The worst part is Markus stores his passwords in plaintext, or slightly better reversible encryption.
POF will mail a person their password. This is a security nightmare because basic precautions were not taken.
I just checked and POF is still able to reproduce and email me my password. I also checked the email I use for POF and there is no mention of this in any of their emails. If markus took this seriously at all he'd be resetting everyones password and have instructions to reset their email password.
"We have reset all users passwords and closed the security hole that allowed them to enter." This is a lie, I just logged in with my username and password. I wasn't even asked on login to change it.
I don't know what it's like now, since I haven't used POF since 2008 or so when I met my current girlfriend (though I only remembered to kill the account a few months back), but back then they would actually send you reminders every so often - I want to say once a week - that included your plain text password as a reminder.
I think this is just the kick in the ass I needed to go through all my accounts around the internet and make sure they all have unique, reasonably complex passwords. My email and banking passwords have always been unique, but I know I've been slack elsewhere. I won't let that happen again.
Having just a password to protect your bank account sounds pretty scary to me. That's about as juicy as it gets. I'm paranoid enough about my servers having 'just' a password to protect them (oh, and an ACL), if my bank accounts would have only a password I wouldn't sleep.
Every time I log on I have to use my chipcard in a little electronic device with an LCD display and a bunch of buttons on it, the chipcard generates a unique ID every time I log in. When I want to do an actual transaction I have to authorize it using 1, 2 or 3 challenges depending on the amount and destination of the transaction. It's less convenient than a password protected system but it's fairly secure.
It's also protected against the most common form of theft called 'skimming' because it uses the chip and not the magnetic stripe so a thief using the data on a skimmed card could only use that to use an ATM but not to access the internet banking section of the website of my bank.
The downside is that there's now a single point of failure, albeit with more factors. If you get someone's CPR number, their NemID password, and their current NemID card with some indication on it of which the next unused code is (most people mark off the used codes), you can log into everything: all Danish banks, the tax authority, the municipal authorities, your library account, etc., etc.
They do try to minimize it by writing strongly worded warnings everywhere not to store your NemID password in your wallet. A typical wallet contains a Danish health card with CPR number, and the NemID code card, so it's fairly important that the NemID password not also be there.
If is impossible to protect against your own family: the have hardware access to your computer, they can intercept all your paper mail, they know all details about your life, etc. So they are the perfect identity thieves.
Some Danes think they are clever and scan the paper card and store it as an image on their computer. Some people are just impossible to make a secure access system for.
The upside of the downside is that if anybody gets hold of your login details, then there is a single place to stop them instead of having to change 20 logins.
BTW. "NemID" translated to English is "EasyID". Within the next year, a hardware dongle will be available (e.g. for users who often login and uses up all the codes on a paper card in no time).
1. UserID is your date of birth and some random-ish number appended
2. It asks for three random characters from your password and your PIN
3. For any transaction you have the chip-card-plus-calculator-looking-device (and you need to know the pin for that.)
Personally I'm happy enough with the German system (username, password, random TAN from a piece of paper). At least I will be until my kids grow up :-).
Do you always have to pick the next one-time code in the printed sequence? In Germany, you used to be free to pick any of the unused TANs, which made phishing really simple. Nowadays it's more common for a bank to challenge you to a randomly chosen TAN.
Unfortunately, such a thing seems all but unheard of here in Canada.
Our debit and credit cards are being replaced with cards with chips embedded, which could be a sign that such devices are coming, but for now I'm afraid my password is my only real line of defense online. I have noticed that when I login from a new computer (for example, when I visit my parents), the site uses one of my challenge questions to ensure it's really me. I guess that's something, although I really don't know the exact circumstances that trigger the challenge.
Don't quote me on this, but I think banks are starting to lean on "possession of a trusted mobile device" as their two-factor authentication. The basic theory is that I give them a number I can receive SMSes at, and then any time they want to verify that the person operating my web browser is really me, they say "We just sent you a one-time password via SMS. Enter it, resend it, or talk to customer service."
This has significant advantages over dongles from the perspective of the bank: they don't have to get into dongle distribution, and people are probably better at keeping cell phones available than they are at keeping dongles available.
I click a button, they SMS a 6 digit code, I enter it, money transferred (or bill paid).
http://www.commbank.com.au for those who don't get the joke.
Most banks use the "you only get to try three times before your account is locked" method of security. It's pretty hard to bruteforce a password with only three attempts before you have to call customer service. At that point, you might as well print out a fake driver's license, walk into a branch, and ask to close "your" account.
Of course, like anything, there will be vulnerabilities, and in the interests of usability, some issuing banks will relax restrictions.
Because of the crypto involved in the back and forth communication between hardware and card, EMV transactions piss off a lot of customers, it can easily take 2-3 times more time to process a transaction when compared to a mag-swipe.
Though it does reduce the chance of your card getting skimmed. (Skimming is where your details are captured during the swipe. Yes, a swipe through the appropriate device reveals all the information required to completely duplicate the card.)
