Comment by bentcorner 10 months ago

> So how do you not click links to confirm your email for a new account?

Fair question, but the "don't click links in email" is for emails that you don't expect. And sure, that's an unsatisfying answer because it's hard to communicate this wisdom to your grandmother.

I think the best answer is defense-in-depth. Ensure you use updated email clients, browsers, and OS, and employ a DNS blocker like a pihole or equivalent public service.

For less-savvy people a device like an iPad or Chromebook can be a reasonable defense.

hunter2_ 10 months ago

If I'm being honest, "don't click links in email unless you were expecting that particular email message" seems easier for grandma than "update x, y, and z, and use Pihole" unless you want to administer her network and devices. But maybe you're saying that an iPad/Chromebook can mitigate all of the above needs? A little bit.

Anyway, while I haven't heard of any cases yet, it wouldn't surprise me if senders of phishing email someday manage to deliver messages shortly after detecting some traffic (DNS lookup?) that you legitimately make with the entity the email is spoofing. Then you're expecting it, roughly.

  • johnklos 10 months ago

    It is a bit easier, at least. My almost 90 year old Mom now knows to be suspicious of email and to not believe email unless she has a reason to think she should be getting it.

    To be fair about setting up a Pihole or some other form of DNS filtering, that's something that the network administrator should do, not individual users. It's a shame that it's still not trivial - companies that make NAT routers resist building in things that they don't completely control, so a configuration page for Pihole in your NAT router's web interface likely isn't coming soon. I hope that changes.

    Mom also understands that someone taking over her Nextdoor account would be a nuisance, whereas someone taking over her banking account would be significantly more problematic, so the more important something is, the more time she'll take to ascertain its authenticity.

    I practice explaining these things because I do it often. One interesting observation is that Mom believes me, so she does the things I suggest, whereas younger people think they know better, so they generally don't put much energy into my suggestions. I'm working on ways of showing people that they're not necessarily safe because they're "doing the same things they've always done, and nothing bad has happened yet".

    • hunter2_ 10 months ago

      > a configuration page for Pihole in your NAT router's web interface likely isn't coming soon. I hope that changes.

      In the meantime, the majority of routers do allow you to specify the DNS resolver instead of using whatever it learns via WAN DHCP, so you could put in a filtered public resolver (as opposed to your own Pihole instance) which gives pretty similar results if you don't need to whitelist anything. Plus, you can do the same on mobile devices that roam beyond that router (and avoid VPN through said router). I've been using dns.adguard-dns.com (94.140.14.14 and 94.140.15.15) [0]. They were founded in Moscow but now operate out of Cyprus (EU) and I don't have much of a reason to trust any other DNS operator more than them.

      [0] https://adguard-dns.io/en/public-dns.html -- "method 2"
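
A way to check that a Linux device really uses only the filtered resolver from the comment above, added here as an example and not written by anyone in the thread: it parses resolv.conf-style text and flags every nameserver outside the two addresses quoted there, since a leftover router or ISP entry can answer queries unfiltered. The function names and the sample file contents are constructed for illustration.

```python
import ipaddress

# Filtered resolver addresses quoted in the comment above.
FILTERED = ("94.140.14.14", "94.140.15.15")

def audit_resolv_conf(text, filtered=FILTERED):
    """Sort each 'nameserver' entry into filtered / unfiltered / local_stub / invalid."""
    allowed = {ipaddress.ip_address(a) for a in filtered}
    result = {"filtered": [], "unfiltered": [], "local_stub": [], "invalid": []}
    for raw in text.splitlines():
        # Drop '#' and ';' comments, then split the directive from its value.
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            # Strip an IPv6 zone id such as fe80::1%eth0 before parsing.
            addr = ipaddress.ip_address(fields[1].split("%", 1)[0])
        except ValueError:
            result["invalid"].append(fields[1])
            continue
        if addr in allowed:
            result["filtered"].append(str(addr))
        elif addr.is_loopback:
            # A local stub (e.g. 127.0.0.53) hides the real upstream resolver,
            # so this file alone cannot prove that filtering is in place.
            result["local_stub"].append(str(addr))
        else:
            result["unfiltered"].append(str(addr))
    return result

def is_fully_filtered(text, filtered=FILTERED):
    """True only if at least one filtered resolver is set and nothing else is."""
    r = audit_resolv_conf(text, filtered)
    return bool(r["filtered"]) and not (r["unfiltered"] or r["local_stub"] or r["invalid"])

# Constructed sample inputs, not taken from a real host.
SAMPLE_GOOD = "nameserver 94.140.14.14\nnameserver 94.140.15.15  # filtered\n"
SAMPLE_MIXED = "# router left in as fallback\nnameserver 94.140.14.14\nnameserver 192.168.1.1\n"
SAMPLE_STUB = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("mixed", SAMPLE_MIXED), ("stub", SAMPLE_STUB)]:
        print(name, is_fully_filtered(sample), audit_resolv_conf(sample))
```

On a real device, pass the contents of `/etc/resolv.conf`; a `local_stub` result means the upstream resolver has to be checked in the stub's own configuration instead.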