Phones Access PINs Security Issues

For those that prefer to read: https://www.wsj.com/podcasts/tech-n...-minutes/1f55ec3a-f7d1-48ea-9090-3fb87f32656e

For those with brain cells, TLDR don't use Apple or anyone else's integrated password management. Because if some jack hole steals your phone from your hands while you're using it, they can near instantly lock you out of your entire digital reality and will laterally spread to anything they can to get more cash, like all the credit cards you stupidly linked to Apple Pay (or similar service).

You can also avoid the above by using an unlock process that's actually complex. Filling in 123456 or 111111 is eternally dumb, and dumb people will be punished via theft and other means. The market has spoken.
 
So basically the "news story" is: don't set a basic, guessable PIN on a device that stores your banking apps and credit cards. Who would have thought that could be a security risk?

No different from setting the PIN on your actual credit card to 1234 and then being shocked when a thief manages to steal it and withdraw money. Are credit cards insecure now?
 
@SAFCasper The slightly less obvious lesson is to make sure that if you put in your PIN to unlock your device, you do it in such a way that someone in public with a nice camera cannot record it.

This ring is observing people unlocking their devices, that's how they get the PIN, THEN stealing it. But dang does it require a whole lot of carelessness on the part of the person using their phone.
 
But dang does it require a whole lot of carelessness on the part of the person using their phone.

What would you suggest people entering their PINs do? Erect a blocking wall around themselves? Ask friends to form a ring around them?

This issue can be avoided by using biometrics, really.

I don't think that punching in your PIN when a PIN is requested, without a care in the world, is particularly careless unless you're holding the phone above your head and putting it in like it was a demonstration.

The problem lies more with short or repetitive PINs, and even if one were not using a PIN at all, if someone does a "smash and grab" on your phone while it is unlocked, the problem still presents itself. It comes back to, "If you don't have physical security, you don't have any security worth having." General awareness of your surroundings goes a very long way toward avoiding all this to begin with, though there will always be circumstances where distractions abound.
 
@britechguy Biometric access can be compelled by law enforcement, not to mention by those willing to knock your butt out; a PIN / pattern cannot.

The real answer is a biometric unlock with a PIN backer. MFA for a phone. Sadly, no phone I'm aware of does this. A short 4-digit easy PIN is plenty when you need your face or a fingerprint to go with it.

Something you have.
Something you are.
Something you know.

Always two must be used for any actual security to happen. Something you know is the only one of these three that can be used as a primary method to boot. The fact these options are not available is directly Google and Apple's fault. They've been asked... for A DECADE to do this. There has been legal action too. But they aren't interested in giving us tools to secure our lives, they make money off the sales of new devices that promise better without actually delivering it.

But yeah, nothing really matters if you don't have physical security. If someone owns your device, they own the contents. There are ways to help that, device encryption and whatnot... but those are all bypassed if someone has the time or will to crack your PIN. So we're right back to the easy answer being fingerprint + PIN.

Note I'm harping on fingerprint here... because facial unlock can never be secure because it can be bypassed by a PICTURE of you. We have no expectation of privacy about our appearance in public, and there are cameras everywhere. So the facial ID unlock is simply monumentally dumb, and trivially bypassed.

If you're going to use your phone as a payment device, it has to be secured like it's a bank. And it cannot be... which is why I do not recommend using your phone as a bank! It's really handy for authentication purposes as a 2nd factor, but it cannot be secure in and of itself at the present.
 
You want "more security" than most of us do.

If you think that people are going to MFA their access to their phones, I have some oceanfront property in Omaha you should look at.

It really is entirely unrealistic to believe that you can force people to do things they really do not want to do. If you try, they come up with very ingenious ways to get around the parts they don't want to have to deal with, often making things less secure than a reliably employed less secure method.

The context is important, too, and biometrics would not work with a phone taken in a "smash and grab," even if it were open at the time, unless the thieves were *really* fast about getting down to business (or the owner of the phone has set an insanely long "stay awake" time).

I have zero concern about law enforcement compelling me to open my phone. There are now precedents that make it just as illegal for law enforcement to make you open via biometrics as by passcode/swipe code: https://www.lawtechnologytoday.org/2019/08/can-police-force-you-to-unlock-your-cell-phone/
 
Yeah I'm aware, I'm aware John Q. Moron doesn't actually want a secure future. But he'll get it, whether he wants it or not, because the alternative is MORE of what's going on.

