The Security of Interconnected Systems
Posted Tuesday, February 18, 2014 10:23 AM
SSC Eights!
Group: General Forum Members
Last Login: Yesterday @ 11:59 AM
Points: 876, Visits: 2,419
Yes, we have newer rules to add to the old "never reuse your password" and "never reuse your security question" rules - "never reuse a credit card number".

Non-refillable Visa gift cards purchased with cash are your friend; use a different one for each account, and there should be no real way for an attacker to get from credit card number on site A to credit card number on site B.

Different refillable Visa gift cards are at least a little better than the same credit card number - it requires the attacker to go through whatever account is refilling both (all) the gift cards, so it's up to you whether or not you trust your bank, the gift card company, and whoever's in the middle (and whoever everyone sells the division doing the work to).
Post #1542667
Posted Tuesday, February 18, 2014 10:48 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Today @ 9:55 AM
Points: 162, Visits: 1,817
I give my credit card company a substantial amount of money by using the card and letting them collect fees for the transaction. For that consideration, I leave it up to them to dictate what should be done about fraud. If they want me to use a different card number for every vendor or transaction, I would, but they don't. It isn't where the fraud is.

With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read only log?
Post #1542673
Posted Tuesday, February 18, 2014 11:10 AM
SSChasing Mays
Group: General Forum Members
Last Login: Tuesday, September 23, 2014 7:42 PM
Points: 635, Visits: 2,215
Robert.Sterbal (2/18/2014)
With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read only log?

Well, if you go to the bottom of a Gmail account there is a "Last account activity: 1 hour ago Details" link. It just tracks the IP and location that the account was accessed from in the recent past.

Even that simple change could help. Once my Gmail account was hacked. They sent spam from my Gmail account to my work e-mail, so I caught it quickly. The account had been accessed from India. That told me it wasn't a casual mistake. Even that simple change could help.




----------------
Jim P.

A little bit of this and a little byte of that can cause bloatware.
Post #1542686
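A worked version of the read-only login log Robert.Sterbal asks for and the IP-and-location view Jim P. describes, added here as an example; it is not code from either poster or from any mail provider. Each login is appended to a hash-chained record, so an earlier entry cannot be altered or dropped without the chain check failing, and the account holder can ask for a "last account activity" summary and for successful logins from locations they do not recognise. The IP-to-location table is a constructed stand-in for a GeoIP database (an assumption), and the sample logins in `demo()` are made up.

```python
"""Append-only, hash-chained login log with a "last account activity" view.

Added example for this thread (not code from the posters). Assumptions:
GEO_TABLE replaces a real GeoIP lookup, and the logins in demo() are
constructed sample data.
"""
import copy
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

# Constructed IP-prefix -> location table standing in for GeoIP (assumption).
GEO_TABLE = {
    "203.0.113.": "Pittsburgh, US",
    "198.51.100.": "Mumbai, IN",
    "192.0.2.": "London, GB",
}


def lookup_location(ip):
    """Coarse location for an IP; 'unknown' when the prefix is not in the table."""
    for prefix, place in GEO_TABLE.items():
        if ip.startswith(prefix):
            return place
    return "unknown"


@dataclass(frozen=True)
class LoginEvent:
    account: str
    timestamp: str      # ISO 8601, UTC
    ip: str
    location: str
    success: bool
    prev_hash: str      # record_hash of the previous entry, "" for the first
    record_hash: str    # SHA-256 over prev_hash + this entry's fields


def _hash_record(prev_hash, fields):
    payload = prev_hash + json.dumps(fields, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class LoginLog:
    """The only mutation offered is append(); there is no edit or delete."""

    def __init__(self):
        self._events = []

    def append(self, account, ip, success, when=None):
        when = when or datetime.now(timezone.utc)
        fields = {
            "account": account,
            "timestamp": when.isoformat(),
            "ip": ip,
            "location": lookup_location(ip),
            "success": success,
        }
        prev = self._events[-1].record_hash if self._events else ""
        event = LoginEvent(**fields, prev_hash=prev,
                           record_hash=_hash_record(prev, fields))
        self._events.append(event)
        return event

    def verify_chain(self):
        """Recompute every hash and link; False if any record was changed or removed."""
        prev = ""
        for ev in self._events:
            fields = {k: v for k, v in asdict(ev).items()
                      if k not in ("prev_hash", "record_hash")}
            if ev.prev_hash != prev or ev.record_hash != _hash_record(prev, fields):
                return False
            prev = ev.record_hash
        return True

    def events_for(self, account):
        return [e for e in self._events if e.account == account]

    def last_activity(self, account):
        """The Gmail-style 'last account activity' line: most recent successful login."""
        successes = [e for e in self.events_for(account) if e.success]
        if not successes:
            return None
        last = successes[-1]
        return {"timestamp": last.timestamp, "ip": last.ip, "location": last.location}

    def unfamiliar_logins(self, account, known_locations):
        """Successful logins from a location the account holder has not listed as theirs."""
        return [e for e in self.events_for(account)
                if e.success and e.location not in known_locations]


def detects_tampering(log):
    """Edit one stored record on a copy of the log and confirm the chain check fails."""
    forged = copy.deepcopy(log)
    forged._events[0] = replace(forged._events[0], ip="10.0.0.1", location="unknown")
    return not forged.verify_chain()


def demo():
    """Constructed sample: two home logins, then a failed and a successful login from abroad."""
    log = LoginLog()
    t0 = datetime(2014, 2, 18, 9, 0, tzinfo=timezone.utc)
    log.append("jim", "203.0.113.7", True, t0)
    log.append("jim", "203.0.113.7", True, t0.replace(hour=12))
    log.append("jim", "198.51.100.23", False, t0.replace(hour=15))
    log.append("jim", "198.51.100.23", True, t0.replace(hour=15, minute=2))
    return log


if __name__ == "__main__":
    log = demo()
    print("Last account activity:", log.last_activity("jim"))
    for e in log.unfamiliar_logins("jim", {"Pittsburgh, US"}):
        print("Login from unfamiliar location:", e.timestamp, e.ip, e.location)
    print("Chain intact:", log.verify_chain(), "| tampering detected:", detects_tampering(log))
```

The point of the hash chain is that a log the account holder can read is only useful if whoever broke in cannot also clean it up afterwards; with the chain, a removed or rewritten entry shows up the next time the log is verified, which is a check worth running before showing the "last activity" line.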
Posted Wednesday, February 19, 2014 2:26 AM
SSCommitted
Group: General Forum Members
Last Login: Yesterday @ 7:41 AM
Points: 1,593, Visits: 5,631
Jim P. (2/18/2014)
Robert.Sterbal (2/18/2014)
With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read only log?

Well, if you go to the bottom of a Gmail account there is a "Last account activity: 1 hour ago Details" link. It just tracks the IP and location that the account was accessed from in the recent past.


I'm pretty sure my online banking and credit card accounts all do that -- they have a note saying "You last logged in on X". They don't give full details of what transactions were carried out then, mind you.

Security varies between those accounts quite significantly, though -- the bank account requires a one-time authentication using my debit card and PIN (using a card reader device they supplied) as well as my login details; the first credit card account requires a username, password *and* PIN; but the other credit card is just plain username and password. OK, it does the usual trick of asking you to enter certain letters from your password rather than just typing the whole thing, but I actually think that's counterproductive because it encourages you to choose a shorter password (can you imagine trying to mentally count through your lovely secure 23-letter password to find the 22nd letter?).
Post #1542894
Posted Wednesday, February 19, 2014 2:45 AM
SSCertifiable
Group: General Forum Members
Last Login: Today @ 9:48 AM
Points: 5,466, Visits: 3,245
Authentication is a problem currently without a suitable solution.

That is what I think. I have yet to use a system that succeeds on the two criteria required:
1) Secure.
2) Usable.

For the record, I dislike the card readers. My bank issues one where you can check the PIN as many times as you like and it will helpfully tell you whether you got it right or not. OK, there are 9999 combinations, but I bet some smart person could pull it apart and automate the check, getting the PIN within a couple of hours at most. Maybe minutes or even seconds.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1542899
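The difference between the reader Gaz describes and one with a try counter, as an added example that is not code from any bank or card vendor: the same PIN check is run against every 4-digit value in order, once on a reader that answers every attempt and once on one that stops answering after three wrong PINs. The PIN, the limit of three tries and the keyed-hash storage are constructed for the demo (assumptions); a real chip card keeps the counter on the card itself and needs the issuer to unblock it.

```python
"""PIN check with and without a retry counter.

Added example for this thread (not code from any card reader). Assumptions:
the PIN is stored as an HMAC under a per-device key (a real card compares in
hardware), MAX_TRIES and the sample PINs are constructed values.
"""
import hashlib
import hmac
import os
from itertools import product

MAX_TRIES = 3


class PinChecker:
    """Simplified card-style PIN verifier.

    max_tries=None models a reader that answers 'ok'/'wrong' for every
    attempt (the behaviour Gaz describes); an integer models the try counter
    a real chip card keeps, after which the card refuses to answer at all.
    """

    def __init__(self, pin, max_tries=MAX_TRIES):
        self._key = os.urandom(16)          # per-device secret (assumption)
        self._digest = self._mac(pin)
        self.max_tries = max_tries
        self.tries_left = max_tries
        self.blocked = False

    def _mac(self, pin):
        return hmac.new(self._key, pin.encode(), hashlib.sha256).digest()

    def verify(self, pin):
        """Returns 'ok', 'wrong', or 'blocked' (no answer given once blocked)."""
        if self.blocked:
            return "blocked"
        if hmac.compare_digest(self._mac(pin), self._digest):
            self.tries_left = self.max_tries    # a correct PIN resets the counter
            return "ok"
        if self.max_tries is not None:
            self.tries_left -= 1
            if self.tries_left == 0:
                self.blocked = True             # this answer is the last one given
        return "wrong"


def all_pins():
    """Every 4-digit PIN from 0000 to 9999, in order."""
    return ("".join(digits) for digits in product("0123456789", repeat=4))


def answered_guesses(checker):
    """Feed PINs in order and count how many get a definite answer.

    Returns (answered, found): the number of attempts the device answered and
    whether the correct PIN was reached before it stopped answering.
    """
    answered = 0
    for pin in all_pins():
        result = checker.verify(pin)
        if result == "blocked":
            break
        answered += 1
        if result == "ok":
            return answered, True
    return answered, False


if __name__ == "__main__":
    for limit in (None, MAX_TRIES):
        reader = PinChecker("7391", max_tries=limit)
        answered, found = answered_guesses(reader)
        label = "no counter" if limit is None else f"{limit} tries"
        print(f"{label}: device answered {answered} attempts, PIN reached: {found}")
```

With no counter the device answers every attempt and the search always ends once the PIN's position in the sequence is reached; with the counter it answers three and then nothing, so the odds of reaching the PIN are three in ten thousand per blocked card rather than certainty. The counter is what makes the 9999-combination figure irrelevant, and it is the feature to look for in a reader rather than the size of the PIN.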
Posted Wednesday, February 19, 2014 5:41 AM
SSCrazy
Group: General Forum Members
Last Login: Yesterday @ 10:46 AM
Points: 2,734, Visits: 943
Surveys don't tell the whole story, but for sure social engineering makes people the weakest link in the chain.
If scams, spam and phishing were not profitable, they would not be increasing day by day.

Anyway, the hardest part of building a "public" system is making it both secure and user friendly.
Example: people hate captchas and confirmation emails.

And social engineering can do amazing things.
Do you know how to bypass Turing tests and captchas?
Just create a "free xxx site" and redirect the captcha images from the site you are hacking to it.

In no time you will have thousands of teenagers helping you break into that site.
Post #1542938
Posted Wednesday, February 19, 2014 6:45 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Today @ 9:55 AM
Points: 162, Visits: 1,817
Security is not a process of putting up impenetrable walls. Instead it is a calculation of cost and benefit; usually many parties are involved in the calculation, though not with a lot of transparency.
Post #1542973