I'm not sure why, but I've seldom seen EMV transactions take longer than a regular swipe, but this might be because both 1 second * 3 is still not that big of a deal. (Or for all I know, it might be because they are only validating the credit card number..)
The interesting thing is that skimming is still possible, at least in Norway. It still happens that there is some kind of communication problem with the EMV system, and swiping the card is the fallback option. I guess this option will be turned off as soon as it works "all the time" and they can remove the magnetic stripe.
Correct, in fact there already are. Most of those will require at a minimum a hardware hack or access to transactions 'in progress' (modified terminals) and will usually only gain access to the data that is stored on the magnetic stripe, not to the other data stored on the chip (the chip contains a duplicate of the stripe data and some other data only available on the chip and not sent out over the wire used in challenge/response fashion).
The system is not 100% secure but is a bit better than just having a password and the fact that it requires access to the original card makes it a lot harder still (those cards can be stolen though, and combined with a bit of hardware and a 'yes' card (a card that always responds 'transaction authorized') you could fool online payment terminals).
But that's still a step removed from gaining complete control of a bank account using web based banking and a password.
Do you want to know something scary about that. We've had Chip and PIN as the de-facto standard in the UK for some years now (although I do remember it coming in).
The really scary thing is; my parents remember it being widely used in Germany in the late 80's.
Has it really taken that long to get to Canada?
It is true that paying in stores with my German ATM card and its PIN was nothing new when I got my first bank account in the mid-90s. However, that system used the magnetic stripe of the card (which is why skimming is still so attractive here); smart-card chips on bank cards were introduced a lot more recently.
But when the Chip 'n Pin system came in here in the UK my Dad's first comment was "oh, they were using that in Germany in '87/88"
Yes, working from NL at the moment.
> Unfortunately, such a thing seems all but unheard of here in Canada.
> Our debit and credit cards are being replaced with cards with chips embedded, which could be a sign that such devices are coming, but for now I'm afraid my password is my only real line of defense online.
> I have noticed that when I login from a new computer (for example, when I visit my parents), the site uses one of my challenge questions to ensure it's really me.
So the bank likely either keeps a record of 'known' IP addresses for you or they keep a cookie on the computer that they use to identify a computer that you've used at least once.
How annoying. It's interesting how we berate POF for not following 'best practices' but even institutions such as banks could do a whole lot better to protect their and their customers best interests.
Are you liable for fraud committed with your account online?
Or would the bank indemnify you if your password were used to clean out your accounts?
>Yes, working from NL at the moment.
With one bank I must use the hardware token solution (and I am able to use any device, not just the one issued to me). With another bank I must register my mobile telephone number with them and they send me a text with an authorisation token whenever I need one.
I much prefer the hardware solution even though it is a major inconvenience when travelling light.
Not with TD Canada Trust, to an extent:
"As set out in our account agreements, you are responsible for maintaining the care, control and confidentiality of your Access Card number, Connect ID, and passwords. TD Bank Financial Group is not responsible for unauthorized access to accounts online or losses that occur as a result of you voluntarily disclosing your Access Card number, Connect ID, or passwords, or the careless or improper handling, storing or disclosure by you of this information. In the event of loss, theft, misuse or compromise of your Access Card, Connect ID, and/or passwords, you must notify TD Bank Financial Group immediately."
The "Known IP" is a bit more complicated. I was travelling through South America recently, and could always access it from my phone. However, accessing from a hostel or internet cafe required answering a security question.
Or would the bank indemnify you if your password were used to clean out your accounts?
Honestly, I have no idea. I really should look into the fine print in the online TOS/Rules&Regs.
On top of that we do have indemnification.
Combating electronic banking fraud is an ever lasting game of leap frog, it looks like the banks are at least one step too far behind. At least they have the extra challenge question, I hope you made them hard enough :)
1. He provides emails - I think Mark(Guy from Plenty of Fish), really needs to get those voice recordings of Chris threatening his wife online to be more credible.
2. Mark tells a complicated story - A story with mafia and all that, really? If we follow Occam razor, Chris story sounds more realistic. He saw a flaw and reported it. Everything was going dandy until he saw ads for Plenty of Fish data. At this point Mark decides to try ruin Chris by fabricating a story, since he believe it is him trying to sell the data. It is a simpler story.
3. Why isn't Mark contacting the authorities? - A week and Chris is not in jail and responding freely on his blog?
Mark does have some valid points though,he did hack pirate bay: http://torrentfreak.com/the-pirate-bay-hacked-users-exposed-...
But Chris claimed again, proof of concept and he has no bad intentions.[What is the appropriate way to expose vulnerabilities?]
In my opinion, he[Mark] should release the voice recording to add more credibility because right now he is sounding shaky.
I think a. is unlikely, because he did actually manage to break in, although, the hole itself might've been trivial and therefore this might not count. I don't think so, though.
Which leaves b.
Reading between the lines, it looks like his sales tactics were heavy on the FUD (he pointedly hasn't denied making any claims about Russian conspiracies), leaving Frind paranoid and angry. And probably also embarrassed if the security flaws were as basic as is being suggested.
