
norwegian
Premium
join:2005-02-15
Outback

reply to Snowy

Re: Secret Security Questions Are a Joke

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

Okay, I will play along with this.

You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.

You can take a horse to water but you can't make it drink.

This is the dilemma faced.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:6

said by norwegian:

You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.

Ok, but the incurable weak link is the user.
Shouldn't the system be held accountable for a weak point that's 100% certain to fail?
There is a system check that would eliminate the common password weak point at a critical stage.
If site A were to ping the associated email account using the same password used for its domain it would clearly show a common password in use. Then it's just a matter of forcing a unique password.


norwegian
Premium
join:2005-02-15
Outback

reply to Name Game

said by Name Game:

Yes well if you are Mat..you did not complain about security questions.

Funny you should say that, in this case especially in regards to security questions:

quote:
When hackers broke into Mat Honan's Apple account late last week, they couldn't answer the security questions designed to verify his identity.
What could he or she answer then? I have read the full story and it seems quite relevant. I will say I've had an issue not relative to security questions, but the end result was just as scary:

Let me elaborate;
I had a new bank card lost/stolen twice, the second time it had the new pin with it, because it turned up on a Friday and I had no time to deal with changing it to something I'd remember, the end result was.
1. $800 was taken before I notified the bank to seize all transactions until Monday when I would present myself in person.
2. There was a phone call placed to reopen the funds by a third party, lift the daily limit to $2,000, which factually had to be processed on paper with your signature according to the rules they had in place, and by the end of the weekend a vast sum had disappeared.
3. I went into the bank Monday and to my surprise, there was very little left in this account. Luckily the manager was understanding and I wasn't rude, but I did get back every penny after I made that first call to close the account.

quote:
No matter, Apple issued them a temporary password anyway setting off a chain of hacks that laid waste to Honan's digital life.
The Apple support - user to keyboard interface virus has infected the Internet?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



JALevinworth

@embarqhsd.net

reply to Snowy

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

That's exactly my take on it and is at the heart of these problems. After all, the system is built by people as well. Development should always include the human factor. It's not how a product is intended to be used that's important - it's how it IS used in reality that needs to be considered in design and re-design.

After all it is the developers who are tasked with making it secure - I'm not taking a swipe at developers, btw. Used to be one myself. So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security. Motivating accountability to design secure systems is yet another hurdle.

Granted, there is a lack of security training and adherence by end-users - But, they will do what they are asked for the most part (ex: answering honestly a security question).

-Jim


norwegian
Premium
join:2005-02-15
Outback

said by JALevinworth:

So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security. Motivating accountability to design secure systems is yet another hurdle.
-Jim

And we know big corporations' priorities nowadays do not lie with security and / or an efficient accurate system, but with keeping shareholders happy.

So many times a short quick high bearing result, can turn ugly down the road because of the ramifications of the end results failing long term.

Will we see an authentication process adopted across the board that bypasses the needs of big corporations and sticks to the essence of the matter, secure authentication methodology as a standard, IE, not patented by one company and charged accordingly?

For the matter of this topic though:
Would allowing the end user to make his or her own security questions help the authentication process and help take the weight off the companies involved including liabilities, and provide us with a better system? I don't think it would but it sounds better as a band-aid fix, as long as that same Apple support person did not get involved and just bypass it altogether.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback

reply to antdude
In regards to the Apple support person who bypassed the security questions in Mat's case. In his or her defense, I have seen it numerous times for me, so how they do it for the masses is beyond me.

When authenticating your account, whatever means required, security questions and the like, as in this case, if you cannot remember the correct login details for the phone conversation or online transaction, and remember you are not allowed to write them down and store them in your wallet, you quite often find your birth date, address etc become the next line of clearance, similar to the credit card's last 4 numbers in Mat's case. If your wallet is stolen or somewhere on the Internet your credentials are freely visible, say for argument's sake a Google search gave you enough for the process, then you have already had your accounts hacked, cracked by social engineering (sorry Kilroy, couldn't help it).

The support person cannot be blamed for this also inherent weakness in the system's process and sorry I don't have a magical answer to it all either.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



JALevinworth

@embarqhsd.net

reply to norwegian

said by norwegian:

said by JALevinworth:

So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security. Motivating accountability to design secure systems is yet another hurdle.
-Jim

And we know big corporations' priorities nowadays do not lie with security and / or an efficient accurate system, but with keeping shareholders happy.

So many times a short quick high bearing result, can turn ugly down the road because of the ramifications of the end results failing long term.

Will we see an authentication process adopted across the board that bypasses the needs of big corporations and sticks to the essence of the matter, secure authentication methodology as a standard, IE, not patented by one company and charged accordingly?

For the matter of this topic though:
Would allowing the end user to make his or her own security questions help the authentication process and help take the weight off the companies involved including liabilities, and provide us with a better system? I don't think it would but it sounds better as a band-aid fix, as long as that same Apple support person did not get involved and just bypass it altogether.

To the first part; Exactly. Couldn't have said it better myself.

As to the second; allowing a free-form question is a better alternative but how many end users (now already trained with the standard type questions) would just create one that could be answered with publicly available or easily socially engineered info anyway? Probably many.
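The worry raised here, that a free-form question still ends up with an answer an attacker can pull from public records or a stolen wallet, is something a site can partly screen for at enrollment. The check below is an added example written for this page, not code from the forum or from any company discussed in it. The profile fields, the common-answer list, the minimum length and the sample account are all constructed assumptions; the idea is simply to refuse answers that are too short, are well-known filler, or overlap with data the site already holds about the user (name, birth date, address, last four of the card), since the thread notes those are exactly the values a phone agent falls back to.

```python
import re
import unicodedata

# Constructed list of answers that show up far too often, stored in the same
# normalized form that normalize() produces.  A real deployment would build
# this from its own telemetry; this list is an assumption for the example.
COMMON_ANSWERS = {"password", "123456", "none", "na", "unknown", "idk", "god", "love"}


def normalize(text: str) -> str:
    """Fold case, accents and punctuation so "O'Brien" and "obrien" compare equal."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]", "", stripped.lower())


def profile_tokens(profile: dict) -> set:
    """Every normalized profile value, its word-level parts and its digit runs.

    A birth date contributes the full date and its year; a card number
    contributes its last four digits, the fragment a phone agent might
    accept as proof of identity.  Fragments shorter than three characters
    are dropped so that "HI" or "42" do not cause spurious matches.
    """
    tokens = set()
    for value in profile.values():
        if not value:
            continue
        tokens.add(normalize(value))
        for part in re.split(r"[\s,/\-]+", value):
            tokens.add(normalize(part))
        for digits in re.findall(r"\d+", value):
            tokens.add(digits)
            if len(digits) >= 4:
                tokens.add(digits[-4:])
    return {t for t in tokens if len(t) >= 3}


def screen_answer(answer: str, profile: dict, min_len: int = 6) -> list:
    """Return the reasons an answer is rejected; an empty list means acceptable."""
    reasons = []
    norm = normalize(answer)
    if len(norm) < min_len:
        reasons.append("too short")
    if not norm:
        return reasons  # nothing left to compare against
    if norm in COMMON_ANSWERS:
        reasons.append("common answer")
    # Flag an answer that contains, or is contained in, any profile fragment.
    hits = sorted(t for t in profile_tokens(profile) if t in norm or norm in t)
    if hits:
        reasons.append("matches profile data: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed sample account; none of this is real data.
    sample_profile = {
        "name": "Jane O'Brien",
        "birth_date": "1975-03-14",
        "address": "42 Main St, Hilo, HI",
        "card_last4": "4242",
    }
    for candidate in ("O'Brien", "1975", "4242", "password", "cerulean kettle 9"):
        print(f"{candidate!r:22} -> {screen_answer(candidate, sample_profile) or 'ok'}")
```

The substring test in both directions is deliberate: "O'Brien" is rejected because it is part of the stored full name, and "1975" because it is part of the stored birth date. A check like this cannot tell whether an answer is findable through a search engine, as the thread points out, but it does stop the most common case of a user simply re-entering something the site already knows.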


JALevinworth

@embarqhsd.net

reply to norwegian

said by norwegian:

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

Okay, I will play along with this.

You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.

You can take a horse to water but you can't make it drink.

This is the dilemma faced.

Exactly. Not having seen this, I just finished posting the same point (sorry in advance to Snowy too for the unintended duplicity)


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

reply to antdude
Account recovery is really the issue and that is broken.

»www.oneid.com/thoughts/epic-acco···dnt-help


MaynardKrebs
Premium
join:2009-06-17
kudos:4

reply to antdude
Apple Hires Former NSA for Security Post

»www.cultofmac.com/78455/apple-hi···ty-post/

Judging from what we've seen, I'd guess that little has been going into consumer-side security. I wonder if this hire was to bolster the NSA's view into Apple customer data in the cloud.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

reply to antdude
My Amazon Web Services security questions are:

Security Response #1?
Security Response #2?
Security Response #3?

(this is one of the choices offered by AWS, not something I made up)

which gets round the public-records aspects of the matter, but it means now I have to remember a three-part password that I never use, just in case I forget the password that I use more frequently. So while this seemed like a good idea at the time, now I'm not so sure.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

reply to Snowy

said by Snowy:

If site A were to ping the associated email account using the same password used for its domain it would clearly show a common password in use. Then it's just a matter of forcing a unique password.

And of calling the email provider to reset my password because Site A was the 10th site I've been changing my password on today, and all those wrong-password probes from Sites ABCDEFGHIJ have locked out my email account.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

reply to antdude

quote:
Bridgekeeper: Hee hee heh. Stop. What... is your name?
King Arthur: It is 'Arthur', King of the Britons.
Bridgekeeper: What... is your quest?
King Arthur: To seek the Holy Grail.
Bridgekeeper: What... is the air-speed velocity of an unladen swallow?
King Arthur: What do you mean? An African or European swallow?
Bridgekeeper: Huh? I... I don't know that.

Didn't work out so well for the Bridgekeeper
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
North Myrtle Beach, SC
kudos:7

You must only use sites that give you the pledge.


Spy
Premium
join:2001-09-22
NE

reply to MaynardKrebs

said by MaynardKrebs:

Apple Hires Former NSA for Security Post

»www.cultofmac.com/78455/apple-hi···ty-post/

Judging from what we've seen, I'd guess that little has been going into consumer-side security. I wonder if this hire was to bolster the NSA's view into Apple customer data in the cloud.

shit not the NSA again, my plastic gloves and garter belts need repairing so i will be forced to buy more blow up dolls with puckered lips if you keep mentioning that agency.


Snowy
mIRC unix.ro UnderNet
Premium
join:2003-04-05
Kailua, HI
kudos:6

reply to dave

said by dave:

And of calling the email provider to reset my password because Site A was the 10th site I've been changing my password on today, and all those wrong-password probes from Sites ABCDEFGHIJ have locked out my email account.

We are talking about security/account hijacking.
Looks good to me.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to Name Game

said by Name Game:

I like them too. Some others that are used at sites one can choose from include:
What is your childhood nickname?
What is your father's middle name?
What was your mother's maiden name?

If you want to get fancy just use those questions..but put in info as if it was your spouse for your own account.

Many other sites are now including a small avatar type graphic that you must confirm..that you chose when setting up the account. And then even asking if you are now at the login on your home computer or a public one.

My local bank has been requiring a graphic I chose and must confirm each time I login since about forever....well, not that long, but for a long time now. This is nothing new ....but then my local bank was the FIRST bank in the nation to have online banking. I got an invitation to join the beta many years ago. I was doing online banking when the percentage of those doing it was very tiny. This bank has won many awards (especially back in the beginning of online banking) as being the best banking site (along with being the best bank in America now for three straight years according to Forbes and others).

This same bank uses those questions you mentioned and also questions like "Where was your mother born"? "What is your father's astrological sun sign"? They have really good questions. Usually, I am asked two questions. They also request to register your personal computer and have been quite responsive the couple of times, over the years, that I have noticed something not as secure as should be. This bank also practices proper privacy/security by asking for User ID on the first secure page and then collecting your password on the next secure page.

What throws me is when a different local bank, or the landline phone company here, asks me for the answer to my security question and I have no idea what that is. I don't know what triggers the teller/CSR asking for that as it has happened rarely. They won't tell me what the security question is and, when this happened the first time many years ago, and then years later again, at both places I didn't even remember ever setting a security phrase on the phone or bank account. It took me several days to remember because I had no clues at all to help me remember. When I finally recalled it, I was proud of myself because I had used a question (made up by me) and answer that no one but me would know the answer to.

Then about a year ago, out of nowhere, my cable company suddenly asked me for a pin number when I called them about an internet connection problem. I did not remember ever setting a pin number with them as they had never wanted me to set one as far as I could recall and I didn't think that was necessary anyway with the cable company as I pay my bill in person each month and never login to my billing account at their website which I suppose you can do if you have set it up but I never set anything like that up. Yet, they suddenly demanded a pin number before they would help me with my internet problem. I had to hang up with no help because I had no idea what it was. I thought about it for a while and called back and gave several possible pin numbers (of course, not the same pin numbers I use for automatic teller machines) until the CSR said one of them was the correct one. I still don't understand why they need that and I have not been asked recently when I have called them so something triggers needing it sometimes I guess.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

reply to hortnut
I was in grad school at the Ohio State University in 1970 and got tear gassed by the National Guard more than once. I was just trying to teach my speech communication class that happened to be in Derby Hall where all the Administration's records were housed in the basement...I wasn't trying to destroy the records. The student riots and then Kent State got OSU shut down for the rest of that spring semester.

Making up a name is good...IF you can remember it!
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



DrDrew
So that others may surf.

join:2009-01-28
SoCal
kudos:8


reply to Mele20

said by Mele20:

What throws me is when a different local bank, or the landline phone company here, asks me for the answer to my security question and I have no idea what that is.
...

Then about a year ago, out of nowhere, my cable company suddenly asked me for a pin number when I called them about an internet connection problem. I did not remember ever setting a pin number with them as they had never wanted me to set one as far as I could recall and I didn't think that was necessary anyway with the cable company as I pay my bill in person each month and never login to my billing account at their website which I suppose you can do if you have set it up but I never set anything like that up. Yet, they suddenly demanded a pin number before they would help me with my internet problem. I had to hang up with no help because I had no idea what it was. I thought about it for awhile and called back and gave several possible pin numbers (of course, not the same pin numbers I use for automatic teller machines) until the CSR said one of them was the correct one. I still don't understand why they need that and I have not been asked recently when I have called them so something triggers needing it sometimes I guess.

The "extra" security is required by companies providing phone service (including cable companies) due to a 2007 FCC regulation of CPNI. You can usually find your initial PIN code on your billing statement although it may not specifically be called a PIN code. They don't need the codes when conducting transactions in person because they should be checking ID instead when making account changes or asking for certain account info.

On your Oceanic bill the code is listed as your "Customer Code":
»www.timewarnercable.com/Hawaii/s···e-and-ho
»www.oceanic.com/help/about_your_···ead_bill

Examples from other cable companies requiring PIN codes:
Charter: »www.myaccount.charter.com/custom···eid=1955
Cox: »ww2.cox.com/residential/centralf···00000000
Comcast: »forums.comcast.com/t5/Voice-Serv···p/863267
--
If it's important, back it up... twice. Even 99.999% availability isn't enough sometimes.


workablob

join:2004-06-09
Houston, TX
kudos:1

reply to antdude

said by antdude:

http://it.slashdot.org/story/12/08/09/1410231/secret-security-questions-are-a-joke

My company just gave us all access to our payroll info online and the company that provides it asks you to set a reminder phrase for your password.

Like if your password is your dog's name they say "use My Dog".

No need for stinkin' complex passwords on a payroll site.

Just...WOW! Really?

D'Ave
--
I may have been born yesterday. But it wasn't at night.
over 13.5 years online © 1999-2013 dslreports.com.