Online buying stuff ... and security
Here's an anecdote from a couple of years ago (about 8 years ago).
System affected: a multi-million-dollar Sun server...
The culprit: me (using a Windows 95 machine on the network).
When enabling networking in Win95 you need to provide a username and password. So, jokingly, I had created an account on Win95 called 'root' with the password set to 'blah'.
I plugged the machine into the network and accessed the network disks shared out by this Sun server. I copied a couple of files to the server. Trying to open them from a Unix workstation gave "permission denied". A quick ls -l showed the owner as 'root'... That's odd... this couldn't be, could it? I tried a couple more things... I could use the Win95 box to write anywhere, move directories, delete files. I had full root permissions, just like the legitimate root user.
Why? Because stupid Samba running on hypersecure Unix negotiated in the following way:
Samba: who is logged on?
Win95: here it says 'root'.
Samba: did he log on correctly on your side?
Win95: his password matches what is stored on my side.
Samba: ah, it's OK then: go ahead.
Security on Unix? That hole was so big you could run a 6-lane highway through it and have room to spare for a bunch of exits, a shopping mall, a couple of casinos, hotels and a small city with a population of a couple million.
When we flagged this, the answer was: oops, we'll have to patch that... In the meantime the IT department issued this statement: it is not allowed to plug Win95 machines into the network since they make Unix unstable. Solve the disease by killing the patient...
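The trust failure in the exchange above, reduced to code, as an added example that is not part of the original post and is not Samba or SMB code: a toy file server that accepts the client's own claim that its user authenticated, next to one that checks the password against the server's own store. The account names, passwords, hashing parameters and the `demo()` scenario are all invented for the illustration.

```python
"""Client-asserted vs. server-verified authentication (added example, not Samba).

Models the negotiation described in the post: the vulnerable server believes
the client when it says "the password matched on my side"; the hardened server
only believes its own password database. Accounts and passwords are made up.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an arbitrary choice for the toy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


class ServerPasswordDB:
    """The server's own notion of who is allowed in (salted, hashed)."""

    def __init__(self):
        self._users = {}

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _hash_password(password, salt))

    def check(self, user: str, password: str) -> bool:
        entry = self._users.get(user)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _hash_password(password, salt))


def trusting_server_login(client_user: str, client_says_password_ok: bool):
    """Vulnerable: the server never sees a secret; it trusts the client's verdict."""
    return client_user if client_says_password_ok else None


def verifying_server_login(db: ServerPasswordDB, client_user: str, client_password: str):
    """Hardened: the secret is checked against the server's own store."""
    return client_user if db.check(client_user, client_password) else None


def demo() -> dict:
    server_db = ServerPasswordDB()
    server_db.add("root", "correct horse battery staple")  # the real root password

    # Attacker's Win95 box: a local account 'root' with password 'blah',
    # which of course matches the box's own local store.
    local_accounts = {"root": "blah"}
    client_user, client_pw = "root", "blah"
    client_says_ok = local_accounts.get(client_user) == client_pw

    return {
        # trusting server hands out root to whoever claims it
        "trusting": trusting_server_login(client_user, client_says_ok),
        # verifying server rejects 'blah' because it is not the server's root password
        "verifying": verifying_server_login(server_db, client_user, client_pw),
        # the legitimate root user still gets in
        "legit": verifying_server_login(server_db, "root", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

The point a reviewer would check in any real share server is the same: the decision "is this user who they say they are" must be made on the server from a secret the server holds, never from a flag the client sends.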
The moral of the story is this: it all comes down to who has the bigger hammer!
That's exactly the case with this phishing stuff. Norton, McAfee, Windows, Linux, Unix, Firefox, IE, Opera, whatever... the guy with the biggest hammer pounds the hole in the wall.
Online banking? No, thank you... My bank is just around the corner.
What we need for buying stuff online are 'one-time use' bank cards. You go to an ATM, punch in the request for money and, instead of bills, it gives you a paper slip with a unique code. This is a virtual cheque that is limited to the exact amount you put on it.
You feed that number to the payment site. When it's spent, the 'account' is empty, so it cannot be used a second time.
If someone phishes it: no damage done. If they try to cash it in, two things can happen:
- it was already cashed in, so they get caught because they tried cashing it in a second time;
- if it was not cashed in: they still get caught, because cashing in can only be done by having a bank account. Their identity is known. So if the legitimate receiver files a complaint: bingo, you can trace where the money went.
The technology exists. So start using it.
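The one-time virtual cheque scheme sketched above, as an added example that is not part of the original post and is not any bank's system: the bank issues a code bound to an exact amount, a payee can redeem it exactly once, a second attempt is refused and logged, and every attempt records the account that asked for the money, which is what makes the phisher traceable. The code format, the MAC construction, the account names and the `demo()` scenario are all assumptions made for the illustration.

```python
"""One-time 'virtual cheque' issue/redeem ledger (added example, hypothetical bank).

Properties shown:
  * the slip carries an amount the bank authenticates with a MAC, so a phisher
    cannot raise it;
  * redemption succeeds once; the second attempt is rejected and attributed;
  * every redemption attempt is tied to a payee account, so a complaint can be
    traced to whoever cashed a stolen slip.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cheque:
    amount_cents: int
    issued_to_account: str                 # customer who withdrew it at the ATM
    redeemed_by_account: Optional[str] = None
    redeem_attempts: List[str] = field(default_factory=list)


class Bank:
    def __init__(self):
        self._key = secrets.token_bytes(32)       # bank-side MAC key (hypothetical)
        self._cheques: Dict[str, Cheque] = {}     # ledger keyed by code id

    def _tag(self, code_id: str, amount_cents: int) -> str:
        msg = f"{code_id}:{amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue(self, customer_account: str, amount_cents: int) -> str:
        """ATM side: the customer is debited now and gets a single-use code."""
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        code_id = secrets.token_hex(8)
        self._cheques[code_id] = Cheque(amount_cents, customer_account)
        return f"{code_id}-{amount_cents}-{self._tag(code_id, amount_cents)}"

    def redeem(self, code: str, payee_account: str) -> dict:
        """Payment-site side: credit the payee exactly once, recording who asked."""
        try:
            code_id, amount_str, tag = code.split("-")
            amount = int(amount_str)
        except ValueError:
            return {"ok": False, "reason": "malformed"}
        if code_id not in self._cheques or not hmac.compare_digest(self._tag(code_id, amount), tag):
            return {"ok": False, "reason": "forged or unknown"}
        cheque = self._cheques[code_id]
        cheque.redeem_attempts.append(payee_account)      # every attempt is attributable
        if cheque.redeemed_by_account is not None:
            return {"ok": False, "reason": "already cashed",
                    "first_payee": cheque.redeemed_by_account, "second_payee": payee_account}
        cheque.redeemed_by_account = payee_account
        return {"ok": True, "amount_cents": amount, "credited": payee_account}

    def trace(self, code: str) -> dict:
        """Complaint handling: who received the money, and who else tried."""
        cheque = self._cheques[code.split("-")[0]]
        return {"paid_to": cheque.redeemed_by_account, "attempts": list(cheque.redeem_attempts)}


def demo() -> dict:
    bank = Bank()
    # Case 1: merchant cashes the slip first; the phisher's copy is refused.
    code1 = bank.issue("alice-checking", 4999)
    legit = bank.redeem(code1, "shop-merchant-acct")
    second = bank.redeem(code1, "phisher-acct")
    # Case 2: phisher cashes a stolen slip first; loss is capped at the slip's
    # amount and the complaint trace names the account that took it.
    code2 = bank.issue("alice-checking", 1500)
    stolen = bank.redeem(code2, "phisher-acct")
    # Case 3: phisher edits the amount on the slip; the MAC no longer matches.
    tampered = bank.redeem(code2.replace("-1500-", "-9999-"), "phisher-acct")
    return {"legit": legit, "second": second, "stolen": stolen,
            "trace2": bank.trace(code2), "tampered": tampered}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The attribution comes from requiring a payee account on every redeem call, not from the code itself; the code only has to be unguessable and amount-bound, which is what the random id plus the bank-keyed MAC gives.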