... that is all!
Dear Mr Dabbs. Thank you for your business. Please see invoice enclosed. This doesn’t bode well: I am not the sort of person who is able to make private purchases on account. As much as I’d love to swan into a shop, point at various things and drawl “Send them over, will you, darlings?” as I saunter off into a waiting limo, …
... that is all!
The real issue with a lot of these password rules, especially the frequent change rules, is that they encourage people to write their passwords down on paper or into an unencrypted file.
"The real issue with a lot of these password rules, especially the frequent change rules, is that they encourage people to write their passwords down on paper or into an unencrypted file."
Yep...After the 15th time of being asked to change my passwords for a fairly basic admin system I just couldn't figure out what greater than 6 character string with at least one uppercase, one lower case, one special character and one number in it I could remember I simply mashed the keyboard with my palm and wrote down the result on a post it note attached to my monitor.
My reasoning is that this system in no way needs a password, it certainly doesn't need to be this secure, and the alarm, locks and deadbolts on the doors and windows in the office are probably more secure against attack than my PC is.
If the place where you keep the paper is secure, then that's a pretty good way of storing a password. No hacker is going to be able to guess it, they'd have to break into your house/office to get hold of it, and if someone is going to those lengths, well...
"If the place where you keep the paper is secure, then that's a pretty good way of storing a password."
Physical security trumps digital security, in an office environment not so good, but ideal for home use.
Obfuscate or salt them simply if you like, to avoid casual theft.
You forgot the Post-it note on the monitor, or underneath the keyboard. I know from experience.
IT security people are a bunch of I D 10 Ts
Meh... All they have to do is dig through the trash on the first of the month.
Reminds me of our outsources helpdesk, I look away for a second and it decides "You've been idle for to long BYE" along with anything on the screen no matter how long.
Llonnygog's law: The complexity of password rules is in inverse proportion to the sensitivity of information being protected.
Let's take Llonnygog's Law to its logical extreme to see how it holds up: for 15 years during the Cold War, the code meant to prevent unauthorized launching of the United States' arsenal of Minuteman nuclear missiles was apparently "00000000". Yep, Llonnygog's Law holds up pretty well!
My electricity provider's website is the worst. I have to log in to it once every three months to pay my electricity bill. Its password rules are arcane and impenetrable, and inevitably wind up with me having a password that is impossible to remember when you only use it every three months.
I usually deal with this situation by typing random rubbish in as a password, then hitting the "I forgot my password" button next time I need to log in. But they've cunningly found a way of thwarting this method. When I signed up, I had to also choose a "memorable word." Seriously. Pick a word that's memorable, that you won't have forgotten in three months time when you come to log in next.
The end result is, of course, that I don't log in, I call them and pay over the phone. I wonder how many people ever manage to pay their bill through the website.
The other "security" function is that these dumb sites force you to record a memorable place, date and name. All in the interest of security of course. Anybody sane in security (can't be many left) knows that this usually leads to a less secure system than a more secure one.
And as for "Verified by Visa" (or the equivalent for MC), I have never, ever, entered my password correctly on that. Every time I click "Forgotten Password", enter some trivial details, enter another junk password that I'll never remember and that's it. Does this aid security in any way? No
Verified by VISA is truly craptastic.
Although, to be fair to it, there is one mildly useful security feature. It shows me a password, that supposedly only VISA know. So I know that the vendor have connected to VISA's servers. However, given the piss-poorety of the design of that, I'm sure that's probably printed in large flashing letters on top of their building, along with my credit card number and d.o.b. whenever I use the 'serivce'.
You can never be too careful. A password is obviously needed in case someone was to maliciously pay your bill for you.
I encountered that problem 3 years ago when I tried to pay my (ill in hospital) Mother's phone bill, we were both with Virgin Media. They wouldn't accept my encyclopaedic knowledge of her and her account details. Eventually I drove 100 miles to her house and made the phone call from her phone, thus 'proving' my bona-fides and obtaining details for making a direct transfer from my bank account. I'm surprised that they didn't accuse me of being a burglar who'd broken into her house.