And once again when you say biometrics, they must not be based on images of faces. Those are too easily replicated.
 
One of the reasons I don't put a lot of apps on my phone like...banking apps. I do not want anything that connects to my bank...on my phone.
I don't do credit card payments on my phone...like Google Pay.
I don't store a notepad of secret notes on my phone. I chuckle at how many iPhone users think that the "notepad" thing in an iPhone is like a bank vault and store every important thing in there...I just shake my head when I see that...thinking..."yeah, one day...you're poached..."

Yeah you could get to my work stuff...email....but...I don't have secret stuff in my email either.
The only thing on the phone I have concerns about losing...is my Microsoft Authenticator app with over 20 accounts' worth of MFA/TOTP stuff in there.

So that would make me run a "remote wipe" as soon as I think my phone is gone (or have someone at my office do that).

My phone is fingerprint unlocked, I have a longer PIN.

The "ease" of users being targeted for their phones is something that is on the rise for sure. How many of you still go grocery shopping? Stand in line at the checkout? Ever see people standing there waiting for the line to move forward...they whip their phone out of their purse or back pocket or coat pocket...unlock it (just 3-4 feet in front of you)...you can easily catch their PIN with your eyes. Not hard to grab a phone out of a lady's purse in a line. Or follow her out to the parking lot and jack her. Or...how about at a bar? I don't think that many people here spend time at a bar...if they don't immediately recognize how juicy of an easy environment this is. People sitting at a bar (or standing) very often whip their phones out...unlock, use them quickly...put them down....a few minutes later, pick up, unlock, use for a minute...put down. All the while as they talk to someone next to them...(usually meaning turning and facing them). At bars, people "not" sitting at the bar often nudge up to the bar to order a drink(s) and walk away. Bars with high volume and high turnover of customers...bars that cater to younger people...x10. Pretty easy to eyeball someone unlocking their phone from..."standing right next to them distance"...wait 'til they place their phone down on the bar (as...many people do)...the victim turns away to talk to someone...BOOM, grab and walk away. None of the victims here had to stand up, hold their phones over their head and enter the PIN for everyone to see. It was all done many times in an hour within close visual range.

I'm becoming more and more security aware in recent years, because we're seeing so many businesses get poached from...lack of some form of security on their data. Even those with some basic security...sadly things like this recent "auth token" stealing is going around rampantly.
 
LOL and the shoes are starting to drop!


TLDR, all you crazy IT people... security problems are NOW YOUR FAULT. Sure it's not law... yet. But that's a ticking time bomb that will go off soonish when you've got the insurance industry funding it.

So those of you that don't like MFA, I suggest you retire now. Everyone else, warm up your lawyers, and update your agreements because over the next five years things are going to get much more expensive for all of us.

Liability insurance for IT providers is about to turn into something matching malpractice insurance. Good luck!

As I said before, John Q. Moron will be secure, if he wants it or not, because with the force of government, he will have no choice otherwise. The feedback loop between cybercriminals and insurance companies will be broken. And you will personally be making up the difference if you don't get out of the way.

I've said it before but I'll say it again. All MSPs must become MSSPs or die.

But these policies are also saying all break / fix shops will do things in a Zero Trust way, or be sued out of existence.

Security cannot be ignored.
 
Once again, "Thanks Biden".
We're going to have to document our suggestions to clients...especially their refusals. Or even...get rid of those who refuse to let us implement best practices.

Just this morning, a client reached out to me...a typical exec fraud (spoof) email...just urgently requesting gift card purchases, clearly coming from a poorly spoofed Gmail account (client themselves still on Google Workspace...thus no good spam filtering...scheduled to migrate to 365). It went to most of the staff, and the bad actor was quite impatient, with follow-ups every couple of hours. I had signed up all staff for Breach Secure/PII Protect just a few weeks ago.

So I ask the client..."Did much of your staff watch the PII Protect training yet?" She said she was pretty sure about 7 or so did (they have about 15 employees). I logged into my PII portal, looked at their client entry, only 3 did.

Quick moral of the story..."You can lead a horse to water......"......
 
