SQLServerCentral
The Security of Interconnected Systems


Nadrek (SSCrazy)
Yes, we have newer rules to add to the old "never reuse your password" and "never reuse your security question" rules - "never reuse a credit card number".

Non-refillable Visa gift cards purchased with cash are your friend; use a different one for each account, and there should be no real way for an attacker to get from credit card number on site A to credit card number on site B.

Different refillable Visa gift cards are at least a little better than the same credit card number - it requires the attacker to go through whatever account is refilling both (all) the gift cards, so it's up to you whether or not you trust your bank, the gift card company, and whoever's in the middle (and who everyone sells the division doing the work to).

Robert.Sterbal (SSC-Addicted)
I give my credit card company a substantial amount of money by using the card and letting them collect fees for the transaction. For that consideration, I leave it up to them to dictate what should be done about fraud. If they want me to use a different card number for every vendor or transaction, I would, but they don't. It isn't where the fraud is.

With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read-only log?

Jim P. (Ten Centuries)
Robert.Sterbal (2/18/2014)
With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read-only log?

Well, if you go to the bottom of a Gmail account there is a "Last account activity: 1 hour ago Details" link. It just tracks the IP and location that the account was accessed from in the recent past.

Even that simple change could help. Once my gmail account was hacked. They sent a spam from my gmail account to my work e-mail so I caught it quickly. The account had been accessed from India. That told me it wasn't a casual mistake. Even that simple change could help.



----------------
Jim P.

A little bit of this and a little byte of that can cause bloatware.
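The two ideas in the posts above, a login log that nobody can quietly rewrite (Robert's read-only log) and a "last account activity" view that shows the IP and location of recent logins and makes an access from an unexpected country stand out (Jim's Gmail case), can be sketched in a few dozen lines. The following is an added example and is not code from the thread or from any forum member. It assumes an in-memory SQLite database, a constructed set of login events using documentation IP ranges, and that the country of each login has already been derived from the IP (a real system would do a GeoIP lookup; this example does not). Append-only behaviour is enforced by triggers, and each row is hash-chained to the previous one so that deletion or alteration is detectable even by someone who could drop the triggers.

```python
"""Append-only, hash-chained login log with a 'last account activity' view.

Added example, not from the original forum thread. Uses sqlite3 in memory;
all events below are constructed sample data, not real logins.
"""
import hashlib
import sqlite3

GENESIS = "0" * 64  # prev_hash of the very first row


def open_audit_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE login_events (
            id        INTEGER PRIMARY KEY,
            account   TEXT NOT NULL,
            ts        TEXT NOT NULL,
            ip        TEXT NOT NULL,
            country   TEXT NOT NULL,   -- assumed to come from a GeoIP lookup
            outcome   TEXT NOT NULL CHECK (outcome IN ('success', 'failure')),
            prev_hash TEXT NOT NULL,
            row_hash  TEXT NOT NULL
        );
        -- The log is append-only: reject UPDATE and DELETE inside the database.
        CREATE TRIGGER no_update BEFORE UPDATE ON login_events
            BEGIN SELECT RAISE(ABORT, 'login_events is append-only'); END;
        CREATE TRIGGER no_delete BEFORE DELETE ON login_events
            BEGIN SELECT RAISE(ABORT, 'login_events is append-only'); END;
    """)
    return con


def _hash_row(prev_hash, account, ts, ip, country, outcome):
    data = "|".join([prev_hash, account, ts, ip, country, outcome]).encode()
    return hashlib.sha256(data).hexdigest()


def record_login(con, account, ts, ip, country, outcome):
    """Append one event, chaining it to the hash of the previous row."""
    row = con.execute(
        "SELECT row_hash FROM login_events ORDER BY id DESC LIMIT 1").fetchone()
    prev_hash = row[0] if row else GENESIS
    row_hash = _hash_row(prev_hash, account, ts, ip, country, outcome)
    con.execute(
        "INSERT INTO login_events (account, ts, ip, country, outcome, prev_hash, row_hash)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (account, ts, ip, country, outcome, prev_hash, row_hash))
    con.commit()
    return row_hash


def verify_chain(con):
    """Recompute every hash in order; False if any row was altered or removed."""
    prev = GENESIS
    for account, ts, ip, country, outcome, prev_hash, row_hash in con.execute(
            "SELECT account, ts, ip, country, outcome, prev_hash, row_hash"
            " FROM login_events ORDER BY id"):
        if prev_hash != prev or _hash_row(prev, account, ts, ip, country, outcome) != row_hash:
            return False
        prev = row_hash
    return True


def last_activity(con, account, limit=5):
    """The 'Last account activity' view: latest successful logins with IP and country."""
    return con.execute(
        "SELECT ts, ip, country FROM login_events"
        " WHERE account = ? AND outcome = 'success' ORDER BY id DESC LIMIT ?",
        (account, limit)).fetchall()


def new_country_logins(con, account):
    """Successful logins from a country this account had never logged in from before."""
    seen, flagged = set(), []
    for ts, ip, country in con.execute(
            "SELECT ts, ip, country FROM login_events"
            " WHERE account = ? AND outcome = 'success' ORDER BY id", (account,)):
        if seen and country not in seen:
            flagged.append((ts, ip, country))
        seen.add(country)
    return flagged


def attempt_tamper(con):
    """Try to erase the foreign logins, as an intruder covering tracks would.
    Returns True if the database refused (the expected outcome)."""
    try:
        con.execute("DELETE FROM login_events WHERE country = 'IN'")
        con.commit()
        return False
    except sqlite3.DatabaseError:
        return True


# Constructed sample events (not real data); IPs are from documentation ranges.
SAMPLE = [
    ("jim", "2014-02-10T08:01:00Z", "198.51.100.7", "US", "success"),
    ("jim", "2014-02-12T18:22:00Z", "198.51.100.7", "US", "success"),
    ("jim", "2014-02-17T03:40:00Z", "203.0.113.9",  "IN", "failure"),
    ("jim", "2014-02-17T03:41:00Z", "203.0.113.9",  "IN", "success"),
    ("jim", "2014-02-18T09:00:00Z", "198.51.100.7", "US", "success"),
]


def demo():
    con = open_audit_db()
    for event in SAMPLE:
        record_login(con, *event)
    return {
        "last_activity": last_activity(con, "jim", 3),
        "flagged": new_country_logins(con, "jim"),
        "tamper_refused": attempt_tamper(con),
        "chain_ok": verify_chain(con),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The triggers stop ordinary SQL from rewriting history, but anyone with rights to drop triggers can still do so; the hash chain (or, better, shipping each row to a separate write-only log store) is what lets the account owner or an auditor detect that. Flagging "first login from a new country" is deliberately simple; it is the same signal Jim used by hand when he saw an access from India.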

paul.knibbs (SSCrazy)
Jim P. (2/18/2014)
Robert.Sterbal (2/18/2014)
With our online accounts what we need are logs, and access to them. Why shouldn't every login I make be written to a read-only log?

Well, if you go to the bottom of a Gmail account there is a "Last account activity: 1 hour ago Details" link. It just tracks the IP and location that the account was accessed from in the recent past.


I'm pretty sure my online banking and credit card accounts all do that--they have a note saying "You last logged in on X". They don't give full details of what transactions were carried out then, mind you.

Security varies between those accounts quite significantly, though--the bank account requires a one-time authentication using my debit card and PIN number (using a card reader device they supplied) as well as my login details; the first credit card account requires a username, password *and* PIN; but the other credit card is just plain username and password. OK, it does the usual trick of asking you to enter certain letters from your password rather than just typing the whole thing, but I actually think that's counterproductive because it encourages you to choose a shorter password (can you imagine trying to mentally count through your lovely secure 23-letter password to find the 22nd letter?).

Gary Varga (SSCoach)
Authentication is a problem currently without a suitable solution.

That is what I think. I have yet to use a system that succeeds on the two criteria required:
1) Secure.
2) Usable.

For the record, I dislike the card readers. My bank issues one where you can check the PIN as many times as you like and it will helpfully tell you whether you got it right or not. OK there are 9999 combinations but I bet some smart person could pull it apart and automate the check getting the PIN within a couple of hours at most. Maybe minutes or even seconds.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
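Gary's worry about the card reader is that an offline check which answers "right" or "wrong" for as many guesses as you like is exhaustible: there are only 10,000 four-digit PINs. The following is an added example, not from the thread or from any bank's reader, that simulates two readers and walks the whole PIN space against each: one with no attempt counter, and one that locks after three wrong guesses (the number three is an assumption; it stands in for the try counter a chip card keeps). The PIN is stored only as a salted hash so the simulation cannot simply read it back.

```python
"""Brute-forcing an offline PIN check with and without an attempt counter.

Added example, not from the original forum thread. Both readers are
simulations; the three-try lockout is an assumed value.
"""
import hashlib
import hmac
import itertools

SALT = b"example-salt"  # constructed; a real device would use a per-card secret


def _pin_digest(pin):
    return hashlib.sha256(SALT + pin.encode()).digest()


class UnlimitedReader:
    """Answers right/wrong for every guess and never stops answering."""

    def __init__(self, pin):
        self._digest = _pin_digest(pin)
        self.attempts = 0

    def check(self, guess):
        self.attempts += 1
        return hmac.compare_digest(self._digest, _pin_digest(guess))


class LockingReader(UnlimitedReader):
    """Same check, but refuses all further guesses after max_tries wrong ones."""

    def __init__(self, pin, max_tries=3):
        super().__init__(pin)
        self.max_tries = max_tries
        self.wrong = 0
        self.locked = False

    def check(self, guess):
        if self.locked:
            raise PermissionError("PIN locked")
        ok = super().check(guess)
        if not ok:
            self.wrong += 1
            if self.wrong >= self.max_tries:
                self.locked = True
        return ok


def all_pins(length=4):
    """Every PIN of the given length, 0000 .. 9999 for length 4."""
    return ("".join(digits) for digits in itertools.product("0123456789", repeat=length))


def brute_force(reader, length=4):
    """Try every PIN in order.

    Returns (recovered_pin, attempts_made); recovered_pin is None if the
    reader locked before the search finished.
    """
    for pin in all_pins(length):
        try:
            if reader.check(pin):
                return pin, reader.attempts
        except PermissionError:
            return None, reader.attempts
    return None, reader.attempts


if __name__ == "__main__":
    print("no counter:", brute_force(UnlimitedReader("7391")))
    print("3-try lockout:", brute_force(LockingReader("7391")))
```

Against the counter-less reader the search always succeeds within 10,000 checks, which is why the reader's hash is irrelevant: the weakness is the unlimited oracle, not the storage. The locking reader ends the search after the third wrong guess, so an attacker who has the card and reader gets at most a 3-in-10,000 chance per card.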

jcb (SSCrazy)
Surveys don't tell the whole story, but for sure social engineering makes people the weakest link in the chain.
If scams, spam and phishing were not profitable they could not be increasing day by day.

Anyway, the hardest part of building a "public" system is making it both secure and user-friendly.
Example: people hate CAPTCHAs and confirmation emails.

And social engineering can do amazing things.
Do you know how to bypass Turing tests and CAPTCHAs?
Just create a "free xxx site" and redirect the CAPTCHA images from the site you are hacking to it.

In no time you will have thousands of teenagers helping you break into that site. :-P

Robert.Sterbal (SSC-Addicted)
Security is not a process of putting up impenetrable walls. Instead it is a calculation of cost and benefit; usually many parties are involved in the calculation, though not with a lot of transparency.