This is a totally legit response. After all if something goes wrong they must have followed "best practices". No reasonable person would expect them to do more.
And it's true (if you only consider the needs of the business). This is a solid strategy for getting lawsuits dismissed. I've seen it in physical security too [+]. It only took one investment bank to put badge-checking turnstiles in place and then they all had to do it. That stuck with banks only for a while until one more conventional business did it...and now I was at Twitch the other day and they have it.
Of course who's missing here is the customer. But the customer's needs aren't paramount: the business's are -- and more specifically the manager who has to spend the money on security. If they have put in just enough that they won't get fired when it fucks up, and if they saved money and effort in the process: WIN!
[+] my favorite physical security story is old, so at the end: when leaving Intel's Santa Clara fab in the 1990s you would have to hand over your briefcase for inspection to make sure you weren't leaving with any Intel documents. They didn't care if you had floppy disks. Why? Because this was a defense against shareholder lawsuits and "what else could the guards do?" This is where I learned the explanation above: once anyone in the industry increased plant security they all would have to, which nobody wanted. So LCD was the name of the game.
2. LCD = lowest common denominator in this case?
1. I don't really give a shit either way when I encounter one but as a businessman I am against them as something I should have to pay for. My points were twofold:
A> there's a game theory/cartel issue around "best practices", and you basically have no liability if you provide the "standard of care". This is true in security practices, medicine, etc.
And B> there is often an incentive mismatch between the implementor of a process and those subject to it which biases aggressively down or up, against gradualism. The most visible extreme is TSA in which the risk of letting a shoe bomber through is extremely high (i.e. the decision maker would lose their job if it actually happened) while the cost is borne by all the miserable travelers who, realistically, face essentially epsilon risk of actually encountering such a device.
So we have no idea if any of these has actually improved security. It's possible that just no one has tried since 9/11 because there was no reason to.
 Although I'd say the more likely problem is that the personnel doing the screenings may be ineffective, rather than the fairly-standard-worldwide screening methods they use.
 Which in all honesty is quite impressive. Immediately after 9/11 I'd never have guessed we'd go 16 years not only without another 9/11-scale attack, but no attacks on airplanes at all. It's not yet as good as Israeli airport security's 41-year perfect record, but it's nothing to sneeze at.
Apart from the fact that it is totally untrue?
(I was being sarcastic about "legit" -- it's only legit from the selfish POV of the web admin)
But almost as bad: websites that insist on over-elaborate security measures for trivial stuff. Take a bow, HM Revenue & Customs:
> You’ve got a new message from HMRC
> Dear Fred
> You have a new message from HMRC about Self Assessment.
> To view it, sign in to your HMRC online account. For security reasons, we have not included a link with this email.
> Why you got this email
> You chose to get paperless notifications instead of letters by post. This means we send you an email to let you know you have a new message in your account.
> From HMRC Self Assessment
And HMRC have mandatory 2FA. So to read the spam they've sent me - and it is pretty much spam, it says "you need to do your self-assessment before next January", I know that already - I need to go through the rigmarole of entering my Government Gateway number, which I don't remember but starts with a 4 or something and hopefully that will be enough for Chrome to autofill it, then authing with my mobile phone. Which I think I left upstairs or something. Wait while I ring it with the landline to find where it is.
Seriously, I might just go back to getting letters by post.
Edit: No. My Government Gateway number which starts with a 4 is my company one. My Self-Assessment login appears to be a different number.
People elsewhere in the world, whenever anyone tells you that the UK Government Digital Service is a beacon of usability and good practice, please don't believe them.
Famously HMRC resists everything GDS has ever tried to do, and after GDS built an entire system for secure gov ID login which is deliberately not tied to a single vendor, HMRC refused to use it and instead is building another one, which is locked to a single vendor in perpetuity.
Search "UK GDS HMRC" for a sample of just the most recent bit of tiresome Whitehall infighting.
[Edit: Oh, and -- the identity system that HMRC wants is a replacement for its nearly-20-year-old pre-existing one. This may or may not have anything to do with the fact that it's insecure in a massively corrupt way. http://www.bbc.com/news/technology-38979144 ]
I guess HMRC took one look and said "this not sufficiently bureaucratic for our needs". In general I liked the HMRC much better than the IRS, but I was sort of shocked to receive a paper cheque for my refund as it was the only time I ever saw a check in the UK. They have their ways I guess.
Whenever I read of yet another multi-billion pound failed IT project by SAIC or the like, I always wonder why on earth they didn't just let GDS at it.
If GDS can't get their claws into HMRC then Government digital (lower case) is pretty broken.
If users can be trained to see "Login to your bank account to see the message", that's much better for their own security.
I got an email using the PayPal template headed "Dear PayPal Customer" once. The copying was so faithful that it preserved the footer at the bottom noting "Communications from PayPal will always address you by your name, never as 'Dear Customer' or similar".
So there can still be ways to tell the difference. Point of interest: would it be more alarming to the PayPal-using public generally if their fake emails omitted that footer, or if the fake emails preserved the footer while still addressing the victim as "dear customer", as happened with mine? You, the phisher, can't avoid having some difference between your email and legitimate email, but you can choose how much and what kind.
Doubleclicking text fields or pressing the Down arrow key (with the textbox focused) sometimes produces helpful responses.
If you're just dealing with numbers, though, you only have ten possibilities for the first digit, and actually typing a character is likelier to have higher chances of success.
It's basically crying wolf. Next time they have something really important to tell me, I suspect I'll just go "nah, it wasn't important last time, I can't be arsed to spend three minutes logging in" and delete it.
This guy is notorious for writing crap like this. But according to the powers that be, he's a 'god'.
The funnier bit? This site is RSA protected.
They also had a contest for their agents and the database they used to store all of the entries and information was an access database that happened to be sitting in the public directory for the website to simply serve to anyone who knew to request the database.
Seeing so much "security" makes me realize that a large majority of sites out there are a complete shit show, especially if the companies I worked for / with couldn't get it right and they actually had some money to their name.
This guy is special.
What does that even mean?
A one-time, time-based hash as 2FA. Despite using this 2FA, the bad code completely circumvents it.
1) This is one of the largest banks in the UK and they don't accept special characters?
2) If you store my password encrypted (as you should be!), how could you remove any characters from it?
I sent them an official complaint, they replied saying their security is fantastic and there is nothing to worry about, I closed my account a week later.
It's clearly not as secure as it could be, and it's annoying to work out too - I wish they'd just do normal 2FA. Those plastic keyfobs HSBC use are even worse.
For the record, I think services should ideally offer all three options (SMS, TOTP and physical device), since the biggest problem in security is actually getting users to use ANYTHING at all, and something like SMS that offers 99% of the protection in return for easier setup/ease of use is well worth it.
It's silly but probably has to do with some percentage of customers not realizing that - and _ aren't the same character or something.
This really makes me want to write a "Stupid security questions generator" website.
e.g. In what town did you first meet your best friend? "potato".
Sometimes I use a straight up password generator for the answers. Hope I never have to give those out over the phone.
I filled the security answer for my Blizzard account with random ascii garbage, which I didn't record, confident that I would always know my password.
That was true. But Blizzard disabled my account for purchasing time codes with a credit card other than the one that my account designated "preferred payment". (The card I was paying with was also listed under my account, but it wasn't "preferred". I have no idea what attack they think they're defending against.)
I had to call in. Phone-based customer service accepted "I don't think I can give you the answer to the security question" as a valid answer.
"PRO TIP: To hack the account of a network security engineer, call support and tell them your mother's maiden name is a bunch of hex digits."
"potato" "potato" "potato"
then they tell you that you can't use the same security answer for multiple questions
...... and that's when I nope out
A safer option is to just generate a random password for those questions as well and store it on your password manager.
If your grandmother is living and has a single dog, as 'security questions' go that would strike me as being pretty good.
The site doesn't have to know you're making it up.
0: Obviously, it'd be better if your idealized grandma spoke with your password generator beforehand, and therefore named her dog something less guessable, like `ff627f056c51b694e2e5d0bdc168c647`.
If the answer is unique when you create it, but a new dog comes into the picture when you need to recall it, I doubt that's going to cause much of a problem. Maybe you get it wrong once and try again - you're only going through this because you already forgot your password.
* companies running a website and collecting customer data must have an incident response plan laid out.
If we punish bad service providers reported by consumers, why can't we do the same? We are talking about companies ignoring and downplaying even the most low-hanging fruit vulnerability, and companies that don't understand web security because the workers there have no clue what they are dealing with. If we can't raise our cyber security awareness and education domestically, then we fail at being a top technology leader in this world. I don't expect every company to hire a security engineer; perhaps it could be done under some managed services.
Voluntary, socially-enforced customs are better. Things like the MPAA rating system have successfully staved off government intervention. Such standards are much more flexible.
We already have this de-facto via TLS and the browser's angry messages if you don't comply with their expectations, but it'd be interesting if browsers started running a more thorough security verification program and giving preferential treatment to sites that implemented it.
That is also scary because it centralizes more control in browser manufacturers (which, today, means Google almost as much as it meant Microsoft in the oughts). But still better than the government I guess, and blocking a site in software is much more motivating than the risk of a fine for non-compliance.
In case most of you didn't know/forgot: a large amount of the modern security practices on the web are due to browsers making it easy for sites to attack users, and making MITM trivial. The most common attack vector is literally the browser and protocol design, not a bug in the browser.
Also, to replace passwords, all you need is TOTP. You can combine TOTP with a 2nd factor for a little boost, but TOTP is much better than passwords, and more convenient when automated. Combine this with password reset and one-time use codes and the majority of users would not need to remember more than one or two passwords (the password for their e-mail or OAuth provider). You can also password-protect the shared secret to protect data at rest (some VPNs do this as an alternative to physical tokens).
A protocol extension could define a handshake to negotiate TOTP tokens. The browser would generate a token with a plugin and send it securely after prompting the user to authorize it, and optionally try to verify the identity of the site. It could be extended to rotate the shared secret after an expiration period.
Also, it's about time we defined a better secure mail standard so we can rely on password resets to be valid and eliminate phishing.
They rely on public key auth, which is more complicated and less reliable than a simple TOTP token. Considering that web browsers already support public key authentication but nobody uses it because their design is a UX garbage fire, I don't think that scheme will work well.
Other things are problematic too, like scripts (rather than the web server) having control of the process; this is an unnecessary attack vector. They also depend on browser-specific technology which limits how this system can be extended to other clients. This spec was clearly written by a JS developer, for JS developers.
This should not be a "web standard". Service providers that need strong authentication for HTTP don't only use web browsers. It will be more useful to be able to support existing applications through the use of an HTTP extension, rather than updating every single web app in the world to support this scheme.
In fact, now that I think of it, you could tack TOTP onto existing HTTP authentication right now! Just allow "TOTP:<token>" as a password entry. I don't know why I didn't think of that before.
A former employer of mine had internal security questions. Five of them. They were all inane questions, the "favorite movie?" type, so I came up with a somewhat random answer and used the same answer to all of them. The one time I had to use it, the representative asked all five questions, and I gave him the same ridiculous answer each time. He did it all with a straight face somehow, and looking back, I don't know why I didn't stop him at the fourth question to ask "if I knew the first three, you really think I don't know the last two?"
That actually was a typo. Amazingly, a typo that has earned me a -3 downvote so far...
People seem really freakishly touchy about word choice around here lately. Honestly, that's likely to make me care less about their delicate sensibilities.
They _assume_ card numbers will get stolen all the time and invest in identifying suspicious behavior. And all behavior is 100% auditable all the time. Security isn't just about authentication/authorization. I wish more websites assumed passwords might get phished and thought through how to protect users in that case.
My credit card numbers are one of my pieces of private information I feel _least_ apprehensive about sharing.
I think they can be used with a signature too? Maybe? I've never heard of anyone actually signing a bill instead of using the pin, and besides, I don't even sign my cards.
I'm talking about credit cards, mind you. Debit cards are different, and while in my country Visa Electron doesn't require anything but a signature, it's entirely possible if I tried to use it abroad they'd ask for a pin code. Not sure.
I'm not saying there aren't cards that need signing, but I've literally never seen any.
I've done some reading and now I believe it depends on the country which issued the card (as opposed to the country where you're using the card). So if you have a card issued in the US or Latin America, you probably won't be asked for a PIN -- because you don't have one -- and instead you'll be asked for ID and your signature. If you have a card issued in Europe, you'll be asked for a PIN.
Interesting. A PIN seems safer than a signature to me, or possibly the combination of chip + PIN, but it simply doesn't get used where I live.
Parent comments are talking about online purchases, for which your PIN is not needed.
Now I've done some reading, and it seems my country (in Latin America) is following US standards. It seems US-issued credit cards only require signatures, even when used abroad, and only recently (as far as I can google it) are they slowly starting to switch to either PIN or chip-based cards. Newly issued cards where I live have chips (this is a relatively recent development), and I'm not sure exactly how they are supposed to be safer than magnetic stripe cards; they also don't require PINs.
Just means I don't care to shop there, it's a pain.
It is also a UX nightmare. The browser you are reading this with almost certainly supports it, but try to see if you can find the menu option to install one.
Something like your proposal may work if it involves a one-way hash of biometric data (fingerprint scan) so that people can't "lose their cert", but that comes with its own problems too.
Such as: biometrics make terrible passwords because they can't be changed. Once compromised (3D printed fingerprints, anyone?) then you are forever compromised. Just in case someone wanted an example of why biometrics are terrible.
Does anyone here buy from auction sites often? Those are a nightmare, they let the sellers do pretty much anything and very few accept paypal (they're THAT stingy) - sellers on liveauction.com routinely ask buyers to provide credit card info over email. It looks like a lot of sellers are flocking to these because ebay is too strict, wait, I mean "sane".
* inactivates your account if your account is negative.
* one reason for negative account is the credit card is expired.
* you cannot update your credit card if the account is inactive.
However, if the password was encrypted, they shouldn't really have this information, should they? So by asking for it, they're basically admitting everything's stored in either plain text (very bad) or a reversible form of encryption (also quite bad).
There are other complaints about this too (like accidentally encouraging people to write the passwords down so they can figure out which character is the 3rd one or what not):
And it also doesn't seem much like a good deterrent against keyloggers. But yeah, quite a few banking sites do this, which is a tad worrying.
If I were designing a new product today, I would never consider having usernames and passwords. While it is a shame Mozilla killed Persona before it could even have a chance, it is still way, way more reasonable to use third party signin buttons than to try to do it on your own. Again. Brokenly. For the thousandth time per person.
It is a shame that one button alone does not work, but OpenID Connect alone includes Google, MS, and Amazon (so one login backend and three click buttons and you are covering probably 99% of people, who will have one of those three accounts).
If there were a true, privacy-oriented product whose sole job was identity, perhaps.
Usernames and passwords are not hard. It's just that a lot of people are stupid.
LOL at 'reducing virus noises' too.
It’s even worse when these “security” questions are coupled with the “Monday-Friday, 9-5 ET” phone numbers. I once had a mobile login “lock out my account” on a Friday night and I was informed that I could not unlock it without calling one of those numbers and answering my “security” questions. So instead of having access as a customer, I had over two full days of nothing, followed by the obligation to find time to call these people, followed by the awkward process of wondering if I would even remember the damned questions or answers. Every last bit of that process is broken, wrong, unnecessary, adds no security, and disrespects customers.
And in case you think account-lockouts are any better, consider that it is TRIVIAL to use this as an attack. Someone you don’t like? Odds are you can find their E-mail log-in. “Guess” their password 3 times, and they can’t access their account at all for some extremely-inconvenient length of time. Ever-increasing delays between log-in attempts work just fine as an alternative to lockouts.
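An added example (not from this thread or any service mentioned in it) of the alternative the comment above proposes: ever-increasing delays between attempts instead of a hard lockout. `LoginThrottle` doubles the wait after each consecutive failure and caps it; `HardLockout` is the scheme being criticised, freezing the account for a fixed period after N failures. `attempt_login` and `owner_wait_after_attack` are helper names made up for this example, the "owner"/"guess" inputs are constructed, and the plain-text password dictionary stands in for whatever hashed store a real service would use.

```python
import hmac
import time


class FakeClock:
    """Constructed stand-in for time.monotonic so the scenario runs instantly."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class LoginThrottle:
    """Per-account exponential back-off. A failure doubles the wait before the next attempt
    is honoured (capped at max_delay); a success, or simply waiting, restores access.
    Nothing is ever locked, so deliberate wrong guesses by a stranger cost the real owner
    at most max_delay seconds instead of days."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self._state = {}  # account -> (consecutive failures, not-before timestamp)

    def retry_after(self, account):
        """Seconds still to wait before an attempt for `account` will be evaluated."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, account):
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        self._state.pop(account, None)


class HardLockout:
    """The scheme the comment warns about: N failures lock the account for a fixed period,
    regardless of who caused them."""

    def __init__(self, max_failures=3, lock_seconds=48 * 3600, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._state = {}  # account -> (failures, locked-until timestamp)

    def retry_after(self, account):
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record_failure(self, account):
        failures, locked_until = self._state.get(account, (0, 0.0))
        failures += 1
        if failures >= self.max_failures:
            locked_until = self.clock() + self.lock_seconds
        self._state[account] = (failures, locked_until)

    def record_success(self, account):
        self._state.pop(account, None)


def attempt_login(policy, passwords, account, password):
    """Returns ('ok', 0.0), ('wrong', seconds_until_next_try) or ('wait', seconds_left).
    Attempts made during a wait are not evaluated and do not count as failures, so the
    delay, not the attacker's request rate, bounds the guess rate."""
    wait = policy.retry_after(account)
    if wait > 0:
        return ("wait", wait)
    stored = passwords.get(account, "").encode()  # real systems compare against a hash
    if hmac.compare_digest(stored, password.encode()):
        policy.record_success(account)
        return ("ok", 0.0)
    policy.record_failure(account)
    return ("wrong", policy.retry_after(account))


def owner_wait_after_attack(policy_factory, failures=3):
    """Scenario: a stranger fails `failures` times (waiting out any back-off between tries),
    then the real owner types the right password. Returns the owner's result."""
    clock = FakeClock()
    policy = policy_factory(clock)
    passwords = {"owner": "correct horse battery"}  # constructed
    for _ in range(failures):
        clock.t += policy.retry_after("owner")
        attempt_login(policy, passwords, "owner", "guess")
    return attempt_login(policy, passwords, "owner", "correct horse battery")


if __name__ == "__main__":
    print("throttle:", owner_wait_after_attack(lambda c: LoginThrottle(clock=c)))
    print("lockout: ", owner_wait_after_attack(lambda c: HardLockout(clock=c)))
```

With the default settings the owner is delayed four seconds after three hostile failures under the throttle and 48 hours under the lockout; the throttle's cap also means that even unlimited hostile attempts leave the owner waiting at most five minutes, while the guess rate stays bounded by the delay rather than by how fast requests arrive.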
Absolutes are the wrong language. It adds a significant burden (steal the user's phone account), which if nothing else requires individual attention, which drastically changes the economics of an attack vs, say, mass automated attacks using leaked passwords checking for re-use. Sure, you and I might have unique randomly generated passwords for our accounts, but not everyone is so careful, and SMS verification can and does save many an account.
I got an email on 4th April, 2017 that reads as follows:
This weekend, our Security Intelligence Team detected an incident
affecting HipChat.com that may have resulted in unauthorized
access to user account information (including name, email address
and hashed password). Atlassian ID is used to manage access to
your HipChat.com account and other Atlassian services you use.
The password is encrypted using bcrypt with a random salt. In
our security investigation, we found no evidence of unauthorized
access to financial and/or credit card information. We can also
confirm that we have found no evidence of other Atlassian systems
or products being affected.
As an added precaution, we have reset your Atlassian ID which is
used to access all Atlassian services, including HipChat. Please
go to https://id.atlassian.com/login/resetpassword and enter your
email address to trigger a password reset email for your Atlassian
ID account. If you have been using your Atlassian ID password on
other sites, services or online accounts, we recommend that you
immediately change those passwords as well.
Please refer to the HipChat Blog at http://blog.hipchat.com for
additional information about this incident. We regret any
disruption this may have caused and appreciate your immediate
attention. If you have questions, please do not hesitate to
contact HipChat Support via our support portal or by sending email
directly to email@example.com.
– Ganesh Krishnan, Chief Security Officer
I think if you tweeted at them they would release an email list to you for updating the https://haveibeenpwned.com/ website. I imagine there's still a lot of people that are unaware that their details are out there and that their accounts are vulnerable.
Additionally you can use the previous warning emails to really target somebody as one of the few that need "further recovery/security" steps. This is a security issue.
I didn't get an email from the email checking website - I assume they haven't disclosed a database of emails with him.
As an added precaution, we have reset your Atlassian ID
which is used to access all Atlassian services
The "Here, hold my beer..." line is totally played out at this point, anyway, but the usage here doesn't even make sense. The implication is that you're about to do something stupid, not that you're about to tell us about some stupid things other people have done.
Why would I need to hold your beer while you tell me a story?
test, Burdur, Eastern, Hong Kong , Hong Kong
Daytime Contact Number: 1234567890 ; Mobile: 55555555
I think the author is knowledgeable, but .. please make it more readable
And which will you remember better... a crazy story that you would never do, or a dry 10-point list, half of which may not be applicable to you?
I've lost count of how many websites I've used that were blatantly insecure. Sometimes you have no choice but to do it, like when I had to apply for a Brazil travel visa. Their SSL certificate has expired, and has been expired for years now.
I used to feel almost like an imposter when I first started but I've seen so many "experts" who have been selling their services for decades yet they don't understand even the fundamentals of their profession. We already require licensing professionals for many things which are arguably less important than a lot of websites. I think a fair balance could be struck here to make sure that large businesses like Betfair can't get away with this crap yet not stifle hobbyists or businesses whose websites don't pose any appreciable risk.