And that is the failure on online, paperless billing. If you become ill and someone needs to pick up the pieces for you, well, good luck. They're probably not going to even know what bills are coming in, let alone being able to get them paid for you. I had to do this for an unrelated friend. If her billing had been electronic rather than on paper she would have been confronted with all manner of late fees, collection threats and service terminations after her hospitialization.
My bank insist on knowing the answers to 5 security questions, a random one of which is asked alongside the Verified by VISA password. The problem is I can't actually answer a couple of them - e.g. Q. What was the name of your first pet? A. I've never had a pet so wtf am I supposed to say?
The last time I phoned them the computer asked me for the position of two letters in my password - only the two letters it asked for aren't in my password! Or the password I used before the current one, or any password I remember. Fortunately it eventually let me though to a human who confirmed it was wrong.
@Nick Ryan The thing with set questions like those is that you are in charge of what you put for an answer. Memorable place? Potato. Memorable date? Pluto. I've similarly ignored answering truthfully to standard questions for a while to throw off anyone that might be capable of guessing the answer to security questions.
"Q. What was the name of your first pet?"
My first pet was called Bob and that triggered "pet name too short".
" A. I've never had a pet so wtf am I supposed to say?"
The questions can be too Yankified as well. They seem to have a fascination with memories of school days that simply doesn't exist for me.
Around here, major banks are doing a bit of community service, and are providing website authentication services on very amicable terms. Authorization tokens from the online banks are accepted by most utilities and e-tailers.
Bank credentials have to be guarded with utmost care, obviously, but the password hell is neatly avoided.
I recently set up an online account over the phone with an institution I'd never dealt with previously. They asked me a number of verification questions, including an either-or for which both options were wrong. Which was actually the point. A fraudster would make a 50-50 bluff and then call back later and try the other option if he got it wrong, whereas the real account holder would know the correct answer and say 'neither'.
I agree that pre-defined verification questions are terrible. The most likely person to attempt to fraudulently access any website under my name is my ex-wife (again) and she knows all the answers to the usual questions. Much better to let me write-in a question with a non-obvious answer.
"And as for "Verified by Visa" (or the equivalent for MC), I have never, ever, entered my password correctly on that. Every time I click "Forgotten Password", enter some trivial details, enter another junk password that I'll never remember and that's it."
I did that a couple of times, until I found that they accepted "shitvisa666".... Not forgotten it once since.
how about "PetsIHaveHadNone" (or similar)- usually gives you chance to enter something more secure than Rover/Spot etc.
My usual response to that sort of thing is "Fuck0ffV1sa/Yah00/wh0ever", which is not only memorable but also heartfelt.
So, put in your wife, gf, or relative's name instead. I suppose that Mickey Mouse would trigger some kind of flag, as would Bart Simpson. Oh, yeah, those are both "Yankified"...
Gee, thanks for your password! :-p
It appears that my idea isn't unique then
My bank's clientèle must have moaned a lot about the extra hassle of VbV, at least that's the best theory I can come up with, because a month or two after rollout, the password prompt was binned. Now there's just a few seconds' wait and a throbber while the vendor/PSP site contacts the bank, then it's job done.
Or it could be the vendors themselves, having gotten their ears bent with all too much "What the hell's this, I already put my card number in!" etc. Either way, if true it amounts to a damning indictment of my fellow patrons (not to mention majority shareholders, hint hint) of the bank in question.
Other, more charitable theories welcome.
Tokens seem like a good idea until you get the new HSBC calculator-style one for Australia.
Step 1) Turn on device with (stupid finger breaking) key press combination
Step 2) Enter PIN to activate device (!!!)
Step 3) Enter last eight digits of your account number (!!!)
If suitably annoyed, add:
Step 4) Run over device repeatedly with car before closing account.
Step 5) Discover that a non-run-over device is required to close account.
I just answer 'fuckyou' for the answer to every one. If it won't let you, be creative with your swear words. You get the added benefit, that if asked for them on the phone by some annoying customer service monkey you get to say 'fuckyou' to them.
