Hacker News
by stevenwliao 1048 days ago
Start by analyzing whichever email service you use.

Add additional checkboxes:

- [y/n] Is SMS the only 2FA method available?

- [y/n] Is there no 2FA at all?

- [y/n] Do they have a history of unpatched zero-days?

- [y/n] Is it possible that if there is a security breach, you won't hear about it because no tech journalist pays attention to this service?

- [y/n] Can someone socially engineer the support team to get access to your account?

- [y/n] If a hacker gets access to your account, can your bank accounts be drained?

3 comments

Forget about emails, this seems like it applies to banks directly (in Canada at least).
Can you recover your account if you forget your password or lose your 2FA?

If so, how?

Is that socially engineerable?

Aren't all vulnerabilities zero-days and therefore unpatched at some point?
It’s a zero-day only at the point when it’s been exploited without having been reported. “Zero” is referring to the number of days since disclosure that an exploit occurred. If it’s patched before it’s exploited, it wouldn’t be considered a “zero-day exploit”.
or if it's been reported but not acted on, and gets exploited before that happens.
I believe if, say, 10 days had passed since the report, it would be called a “10-day” exploit. But it’s also security research jargon that I’m not familiar with in a practical sense so I may be wrong.
I guess to be more specific, zero-days that they don't fix even after they're exploited.
known vs. unknown, and all that