4 posts tagged “security”
I don't know if you know the name Christopher Soghoian, but he's the Ph.D. student at Indiana University who created a website that allowed visitors to create a fake Northwest Airline Boarding Pass as a way of pointing out the flaws in the security system for preventing non-passengers from getting through the security screening.
My wife and I discussed how easily creating a fake boarding pass is as soon as the requirement was implemented. It is just another step in creating the perception of security in the minds of the public. (As a possible justification, since most people won't try using fake passes, it does decrease the number of people that are under surveillance in the boarding areas. I still think it's mostly perception management because a hijacker wouldn't balk at using a fake pass.)
When I first heard about this site, I was shocked at the boldness of Christopher. I applauded his commitment to exposing the truth of this "security measure" while fearing the worst for his personal wellness. Apparently, he had good legal counsel from the outset because he won't be prosecuted by the federal government. Hooray! Check his blog for more information: http://slightparanoia.blogspot.com/2006/11/good-news-and-bad-news.html
Today, I read an article about a man who used an mp3 player that can record sound to record the phone line transmissions from ATMs in shops and bars. http://www.theregister.co.uk/2006/11/18/mp3_player_atm_hack/ While the headline is catchy because it uses the term "mp3 player," the important thing is that the phone line was accessible and the tones recorded. The recorded tones were then decrypted and used to clone cards, complete with the PIN numbers.
This type of fraud isn't unique to the machine itself. There are many scams for ATMs (as you can see from the Register's associated links). Even scarier was the coverage of a Russian crime ring a while back that legitimately licensed a chain of independent ATMs (the kind you find all over the place that aren't associated with a specific bank and have steep transaction fees) and turned out to be swiping all of the customer data for ATM card cloning & identity theft.
I think that given the relative ease of committing fraud, a simple rule of thumb to lower exposure to risk is to only withdraw funds from established bank ATMs except in the rare "emergency."
Cellphone security is something that I'm not very knowledgeable about, but there are some folks who know a lot about it. Read this article for information on how easily someone can reprogram your phone to make it call them every time it gets a call, and you'll never know.
http://www.itwire.com.au/content/view/7216/127/
I would say that the attacker could take it a step further and have the 800 # called go to a voicemail service that simply logs every call. Suddenly, there are audio file transcripts of every call you've made. Send this through a voice to text filter and they've got an easily searchable transcript of every call you've made. SCARY!
It seems the system SMS process is broken and needs a layer of authentication and phone user approval to prevent this exploit.
Today I had to reset my BarnesAndNoble.com password because I hadn't shopped there in such a long time that the notes I had for my account info weren't working. After entering my email address, I received an email stating
"To ensure the security of your account, we require you to reset your account password. Please click the link below. You'll be asked to enter the last 4 digits of a credit card number you have used previously at www.bn.com. Once you complete that step, you'll be directed to reset your password. The link is active for 24 hours."
This seemed reasonable until it became apparent that I hadn't used any of the cards I've been using the last few years to shop there. After the first few tries it became apparent this is a ridiculous measure for anyone with more than a few credit cards. I was almost unable to finish the reset until I remembered an old credit card stuffed in a drawer that turned out to be the one.
Cycling through the digits from my entire group of credit cards didn’t fill me with confidence in the security of the system, but it did cause me to get so annoyed that I considered avoiding ever shopping at barnesandnoble.com again.
I appreciate the importance of multi-phase authentication architectures, but calling for information that isn’t likely to be known by the user (what card did I use when I shopped at B&N?) is bad design.
A better solution?
Because I'm focused on answers, here's what I would propose instead. Ask for another piece of information that the user is likely to know.
This could be in the form of a multiple choice question. A great model for this approach is the credit reporting agency websites. They'll have a question like, "How much was your mortgage amount?" and list various options. Applied to B&N, this could be something like "To whom have you shipped a gift purchase?" List five choices with four of the choices being randomly generated fictitious people (or all fictitious with "none of the above" as an option).
If it's really necessary to authenticate based on the credit card, the system could display the last four digits of the credit card and ask for the associated verification number. Just don't make the user go through the tedium of entering every possible card until they get lucky. Obviously, if the user needs to reset their access info, they have probably been away from the site long enough to have forgotten the details of any transactions that may have taken place.
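To make the multiple-choice proposal concrete, here is an added example (not code from the post or from B&N) of a reset challenge that mixes one real gift recipient from the account's history with four fictitious names, ties the challenge to a 24-hour reset token as the e-mail above describes, and locks the challenge after a few wrong answers so the 1-in-5 odds can't be brute-forced. The account data and distractor names are constructed for the example.

```python
import hmac
import random
import secrets
import time

# Constructed sample account (not a real customer) and made-up distractor names.
ACCOUNT = {
    "email": "user@example.com",
    "gift_recipients": ["Alice Example", "Bob Sample"],
}
DISTRACTOR_NAMES = ["Carol Fictitious", "Dan Madeup", "Erin Invented",
                    "Frank Nobody", "Grace Placeholder", "Hal Imaginary"]
TOKEN_TTL_SECONDS = 24 * 60 * 60   # reset link active for 24 hours, as in the post
MAX_ATTEMPTS = 3                   # a guesser gets three tries, not unlimited ones

def build_challenge(account, rng=None):
    """Return a reset challenge: a random token, five shuffled choices and the
    index of the real recipient. Four of the five names are fictitious."""
    rng = rng or random.SystemRandom()
    real = rng.choice(account["gift_recipients"])
    choices = rng.sample(DISTRACTOR_NAMES, 4) + [real]
    rng.shuffle(choices)
    return {
        "token": secrets.token_urlsafe(32),
        "issued_at": time.time(),
        "choices": choices,
        "answer": choices.index(real),
        "attempts": 0,
    }

def verify_answer(challenge, token, chosen_index, now=None):
    """Check one answer and return 'ok', 'wrong', 'expired' or 'locked'.
    The token is compared in constant time, the challenge expires after
    TOKEN_TTL_SECONDS, and after MAX_ATTEMPTS wrong answers it is locked."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(challenge["token"], token):
        return "wrong"
    if now - challenge["issued_at"] > TOKEN_TTL_SECONDS:
        return "expired"
    if challenge["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    challenge["attempts"] += 1
    if chosen_index == challenge["answer"]:
        return "ok"
    return "wrong"
```

The card-verification-number variant the post also mentions is harder to build safely, because PCI DSS forbids storing the verification number after authorization, so a site cannot have it on file to compare against.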
(For completeness, the B&N web team did allow a user to create a new account, but why would I want to do that? Will I lose my account history? What's the impact of that option? I shudder to think of where that route would have led.)