From the article cited:
"We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us," the White House said today.

"The Federal Government will also deepen operational and strategic collaboration with software, hardware, and managed service providers with the capability to reshape the cyber landscape in favor of greater security and resilience."
-------------
That seems to me an entirely appropriate approach.

It also doesn't seem to me that those of us out in the trenches doing break-fix will be affected much, if at all, because the work we do is NOT related to client security. My going in to someone's business to set up a new printer, replace a battery in a laptop, etc., etc., etc., is not linked to their security setup in any way.

Security at the scale that government and business requires is not something that any "mom and pop" computer repair shop is capable of providing, and that's been true for years now.

And, if you provide training (and what large entity that deals with cybersecurity doesn't) and your clients do not follow protocol, that can't be your fault. We can no more make individuals do something than doctors can. Provided we do what we can, and should, depending on what sector we're servicing and for what purpose, after doing our due diligence it's up to clients to do theirs. Doctors don't get sued for malpractice when patients refuse treatment. This situation is directly analogous.
 
So I ask the client..."Did much of your staff watch the PII Protect training yet?" She said she was pretty sure about 7 or so did (they have about 15 employees). I logged into my PII portal, looked at their client entry, only 3 did.

Quick moral of the story..."You can lead a horse to water......"......

And do you think that any court in the land would hold you responsible for this? I don't.

I also find it shocking that anyone finds the kind of spoofed email described something that warrants panic. Delete it and move on with life. The next one will assuredly come, whether in 5 minutes, hours, days, or weeks. If you can't recognize this kind of stuff by now, when it makes it through, and promptly dispatch it to the great bit-bucket, you never will. These things will happen, and ALWAYS will happen.
 
And do you think that any court in the land would hold you responsible for this? I don't.

I also find it shocking that anyone finds the kind of spoofed email described something that warrants panic. Delete it and move on with life. The next one will assuredly come, whether in 5 minutes, hours, days, or weeks. If you can't recognize this kind of stuff by now, when it makes it through, and promptly dispatch it to the great bit-bucket, you never will. These things will happen, and ALWAYS will happen.

Not sure yet, but...having to go to court, I'm not fond of paying a shyster's retainer and rates for a battle, nor having to take the time off or get distracted.

The vast majority of our clients are cool, laid back, I have long relationships with them. BUTTTT....once in a while we'll have a cheap client who...we don't like, who won't listen to us, and one of our guys will have one. Such as recently...last summer a new manager took over an already "pain in the butt" client that one of our engineers had. The new manager there was really condescending, always in a rush, never taking our advice, etc etc. So...he let someone "in the door" with his authenticator...hit "approve" from the MFA fatigue (well, not really fatigue I'm sure in his case, he was just an impatient jerk). It resulted in some shenanigans between his email and their finance lady. Bottom line, (he claims)...$85k wired somewhere. Yeah they didn't have common sense verbal policies in place to re-authenticate money related things. He brought in a forensic team (which...I'm sure, also told him that his phone "let in" the bad guys). And who, I'm sure, told him "You should have had a policy in place to double authenticate via voice or face any $ related requests from email or text". However, here we are with our first case in our nearly 30 years...he hired a legal team, and he hired another MSP to take over (and I'm sure they're living a hell right now...they keep coming back to us asking about more info they weren't told up front...LOL).

I'm not worried about losing any case, he'll be shown he was an idiot. He was never signed up for any of our security plans or services. But myself and the primary engineer had to spend XX amount of hours working with the ISP in transferring things, and...we lost over $4k/month in revenue (antivirus, updating, backup for servers, 365 licensing, etc.) (plus...they did purchase quite a bit of hardware regularly).

Regarding the spoofed email and "panic"...this particular client is a non profit advocacy organization for the parents of children with disabilities. Their staff is mostly retired or older..., and I always encourage them to check with us for anything suspicious. They weren't in a "panic"...the usual contact I deal with just messaged me in Teams. I offered to take a look at the email, to verify if it was harmless, or if action needed to take place. They are what I call a "Level 2 managed client"...so that's what I'm here for...I'm their IT department.
 
The real issue at hand here is the IT industry maturing. It's leaving the no barrier to entry, wild west state we've all gotten used to and moving into a regulated reality with gates imposed by government and financial institutions.

