Gosh, you opened up my mind about how hackers (which often are not people but Bots), but I appreciate all your warnings and know how quickly we all can forget to be more conscious about our behavior. Hackers often do rely on our habits. I am not at all techie, so I am glad I found you and know I will learn much.
Good morning Cletus and Scottie 🖖🏻 getting my coffee and ready to enjoy the new video
In my opinion, 2FA goes hand in hand with laws against anonymous SIM cards. Requiring authentication via Smartphone (SIM card) creates a link to an identifiable personal record. Emails can be registered with fake data, but SIM cards cannot. That's why governments love pushing 2FA, it binds a potentially anonymous online account directly to an easily identifiable SIM card owner record. I think.
Phone number is just a more convenient, reliable, cross-account advertising identifier compared to email in part thanks to those laws. To mitigate there are SMS-activation websites where you can pay with crypto, even some free ones.
A fake email is harder to track, a phone number is an identity!
@@personanongratis and what if you don't have one? Or you break your phone?
I broke mine and I don't have the cash to buy a new one and I can't access my credit account because I don't have my phone!!!!!!
A good password will be just as good.
I've always felt like 2fa was better at locking people out of their own accounts than actually protecting them
So true, if you happen to be in that area where you don't have access to your phone for any reason possible (probably dozens) you are fucked up. sorry to dig your comment from the graveyard, it's my time to do it this time. :)
@@rachparov the age of my comment doesn't make it any less relevant
@@Shadowwolf-1337 Forces you to come back tho ;)
Scottie thanks for the heads up. Can you do a review of VPN pros and cons?
My phone has been bugging me to set up two step verification. I just keep ignoring it.
Like one of my teenage friends used to say "if I am about to cut your fingers off, your 2fa will not help". He's still here, with us.
Great explanation. One thing you forgot to mention though: A hardware token is worthless if you keep it in the same bag with your laptop or it is stolen in a burglary.
Good point!
Why? The thief also needs to know a password
@@user-lk8lq1pm5h yes but then you don't need the second factor. This video is about the added security and potential false sense of security associated with a two factor authentication system. If you keep your hardware token so that a potential thief/hacker can just simply get ahold of it, then you might as well just stick to a single factor password sign on. This would be detrimental if you relied on the hardware token and because of that chose a weak password.
If I lose my phone, then I'm screwed. I use mobile number but change number I'm screwed.
I hate the current versions.
Google lets me use my landline, others don't.
Thank you for your Honest input on 2FA, or MFA, as I suspected this but wasn't sure. Since my company tried to force this on employees I've been getting non stop spam calls. And business app wants to track my device and whereabouts and requires to download a QR code if I do that instead of the SMS text message. Yet company claims they aren't selling employee data, but they are! It's sooo very frustrating!
Superbly done, thank you Scottie!
Great job on this video.
Ohhh greaat never really thought about the whole “marketing” stuff
Thanks for the straightforward explanation, surprisingly rare on tech topics.
I do agree that 2fa like text message is inherently not private and not that secure. But as far as I know TOTP and hardware key are significant security upgrade and do not infringe on your privacy.
Very interesting info about these 2FA, thanks for sharing it Scotties. Recently I lost the phone and had to change phone No and can't even login to PayPal with 2FA enabled and had to ring them up, what a hassle.
Nice video. Thank you.
How about using a VOIP phone number for 2FA?
What if (looking at security) the two factor identification is always sent to your e-mail instead of your cellphone via text? If you put tight controls over your e-mail account would this be a little safer than text?
I would say that's less secure than SMS. Assuming proper configuration of mail servers, e-mail should be relatively secure. The problem is that many mail servers are nowhere near secure.
I am starting to remove things from my computer and phone
Nice to see you Scottie! Hackers, scammers, & thieves really took off with WiFi..🤔.. It's never been secure and never will be.. passwords on WiFi are useless it just gives people the false sense of security.
You've hit the nail on the head! I turn off the sensors but does it really work when every smart phone if you're close enough still can detect who you are? A little food for thought..
When some of my coworkers are on our bus I get on my smart phone their ads.🤔 Just how smart is this smart tech? Unbelievably smart...Not a good thing! Like this plandemic...
❤🙏🏼 Jeanne
Just like masks on faces are useless, they give a false sense of security in this plandemic
Wish banks had an option for authentication apps or security keys.
Would it be best to delete cookies when I’m done using the browser? I read somewhere it's good to delete history after each use to help prevent being hacked or spied on so I wondered if deleting the cookies too would be best after each use
It's good practice to have. If you don't have anything saved on the device ransomware is pointless when you get it. Thus lowering the attack surface
Also still need to look out for programs that still store some info on your device, like how discord stores images and caches them on your device
All those things so complicated crooked , I don't want use it just a minimum as much as possible
Great job. Have you reviewed open source fido's like solokey and only key?
Can you address Proton mail and give us info on the security of it and how it works? Is IP still there etc.
Question for you Scottie...if you go to a website and dont accept cookies do they still go on to yr laptop? Thx!!
We have become the product
I think you have missed a valid point which you have almost made already:
get a dumb phone in case you must use sms 2fa, so that there are less sensors for companies to get their hands on.
What happens if someone wants to create the 2FA code and text it to you? For example if I am working with a so-called financial advisor, she wants to create the 2FA for me? Is this a big NO NO? Please respond?
Well, that depends: Do you trust this person 100%? What she is proposing is basically having full access to your account. Generally speaking, I would call that a big No-No!
So that’s why I’m getting so many scamming phone calls now! Good to know, but how do I stop it?
Yeah, that's the problem... If possible, never give your phone number and use an authentication app instead (like Authy). authy.com/
@@ScottiesTech can i use Google prompt and backup codes?
What do the providers of authentication apks get out of it ? Are man in the middle attacks visible to 24/7 Antivirus apks like Malwarebytes?
Does Google Authenticator just hoover up your data too?
I really enjoyed every single minute, great talk 👍
Good day sir, nice video. I have a question: I get a lot of Instagram direct URL messages to open and I have 2FA, and I regularly check login activity in the mail and in Instagram. My question is, even if someone gets through the 2FA, will they be able to delete the login activity on Instagram? The thing is, the login activity can't be deleted, but it gets deleted automatically in 14 days, as written. Can I at least feel secure by checking the login activity and security mails? Thanks for reading, sir.
I have a question. Do you think Instagram will someday allow its users to use security keys? Just curious.
Okta 2 factor authentication is strange in that it works only on computer not controlled by an enterprise, but not on internal computers controlled by a corporate or university IT department for instance.
I learned something new today. Thanks!
Should I just change passwords after a couple of months and turn 2FA off
I never knew I could get my account back, Thanks to #Cyber_belford on IG. He helped me get my account back.
Yes but turn on Google prompt and Backup codes Then your account is safe
Dude are you serious? On my phone I have ALL the tracking data turned off, nobody is tracking me. Maybe you should look into switching off apps that advertise and watch some videos on what you should be turning off on an iPhone or Android to reduce the tracking as much as possible.
You seem to know what you're talking about. I was wondering if you could help me with my Gmail and Facebook passwords, my ex broke my phone and I forgot my passwords, I have had these accounts for about 20 years, please my life is in there :(
I dunno about FB, but Google has a rather thorough account recovery process. The trick is you need to have added a phone number, 2nd e-mail address, secret recovery questions, etc. sometime in those 20 years. Usually, you probably did this to keep your account and then promptly forgot about it! Here they even have a link to recover a hijacked account: support.google.com/accounts/answer/7682439?hl=en
Is authy safe?
Everything is identifiable information. Use not only unique passwords but also unique email addresses (/aliases/temporary ones) and if SMS verification is necessary, there are shady websites where you can receive that SMS. (It's a good idea to enable authy type 2FA wherever possible so websites don't freak out about VPN too much)
Google makes you use an SMS or Google Authenticator in addition to the key so if you lose your key, you just say you lost your key. SO what good is all the hassle with the KEY! I bought a key, but now I realize this is useless.
Yeah, the key or a 2FA app can be used in lieu of a phone, but they still make you do the phone thing once to set up the other stuff. For me, it's useful becuz I rarely have my phone on.
Are you from Slovenija or this cup is just a Souvenir?
He's actually from Chicago
You must have some image enhancing device cause I can't make out anything on that cup!
@@Riker-ER In that case you must increase the video resolution to 1920x1080 to be able to see what is written on the Tea cup on the Desk!
@@Riker-ER Or maybe get your eyes checked, maybe you need glasses, who knows!
From Chicago so I'm American, but I also am a Slovenian citizen. I'm 7/8 Slovenian, and 1/8 Croatian.
NO do not enable this feature you will lose access to your accounts if you lose access to your original phone numbers do not use
Scottie thanks so much for great Cookies.😅 That was rich info...
Thank you. I can now take steps to protect my self...
Hardware keys are NOT "more secure". They're kind of a joke, actually.
Simply by having a key leaves you open to a new vector of attack... the key can be lost, stolen, or you can be compelled at gunpoint to use it. Hardware keys - unlike phones and email accounts - don't require their own sign-in credentials: anyone can use it if they have it. I know possession is largely the point, but it shouldn't be the entirety. Use of the key itself requires no knowledge from the account holder signing in. Some newer and expensive keys do offer biometric fingerprints to activate, but they're notoriously unreliable, prints can be faked, prints can be lifted, you can still be physically forced, and in fact in some countries law enforcement can compel your print from you (unlike a password). So in these ways, a hardware key adds vulnerability.
What's more, the hardware key isn't even required at sign in at all. At the log-in screen the sites usually give you options for 2FA, with the hardware key being only one of them. The SMS, email, and authenticator app options are still available to you as alternatives. Since they are still available 2FA methods, the hardware key doesn't add any security (even if you reject that it adds vulnerability), because it doesn't remove any vulnerability either. The chain isn't stronger than its weakest link. A hacker can still steal your authenticator app seed, port your phone number, sniff your email; the hardware key can be ignored. Even if you set up a key, you can still be socially engineered into giving up access to email or SMS. These sites don't allow you to disable the other methods and so they remain insecure avenues of attack. Coinbase won't even let you use a hardware key unless you first set up an authenticator app, and you can't deactivate the latter without deactivating the hardware key too. It's all or nothing with many sites.
Some sites are worse yet. I was actually able to disable 2FA this very day on a site I only knew the username and password to, without even having to fully sign in, despite 2FA being enabled, all from the login screen. A site I tried to log into today sent a code via SMS but it never arrived (which is another problem entirely with SMS), simply with a few clicks I was able to circumvent the 2FA entirely. I mean, if they are going to implement 2FA this poorly, having a hardware key to go along with it wouldn't help. If you have to use SMS then using a VoIP number is the most secure way, but many sites require a SIM card/cell phone number (which is where the bulk of the SMS vulnerability comes from) and will reject a VoIP number at sign-up.
If multiple 2FA methods have to be set up and enabled concurrently, I would prefer that at least two of them be simultaneously required at sign in; a sort of 3FA. But sites don't even allow you to require any particular enabled method.
I really don't know what the safest 2FA is. How insecure is an SMS to a VoIP number? How insecure is an encrypted email provider bridged to a local email client? How insecure is 2FA tied to a hardware device such as a cell phone, and is it tied to the SIM card or to the phone number more generally? Are authenticator app seeds encrypted on websites?
With authenticator apps and hardware keys alike, data associated with your 2FA login scheme is stored on the server. At least with SMS and email, a code can be generated randomly and on the spot before being sent, leaving no real trace of 2FA login data to skim by a hacker on the server, so future login attempts can't be recalculated.
The biggest thing hardware keys solve, imo, is that it prevents phishing since you have to be on the legitimate site for it to work. But I have concerns. What happens if the URL or domain name changes in any way? What if they move their servers and get a new IP? Will my key still recognize it as the authentic site; why or why not? Why don't you just keep a list of valid site links in a password manager or word document, and only ever use them, thus making it a policy to never click on any other link to your accounts. Don't you still solve the problem of phishing? And if so, what then is the benefit of a hardware key?
Also, hardware keys are not cheap, and if you buy one you ought to buy two so you have a backup. Additionally, different makes and models of hardware keys offer different 2FA schemes, and aren't all compatible with all sites that offer hardware keys 2FAs. Only a finite number of log-in credentials can be accommodated by any one key; how many accounts do you have?
Furthermore, the adoption of hardware keys is very slow, so if you buy in now you won't be able to secure a lot of accounts anyway, and the technology of your key will be antiquated by the time full adoption does come around. So do you wait for better key technology and greater adoption before buying your keys? Given all that I've said, you decide...
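The domain binding behind the phishing resistance discussed in the comment above, as an added example that is not part of the original thread or any commenter's code: a simplified model of the WebAuthn origin and RP ID checks made by the browser and the server. The names `example.com`, `example.org` and `evil.test` are constructed, the suffix rule omits the public suffix list, and signature verification is left out.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlsplit

# Constructed relying party for this example (assumption, not from the thread).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
FLAG_USER_PRESENT = 0x01


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_allows_rp_id(page_origin: str, rp_id: str) -> bool:
    """Simplified browser rule: the page must be HTTPS and its host must be
    the RP ID itself or a subdomain of it. Real browsers also consult the
    public suffix list; that is left out here."""
    parts = urlsplit(page_origin)
    host = parts.hostname or ""
    return parts.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


def make_assertion(page_origin: str, rp_id: str, challenge: bytes, sign_count: int = 1):
    """Simulate browser + key. Returns (clientDataJSON, authenticatorData),
    or None when the browser refuses the RP ID for this page."""
    if not browser_allows_rp_id(page_origin, rp_id):
        return None
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,  # filled in by the browser, not by the page
    }).encode()
    # authenticatorData: 32-byte SHA-256(rpId) | 1 flag byte | 4-byte counter
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([FLAG_USER_PRESENT])
                 + struct.pack(">I", sign_count))
    return client_data, auth_data


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> str:
    """Server-side checks, minus the signature. Returns "ok" or the reason.
    Note that no IP address appears anywhere: only the domain is bound."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return "wrong type"
    if not hmac.compare_digest(data.get("challenge", ""), b64url(expected_challenge)):
        return "challenge mismatch"
    if data.get("origin") not in ALLOWED_ORIGINS:
        return "origin not allowed"
    if len(auth_data) < 37:
        return "authenticator data too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash mismatch"
    if not auth_data[32] & FLAG_USER_PRESENT:
        return "user not present"
    return "ok"


def attempt(page_origin: str, rp_id: str, challenge: bytes) -> str:
    """Run one sign-in attempt from a page at page_origin asking for rp_id."""
    assertion = make_assertion(page_origin, rp_id, challenge)
    if assertion is None:
        return "browser refused RP ID"
    return verify_assertion(*assertion, challenge)


if __name__ == "__main__":
    ch = secrets.token_bytes(32)
    for origin, rp in [
        ("https://login.example.com", "example.com"),      # legitimate site
        ("https://example.com.evil.test", "example.com"),  # look-alike host
        ("https://login.evil.test", "evil.test"),          # phish using its own RP ID
        ("https://example.org", "example.com"),            # site moved to a new domain
    ]:
        print(f"{origin:34} rpId={rp:12} -> {attempt(origin, rp, ch)}")
```
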
@@leesweets4110 Personally, I think 2FA is only more secure because most people use such bad passwords. There is ALWAYS a way around even the most strict security. It isn't the encryption or the deadbolt or padlock that is the weak point; it's usually a lateral attack - like using a really huge strong padlock on a flimsy little door.
This is why I have a separate VoIP number for online accounts.
Your cellular provider has complete access to every device with their SIM Card. They modify their devices from the manufacturers, Apple, Samsung, etc etc PRIVACY IS AN ILLUSION!!!
This is the most idiotic security feature ever . I got blocked on several accounts because authenticator code did not match what I received
Wow!!! Great INFO thanks for sharing
Great video!
I'm a guy that likes things!
I don't believe in Scottie but I'm tappin all that right space spots on this thing!
Thanks for the information.
Thanks Scottie! GTSY 👍
The Key is nice but what if you lose it. :) Not so secure after all. :)
I am not that dumb. For the man in the middle, I am not touching any links, so I am safe. BTW, can I use Google prompt?
I am using Google prompt and backup codes, so I am safe?
"Dumb phone" 😂😂😂😂😂😂
Thanks man !
thank you!
I don't care for TFA, it seems these days, it doesn't suffice to give an email address to register an online account, every company wants your phone number, so TFA is a good way for tracking you even more, yes it's more secure but less private, unfortunately some people confuse security with privacy!
was just preparing to delete my Paypal account lol
Thank You . . .
Great video
Damn... ! Thank you .
Would you be kind enough to come back on the subject of crypto protection ?
Twitter was first
Mmm.... cookies.
🕊🇺🇸WWG1WGA🇺🇸🕊️ Gratitude!!!🙏
No one should be worried about man in the middle attack
If you're entering login information it should be sent via the https protocol i.e. encrypted.
A man in the middle attack can not fake the ssl certificate.
... and if you ain't using https for entering login details then you got bigger problems.
For the most part, that's true... But, as with all things, there are exploitable flaws. I can't find it now, but there was a very interesting article a few years ago about an SSL hack some folks did with a bunch of networked and repurposed game consoles, I think it was. They didn't need to crack the encryption, but instead used a lateral attack on an "unknown" weakness in the algorithm that allowed a MITM attack even with SSL. That's usually the way they do it: they come at the problem from the side, not head on.