1) what the fuck business to they have knowing these personal details. More info on me you can sell.
2) the very nature of the questions are EXACTLY the kinda thing you'll find the answer to on facepuke in 30 seconds.
There's the other twist to this, like google/yahoo do when you sign in to mail sometimes:
'in order to make your mail more secure and aid you recovering if you forget your password, please tell us your mobile phone number'
ah.. yeh my mobile number.. cause that's a nice bit of info there for you to sell eh. Not the colour of my eyes or how many fingers I have... no.. my mobile number, so you can flog it to the PIP scammers. fuck you. fuck you all.
Haha. My bank sends out a one-time-code-generating fob to use when logging in to internet banking. Each time you login, you put your PIN into the fob and it spits back a login code. It's great.
But... somehow they IMPROVE on the security of this scheme by also asking what the make and model of my first car is.
That reminds me of the beef I have with the Google authenticator and OTP devices in general: it may have escaped the people who designed this that we're not using ATMs but genuine computer thingies with lots of keys.
Why the f*ck do I have to type in 6 digits if you can get more variations out of 4 alphanum characters, even if I remove the ones that could be confused such as 1 and l? Hello? Forgot that we actually enterd the twentyFIRST century?
On the plus side, that is an example of an OTP that works, even if it is bound to time instead of a challenge-response approach, so well done Google (for once)...
No end of Sharepearean sonnets will protect me from eBay’s lead windows or a Ministry of Defence civil servant leaving his laptop in a taxi.
Is that a deliberate error? Or an open source bard?
Oh how I wish my errors were deliberate.
Having initially missed the typo, I just spent three fruitless minutes seeing if that phrase would work in Iambic Pentameter thinking Mr Dabbs had done something clever.
I don't care about my eBay password being stolen, my acount wasn't raided, the complex password isn't being used elsewhere and I've changed it now. What I care about is the time it took eBay to tell me it had been swiped, therefore increasing the exposure of my account being used fraudulently, but most importantly, they've let some scumbag have my name, address, phone, D.O.B and probably other info too!! Just about all they need to impersonate me for fanancial gain.
Authorities should fine them a very large ammount and put it in a fund to help fraud victims who have lost personal info from their eBay accounts for the next few years.
I'd like ANYONE to tell me why you'd ever store customers personal info in an unencrypted form like eBay did (and a lot of others probably do).
That's a bit like BT's pisspoor excuse for a security announcement about the hack of btinternet.com.
We have a very old company email addy on there, that's still used. When it's not drowning in spam from other btinternet addresses. They forced a password reset. Didn't email us to say they were doing it, just invalidated the password on their pop server, and waited for us to guess.
Nothing on the service status on bt.com either. That service is always up, they only occasionally post a problem when it covers one exchange and after it's solved.
Great. I reset the password. But remember something I'd seen on El Reg. It was of course the bloody password reset database that had been hacked.
Surprise! Surprise! We had to reset the password the next day. Again no error message, or warning email / letter. This time I changed the security details.
At least this vindicates my policy of always lying on security questions! This email was set up ten years before I joined the company.
I'd like ANYONE to tell me why you'd ever store customers personal info in an unencrypted form like eBay did (and a lot of others probably do).
Oh I can do that. It's cheaper.
Just like it's amazing the number of companies where helpdesk/tech support can see your password on their screen when you phone up. Because basic security is just too much effort.
I especially like 1and1 internets phone security, where they insist that you give them your full login password OVER THE PHONE
I found out about the eBay leak from the Beeb, and changed my password to something new and horrible when I got home. A week letter (yesterday), I get an email from eBay saying they'd been hacked and I should change my password. This wasn't another, newer hack, but the original one - the one the media had been having a field day over, with eBay keeping firmly schtum throughout. I'd like to say better late than never, but I think that would be a load of balls....
I've not heard of that mobile scam before. I wonder how they allow their tills to ship out phones on credit like that? It's just asking for trouble.