Whilst Nigeria is one of such countries, it doesn't follow that all documents with alphabetised numbers are illegit.
If you ask me, both of them sound crazy and deluded. Marcus' story doesn't make much sense if you read the email on that site, but carrying on about serial killers doesn't help your case much either. And that freelancer link is just a red herring - I can't see what it's got to do with the case at hand.
 Update: Or even if you read his own post: "I listened in the background and I closed the breach if indeed there was one while my wife was on the phone". Er, was there a breach or not? And why are you calling his mother and not the police?
Chris Russo is there commenting, and it calls your ability to judge character into question. For starters, he has never denied the story about Russians holding his computer hostage and threatening to kill him. He just ignored it. Then he goes for the "race" card and says PoF are suspicious of his intent just because he is in Argentina.
Really sounds suspicious.
I believe the PoF guy simply because he has more to lose. You can already see this Russo character writing his own "If I Did It" account of the tale. Looks like his attempt at getting a gig backfired.
There is more than meets the eye here imo.
I managed to stumble through the first part of the article, but lost interest when Russo claimed that "he can see what the Russians are doing because they took over his computer." This sounds technologically implausible at best.
Maybe the official post in the morning will make more sense.
However, it doesn't make sense then those who hacked his supposed honeypot would be aware of his oversight ("they are trying to kill him"), while still using the honeypot to perform whatever illegal shenanigans they were up to ("they are currently downloading plentyoffish’s database").
Just a small clarification about this bit:
"They then start talking about money because they need to incorporate a company that can deal with companies outside of Argentina and that will cost $15,000. They also needed to know if they were going to make over $100k/year or 500k/year as that would require different registrations…"
I am from Argentina, and I own a company. Yes, in order to bill services to foreign customers, you need to register your company as an "exporter of services". And to do that you have to put money on escrow (but not $15000, only $7500), or your company has to demonstrate assets for over $12500.
If Russo has been working without an incorporated company (he could be a "monotributista", which is a way to bill as a physical person). A monotributista can export services, but... he's personally liable, so doing security consulting that way is insane.
That's probably why Russo could be asking for money up-front: if he didn't, he would have been doing business illegally."
If you work on security this way, you are going to get sued eventually. If you are a monotributista or responsable inscripto, you will lose everything. A SRL (like a LLC) is the logical way to handle this kind of work.
What I meant by illegally is that it would be illegal if he was already incorporated as a SRL and exporting services (he needs to do the escrow to do that legally).
We don't store passwords in plaintext though, sheesh.
Edit: I just upgraded the hashing algorithm on the site from SHA1 to Bcrypt. Paranoia for the win.
I still feel icky because of the sourceforge hack and wonder if I should reinstall everything. I probably should :-(
When I read this post on my iPhone, I saw a match.com ad on the top of the page. match.com competes with Plenty Of Fish.
POF is a multi-million dollar business. I'm surprised that they aren't paying Wordpress to provide an ad-free experience.
No, you have to wait for OKCupid to get hacked for that to happen.
Scenario: I own a safe with all my personal information locked inside of it; a Safe Cracker (let's call him...Chris) comes along a cracks me safe. Chris call me as says to me 'yeah, I cracked your safe if you don't hire my company to fix you safe's vulnerability maybe your personal information might get out.'
Who is the bad guy in that situation the dope with the safe, with a 1-2-3-4 combination or the guy who takes the dopes information and attempts to use it for his own personal gain.
NOTE: To anyone who still thinks the dope is more to blame; please send me your address i'll rob your apartment/house then sell your things back to you (don't worry I'll also sell you new locks).
I mean, who settles things through the blogosphere... come on folks, there is a judicial system!
Fun Fact: Markus Frind graduated the same year as I did from BCIT in Vancouver. I took Mechanical Design and Mark took Computer Science. Do I regret not taking CS, hmm maybe?
Of course, sending a PoC with an offer to fix the security does have a "nice website you have there, it'd be a shame if something happened to it" vibe to it; still, it's factually different from trying to extort money from a company by dangling a dump of their customer database.
Hacked a site?
Send them a message about it, give them time to respond and time to fix. If they don't respond after a reasonable time has passed go public with it, don't try to translate it in to paid work.
It would be good if more companies set up bug bounties, and even better if they'd set the reward a bit closer to (reputed) black-market prices.
[edited to fix name. sorry 'bout that, been a long day]
> Extortion, outwresting, and/or exaction is a criminal offense which occurs when a person unlawfully obtains either money, property or services from a person(s), entity, or institution, through coercion.
Where is the coercion? Is there a threat here to do something? I can't see it. In fact, the opposite - the damage is already done.
The coercion would exist only if there was a threat to do something bad from the extorter, which really, I can't see at all.
I'd tend to lean towards injection, given that it took Russo (apparently?) 2 days to produce a working exploit with what amounts to fiddling around, but if anyone knows where I can read a write-up on it I'd appreciate it.
(Professional curiosity, I'm a web dev and like to be apprised of what catches the more popular sites. Sometimes you get lucky and it's subtle/neat.)