this post was submitted on 10 Feb 2024
91 points (96.0% liked)

Firefox

17301 readers
125 users here now

A place to discuss the news and latest developments on the open-source browser Firefox

founded 4 years ago
MODERATORS
 

I'm just scared that they're saved with reversible encryption on the disk, then malware could steal them

top 50 comments
sorted by: hot top controversial new old
[–] Dehydrated 37 points 8 months ago (6 children)

I recommend a password manager like Bitwarden, it has a great Firefox extension and it's very secure.

[–] lemming741 6 points 8 months ago (2 children)

I self host vault warden, and the card auto-fill works ~70% of the time, and about half of those, the security code or the expiration doesn't work. EBay is the first one that comes to mind. I know it's the websites not following standards or conventions. It happens often enough that I remember the dates and codes now because I end up having to fill them in so often.

[–] [email protected] 23 points 8 months ago (2 children)

Protip: if a field doesn't populate, right click on it, then choose "copy name for bitwarden" (or something like that, not using FF in English), then add a custom field in the CC entry in bitwarden using that name in the clipboard. From now on on that specific page it will work

[–] [email protected] 6 points 8 months ago

I actually didn’t know that. Thanks for the tip!

load more comments (1 replies)
load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 30 points 8 months ago (7 children)

I trust it enough to use the feature, but I've got separate cards for online and in-person purchases. The online card is temporarily disabled in my bank app, and I only unblock it when I intend to use it. Takes like 30 seconds extra.

The in-person card is permanently unlocked for NFC and regular store transactions, but region locked to the country where I'm currently at, and transactions over $30 require the PIN.

[–] [email protected] 3 points 8 months ago (2 children)

Out of curiosity, would it not take less than 30 seconds to type your CC numbers in online each time? I mean the month and ?ccv are easily memorable

[–] FireRetardant 9 points 8 months ago (1 children)

It being blocked still helps protect them if the card number gets snatched during a transaction. By the time the scammers are ready to use the card numbers, the card would be locked.

load more comments (1 replies)
load more comments (1 replies)
load more comments (6 replies)
[–] [email protected] 27 points 8 months ago (5 children)

Please don't save stuff in your browser. It's very easy to rip those passwords and logins. If you must, keep it in a proper password manager like bitwarden or keepass.

[–] [email protected] 3 points 8 months ago (1 children)

Yup, I only store testing creds for work use. My actual credentials are in a proper password manager.

[–] [email protected] 5 points 8 months ago (1 children)

Historically, I've seen more "proper" password managers with breaches than browser storage.

[–] [email protected] 5 points 8 months ago (7 children)

Well yeah, if you breach a password manager, you get tons of credentials. If you breach a person's computer, you get one set of credentials. And most of those breaches are low impact, such as Okta:

For 99.6% of customers, hackers accessed only full names and email addresses, according to Okta, though in some cases they may also have accessed phone numbers, usernames and details of some employee roles.

Here's an example of a browser attack (not necessarily password management, but related):

These scams have been going on for months, and one YouTuber claims they work through fake sponsors reaching out to creators. The YouTubers are then convinced to download a file related to the sponsorship, which is just malware designed to steal cookies, remotely control PCs, and ultimately hijack YouTube accounts.

Basically, any script that can run on your machine can compromise stored passwords and credit cards if there's no master password set (typically the default behavior). If there is a master password, it could be brute forced (I'm guessing most attackers don't bother). It's just a lot harder to detect this kind of breach since it happens on end-user machines instead of an audited web service. I'm guessing a lot of people get hacked this way, but it doesn't make the news because individuals don't dig into the breach to find the cause.

My understanding is that password managers are still way more secure than using your browser's built-in PW management, and you can take it a step further and self-host (e.g. Bitwarden offers this) to require attackers to actually target you.

load more comments (7 replies)
load more comments (4 replies)
[–] [email protected] 25 points 8 months ago (1 children)

reversible encryption

All encryption is reversible, otherwise it wouldn't be encryption, it would be a hash. If you don't use a password, it's easy to reverse the encryption. If you do use a password, the maximum security with a brute force attack is 112 bits, which is pretty weak.

