When I Contacted Carbonite to shut down my account...


Just contacted carbonite to have them delete all my data and close my account down, due to the lack of two factor authentication.....

 

I told him why I switched to something else, because of the lack of two-factor authentication. 

 

He said "When you say two-factor authentication what do you mean? Do you mean a security question?"

 

I got a gibsonian response that when you call them all you need to validate/ verify your identity with them is ..

 

The Last 4 of the credit card used with carbonite - which is Located and shown on your carbonite account

Name on Card - Which is Located and shown on carbonite account

Billing address Not located or shown on the account but my first and last name is, so they could just look up my first and last name online, because in my case, there is only one of me, and then proceed to get my address.

 

They should really verify with information not located on the account.

 

If someone were to get into my account, they could contact carbonite with all the information and close my account down.

 

The person over the phone let me know that they don't have access to the full card number. I said, well then on your end maybe show the last 6 and on the site show the last 4.

 

Just have some information which is not located on the person's account. After he closed my account, I told him that if someone got my email address and password THEY could have called on my behalf and shut my account down.

 

He said, well that's why your email address and password is important. I said, yes but you also issued a mandatory password reset (by email with a clickable link no less), because you showed unauthorized logins to people's accounts due to people using the same password everywhere.

 

 

3 minutes ago, xendrome said:

How would carbonite be able to verify information not on your account? That seems impossible for them to know information they don't have..

Like I said, on the carbonite account they mask all but the last 4 of the credit card ... at the carbonite office mask all but the last 6. That way anyone who logged into someone's account would have to be in possession of the full credit card number to be able to validate the last 6.

Just now, warwagon said:

Like I said, on carbonite they mask all but the last 4 of the credit card ... at carbonite mask all but the last 6. That way anyone who logged into someone's account would have to be in possession of the full credit card number to validate the last 6.

Oh you are speaking of the account information shown online to a user. If you mean they should have something in their CRM/Billing system like a pin that you would verify and not shown in the online account page, then I get it.

  • Like 2

Is carbonite the only online backup solution that actually restores files back to their proper place ? (as opposed to letting you download your system32 folder that was backed up prior, but it just creates a dump folder and puts things in there - not putting recovered files back in their original location)

I've had experience with Carbonite in the past, and it was a train wreck. They like to make themselves out as an Enterprise-grade data storage and disaster-proof recovery and backup solution, and they charge as such; but what I found was ineptitude and a complete lack of some fairly routine security and data handling measures that we here at Neowin (and pretty much anyone who's ever worked in IT) would do by default. Their Client Software is garbage. 

 

Yep. :( They're junk.

17 minutes ago, xendrome said:

Oh you are speaking of the account information shown online to a user. If you mean they should have something in their CRM/Billing system like a pin that you would verify and not shown in the online account page, then I get it.

There was also no way for me to remove my information from the site. I deleted the client from my computer. I talked with him and the only way is to let the account expire, at which point after a certain number of days or weeks the data gets deleted. But because I switched to a more secure service which did offer two-factor I wanted my info GONE OFF THE CARBONITE, but there is no "Delete all my data" option.

 

Someone mentioned that if a bad guy got into your account they could also do that. Which is true, but as demonstrated above they can also just call them up on the phone. But as @xendrome mentioned have a pin setup at the time of the creation of the account, or password or really anything that you would then store somewhere, which would let you authenticate to the site, to Permanently delete your data.

 

and oh gee, if they would have had two-factor those accounts probably wouldn't have been compromised. Because of the lack of two-factor their security collapsed just like I thought it would.

We had this thread before when you were looking for solution with MFA?  Seems you found one - which one is it?

 

I am still curious to what exactly are you storing online that you feel requires MFA... I mean come on... Someone after your recipes and cat videos?  If there is any concern to this data, why would it not be encrypted before you even put it online?  So what exactly does MFA get you other than headache getting to your own freaking data?

 

I am using crashplan that has had MFA for quite some time.. I just don't have it turned on because while I have my home videos backed up - if anyone wants to watch them I don't really care if someone sees my granddaughter's kindergarten graduation.., etc..  If you can guess the 12 character random have at watching her drool on herself when she was a couple months old, etc.

