[Sebring]

I've been using Bose BT Speaker for ages now. Works best

Quote:

Originally Posted by neoonwheels

What I meant is, I want speaker which has mic in built but wont pick echo

[concorde24]

Quote:

Originally Posted by concorde24

Thanks Thad - i will go ahead and try with iHerb this time.
On shipping partner, I understand from the cart options that it is not DHL anymore and but Aramex.

The order placed on iHerb was delivered in 10 days, including document collection for KYC. I noticed that the item got shipped only after KYC confirmation which will save time on orders where product with customs but name mismatch.

It was a smooth experience and thanks @Thad for your feedback.

[bblost]

I used https://www.croma.com/ to buy an iPad.

It has this offer of cashback and no cost EMI for HDFC credit cards.
I selected the offer and completed the purchase with a HDFC credit card.

Chroma denies that I selected this offer and hence says I am not gonna get the cashback.

Its a matter of just 3k and I am not going to fight with Croma for it.

But the feeling that this website made a fool of me is something I will not forget and will never ever buy anything from this online portal ever again.

Every purchase from Flipkart and Amazon has left me feeling like it was a straight forward deal. But Croma left me feeling like a fool for having believed the website works.

[Jaguar]

Quote:

Originally Posted by bblost

I used https://www.croma.com/ to buy an iPad.

It has this offer of cashback and no cost EMI for HDFC credit cards.
I selected the offer and completed the purchase with a HDFC credit card.

But Croma left me feeling like a fool for having believed the website works.

It could be a browser issue. Which browser did you use? Most of the sites are not tested to work properly on all browsers. The Croma website sucks, so do many others, which is why the likes of Amazon are so successful.

I bought a dryer from Croma last month. Just before entering the OTP, I realized that the instant cashback was not applied and I was being charged the full amount. Discarded the transaction and tried with another browser (Chrome I think) and managed to get the discount.

[bblost]

I used Chrome browser. I selected the offer and it said offer applied. I then entered the credit card details and went to the OTP page.

Transaction was completed and I called Croma store. Then went and picked it up.

Spoke to the guy on the cashback as he said this will be done in 120 days. He also said the invoice gets generated after pickup and I will get it in 24 hours.

When I got the invoice later there was no mention of cashback. This prompted me reaching out to the customer support.

[audioholic]

Quote:

Originally Posted by bblost

Spoke to the guy on the cashback as he said this will be done in 120 days. He also said the invoice gets generated after pickup and I will get it in 24 hours.

When I got the invoice later there was no mention of cashback. This prompted me reaching out to the customer support.

Cashback is usually a HDFC offer and wont be shown on the Croma invoice. I have brought more than five apple devices so far from Croma, all offline in store buys. What we get is a mention of the cashback in the card chargeslip. It would be written towards the end. Since yours is an online purchase, I believe that wasnt mentioned. But usually it has worked all the time for me and the cashback would appear in the third or fourth statement. And regarding invoice it would automatically be mailed to you.

In general I have found Croma experience to be top notch. Even today, I can access the invoices dating to 2016 with just one call to the customer care with my registered mobile number. I found it useful when I wanted to sell my iPhone last year to Cashify and they asked for an invoice. Got it within two minutes of calling the CC.

[diyguy]

Anyone getting warnings on amazon app - a data breach on a site or app exposed your password. Google recommends changing your password on amazon.in now.
This is happening on the new Android 11 update on my wife's oneplus nord. I am not getting the similar alert on my older op5.

[saket77]

Quote:

Originally Posted by diyguy

Anyone getting warnings on amazon app - a data breach on a site or app exposed your password. Google recommends changing your password on amazon.in now.
This is happening on the new Android 11 update on my wife's oneplus nord. I am not getting the similar alert on my older op5.

My iPhone says same for aliexpress and amazon as well. I changed both some time ago but this warning has popped up again.
Actually with so many login ids across sites and devices, I am finding it difficult to be creative enough for passwords.

[binand]

I'm not sure what to make of this news item:

https://theprint.in/india/governance...x-this/636083/

First glance, this sounds like a great idea. But the implementation plan seems a bit impractical. This, for example:

Quote:

...a team of experts possessing the required domain knowledge and expertise to investigate the reviews [who] will work as content regulators, [...] help in flagging fake reviews

[meerkat]

Quote:

Originally Posted by diyguy

Anyone getting warnings on amazon app - a data breach on a site or app exposed your password. Google recommends changing your password on amazon.in now.
This is happening on the new Android 11 update on my wife's oneplus nord. I am not getting the similar alert on my older op5.

While I haven't received any such warning so far (I don't have Android 11, if that matters), I have noticed something curious in my Amazon profile the other day -- it showed that 14 devices were allowed to log in without an OTP! I've never logged in from more than 3 or 4 devices in total, let alone 14. No one else was ever allowed by me to log into my account either.

Thankfully, There was no other obvious signs that my account was broken into. I, of course, have immediately blocked any device from logging in without an OTP, and changed my password too.

But I'm completely puzzled as to how could it have happened in the first place. If any hacker can find out my password somehow, how come one is allowed to log in without an OTP? What's the use of a 2-factor authentication if it is not on by default, and any new device can log in at will if the password is somehow leaked?
.

[binand]

Quote:

Originally Posted by diyguy

Anyone getting warnings on amazon app - a data breach on a site or app exposed your password. Google recommends changing your password on amazon.in now.
This is happening on the new Android 11 update on my wife's oneplus nord. I am not getting the similar alert on my older op5.

Not sure about this, but I believe what Google is warning you about is a compromised password - that is, the password you use on Amazon is compromised (ie, present in a leaked list of passwords somewhere). The leak could have happened from any site, not necessarily Amazon.