I recommend using a different password management service (which also handles credit card info), any password manager will be fine. I personally use Bitwarden, which uses 256 bits of encryption. That's pretty standard across password managers, so you're better of focusing on making a secure password.

That said, if you're only worried about credit card info and not storing passwords in Firefox, you're probably fine. Credit cards have a ton of protection, so if someone steals your card info, call your bank to dispute the fraudulent transactions and get a new card, it doesn't cost anything and has little hassle. Debit cards are another story, so I recommend just not using debit cards at all online.

[–] Wizard_Pope 3 points 8 months ago (15 children)

Prepaid debit cards for the win. You need to buy something online? Open your banking app, transfer the amount to the card, pay. After that the card is empty and cannot be used to pay flr anything until you need it again.

[–] [email protected] 5 points 8 months ago* (last edited 8 months ago) (1 children)

That sounds like way more effort than a credit card, especially here in the US where transfers between banks take 2-3 days.

If you really want to avoid credit, you can lock your debit card and unlock it when you make a purchase. That's still annoying, but effective. But if you're responsible, there's really no reason to avoid credit, and you get rewards on top.

[–] SirQuackTheDuck 4 points 8 months ago (1 children)

especially here in the US where transfers between banks take 2-3 days.

*Laughs in SEPA Instant Transfer*

Anyhow, locking and unlocking is an option. Using "3D Secure" systems - which require a secondary approval via an app or website - works significantly better, and chargebacks are one tap in a banking app (modern apps, so US might again be fucked here).

load more comments (1 replies)
load more comments (14 replies)
[–] Bob_Robertson_IX 19 points 8 months ago (3 children)

If it's a credit card then you should have pretty decent protection against fraud from the credit card company. I've had my card details stolen a few times (though never directly from my browser) and each time the credit card company has identified the fraud and reached out to me within minutes.

Now if it's a debit card, you should NEVER put those numbers into a computer. I only ever use my debit card to access the ATM, and even that is rare.

[–] [email protected] 13 points 8 months ago (2 children)

Sounds like a very US specific answer. In EU I only have a debit card and sometimes I have a hard time using it even myself because I need to pass 2fa and sometimes even that isn't enough if I'm on a new browser

[–] [email protected] 4 points 8 months ago

Credit cards work the same everywhere*, it's not US-specific. My debit card actually only has my bank account number on it (but I think that actually is a Germany-only thing with our Girocards), so paying for stuff online is just a normal bank transfer, where yeah you do have to pass the bank's 2FA (unless it's via SEPA direct debit).

* mostly, my card requires me to confirm some charges in a special phone app, I don't think that's a thing everywhere since it's also fairly recent

load more comments (1 replies)
[–] [email protected] 5 points 8 months ago

That's only true for debit cards that aren't backed by master card or visa. When you use your debit card that is online, it's run as a credit card and has the same fraud protections.

[–] [email protected] 3 points 8 months ago* (last edited 8 months ago)

I don't use debit cards anywhere for this exact reason. Don't even have one. When I have in the past, I've had the card linked to a seperate bank account with a small balance and no overdraft protection to limit damage. What I'd found though is that even when you tell the bank not to enable overdraft protection, they conveniently forget that and it stays possible to overdraft your account and get hit with fees,

I do the same strategy for crypto wallets, there's only a small amount in my browser wallet so that if somebody gets it, they can't steal much. From there you can have varying degrees of storage security for larger amounts: multi-sig so you have to sign transactions using multiple devices, hardware wallets, and cold storage.

I see all these articles about people getting thousands of dollars stolen from their crypto wallet and I'm like, you put $3,000 on the same computer you play Zombie Run 4 on? Knowing there was no fraud protection? And that a hardware wallet costs $100? Or that multi-sig is free? If you are storing that much in crypto, you need to either educate yourself on safe storage or use a custodian you can trust (exchange, multi-sig with family member, etc) who can.