Along the way, a TON of stuff gets litigated, and none of us wants to be involved in that. Losing everything you've built to legal fees is not a great time.

And along the way? You're going to see break fix shops get hit, just like the local automotive mechanics get hit. If you "help a user" recover an account, BOOM you're on the hook. So much of break fix will be forced into a mold of sorry... I can't help with that.

Just watch, it's happened before, and it's happening again right now. And @YeOldeStonecat Why are you "Thanking Biden"? He's not driving this, the liability insurance companies are pushing this. The policies as announced aren't bad, and you should be doing all of those things already. Heck I'd be shocked if there is much you need to change at all with your company, other than a bit more documentation. Furthermore the standards being set forth are industry best practice, and never a bad idea to begin with. This just means your recommendations come with force of government. Handled correctly, this should be a sales opportunity, not a cost. Trump or anyone like him could be in the Oval Office for the next three decades and this trend WOULD STILL CONTINUE. The banks will not stand these losses anymore.
 
And @YeOldeStonecat Why are you "Thanking Biden"? He's not driving this, the liability insurance companies are pushing this. The policies as announced aren't bad, and you should be doing all of those things already. Heck I'd be shocked if there is much you need to change at all with your company, other than a bit more documentation. Furthermore the standards being set forth are industry best practice, and never a bad idea to begin with. This just means your recommendations come with force of government. Handled correctly, this should be a sales opportunity, not a cost. Trump or anyone like him could be in the Oval Office for the next three decades and this trend WOULD STILL CONTINUE. The banks will not stand these losses anymore.
I actually see this as a way for "business clients" to get away from it; THEY don't have to seek security or listen to our preachings. It used to be:

*We'd preach the best practices...and above...and the clients either accepted/adopted it, or not, because the onus was on them. I like the onus being on the client. Such as our clients that deal with healthcare, they KNOW they have to follow HIPAA. Or our clients that do work for the gov't...they KNOW they have to follow NIST or CMMC...else they stop getting contracts from the gov't. The onus is on them. They come to us and ask us for help! They don't refuse our recommendations.

*Now...the onus falls on us. Now I have to go out of my way to triple document client refusals. I used to at least keep their email saying "I don't want this". Because stubborn clients will still be stubborn, they can still play the refusal game...knowing if something bad happens, they can whip out the old finger pointing game and blame us somehow.

This whole shift is very simply about ownership and accountability...plain and simple.

*And the bigger part...(and I'll borrow your own words for this)...."Liability insurance for IT providers is about to turn into something matching malpractice insurance. Good luck!" Yeah...good deal. Health insurance is already up 22% just this year; next year we can look forward to likely AT LEAST double that for our E&O.
 
This whole shift is very simply about ownership and accountability...plain and simple.

And, yet, everything you say is the case now still puts ownership and accountability on the service provider, in the end, because if they don't present necessary practice then how would any client, who should be presumed to be ignorant of the nuts and bolts, know?

We present, they decide. And if we document that we presented, and they decided against, I don't see how we're on the hook. Yes, of course there will be frivolous lawsuits (as there always are) trying to lay blame where it doesn't belong. But that's true now, too.

I don't know of any instance of someone successfully suing a doctor for malpractice, and winning, if they refused to follow medical advice. You have to have received advice, followed it, and the advice was bad to begin with (or at least could be interpreted as bad). That's pretty much true in any area of professional practice. You're not liable for any individual refusing to implement something you've said should be implemented. And if you can show that you did state it should be implemented and the client refused, well, what are you to have done about that?

I don't think that our clients, who hire us for our professional expertise, should be expected to know what's what. They hire us for that. We should own that. But, at the same time, if professional expertise is offered and documented as having been, we've met our obligation if the answer from the client is, "No."

The real danger comes if the answer is, "Yes," because you had better be darned sure that what you're suggesting, particularly in regard to security measures, will actually provide the level of security needed. [Again, very analogous to medical malpractice.]
 
@YeOldeStonecat Your E&O will be a combination of industry models as well as your own. So you will be able to control your rates there by removing bad clients from your services.

So we're all going to have to figure out how many refusals we'll accept before we fire a client.

@britechguy Exactly! The ignorant yahoos that flood this field are going to be having a very hard time financially once this trend plays out.
 