Category Archives: Consumer Security

Ditch SMS for True Second Factor Authentication

At one point, getting a text message with a code seemed like a great way to provide more identity and authentication assurance. Phone networks are out of band from email, the cost of sending the message is relatively inexpensive, and few people are without a cell phone these days. As it gained popularity, SMS-based authentication got the attention of cyber criminals and they soon exposed a number of high- and low-tech attacks that make SMS authentication unreliable. I’ve been on a kick to turn on any 2nd-factor authentication option possible in every site/service that I use. Lately, however, I’m switching to real 2nd-factor options that include apps, U2F, or other methods. To that end, I recently published an article that ...

No Need to Sign

If you went shopping on Sunday and happened to notice that a signature was not required for your credit card purchase, that wasn’t an April Fools joke. Back in December & January, the major payment networks all announced they were dropping the signature requirement. Even MORE time saved when paying for things! I’m sure many of you are like me in that you didn’t even put your actual signature on those papers or electronic signature capture devices. The only time I have been serious about it is when I travel abroad. Those cashiers are very good at matching your signature to what is signed on the back of the card. ...

What’s the craic on KRACK?

For those who are not familiar with the Irish slang, read this. We got another fun named vulnerability this week that goes after WPA2 encryption, something that is ubiquitous but not impenetrable. Key Reinstallation Attacks, or KRACK for short, exposes a weakness in the WPA2 protocol. It’s an attack on the protocol itself, so anything that is unpatched and properly implemented to the Wi-Fi and WPA2 standard is vulnerable. Patches are already well on their way to being released and deployed. But this problem is going to stick around for a long time like Shellshock and Heartbleed. Many Wi-Fi hotspots are running outdated firmware that cannot be upgraded in some cases. Just like Shellshock and Heartbleed, the only way to ...

Equifax is only half the problem, your SSN needs a redesign!

The Social Security Number in the United States is the closest thing we have to a national identification system. It’s widely used to deal with the government, open lines of credit, and serves as the unique ID for a taxpayer. It’s effectively your financial and governmental digital footprint identifier from which all actions are compared. Great, right? We can use it to ensure people pay their taxes, connect bank records and large financial transactions to an identity, ferret out money laundering and illicit business, and get a personal balance sheet on anyone who has credit. Except, once that number is disclosed, it’s disclosed. Unlike a payment card number, there is no wide-scale method to reissue a social security number. Like ...

More EMV Bypass Fun

So I’m sitting here in San Diego, which we all know is German for… never mind. As I pay for my lunch, I present my chip card and there is some kind of error. I know I entered my PIN correctly, but it immediately came back as failed. The bartender taught me a neat trick that I am sure we all need to be aware of as people capture magstripes and write them to new cards. “Oh, no problem on bypassing that. Just turn the card around and insert it, it will fail, and you can swipe!” The Verifone VX-675 terminal this place used detected that a card was inserted without a valid chip read, and immediately told me to ...

Netgear (In)Security and their Failed Remote Management

I’ve been having issues with some home networking equipment and decided that after a couple of years, I needed to make some updates. I did my research and ultimately settled on the Netgear R8000. Not just because it looks dead sexy or because it’s called the Nighthawk, but because it had really great reviews and I’ve generally been on board with Netgear’s product quality and technology. That is, until today. One of my biggest complaints about today’s networking equipment is that it really wants to be the only router in your house. It wants to be the command center. So if you have a couple of pieces of networking equipment, they both want to be in charge. I get it, ...

Does Age Determine How Quickly Shoppers Return?

Here’s another visualization to consider based on demographic data generated from my Consumer Attitudes Toward Breaches research (sponsored by MAC). Did age matter when it came to how quickly shoppers returned to a breached merchant? The data seemed to have a couple of stand-out bumps. Below is a graph that shows, on average, how quickly consumers returned to stores after a breach, grouped by age. In general, the youngest groups were more likely to return to a breached merchant sooner than the older groups. The middle two age groups are virtually identical up to the fourth digit past the decimal point, which is close enough to consider them equal. What this means for management is that younger generations ...

Secure SSH, Go Beyond the Defaults

Secure Shell, or ssh, quickly became the replacement for telnet, rlogin, and rsh once system and network administrators realized how easy it was to capture credentials and modify traffic in flight. It’s the stuff out of movies. An administrator is logging into a system with an elevated account (such as root) while a bad guy is snooping all of the traffic and displaying the stream on his screen. He’s got all the credentials and can see everything that administrator is doing. Or worse, he’s sitting in between the administrator and his equipment and modifying the keystrokes from the administrator before forwarding them to the device. Cue the dramatic music. After its release over twenty years ago, it has seen near ...

What an IRS Scam Sounds Like

Like many of you, I have come to the realization that people not in my contact list who actually use their voices to communicate with me over this texting machine usually want something from me—many times, a sales pitch. I’ve given up on answering most of these calls. For the few that leave a message, I will return it if it’s important. Hopefully people have figured out by now that written communication is preferred in many instances. I recently got one of those robo-dialers to leave me a generic, threatening message (which you can listen to here) that meets many of the requirements of good social engineering. The transcript is below (apologies for the bad copy in two areas, the ...

Does Income Matter for Awareness?

Here’s another visualization to consider based on demographic data generated from my Consumer Attitudes Toward Breaches research (sponsored by MAC). Did income level matter in breach awareness? It appears to have mattered, yes, but not in the way you might expect. Below is a graph that shows how consumers reported their awareness of breaches, separated by income level, after we add weights to the responses to make sure we are comparing apples to apples. What’s interesting here is that the smallest two and largest two income levels were the most aware of the breaches, while the middle three were much less aware. Do lower income segments watch their dollars more closely? Are higher income segments more likely to be ...
