
I would recommend a password manager. I do not know about the vulnerability to hijacking via the session token but all of your passwords are encrypted and stored securely. Even the online hosted ones will not compromise your passwords if their service gets hacked. There is a good Computerphile video on how they work.
I never trust any password storage, and if it's on the cloud that's even worse. Network attacks are much easier to do. I would say the best thing as a programmer is to make sure your auth system has real auditing. Just re-subbed to your main channel.
I have done something similar with a password list. I write down well-formed-for-me hints and have the username or service the hint is for. For banks, they err on the side of decline, and have us confirm.
I have 5 computer users on my network and a bunch of other devices. Would I have to have a Yubico key for each of them in order to be protected? Yikes...
Booting them out by changing the password is not super effective. It usually takes several hours before the sessions refresh and require the new password to be entered.
@@matthiasrandomstuff2221 Your devices don't matter; a token (which they got access to) is valid for a certain period. You changing your password doesn't invalidate the token. That's why you need to kill all active sessions (i.e. invalidate tokens, if that isn't already done by changing your password - not sure about that).
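The two mechanisms the comments above argue about (a stolen session cookie replayed from another network, and a password change that does not actually kill existing sessions) can both be handled server-side. Below is an added example written for this thread, not Google's or YouTube's implementation: an HMAC-signed session token carries the client address it was issued to and a per-user "auth version". Changing the password (or "log out everywhere") bumps the version, so every older token fails; a token presented from a different network is not rejected outright but returns a step-up result, so a legitimate user on a VPN or a reassigned ISP address just re-does 2FA, while an attacker holding only the copied cookie cannot. The "same /24 or same /48" rule is my own rough stand-in for "same network" and is an assumption.

```python
"""Session tokens that die on password change and demand 2FA again
from a different network. Added example, not the video's or Google's code."""
import base64
import hashlib
import hmac
import ipaddress
import json
import secrets


def same_network(ip_a, ip_b):
    """Assumed tolerance rule: IPv4 within one /24, IPv6 within one /48.
    Dynamic ISP addresses usually move inside such a block; a VPN exit or
    an attacker's box does not."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    prefix = 24 if a.version == 4 else 48
    return b in ipaddress.ip_network(f"{a}/{prefix}", strict=False)


class SessionStore:
    def __init__(self, server_key):
        self.key = server_key
        self.auth_version = {}  # user -> int, bumped by password change / log-out-everywhere

    def _sign(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def issue(self, user, client_ip):
        """Mint a token bound to the user's current auth version and network."""
        body = {"sid": secrets.token_hex(16), "user": user,
                "ver": self.auth_version.get(user, 0), "ip": client_ip}
        payload = base64.urlsafe_b64encode(json.dumps(body).encode()).decode()
        return f"{payload}.{self._sign(payload)}"

    def check(self, token, client_ip):
        """Return 'ok', 'step_up' (re-run 2FA before anything sensitive) or 'invalid'."""
        try:
            payload, sig = token.rsplit(".", 1)
        except ValueError:
            return "invalid"
        if not hmac.compare_digest(sig.encode(), self._sign(payload).encode()):
            return "invalid"  # forged or tampered token
        body = json.loads(base64.urlsafe_b64decode(payload))
        if body["ver"] != self.auth_version.get(body["user"], 0):
            return "invalid"  # issued before the last password change
        if not same_network(body["ip"], client_ip):
            return "step_up"  # copied cookie replayed from somewhere else
        return "ok"

    def invalidate_all_sessions(self, user):
        """Called by both 'change password' and 'log out of all other sessions'."""
        self.auth_version[user] = self.auth_version.get(user, 0) + 1
```

The version check is what makes "change your password" actually boot the attacker: no token list has to be kept, every token issued before the bump simply stops verifying on its next use.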
I was one of your subscribers who uses the subscription feed and immediately unsubscribed from the cryptoscam channel that suddenly showed up. I was puzzled by how it got there and then I saw your 2nd channel video, so I checked it out and resubscribed later when I saw that this was why.
I use Google password manager thinking that those passwords would be encrypted, haven't heard of a leak or scandal with that. How come Firefox doesn't use encryption for the password saving feature? Are we sure about that? In today's world having a card with passwords you have to type in sounds unreasonable, I mean I have about 120 passwords saved, do I put all of them on a card? Do I reuse some to keep the number lower??
Hi Matthias, I use online banking and would be horrified if someone else got hold of that information, except for the way I log in. To get in you have to put in four letters or numbers from a sixteen digit password that is not held on my computer, also a six digit code is sent to my phone and I need to insert this to enable a transaction to go ahead. So, to get into my computer they would also need my phone and that makes a very strong authenticity code.
I said it before, get yourself a sandbox or virtual machine to do everything that has to do with emails from there. Makes it much less likely that anything happens when you accidentally do open a malicious file.
The way 2 factor should work is have a code needed from a phone to get into the account. If you ever lose that phone, there should be a 2 factor recovery key that you have written down physically
Some of these things should just put out an automatic flag and trigger a two-week cooldown or something. That's how most 2FA platforms do it, I feel like: if you want to disable it, you incur a freeze on all account functionality until you basically got plenty of time to verify what you're doing is proper. Also hardware security keys, as people pointed out, pretty much mitigate all current attack surfaces.
If a hacker got control of your machine remotely, the security key still cannot be used remotely. All security keys have a button and/or fingerprint sensor that must be pressed to authenticate/sign in. It would likely be the best two factor option, and you don't have to keep the key plugged in all the time either.
That button is a great idea. Maybe I'll buy one then.
And furthermore, a password manager on your phone that backs up to storage of your choice would be resilient to someone getting control of your PC.
Buy at least 2. One you use day to day, one you only use if the first one is lost. Maybe even add a 3rd from a different vendor
@@matthiasrandomstuff2221 From the security standpoint, you actually don't even need the button, you simply unplug the key when you're not trying to log in. An attacker can't plug it back in remotely.
If somebody got a hold of your whole PC remotely, you do have a bunch of worse things to look into, lol
One of the first things I've always done when setting up a new computer is turning on "show file extensions". That one simple step basically eliminates falling for these executables disguised as PDF files, or any other file disguised as something it's not.
I turned it on. after the reinstall. Then turned it off again. I do a lot of renaming files, and having to cursor around the file extensions every time really got in the way.
@@matthiasrandomstuff2221 Total Commander cycles the file rename selection highlight between with and without the extension when you press the F2 key. TC also has a multi-rename tool with regular expressions and other neat features. Microsoft PowerToys has a similar tool called PowerRename.
@@matthiasrandomstuff2221 When you go to rename a file it highlights just the name by default. You can either type out the new name or use the arrow keys to move the pointer. Shift+arrow key to select a range of text.
Hiding the file extension is one of the most idiotic "features" ever!
Shouldn't be. If you slow-double-click a filename (or F2) then it should just highlight the name and not the extension -- start typing or paste in your preferred filename and hit Enter, job done. If you're bulk renaming, you should be using BRU to do the job(s).
A family member used to have a small notebook by their computer with the front cover clearly labelled "passwords" and I suggested that it might not be the most secure way of storing them. The book was then re-labelled "not passwords" 🤔
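Showing extensions helps a human spot "invoice.pdf.exe", but the same check can be automated for a downloads folder. The following is an added example written for this thread, not code from the video or its author; it flags the three tricks the comments above are about: a double extension that Explorer hides, a right-to-left override character that flips how the name displays, and a file whose leading bytes say "Windows executable" while its extension says PDF. The magic-number table and the list of runnable extensions are my own short assumptions, not a complete list.

```python
"""Spot downloaded files whose name hides what they really are.
Added example, not from the video; magic table and extension lists are assumed."""
import os
import tempfile

# Leading bytes of a few formats the thread talks about (assumed, short table).
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",           # PE executable: .exe, .dll, .scr, ...
    b"PK\x03\x04": "zip",   # also Office .docx/.xlsx and .jar
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpg",
}
ZIP_BASED = {"zip", "docx", "xlsx", "pptx", "jar"}
# Extensions Windows runs on double-click (assumed list).
RUNNABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
            "vbs", "ps1", "msi", "lnk", "hta"}
RTLO = "\u202e"   # right-to-left override: "photo\u202egnp.exe" displays as "photoexe.png"


def sniff_type(path):
    """Return the type implied by the first bytes, or None if unknown."""
    with open(path, "rb") as f:
        head = f.read(8)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def inspect_download(path):
    """Return a list of warnings; an empty list means nothing suspicious."""
    name = os.path.basename(path)
    warnings = []
    if RTLO in name:
        warnings.append("name contains a right-to-left override character")
    parts = name.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    if claimed == "jpeg":
        claimed = "jpg"
    # "invoice.pdf.exe" shows as "invoice.pdf" when extensions are hidden.
    if len(parts) > 2 and claimed in RUNNABLE:
        warnings.append(f"double extension: shows as .{parts[-2]}, really .{claimed}")
    actual = sniff_type(path)
    if actual == "exe" and claimed not in RUNNABLE:
        warnings.append(f"content is a Windows executable, extension says .{claimed or '(none)'}")
    elif actual == "zip" and claimed not in ZIP_BASED:
        warnings.append(f"content is a zip container, extension says .{claimed}")
    elif actual not in (None, "exe", "zip") and claimed != actual:
        warnings.append(f"extension .{claimed} does not match content ({actual})")
    return warnings


def demo():
    """Write constructed sample files to a temp dir and return {name: warnings}."""
    samples = {
        "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,   # the fake PDF from the thread
        "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,        # executable renamed to .pdf
        "manual.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",     # genuine PDF header
        "photo\u202egnp.exe": b"\xff\xd8\xff\xe0",         # RTLO trick on a JPEG
    }
    directory = tempfile.mkdtemp()
    results = {}
    for name, content in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(content)
        results[name] = inspect_download(path)
    return results
```

Run `demo()` to see the constructed samples scored; only `manual.pdf` comes back clean. The magic-byte check is the one that survives a renamed file, since the name is under the attacker's control and the first bytes are not.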
having a physical media for password storage is nice , but it should be out of sight as well, especially not under a webcamera.
also "Not" Passwords soo screams "Passwords, come look!"
Your comment creased me up... and I'm still giggling at it.😄😆😂
What a smart move 🤓
Matthias, thank you for pointing out that people had unsubscribed from your main channel! I had done that while it was hacked, and didn't realize that it was YOUR channel I was unsubscribing from. I love your videos, and I've re-subscribed!
IMO disabling 2FA should be a ~24h lockout operation, where it requires you to either input the code or wait for the timeout to expire before it takes effect. That would already be a step in the right direction.
Doesn't really help when the owner doesn't know that he has been hacked. Hackers can just start hijacking after the timeout elapsed.
@@cklamNL Usually emails and other alerts are sent when someone tries to switch off 2FA.
@@cklamNL This should obviously trigger emails and notifications, I already get those if a new device logs in, let alone someone changes a password or 2FA...
@@Dries007BE That doesn't do much for the typical YT user whose email is under the same Google account. The attacker could just delete the security notification. It would work for entirely separate services.
I've said a similar thing about Twitter and Verified accounts. Changing the "name" or "display name" on a verified Twitter account should automatically flag it for review...
Granted this was before Twitter let anyone pay for "verification".
Not to be "that guy" or anything, but this is exactly why I don't let browsers store passwords or credit cards or anything else like that for me. I don't blame people for using those convenience features, but I do blame the browser makers for not doing more to educate users about the security tradeoff they're making when using those features.
at the very least, it should have suggested I set a master password or something like that. I didn't even know there was a master password.
I have never used the inbuilt browser password store for the reason of if someone can get onto my computer, they can just log in to things. I had NEVER considered that the password store could be copied and then used remotely in the manner used here 😞
Chromium actually uses the system Keychain if available, these days.
It's just that to my knowledge windows doesn't have one.
But at least on Linux it does.
The Keychain is encrypted on disk, -and AFAIK their decrypted memory is protected using all kinds of tricks that are available on the OS and by the CPU-
All the browsers would have to do is encrypt the password and auto-fill vault by requiring a master password which opens it for a specific length of time then locks it automatically .
In general, whether in the context of computers or not: The price of security is convenience, and the price of convenience is security.
Most password managers require you to type in a master password any time you want to access something stored in it - and all the data inside of it is stored in an encrypted format. Essentially the same as storing your passwords in an encrypted file, but with a browser plug-in to make it more user friendly
Bitwarden has a nice feature that lets you mark particularly sensitive passwords (or credit cards) as requiring the master password every time. So you can have a more relaxed unlock rule for most things to avoid the hassle.
Firefox has this built in but it is oddly turned off by default.
That's mostly true; except typically you'll only need the master password to open it - essentially a key to decrypt. For many of the ones i've used once they're open, they're open until you close them.
@@NoCoolNamesRemain I had it turned on and then when I updated Firefox, it was turned off. Took me a while to notice.
If I wanted access to as many people's data as possible, I'd create a service exactly like that and bait people into actually PAYING ME to collect it all with the master passwords I make them type into my site. Governments have been intercepting, copying and routing information since before the days of wax seals. Now people actually pay them billions to do it.
many of the hardware encryption keys require physical interaction specifically to break the link of "left attached to a compromised computer"
Keepass or keepassxc is an offline / self hosted password manager that supports syncing on most platforms
A hardware device like the YubiKey requires that you touch the key to do a login. So even if you leave it plugged into a USB and the computer running, and hackers take over the PC remotely, they can't touch the key to activate it.
Just looking at buying one now for that very reason!
You need two (one for backup)
Yea make sure to buy 2 and set them both up together just in case you loose or break one of them
@@matthiasrandomstuff2221 I use keepass. Like lastpass etc but open source and locally hosted.
@@hArDsTyLe2259if you loosen one you could always tie it back up again.
Thanks for sharing Matthias. 7:58 What's the name of that PC? I need a new one. Thanks 👍
a refurbished Lenovo off Amazon. core i4 2017 generation. went for it cause not too old. can do 4K video
@@matthiasrandomstuff2221 awesome thanks so much Matthias 🙌👍
QUESTION: Firefox has a feature called a Primary Password. If enabled, Firefox will not show usernames, passwords, or saved payment info unless and until that password is entered, and it will ask for it every time Firefox resets. My question is: a) did you have that set? b) can a session hijacking attack circumvent that?
Glad you're back in business.
Primary Password encrypts your stored password on the disk, so they wouldn’t be able to get those.
But session hijacking would still work as that session data is what authorizes you to use the account without typing your password for every request. Browsers could maybe do a better job of protecting that data, but at some point it needs to be unencrypted and someone with access to your computer would be able to see it.
Someone gaining access to your computer is about the worst possible security failure. If that happens, any other measures can only go so far. Diligence is important.
When Firefox is running and master password has been entered, a malicious process can try to get the password from process memory.
@@jpa3141 Absolutely nothing is safe from that attack. Or nothing that current OSs support anyway.
( i believe macOS actually has the basic capabilities to mitigate this, but it doesn't )
@@jpa3141 yes but that affects every password manager or every program for that matter, unless it encrypts the contents in memory. If malware gains admin access to your machine, it can do pretty much anything. Even if you don't use a password manager, it can log the keys you press. The only way to prevent this is by using good antivirus software and having basic common sense.
It's what i use. Firefox as my password manager. With a good master password to prevent brute force attack to the database, it's a decent password manager if you use the browser on all devices.
I had unsubscribed the first time not realising who it was, but have resubscribed, glad you got things fixed up
Thank you for taking the time to share your experience so that the rest of us have a better chance of avoiding your woes.
Both times your channel got hacked, I went on a "Matthias watching binge." I am literally so familiar with how you built your router table with built in dust collection, I could probably recite it. Almost the same with your 26" bandsaw wheel making video. Again, glad you're safe and back to secure.
On top of what others have said, you can also host your own instance of BitWarden. Turn a spare computer into a Linux server and run BitWarden on it then point the browser extension to your server’s IP. From there the extension will no longer use BitWarden servers.
Of course you have to make sure your server is secure, but since it’s on a separate computer it’s safe from your computer being compromised. Unless you have an active ssh session to it, but that should be rare and can even be never if you just plug a monitor and kbm into the server.
Or use KeepassXC.
I just sync the database across devices using Syncthing. There is no need to sync on-line for a password manager.
Was gonna say that, and honestly, using a Docker container template and Portainer (a web GUI manager for Docker containers) made it pretty easy to setup, even though it was my first time doing something like that
Running your own Bitwarden server doesn't help much in terms of security. Bitwarden encrypts everything on the client side so even if the server is exploited, no secrets can be revealed. You have to trust your local machine and the local Bitwarden app or extension. As Matthias says, if your local machine is compromised, it's kind of game over already. If you don't trust the Bitwarden software, you shouldn't use it at all. A hardware key like a Yubi-key or U2F key does help, as people mentioned. For the roughly $40 they cost, they are worth it, IMHO.
@@nascheme bitwarden is open source and pretty big in the cyber security space, so I'd trust it more than a random password manager as everyone can audit the code for vulnerabilities, and fix them (and they do)
The good thing about password manager programs is that they ask you for a master password (that you can secure how you like) before automatically entering the website's password, making it impossible to do stuff such as disabling 2fa like they did here. Session hijacking would still work of course, but it would "only" end there and they wouldn't have been able to change his password for example.
Self-hosting Bitwarden is overkill for anyone not competent enough to securely administer their own server. Just make an account on the main Bitwarden site, your data is still end-to-end encrypted.
You got me back as a subscriber by pointing out that I may have unsubscribed from the hacked channel....which is exactly what happened!
Windows 11 has a feature called Windows Sandbox. It looks and feels like a standard Windows box, but is completely dismantled when you end your session. I'd suggest doing your sensitive work through that. Even if the sandbox gets compromised, there is no other info for the bad actors to gather and your host does not need to be reloaded. Couple that with two factor on the host computer or your phone and it becomes very hard to compromise overall. The USB keys with the button are also solid solutions.
I did unsubscribe initially but saw your video on here and resubscribed. Commenting just to increase visibility. Thank you for making great content all of these years. ❤
Matthias, thanks for the heads-up about being unsubbed to your main channel. I was one of those people, I have re subbed! :)
I'll be curious how many re-subs I'll get. Will have to check analytics in a day or two.
This is a serious lack of forethought on Google's part. The possibility of losing your phone is NOT a good reason to make disabling 2FA so easy. Losing your phone is a separate problem and should have its own ways of recovery regardless of your YouTube security. Removing 2FA should ALWAYS require 2FA confirmation if not MORE (e.g. security questions, 2FA phone, AND secondary e-mail).
You have to enable advanced protection to get those security features, because for normal users it can be quite annoying if they travel and get tons of security questions. Yubikey is also very nice, you have to enter a prompt. Also credit cards do have hardware security, it is in the chip part. The PIN you have for Canadian credit cards actually encrypts the card data.
Some USB security keys require you to physically touch a button on the key each time to access the credential. That would prevent someone from remotely accessing your machine from accessing a USB security device.
Google started to go the next way with FIDO2 by allowing a cellphone to be a keypass which can be a middle ground.
Yes a good practice is using multiple factor authentication (instead of multiple step authentication). Using at least 2 factors as a combination from: 1. Something you know (password) 2. Something you have (some hardware with a key) 3. Something you are (retina /iris, fingerprint, gesture, heartbeat etc) 4. Somewhere you are.
BTW a password should not be ‘difficult’ with limited various characters but with high entropy (very long such as a password phrase)
Two-factor is cool and I love and use it. But it still won't stop session cookies from being stolen.
Thanks Matthias, I’ve been needing to completely overhaul my security and this was a wake up call.
I had an old coworker who was the victim of a SIM Swap attack and it was absolutely devastating. He purchased a new phone thinking it was okay, only for the hackers to regain access.
I very nearly unsubscribed when I saw the scam video... but I paused and thought as I hovered over the video, and clicked "Not Interested" instead. After I saw someone else post a screenshot of the same vid on twitter, I knew what happened. I'm glad that I didn't unsubscribe, but I hope hitting "Not Interested" didn't affect your discoverability for future uploads.
I like that you mentioned the credit cards. When spying out data in real life was relevant (think putting cameras on ATMs), putting the three digits on the back was a great idea. A lot of credit card issuers now put the three digits on the front next to the 16 digit card number and I have absolutely no clue why.
Cheaper to print the parts that are unique to your card all on one side than have to do so on both sides.
They do it on purpose to create the problems to convince people to go into things like Central Bank Digital Currencies.
Once you realize that they Money we currently use is FAKE, everything starts to make a lot more sense
6:55 Spot on, thanks for suggesting that we check! I remember unsubscribing from a weird crypto thing, wondering how it got in my feed in the first place. Now I see it was your main channel and I just re-subscribed
Reminds me of a conversation I had on Reddit where several people called me an idiot for keeping a password book and extolled the many virtues of password managers. "What if someone steals your book" blah blah. Clearly getting your session info hijacked is a much more meaningful threat.
Very interesting discussion - both on the video and in the comments. Thanks for sharing, Matthias, and good luck avoiding the third time. :)
My brother told me to unsubscribe, but I was skeptical about it since I know I wouldn't have subscribed to begin with if the channel was supposed to be just crypto, so I resubscribed within minutes. Only after looking through my list of channels did I realize it was your channel, looked it up, saw the channel and found your video on this channel.
Some of the password managers allow you to self host. Plus you can salt the entries. Also keep IDs AND passwords unique for accounts.
"Most people don't watch videos to the end."
I guess I am not most people! Hi Matthias!
Looks like I’m one of the people who unsubbed, so I’m glad I watched this one! Thanks for the education.
Thank you for the explanation Matthias. As another Firefox user now I know what I need to do. I never realized how many "holes" there are for bad guys to get into.
If you use a password manager with a browser plugin to automatically fill in the passwords, make sure to have it require a PIN to unlock the database each time you want to use it, or at least each time after restarting/unlocking the PC. If you run a high risk, like you apparently do, you should have it require the PIN (or even more secure, a security key) each time you use it (with a few minutes timeout).
Same here, keepassxc and works like a charm
The Dell Monitor at 7:51 looks like a Dell P2210T or one like it. Those have a barrel jack to provide 12V to the optional sound bar. I have similar monitors that I use for Raspberry Pis. A 3D printed bracket clips into the monitor's sound bar tabs and holds the Pi and a buck converter which plugs into the barrel jack.
Sorry to hear about your subscribers. Yeah, I think password storage apps are totally bogus. I would never trust them. I’m glad to hear someone else needs the same. My third-party password storage is either a file or a piece of paper just like you said
"I should be able to turn it [2FA] off without my phone, but, well, what if I lost my phone I still need to get rid of it right? so I guess it does make some sense" Nope, it still makes no sense security-wise. Either you need to contact the company (which "isn't secure" most of the time), or you have a backup 2FA: like unique recovery codes or a second emergency 2FA setup
A lot of the time it just asks me to confirm the login on my iPad (that's logged in). That would have saved me. I suspect YouTube will eventually take a few simple measures to make these hacks much less likely to succeed
Absolutely true! All 2FA methods should have some secure way of renewing/changing it in case the current method is unavailable. Usually it's done with recovery codes that can be used to reset it.
Allowing to disable 2FA without actually verifying a 2FA method is a major security issue.
@@SammysHP It doesn't need to be fully secure, but it should be clunky, annoying, and slow. Meanwhile you should be getting blasted with alerts that someone is trying to do that to your account. That way you can get back in, but alarm bells are sounding and allow you to block the process.
@@matthiasrandomstuff2221 they haven't done ANYTHING for the last 5 years while this is an ever growing problem. I have seen it in three people I am subscribed to. Google is a billion dollar company. They have the money and technical resources to do what you suggested. I am sorry to say it but their priorities are lying elsewhere. They don't care about the creators and viewers at all! They only care about their ads revenue.
Keepass appears to be a good password manager.
Good point on the password manager considerations.
Also, initially I did unsubscribe before I realized what had happened, and I went back and resubbed so that I would be subscribed when you recovered it.
Safe manufacturers figured this out years ago with timed safes. Why not require a 48 hour delay before certain changes take place?
What a nightmare 😢
So I was unsubscribed! Now resubscribed and I was actually missing your content, thanks for the video!
Funny thing, I was never subscribed to your main channel 😂. I always though this was your main channel
Suggestion: Password manager for a random hard to remember password prefix, and then you type in a common, reasonably cryptic suffix that you have memorized. All passwords are different, hard bits are stored in cloud where you can use them anywhere, but are useless without knowing your suffix.
Never have faith in such mechanisms. As there are neat tools for key analysis
@@peli71 no system is without faults. But if you have keyloggers in your computer, then no system will protect your passwords.
Thanks for mentioning checking the main channel. I had indeed unsubscribed without realizing it was you. I figured I accidentally subscribed to something dumb. Sorry you had to deal with that mess.
The problem I see with the paper list is how many passwords do you have? I have over 200 services currently used, which makes that infeasible (unless using the same password on multiple different services - which is bad for other reasons).
The only feasible solution, imho, is either an external password manager (lastpass, 1Password, operating system vault, etc), or an external hardware vault plugged in via usb.
Thank you for sharing such a detailed breakdown of the situation! I'm sure it was immensely frustrating but I appreciate the transparency!
There's a neat bootable cd image that allows for booting from the USB on computers that don't support it.
Oh, knowing that would have helped!
@@matthiasrandomstuff2221 the keywords to search for are “plop boot manager”
@@matthiasrandomstuff2221 the name of it is plop bootloader
@@matthiasrandomstuff2221 for some reason, my further reply seems to be not here. The name of the boot manager that can do this is called plop.
Did not know there was even a main channel. I subscribed for the random stuff only...
oh my sweet summer child
How the heck would you even find this channel without going through the main one??
@@Koushakur recommendations. I didn't know Matthias main channel before the hack.
@@Koushakur it came to me in a fortune cookie
@@Koushakur The best fan placement video got recommended to me... It has a decent 6.5M views now.
As the old saying goes, "If a bad guy can run code on your computer, it is not your computer any more".
What do you think about using an offline file manager (e.g. KeyPass) with a USB hardware key (e.g. YubiKey)?
Would using an OS like Linux for your uploads prevent things like this from happening? You could dual boot between Windows and Linux while also having a shared drive you can access your files from while in either OS. You would use Linux for uploading and any YouTube business related activities. This would create an extra step, but if Linux is immune from these attacks this would provide an extra layer of protection.
Nothing is immune, but Windows is a massive target because of how prevalent it is, so the variety of attacks that have been developed for it is vast.
The real question is how the computer became compromised in the first place. Depending on the cause, this may be just as likely to happen in other environments as it is on Windows.
Ok, NOW I understand your answer to the comment I made on your main channel about being unsubscribed. Indeed, I did unsub from a weird-fake-money-scam channel. Never would've guessed how I was suddenly subbed to that. Now I know. Anyway, glad you were able to regain control, sir!
Happy to hear you got your channel back!
Wasn't there a password manager that was free and then all of a sudden started to charge for it?
How tf google allowed them to disable 2fa without reauthentication?
they just wanted the login session and the password. yes, too easy.
@@matthiasrandomstuff2221 astonishingly easy. It really ought to require 2FA (or some sort of contact with Google support if you can't do that) to change it back!
I _think_ there's a notion of a "trusted device" that allows you to skip 2FA/MFA on auth.
Consider checking if your main browser on your primary device is listed in the trusted device list and removing it. Then every login will require 2FA/MFA (IIRC)
These kinds of problems suck, but it's helpful to raise awareness. Thank you.
What's the point of having a session if the session can be accessed from an alternate IP address?
Mobile devices.
I think by all the things algorithms do in the background they should definitely be able to detect when an account gets hacked.
100% if they wanted to. This is google afterall we are talking about, not some small website.
@@YourFavouriteComment Exactly, which is why we have what we have.
Regarding Credit Card Fraud - They use different security protocols, the seller gets different levels of fees and different levels of fraud reimbursement after chargebacks depending on if the card is used physically versus remotely (over the phone, etc) since almost all cards now have a chip that provides rolling codes.
For remote transaction they typically require the users zip code since that information is not stored on the card anywhere.
And of course, they monitor remote transactions much more closely and will call if there are any large or multiple transactions occurring.
Google's advanced protection program might be worth considering.
Curiously, even though the visible name of your main channel was changed, it was still in the same place on the sub list. Something was innate to the channel they couldn't (or didn't bother to) change.
I watch all your videos to the end and I'm glad you are back in your acount👍
As for the credit card fraud monitoring, considering the sheer volume of transactions happening in the financial system, human eyeballs wouldn't have a chance to keep up, but it's my impression that it's reasonably straight forward to use a machine learning system that can find the usual patterns in your transactions and flag any anomalies automatically.
Indeed, they've been using transaction analysis to do fraud detection as far back as the 70s, apparently. Even before machine learning there were anomaly detection algorithms that were employed.
Yes, the financial systems use automated systems to detect suspicious behavior. I once was notified of a suspicious purchase within 30 seconds of it occurring, got on the phone and had my card cancelled. All within 5 minutes of the event. There's no way they got anything useful out of my card, and double checking transactions confirmed it. This sort of session hijack should be very easy for Google to detect. The only thing they can't detect is if your computer is being remotely operated.
Works pretty well the 2-3 times I've been hit. I get a phone call (for example) asking me to verify that I or someone authorized to use my card is trying to a) withdraw cash at a 7-11 in New Jersey and b) purchase a 72" TV from a WalMart in Dallas, TX. Given I'm several states away from either, yeah no...
I've had fraudulent charges make it thru the system. In the US at least, I'm not liable for the charges, but it was a bit of a hassle to get fixed.
@@darkwinter7395 It can definitely still happen if the attackers use it to buy things that are similar to your purchasing habits but that also limits what they can buy, making it potentially a less valuable target.
I did unsubscribe from that channel and thought it was strange at the time, I didn't bother digging deeper to see that it was your main channel. Anyway, resubbed now, thanks for the heads up
Thanks for keeping us updated and pointing out things like this. Constant vigilance is important.
yeah, i unsubscribed both times, because i don't support criminals. but when you got your channel back, i re-subscribed.
In Firefox you should use the Master Password feature, it asks for a password before you can log in to a site and hackers can't just export them into a csv file.
Just wanted to mention. There are 100% offline encrypted local password managers. It works similarly to the major ones except you are totally in control of your passwords. Might be easier to manage than an encrypted file
Thumbs up, before we know it he will have to become a security expert too. Matthias, did you consider switching entirely to GNU/Linux yet?
I never let anything digital store my passwords.
All of my passwords are written down in a cryptic language, so even if somebody were to steal my password notebook, they couldn't decipher it.
Just a question Matthias, when you clicked on the fake PDF didn't windows ask you whether you agree to run that unknown program? That should be the typical behavior with downloaded files.
The PDF file format itself, and PDF readers, can contain vulnerabilities/bugs that can be exploited to execute arbitrary code without being actual executable files / programs themselves. Search "PDF arbitrary code execution" if you want to find some further reading on the subject.
Re the closing remarks: I bought a 3-year old laptop refurbished by Dell during the last Black Friday sale for just under $400 and it runs circles around a lot of brand-new laptops that go for upwards of $1000. I'm pretty much only buying used computers going forward.
I was one who got unsubscribed. It’s all good, I’m resubscribed. Thanks for the warning.
Matthias, I'm sure you've thought about this already, but as a long-time Windows user at work, now retired and using a Mac system, I've had zero issues since switching. It may only be pure luck but is that something you've considered? I also keep a copy of passwords (not evident to anyone who looks at them) on my iPhone which I can Airdrop directly to my Mac, using Bluetooth so the password does not go through a Cloud server.
Mac apps run in a sandbox, which should make them more secure. I figured Windows was doing something similar these days.
@@Rickmakes This is false. iOS apps are sandboxed, but macOS apps are definitely not (unless you get them from the Mac App Store).
It's wild to think your browser auto-fills passwords without any biometric authentication.
There is an option, which is stupidly off by default, that requires verification before auto-filling passwords.
No unsubscribing here, but please keep making great videos! So many cheap ex-office PCs on the market, and used hardware, that new makes little sense.
I'm still working out what happened. When you first got hacked they copied your Firefox database with a bunch of cookies and passwords in it, including your YouTube session cookie and password, and a month later they used the cookie+password to disable 2FA and access your account?
You didn't change your YouTube password since then? I'm confused.
Checking that a session switches IP address can be problematic if you have an ISP that uses dynamic IP addressing that could theoretically change your IP mid session.
I wonder about your thoughts about the USB security key though. I have it on my keys and only insert it in the PC when needed. Additionally I need to physically touch it to work. So from my point of view, having control over my PC wouldn't be enough to use that method without my explicit permission.
I think your idea about sites doing some form of session "deviation" (checking sudden changes in IP, location, etc.) has merit, similar to how credit card companies flag transactions when one is travelling (or not if someone stole your card info). I suspect large sites, Google et al, would have no issue doing this since they already do similar deep scan on content and flag those.
Yep, I got unsubscribed from your main channel! And, I might add, I only buy refurbs now. For 20+ years I managed a company's IT and during that time I built from scratch every PC they had. Once upon a time, it was economically feasible. Not so much these days, hence my switch to refurbs. I built my last new one in 2021 and it will be my last build.
Once you regain control of your account, assuming your local PC is not compromised, you can go into your Google account and log out all other sessions.
"If somebody shows up with a different IP address and the same session"
A legitimate user could be playing with his VPN settings, or they're using an anonymous service that keeps them from being tracked by malicious state actors.
But they should be used to refreshing their session anyway, so yes, bad Google.
A good password manager on windows should be using a secure password input, which works similar to the UAC prompts and runs in a separate windows login session, that should basically be un-keylogable. Excluding any physical hardware key loggers, at which point you're kinda screwed already.
I still reckon your plan of writing them down on a piece of paper is still a better option though, just less convenient!
I would recommend a password manager. I do not know about the vulnerability to hijacking via the session token but all of your passwords are encrypted and stored securely. Even the online hosted ones will not compromise your passwords if their service gets hacked. There is a good Computerphile video on how they work.
the concern is that if my computer gets compromised that hackers may hijack that account.
I never trust any password storage, and if its on the cloud thats even worse. Network attacks are much easier to do. I would say the best thing as a programmer is to make sure your auth system has really audit.
Just re-subbed to your main channel.
I have done something similar with a password list. I write down well-formed-for-me hints and have the username or service the hint is for.
For banks, they err on the side of decline, and have us confirm.
I have 5 computer users on my network and a bunch of other devices. Would I have to have a Yubico key for each of them in order to be protected? Yikes...
Great analogy at 6:20. Thank you for your knowledge.
Booting them out by changing the password is not super effective. It usually takes several hours before the sessions refresh and require the new password to be entered.
Not on my devices!
@@matthiasrandomstuff2221 Your devices don't matter; a token (which they got access to) is valid for a certain period. You changing your password doesn't invalidate the token. That's why you need to kill all active sessions (i.e. invalidate tokens, if that isn't already done by changing your password - not sure about that).
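The point made in this reply, that a stolen token stays valid until the server itself revokes it, can be demonstrated with a small server-side check. This is an added example, not code from the video or any commenter: tokens carry a per-account session version, and both "change password" and "log out all sessions" bump that version so every outstanding token is refused. The user store, key and names are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed, in-memory stand-ins for a real deployment's signing key and user table.
SERVER_KEY = secrets.token_bytes(32)          # per-deployment HMAC key
USERS = {"alice": {"session_version": 1}}     # bumped on every password change / kill-all


def _sign(payload: bytes) -> str:
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(user: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Mint a signed token that records which session_version it was issued under."""
    now = time.time() if now is None else now
    claims = {"sub": user, "ver": USERS[user]["session_version"], "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is genuine, unexpired and not revoked, else None."""
    now = time.time() if now is None else now
    try:
        body_b64, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body_b64)
    except ValueError:                           # malformed token (bad split or base64)
        return None
    if not hmac.compare_digest(sig, _sign(payload)):
        return None                              # forged or tampered
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None                              # naturally expired
    user = USERS.get(claims["sub"])
    if user is None or claims["ver"] != user["session_version"]:
        return None                              # revoked: password changed / sessions killed
    return claims["sub"]


def change_password(user: str) -> None:
    """Rotating the password bumps the version, so every token issued before it is refused."""
    USERS[user]["session_version"] += 1


kill_all_sessions = change_password              # "log out all other sessions" does the same
```

Without the `ver` check, a token copied off a compromised machine would keep working for its full `exp` window no matter how many times the password was changed, which is exactly the gap the reply describes.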
I was one of your subscribers who uses the subscription feed and immediately unsubscribed from the cryptoscam channel that suddenly showed up. I was puzzled by how it got there and then I saw your 2nd channel video, so I checked it out and resubscribed later when I saw that this was why.
I use Google password manager thinking that those passwords would be encrypted, haven't heard of a leak or scandal with that. How come Firefox doesn't use encryption for the password saving feature? Are we sure about that? In today's world having a card with passwords you have to type in sounds unreasonable, I mean I have about 120 passwords saved, do I put all of them on a card? Do I reuse some to keep the number lower??
Hi Matthias, I use online banking and would be horrified if someone else got hold of that information, except for the way I log in. To get in you have to put in four letters or numbers from a sixteen digit password that is not held on my computer, also a six digit code is sent to my phone and I need to insert this to enable a transaction to go ahead. So, to get into my computer they would also need my phone and that makes a very strong authenticity code.
I said it before, get yourself a sandbox or virtual machine to do everything that has to do with emails from there. Makes it much less likely that anything happens when you accidentally do open a malicious file.
The way 2 factor should work is have a code needed from a phone to get into the account. If you ever lose that phone, there should be a 2 factor recovery key that you have written down physically.
Maybe I missed it in there, but I don't think you described how you suspect the session hijack was run on your machine.
He covered it in the previous video. Short version; he got in a rush and opened something he shouldn't have.
Make sure to turn on primary password in Firefox.
They have remote access to your machine. The hijack sessions do not work the way you described. The problem is not the two-factor authentication.
Some of these things should just put out an automatic flag and trigger a two-week cooldown or something. That's how most 2FA platforms do it, I feel like: if you want to disable it, you incur a freeze on all account functionality until you basically got plenty of time to verify what you're doing is proper. Also hardware security keys, as people pointed out, pretty much mitigate all current attack surfaces.
IP-based could be an issue since most ISPs use what's called CGNAT. Your modem's public IP is not what the world sees.