Wednesday, February 17, 2010

How Foursquare can help people steal your stuff. PS - Want to buy some privacy insurance?

When I first got access to the Internet, my parents were quite paranoid about me talking about when we'd be going on vacation, and when people weren't home. I'm not sure if they're still paranoid about it, but I admit I think about their concerns every time I mention that I'm in another city on Twitter.

However, I've never seen anyone get that point across so nicely as which uses Foursquare and Twitter to build a nice list of people who aren't home right now. Combine that with a little extra observation to find out where their homes are, and I bet you'll probably also find a wealth of other information about the things they own that are worth stealing. Handy for all your thieving needs!

I wonder how many people will rethink using Foursquare after seeing this. I'm guessing not actually that many, though. Just like Facebook, a few people will be appalled, but more will be thinking "eh, that'll never happen to me." My supervisor asserts that people will only really care about privacy when someone from Google goes completely bonkers and uses the information at their disposal to kill someone. But I am not sure even that would be enough: they're already risking people's safety with gaffes in new products, and while that gets people upset, I know I haven't closed my Google accounts or turned off the phone that's transmitting my location data to them all the time...

Mind you, I know how easy it is to break into my house and I haven't upgraded my locks either; I just bought insurance and backed up my digital assets off-site. I know how insecure my credit card is, yet I'm counting on the law to keep me from being liable if it's abused. And you can buy insurance on top of that for identity theft.

So sure, I'm happy to hear that the Canadian privacy commission wants to know more about Google Buzz. But what I'm really wondering is how to sell insurance for privacy. I'd make a killing in this market!

(Addendum: If only I could figure out how to make that work... Can't you just imagine a team of lawyers descending upon your mother to do damage control when your friends' drunken antics get leaked through Facebook?)

Wednesday, February 10, 2010

Bank being sued for teaching customers bad security habits

After mentioning in a previous post that banks are now suing customers who get robbed, here's a lawsuit going the other way: Comerica Phish Foiled 2-Factor Protection.

A metals supply company in Michigan is suing its bank for poor security practices after a successful phishing attack against an employee allowed thieves to steal more than half a million dollars last year.

The short version is that the bank regularly sent customers emails where they were required to click a link and then enter their password on that site in order to update a security certificate. Unfortunately, priming people to do this also makes them easy marks for phishing attacks which often... have users click a link to go somewhere that looks like their bank site, then enter their password. Awkward.

Read the details here (or scroll down on that site to see the lawsuit and initial response from the bank).

Monday, February 8, 2010

Amex thinks shorter passwords without special characters are more secure

I was working on a background section of my thesis proposal and was talking about how some misconceptions regarding security policies can result in web sites being a lot less secure. But American Express takes security misconceptions to a new low:

I would like to inform you that our website has a 128 bit encryption. With this base, passwords that comprise only of letters and alphabets create an algorithm that is difficult to crack. We discourage the use of special characters because hacking softwares can recognize them very easily.

And it gets worse!

The length of the password is limited to 8 characters to reduce keyboard contact. Some softwares can decipher a password based on the information of “most common keys pressed”.

Therefore, lesser keys punched in a given frame of time lessen the possibility of the password being cracked.

Uh, no guys. Just no.

Also, the former magazine editor in me is going, "softwares? softwares?!" but that's another problem entirely.

Read the rest of what American Express said and see the screenshot here.
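A quick way to see why the Amex reasoning fails is to count the passwords each policy actually permits. This is an added example, not anything from the post or from American Express; reading their reply as "letters and digits, at most 8 characters" is an assumption made here for the comparison, and the 16-character policy it is compared against is hypothetical.

```python
import math
import string

# Password policies as (allowed characters, maximum length).
# Reading the Amex reply as "letters and digits only, at most 8 characters" is
# an assumption made here for the comparison, not their documented rule.
AMEX_LIKE = (string.ascii_letters + string.digits, 8)
# The same site if it allowed punctuation and 16 characters (hypothetical).
PERMISSIVE = (string.ascii_letters + string.digits + string.punctuation, 16)


def keyspace(charset: str, max_len: int, min_len: int = 1) -> int:
    """Count every password a policy permits (the space a guesser must cover)."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def strength_bits(charset: str, max_len: int) -> float:
    """Worst-case search space in bits; more bits means more guessing work."""
    return math.log2(keyspace(charset, max_len))


def policy_rejects(charset: str, max_len: int, password: str) -> list:
    """Which rules force a user to weaken a password they would have chosen."""
    reasons = []
    if len(password) > max_len:
        reasons.append(f"longer than {max_len}")
    bad = sorted({c for c in password if c not in charset})
    if bad:
        reasons.append("disallowed characters: " + "".join(bad))
    return reasons


def compare() -> dict:
    """Bits for each policy, plus how many times larger the permissive space is."""
    return {
        "amex_like_bits": strength_bits(*AMEX_LIKE),
        "permissive_bits": strength_bits(*PERMISSIVE),
        "ratio": keyspace(*PERMISSIVE) / keyspace(*AMEX_LIKE),
    }


if __name__ == "__main__":
    print(compare())
    print(policy_rejects(*AMEX_LIKE, "correct-horse-battery"))
```

Restricting both length and character set shrinks the space an attacker has to search; it does nothing to stop a keylogger, which records whatever is typed regardless of how few keys that is.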

Saturday, February 6, 2010

Barcodes for breaches

Barcode: <script>alert("test")</script>

I'm highly amused by the XSS, SQL Injection and Fuzzing Barcode Cheat Sheet. Who knew security attacks could look almost... pretty? It's just standard XSS and SQL injection test code translated to bar codes, so they could be used as injection vectors. I know I've scanned codes to grab an app I want faster on my phone, and I'm seeing codes popping up in the free daily papers, which I find somewhat interesting given that early attempts to get people to use barcodes have met with commercial failure and ridicule. Oh well, it's all ok now that we have smartphones, right?

Anyhow. This is still an entertaining attack vector. Maybe governments (such as my own!) will ban bar codes as hacking tools next?
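The defence against a payload arriving by barcode is the same as for any other untrusted input: scanned text is data, never markup or SQL. Below is an added example (not from the post or the cheat sheet) of a hypothetical inventory app that allowlists the expected code format, escapes scanned values before rendering them, and binds them as query parameters; the PROD-nnnnn format and the sample scans are constructed for the demo.

```python
import html
import re
import sqlite3
from typing import Optional

# Constructed sample scans: one legitimate inventory code, then an XSS and an
# SQL-injection style payload of the kind the cheat sheet encodes as barcodes.
SAMPLE_SCANS = [
    "PROD-00123",
    '<script>alert("test")</script>',
    "' OR '1'='1",
]

# Assumption: this hypothetical app only ever expects codes shaped PROD-nnnnn.
VALID_CODE = re.compile(r"PROD-\d{5}")


def validate_scan(raw: str) -> Optional[str]:
    """Allowlist check: return the code if it has the expected shape, else None."""
    cleaned = raw.strip()
    return cleaned if VALID_CODE.fullmatch(cleaned) else None


def render_scan(raw: str) -> str:
    """Escape before putting a scanned value into HTML, so a payload carried in
    a barcode cannot become live markup in the scan log."""
    return f"<li>{html.escape(raw)}</li>"


def lookup_product(conn: sqlite3.Connection, raw: str) -> Optional[str]:
    """Reject malformed codes up front, then query with a bound parameter so
    the scanned text is data, never part of the SQL statement."""
    code = validate_scan(raw)
    if code is None:
        return None
    row = conn.execute("SELECT name FROM products WHERE code = ?", (code,)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run every sample scan through lookup and rendering; returns scan -> (name, html)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (code TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO products VALUES ('PROD-00123', 'Widget')")
    return {scan: (lookup_product(conn, scan), render_scan(scan)) for scan in SAMPLE_SCANS}


if __name__ == "__main__":
    for scan, (name, markup) in demo().items():
        print(repr(scan), "->", name, markup)
```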

Friday, February 5, 2010

Credit card companies covering their asse(t)s

Exactly whose security does your credit card company have in mind? Here's a hint: It's probably not yours.

I often use Mastercard SecureCode as an example of a usability failure in online security: to buy plane tickets where SecureCode is used, I found I had to disable many of the browser security measures I have in place for regular browsing. So the moment I'm making an expensive transaction is the moment I'm at most risk... Not exactly trust-inspiring, is it?

But Steven J. Murdoch and Ross Anderson of Cambridge do more than just complain about "Verified by VISA" and "MasterCard SecureCode." They presented a detailed analysis of the '3-D Secure' card protocol. Check out the abstract:

Abstract. Banks worldwide are starting to authenticate online card transactions using the ‘3-D Secure’ protocol, which is branded as Verified by Visa and MasterCard SecureCode. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and elsewhere. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating lesson in security economics. While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants and customers – given a gentle regulatory nudge.

So, basically, 3-D Secure provides economic security rather than technical security -- but not for you, the customer. It's providing extra security for the banks by passing the buck.

This is hardly the only way in which the banks protect themselves above the consumer. Take a look at Security and Usability: The Gap in Real-World Online Banking for some fascinating insight into what your bank thinks you should do to be secure online, and how few people do these things in practice. And this is especially worrisome now that, as Mannan anticipated in that paper in 2007, banks have started suing their customers when breaches occur.

I'll be really curious to see if this paper about 3-D Secure manages to make changes in industry or government legislation. Amusingly, this paper about how insecure they are makes me feel more secure -- at least if a bank sues me because someone's stolen my money, I'll have more evidence to claim in court that the bank wasn't trying hard enough to protect me.