Reminds me of my temping days in the mobile industry.
I was working for an insurance company, doing mobilie insurance at £5-15 a month, for a chain of shops. Bronze, silver and gold. I'd bene there a mere week, when they sacked the person who processed credit card transactions. So I got that job. As a temp. With private access to the credit card terminal and about 10,000 files with people's card numbers and addresses on. Nothing I did was ever checked. Plus tens of thousands of other files with the direct debits and all the banking info.
After two weeks I noticed that they'd fucked up, and were only renewing the Direct debit after a year on Gold subscriptions. Even though the contracts were for at least 2 years. They rewarded me for this act of genius on my £6 an hour temp heaven by saying thanks, and sacking me 2 weeks later. I think at that time there payment processing team entirely staffed by temps was down from 6 to 2. So I dread to think what state it was in. We saw our manager about twice a day.
However, we were so well run that we had the trust of the banks. We were allowed to process Direct Debits without presenting any evidence to the bank. We maintained our signed copy of the Direct Debit mandate, the bank never checked them. And obviously we had nothing to check the signature against, even though it was often in a different coloured pen (for some reason). I used to get a call from the banks' call centres every couple of hours, with a customer querying a payment on their other line. Sometimes just because we weren't called the same as the mobile company, but mostly because the salesman had filled out the insurance agreement after the customer had left, to meet his bonus targets.
Then I got one of the funniest documents I've seen in my working career. Internal audit had audited one of the stores. And posted it to the separate company who ran their insurance, rather than their own head office. Top work there chaps! The shop hadn't counted their Pay&Go top up cards (back when they were scratch card things in cellophane). Or done a stock take of any kind. In over 2 years. Apparently the staff would take a handful of them whenever they went down the pub, and sell them cheap for beer money. Probably a few handsets as well.
There were several signed, but un-processed, customer direct debit mandates for contracts and insurance. Some from months ago. With all the good details on. Some were on the side by the till, in the actual shop, on open display. Others were in the kitchen and break room. Some had made it as far as the office. The kitchen hadn't been cleaned in ages. There was rotting food in the fridge and on the work surfaces.
The report conclusion: Above average. 75%!
After being dumped, at 4 o'clock on a Friday afternoon, thanks for helping the temp get a post for next week old chaps, I think I only did one more temp job before getting something permanent, and none since. So I have just over a month of experience in the mobile phone industry (from the late 90s), and it doesn't seem that much has changed.
I once managed to get my landlady to pay for a course I was taking. The school called me to chase payment, which was in installments by direct debit. I knew I had my bank account details written down on a piece of paper somewhere on my desk, so I scouted about until I found a bank account number on my desk. Unfortunately, my landlady had an account at the same bank and what I'd found were her details.
I rattled these off to the school, who passed them on to the bank, who dutifully started transferring money out of her account, despite the name on the account being 100% wrong.
It was only three months (and three payments) later that my landlady noticed these payments on her account statement. She queried it with the bank, who queried it with the school, who queried it with me. Both the bank and I had very red faces.
I still can't believe they clearly didn't have two factor authentication on their remote DB access, that just seems shoddy. RSA tokens etc are pretty widespread technology these days!
I signed up on one site which required the usual additional security:
Where were you born?
What was the name of your first school?
What was your mother's maiden name?
Fair enough except for the following paragraph:
You MUST ensure your answers are unique to this site!
Bit difficult without the aid of time travel to change those answers.
Just lie like everyone else - how are they going to check?
Then when they get hacked it doesn't matter.
It is also nice to get birthday wishes every month.
It is also nice to get birthday wishes every month.,
I've picked one new birthday, so I can actually remember my fake d.o.b. Rather than just picking randomly as I did before.
Except for restaurant mailing list sign-ups. Those have to be carefully picked, so you get nice vouchers, spread around when they're useful. So a couple of them are near my actual birthday. Though sadly the last one to regularly remember my birthday have closed down their branch here. So no more birthday tapas for me.
eBay = Twunts
Thats not big, it's not clever, but neither are they anymore.