Vodafone faces court case in 'bugging' row

From: kondrak <kon..._at_phreaker.net>
Date: Sat, 24 Nov 2007 22:22:58 -0500

From: Its from Onion <areda..._at_msn.com>
To: tscm-l2006 <tscm-..._at_googlegroups.com>
Subject:
Date: Sat, 11 Aug 2012 21:41:50 +0000

The hackers who, on a whim, devastated Wired reporter Mat Honan’s digital life, got their 15 minutes of fame this week.

The simple trickery they used was clever, but nothing new, and certainly didn’t require much technical hacking skill.

Honan detailed in this Wired story (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/) how hackers tricked an Amazon rep over the phone into revealing the last four digits of his credit card number. Next, they used that information to persuade an Apple rep to reset his AppleID password, which enabled them to wipe clean his iPhone, iPad and MacBook, destroying all of his files, including irreplaceable photos of his young daughter.

That caper has put a spotlight on a long-running debate as to whether web companies that aim to strike riches delivering consumer cloud services ought to bear the burden of assuring that the person logging into an online account is who he claims to be.

Apple iCloud, Google Apps, Amazon’s Cloud Drive, Microsoft’s Windows Live and most other web services that require you to create an account rely on single-factor authentication, also referred to as knowledge-based authentication, or KBA.

But some banks – and, notably, Google Gmail – offer two-factor authentication, which brings into the process something you have. The style of two-factor that has gained the most traction involves issuing a single-use PIN code to your cellphone. When doing certain transactions, such as resetting a password or transferring a large amount of money, you must retrieve the PIN and enter it along with your username and password.

So is it time to mainstream two-factor authentication? Here’s what three authentication experts told Last Watchdog:

Chris Brennan, CEO, NetAuthority

Many of the current strong authentication solutions are expensive, difficult to manage and scale and frustrate user experiences.

Companies constantly trade off a stronger authentication solution in fear that poor user experience will drive them to other service providers. Users aren’t apathetic, they are frustrated. They will change services if their information has been compromised, which is making companies sit up and take notice.

The real issue here is that username and password are not sufficient methods of identification. The reality is that “what I know” is likely posted publicly in social websites providing critical answers to traditional methods of challenging user identity. This is not sufficient or adequate. The right strategy is to introduce an additional factor that is irrefutable.

Todd Feinman, CEO, Identity Finder

Brute force password-guessing and social engineering happen every day, and 99% of the incidents never make news. Over the last few years we have seen an increase in data breaches that have led to passwords and personal information leaked online. There are massive databases containing username and password combinations that criminals test against banks, email providers, and other online services. Because of rampant password reuse, many of these hacks are successful. The identity thief’s hope is that they hit a financial institution like PayPal where they can withdraw money. The scope of the fraud is hard to quantify, but we know millions of passwords are stolen each year.

Consumers should avoid storing personal information that could lead to identity fraud in an unprotected manner. Shred any files they no longer need and encrypt the files they do. They can use strong passwords and avoid password reuse as well as turn on multifactor authentication when available.

Consumers can download a free copy of Identity Finder to search their computer for personal information that could be used to commit identity theft by going to www.identityfinder.com/free

Stephen Cobb, security evangelist, ESET

Based on several decades spent observing patterns of system abuse, I would say it is extremely likely that a. more hacks like this are possible, b. more people than ever are looking for them right now, c. not all of those people have honorable intentions.

In technical terms the online world currently suffers from an atrocious conflation of identifiers with authenticators (your phone number, email address, and Social Security number are identifiers, not authenticators).

This situation is compounded by a widespread failure to implement shared secrets effectively (the name of your first pet is not a shared secret and asking for all the digits of my PIN number is profligate and inviting of interception). Underlying all of this mess is an excessive reliance on single-factor authentication and an alarmingly widespread misconception that multiple authenticators = multi-factor.

Multi-factor authentication refers to the three factors: A. Something you know, like a password; B. Something you have, like a physical key; C. Something you are, like your face or your fingerprints or the veins in the palm of your hand. Asking me for two or three or more pieces of information that I know is not multi-factor authentication.

Why large companies with big research budgets get things like this wrong is hard to fathom and it strikes me as unfair to force consumers to become security experts just to safely navigate services for which someone is paying (either the consumer themselves or the people paying for ads on ad-supported sites or within ad-supported apps and services).

– By Byron Acohido
Received on Sat Mar 02 2024 - 00:57:24 CST
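
The distinction Cobb draws in the article above between identifiers, authenticators and factors can be written as a policy check for sensitive actions such as a password reset. This is an added example, not part of the forwarded article; the evidence names, the taxonomy, the "discoverable" set and the two-factor rule for sensitive actions are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Assumed taxonomy, constructed for this example. None marks an identifier:
# it names the account holder but proves nothing about who is presenting it.
TAXONOMY = {
    "password": Factor.KNOW,
    "security_question": Factor.KNOW,  # e.g. name of first pet
    "card_last4": Factor.KNOW,         # assumption: treated as weak knowledge
    "sms_pin": Factor.HAVE,            # single-use PIN sent to a cellphone
    "hardware_key": Factor.HAVE,
    "fingerprint": Factor.ARE,
    "phone_number": None,
    "email_address": None,
    "ssn": None,
}
# Knowledge items a third party can often look up or talk out of a call centre.
DISCOVERABLE = {"security_question", "card_last4"}
SENSITIVE = {"password_reset", "large_transfer"}


@dataclass
class Decision:
    allowed: bool
    factors: frozenset
    reasons: list


def evaluate(action, presented):
    """Count distinct factors, not items, and ignore identifiers entirely."""
    reasons, factors = [], set()
    for kind in presented:
        if kind not in TAXONOMY:
            reasons.append(f"{kind}: unknown evidence type, ignored")
            continue
        factor = TAXONOMY[kind]
        if factor is None:
            reasons.append(f"{kind}: identifier, not an authenticator")
        elif kind in DISCOVERABLE and action in SENSITIVE:
            reasons.append(f"{kind}: discoverable, not counted for {action}")
        else:
            factors.add(factor)
    required = 2 if action in SENSITIVE else 1
    if len(factors) < required:
        reasons.append(f"{len(factors)} distinct factor(s), {required} required")
    return Decision(len(factors) >= required, frozenset(factors), reasons)


if __name__ == "__main__":
    for evidence in (["email_address", "card_last4"],
                     ["password", "security_question", "card_last4"],
                     ["password", "sms_pin"]):
        d = evaluate("password_reset", evidence)
        print(evidence, "->", "ALLOW" if d.allowed else "DENY", d.reasons)
```
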

This archive was generated by hypermail 2.3.0 : Sat Mar 02 2024 - 01:11:45 CST