  • Like 3
7 minutes ago, BudMan said:

I am still curious to what exactly are you storing online that you feel requires MFA... I mean come on... Someone after your recipes and cat videos?  If there is any concern to this data, why would it not be encrypted before you even put it online?  So what exactly does MFA get you other than headache getting to your own freaking data?

 

I bet he's sitting on TBs worth of deadly jokes. We wouldn't want that in anyone's hands.

  • Like 1
2 hours ago, BudMan said:

We had this thread before when you were looking for solution with MFA?  Seems you found one - which one is it?

 

I am still curious to what exactly are you storing online that you feel requires MFA... I mean come on... Someone after your recipes and cat videos?  If there is any concern to this data, why would it not be encrypted before you even put it online?  So what exactly does MFA get you other than headache getting to your own freaking data?

 

I am using crashplan that has had MFA for quite some time.. I just don't have it turned on because while I have my home videos backed up - if anyone wants to watch them I don't really care if someone sees my granddaughter's kindergarten graduation.., etc..  If you can guess the 12 character random have at watching her drool on herself when she was a couple months old, etc.

I'm using 1TB of storage on one drive.

 

As far as why multi-factor authentication, if you look at what happened to carbonite which caused them to send out a mass password reset is because people got a hold of other people's user names and passwords and that's all it took to log in to their personal data. Yes those people were using the same passwords everywhere, but still, to me it's the principle of the thing.

 

I personally think there should be a second factor. It's kind of cool the way google is doing it, and so is Microsoft.  When installing the Microsoft authenticator. When logging into my Microsoft account, after you submit your username and password it pops up on the phone saying "trying to log in" ... Yes or No ... you punch yes and BAM! you are in, same with google. So in this case it's not a headache at all.

 

As to what happens when you lose your phone, well I have all my accounts also authenticating to a backup phone in my house in case something happens to my main phone and I just purchased a cheap $39 Moto E for my safety deposit box that I have everything authenticating to that as well, in case something happens to my main phone and my backup phone... like the house burning down or something.

 

Just now, Shiranui said:

So, which company are you using now Mr. Wagon?

Microsoft onedrive 1 terabyte with an office 365 business subscription. I get the 1 terabyte of storage 5 installs of Microsoft Office. And two-factor authentication to boot

27 minutes ago, warwagon said:

Microsoft onedrive 1 terabyte with an office 365 business subscription. I get the 1 terabyte of storage 5 installs of Microsoft Office. And two-factor authentication to boot

Oh, I have that. Must start using Onedrive....

"pops up on the phone saying "trying to log in" ... Yes or No"

 

That's great until it doesn't work because you don't have coverage on your cell. Or that system is down, etc. etc.. Now you can't get to your recipes...

 

There is security, and then there is unneeded headache to secure nonsense..  that be nice when adding a new device.. But really you need mfa every time you turn on your computer and access your storage?

 

btw: 1 drive from an office subscription is not anything like what carbonite is for.. 1 is just online storage and sync, the other is backup of your stuff in cloud.

2 hours ago, BudMan said:

There is security, and then there is unneeded headache to secure nonsense..  that be nice when adding a new device.. But really you need mfa every time you turn on your computer and access your storage?

It's not every time, in a lot of cases of two factor it's when a new device connects it doesn't recognize.

 

Millions of normal people are using backup services like carbonite that takes it upon itself to backup their entire profile folder for them. Most of those people don't know how to encrypt. They just save it to the documents folder.

 

They save their Tax return to their documents directory and carbonite instantly uploads it.

 

They are also the same people who use the same username and password everywhere and not some strong random 12 character password.

 

So now their username and password get compromised in a different site hack and now people can log into carbonite as them and download all their data.

And you think these same people that use the same password everywhere are going to use MFA??

 

Yes when I add a new device to access my bank accounts it is MFA to auth that device.  When I access my lastpass from unknown location, again mfa..  Shoot I have any country other than US blocked anyway to my lastpass even if they have the MFA info..

 

I would assume you're using strong random passwords that are different, I would assume anything of any sort of sensitive information you have encrypted before you place in the cloud.  So again what does MFA get YOU???  We are not discussing the usefulness of it in specific scenarios..  We are talking about its usefulness for YOU that are backing up your cat videos..   In what world does this warrant MFA??  Your 12+ random password is not enough?  Knowing you it's prob 32+ random..

