2-Factor: Here We Go Again

Just got this email…

image1170×2532 342 KB

I got this today too. Didn’t the last experiment go down in flames?

It sure did

It is only if you have a loan?

Huh it does say that. I don’t have a loan though and still got the email.

Me too!

Team no loans so 2-factor can kiss my grits. I mean, I can understand it for things that really need to be secure, like banking and credit cards and things where they have your SSN and stuff but with the DVC site the worst anyone can do is either pay my dues (please, no, don’t pay my dues!) or login and make a booking that I can just cancel.

They could also cancel a booking.

Or change your password and email address.

I don’t have a problem with 2FA if it works properly. I am annoyed they won’t allow texts for international members though.

Either way it’s very targeted stuff, not random hacker stuff. There is literally nobody out there hacking into the DVC system to steal passwords and cancel random bookings. There’s no money in that, and any possible reward is not at all worth the effort or the risk.

In other words they’re protecting people from people they freely gave their password to rather than from some shadowy threat. If you’ve given your password out to someone and now you’re not on good terms with that person (to the point where they’d cancel your bookings or try to lock you out of your account) then just change the password. It’s not that difficult, and if you can’t be bothered then that’s your own fault.

Since your one password applies to all accounts, can you change it somewhere else online to change your DVC password or does everyone (all Disney platforms) need to call now?

I suppose the big concern isn’t really whether someone might gain access to one’s DVC account, loans or otherwise.

The concern is really what other information might be gleaned from a member’s DVC info that could be leveraged elsewhere. For example, I have a couple online accounts that often use my knowledge of my home address as a way to authenticate me over the phone. This is information that someone could easily find on a DVC reservation if they were able to login to my account. What about the account numbers where my loan payments are made? Or my home phone number?

All these tiny pieces of information can be put together to let an attacker “social engineer” their way into some other part of a victim’s online life (say your bank, or your Apple ID), then get more information, and so on.

I feel like a few moments of cut and pasting a code from my email is a small price to pay for another tiny roadblock against identity theft.

ASSUMING IT WORKS, of course!

By the way, THIS drives me crazy! Such security theater!