[–] [email protected] 16 points 8 months ago

More likely to be stolen in person at your local coffee shop

[–] [email protected] 10 points 8 months ago

I don't even trust Steam, let alone Mozilla. I don't think I've ever had any credit card auto-fill on any browser I've ever had

[–] [email protected] 10 points 8 months ago

With credit cards any fraud is the responsibility of the credit card processor not the individual. So the risk isn't on your side.

[–] [email protected] 9 points 8 months ago (1 children)

I simply use my credit card number for my password on every site. it makes it so much easier to remember both. back in the day i would use my social security number. thanks to that simple trick, i never get robocalls or spam and i've been removed from most mailing lists because no one will ever issue credit or do business of any kind with me. a hacker stole my identity once and my credit score quadrupled. he even gave my identity back a week later!

load more comments (1 replies)
[–] [email protected] 7 points 8 months ago

If Firefox can read it from disk without a password, any other program running as your user can read it from disk without a password. But to prevent this you can encrypt your Firefox profile with a password.

[–] [email protected] 7 points 8 months ago

I don't save them in Firefox, not because I don't trust Firefox, just because keeping them in a password manager is more convenient. I don't think there's a reason not to trust Firefox.

[–] [email protected] 7 points 8 months ago

I do trust it well enough, but I don't use it.

For starters, I don't want it to be too easy to spend money. If I want something, I should want it enough to pull my card out and type the number again.

Second, the auto-fill often doesn't work perfectly, so you need the card anyway.

Third, there's the slim chance it could be hacked. So why even take that chance when the only benefit is convenience

[–] [email protected] 6 points 8 months ago

No, i use keepass and coppy/paste like the other commenter

[–] Coreidan 6 points 8 months ago

No. If I want my CC number I just…..look at my CC

[–] [email protected] 6 points 8 months ago

I put it into my password manager. (KeePassXC with Syncthing to share the database)

[–] [email protected] 5 points 8 months ago

Absolutely not.

[–] RustyNova 5 points 8 months ago

I would totally trust it, but on a cyber security stand point I don't trust anything with my credit card. The only place where the numbers are stored are on the physical card itself

[–] [email protected] 5 points 8 months ago

I'm also kinda wary of saving cards in the browser. So I created a virtual card with a spending limit for that purpose.

Although there's more to fear from malware stealing saved passwords. Fraudulent transactions can be reversed, identity theft will do a lot more damage.

[–] RememberTheApollo 5 points 8 months ago

I leave a number wrong. The security code, date, whatever. I can remember one number and correct the autofill while making an attempt to keep things a little more secure and still convenient.

[–] [email protected] 5 points 8 months ago (1 children)

No. I don't save cc's on any browser.

load more comments (1 replies)
[–] registeredusername 4 points 8 months ago* (last edited 8 months ago)

No... not leaving cc on any browser... I use KeepassXC and setup to clear anything in the clipboard within 10 seconds

[–] [email protected] 4 points 8 months ago (1 children)

If you've got credit card paranoia, Privacy.com has a solution for you. I personally just rely on my credit cards theft/fraud protection programs.

[–] [email protected] 3 points 8 months ago

Privacy.com won't solve this problem. In fact, it's likely more insecure than saving your information locally.

[–] CaptainProton 3 points 8 months ago

It's the banks problem, to be frank. If you're in the US, your liability for fraud is capped by law at $50 per card.

[–] [email protected] 3 points 8 months ago

I actually memorised my credit card number including the expiration date and security code. it's very convenient and I highly recommend it.

[–] [email protected] 3 points 8 months ago

Your saved passwords are reversible too, just don't do it. If you really want to, put a password on it, but then why would you even save it at all? The convenience is lost at that point. And if you save it without a password, to decrypt the cc a decryption key has to be saved somewhere, and if it's not on your pc, it's saved on a server you don't own.

load more comments
view more: next ›