 

So while the whole subscription and 1TB seems like a reasonable price for their office suite..  You're talking apples and oranges for "backup" software..  Your 1 drive setup does not backup anything for this user that is using the same password everywhere and storing their tax return and other sensitive info just in their my docs that now gets sync'd to the cloud with them prob not even understanding it is..

 

You had to go out of your way to setup some form of backup plan which I am guessing is other files not in the auto sync folders of 1 drive?  Is a normal user going to do that?  Does this plan of yours have file versions or revisions of your backups?  Has 1 drive enabled this for anything other than office docs?  I do not believe that had that?  So what happens when you get hit with ransomware and all your files get encrypted and the copy you have in the cloud is overwritten with the encrypted version.

 

How does this setup help the stupid user using the same password everywhere, no backup, no file versioning of their tax return copy that is a pdf or some tax software format - maybe they did their taxes in excel? ;)  But hey they have MFA that they don't even understand what that means ;)

18 minutes ago, BudMan said:

 So again what does MFA get YOU???  

My personal feeling is that I should have to go through an additional step to authenticate myself when accessing my personal online backup vs logging into Neowin. That's just how I feel.

And your tinfoil hat is too freaking tight is how I feel ;)  MFA serves no real purpose "backup" or even sync of normal home users files.. It just doesn't.. If you like pain in accessing your stuff have at it.. What I would suggest is you create a 64 character password random and then store this in 4 different places around your house in 6 point font with only 16 characters of the password.  So then every time you need to log in you can go find the pieces put them together view them with your magnifying glass and type them in by hand.

 

And then make sure you change this password every other day..  Also make sure that your timeout is like 1 minute so if you turn your head for a second or go to the bathroom you will have to start the process of login all over again ;)

 

You seem to like pain in accessing your own ######, because you're worried someone is going to give 2 ###### about your cat videos?  So you don't have the business plan of 1 drive?  Is that stuff even encrypted at rest on their servers?  Pretty sure that is only for business users.  More than likely you have everyone working for MS with free rein access to all your cat videos and recipes for pesto..

8 minutes ago, HawkMan said:

Why would you make so much trouble for yourself reading your mail ? just use a secure password. 

What are you talking about? It's no trouble at all to read my emails

 

on my phone I added my google account and only had to authenticate with two-factor only once .. Done.. 

I have it on my thunderbird via app specific password  ... Done

I have it on my couch computer via thunderbird via app specific password Done

 

I can read my emails just fine. if I did want to log into the site itself, I type in the username and password, my phone says are you trying to log in, I say yes, ...Done.

 

Why is everyone making two factor out as this horrible, excruciating, painful, troublesome process?

 

Also, The google account isn't just for reading email, it's also your google account for an Android phone, which stores much more than just email.

OK Wagon - I have to chime in here too.
I appreciate the fact you are a nerd, like me and most others on here.

But, if you are protecting the nation's launch codes - I'd like to borrow them.
Are you storing client's data on your OneDrive ?  (I'd like to borrow that too)
Or are you just geeking out and your tinfoil is cutting off circulation ?  hehe


That deal for Office365 and 1TB OneDrive is awesome.

Got the $49 deal for 5 installs, 5TB OneDrive - and used that as gifts for family members (they think I spent a ton of money on them :)

 

46 minutes ago, T3X4S said:

OK Wagon - I have to chime in here too.
I appreciate the fact you are a nerd, like me and most others on here.

But, if you are protecting the nation's launch codes - I'd like to borrow them.
Are you storing client's data on your OneDrive ?  (I'd like to borrow that too)
Or are you just geeking out and your tinfoil is cutting off circulation ?  hehe


That deal for Office365 and 1TB OneDrive is awesome.

Got the $49 deal for 5 installs, 5TB OneDrive - and used that as gifts for family members (they think I spent a ton of money on them :)

 

sorry to say, no launch codes. But after thinking about hawkman's comment again, an email address is usually the one place password reset links are sent so that is the one service I would want locked down.

  • Like 2
This topic is now closed to further replies.