Also it is a relatively new feature of Google Account (2 years-ish?), so might not be present in older versions of Android.

Quote:

Originally Posted by saket77

Actually with so many login ids across sites and devices, I am finding it difficult to be creative enough for passwords.

I suggest using a password manager that can generate strong passwords for you. Google itself has one, so does Firefox, and there are several third-party ones.

I also have this bookmarked (for the rare scenario where I need to generate a password myself): https://mkpasswd.web-tool.net/

Quote:

Originally Posted by meerkat

I have noticed something curious in my Amazon profile the other day -- it showed that 14 devices were allowed to log in without an OTP! I've never logged in from more than 3 or 4 devices in total, let alone 14. No one else was ever allowed by me to log into my account either.

Probably the lifetime total devices you have logged in from? Phone changes, app uninstall/reinstall cycles etc. all count among new devices. Just get rid of the ones you don't recognise - or better still, get rid of them all and re-login from the devices that you trust.

Quote:

Originally Posted by meerkat

If any hacker can find out my password somehow, how come one is allowed to log in without an OTP? What's the use of a 2-factor authentication if it is not on by default, and any new device can log in at will if the password is somehow leaked?

Very few service providers default to 2FA currently. Most require the user to explicitly enable it. Which is how I believe it should be - not everyone wants 2FA for all services (after all, SMS-based 2FA is not true 2FA).

[carboy]

Quote:

Originally Posted by binand

after all, SMS-based 2FA is not true 2FA

SMS based 2FA is of course true 2FA. 2FA is 2 Factor authentication. The 3 main factors of authentication are

- What you know
- What you have
- What you are

Any authentication which uses 2 of the above 3 is 2FA

Password is what you know
Your SIM Card is what you have (The SMS comes on your SIM Card - you having the OTP means you have the SIM Card)

So nothing is lacking.

[binand]

Quote:

Originally Posted by carboy

So nothing is lacking.

This is a facile, ill-informed view (based on the kool-aid produced by the marketing departments of service providers?). To the extend that OTP is supposed to do the "what you have" authentication with respect to the SIM card, I agree. But the problem is that OTP, as implemented currently, conflates knowledge of the PIN ("what you know") with possession of the SIM - which, depending on the protection you need or the threat model you have, is not a true interchangeability that holds good in the real world.

From the administrator of the backend system where the OTP is produced to SMS software's developers, there are several entities who aren't in possession of the SIM card but can access the OTP making it a very unsafe method of authentication.

[meerkat]

Quote:

Originally Posted by binand

....
Probably the lifetime total devices you have logged in from? Phone changes, app uninstall/reinstall cycles etc. all count among new devices.

"Lifetime total devices" still don't add up! I've started using the Amazon app only recently, and only from a single phone so far! Plus may be 2 or 3 PCs/ laptops ever (all mine). But I didn't know app uninstall/reinstall cycles could contribute to this count too!

Quote:

Very few service providers default to 2FA currently. Most require the user to explicitly enable it. Which is how I believe it should be - not everyone wants 2FA for all services

That's what confounds me. After all, anybody could turn off 2FA for specific devices as they want. Otherwise, what's the point of having 2FA at all? As I see it, if the password is not compromised, 2FA is redundant, and if it is compromised, anybody could log in from other devices! So I don't see how having 2FA is of any use at all unless it is on by default!

Quote:

Originally Posted by binand

...
From the administrator of the backend system where the OTP is produced to SMS software's developers, there are several entities who aren't in possession of the SIM card but can access the OTP making it a very unsafe method of authentication.

And I, rather naively it seems after your explanation, have always assumed that the whole process is somehow securely automated! Still it begs the question, how come our whole financial system (among others) has become so critically dependent on this type of authentication, and no major issues have surfaced so far due to such ubiquitous reliance on this!
.

[binand]

Quote:

Originally Posted by meerkat

After all, anybody could turn off 2FA for specific devices as they want. Otherwise, what's the point of having 2FA at all? As I see it, if the password is not compromised, 2FA is redundant, and if it is compromised, anybody could log in from other devices! So I don't see how having 2FA is of any use at all unless it is on by default!

The implementations I have seen are like this:

1. They all default to single factor only. 2FA is something the user explicitly turns on.
2. Once the user turns it on, they have to login from every device once with the full 2FA flow.
3. After that, the user has the option of marking one or several devices as "trusted devices" where logging in will not be mandated any longer.

I believe you are talking of #3? It is meant for your personal devices and the choice is entirely yours. I think it is a reasonable midpoint in the security vs convenience range. It is not "anybody could turn off", it is "people with access to the device can turn off" - and you as the device owner has control on limiting that set.

Maybe there is some other issue you want to point out? Because I certainly do not agree with "2FA is redundant".

Quote:

Originally Posted by meerkat

And I, rather naively it seems after your explanation, have always assumed that the whole process is somehow securely automated! Still it begs the question, how come our whole financial system (among others) has become so critically dependent on this type of authentication, and no major issues have surfaced so far due to such ubiquitous reliance on this!

Of course there have been hundreds, thousands of cases where OTPs were stolen/retrieved and transactions made without the knowledge/consent of the account owner. The newspapers report these frequently. All these are failures of our faulty implementation of 2FA.

I remember using an RSA SecurID 2FA token, issued by HSBC in India, back in early oughties - so it is not that they can't do it. They just drag their feet because implementing the right approach is costlier for them, and the downside of not implementing is not expensive enough.

Edit: About 2-3 years back I migrated to a Yubikey (https://www.amazon.in/gp/product/B07HBD71HL/) for some of my important accounts instead of SMS OTP or TOTP. Today I prioritise 2FA as: Yubikey, if not supported then TOTP, if not supported then SMS, if not supported take a long hard look at the service and decide whether it is really worth it.