Posts Tagged ‘security’

Bye-bye Smile

After some protracted discussions with the folks at smile.co.uk, we seem to have hit stalemate. So I’m going elsewhere.

For anyone else who’s being cornered by Smile, do note that they will allow customers to opt-out of the scheme. But, for me, that’s not the point.

I’m minded to think that VBV, while far from perfect, is better than nothing. But you’ve got to get the implementation right!

Filed under tech : Comments (0) : Oct 21st, 2008

Not Smile-ing about Verified By Visa

“Verified By Visa”. Internet shopping saviour, or a dangerous tool which lulls users into a false sense of security?

On the face of it, VbV looks like a great idea. Before completing an online order, you need to enter a security phrase which only you and your bank know - so you can be sure that no-one can shop using your debit card without permission.

So what could possibly go wrong?

Where does the HTTP POST go to?

In the case of ‘dabs.com’, the VbV web form will be submitted to “secure5.arcot.com”. Who? Exactly. Not my bank, not the merchant, but a previously-unknown third party. And the location bar helpfully says “https://www.dabs.com/”. So that’s not much bloody use.

And the password will be sent to my bank for verification?

OK, let’s assume we trust “secure5.arcot.com”. How do we know that they’ll send the details to our bank for verification, and not to a bunch of Russian mobsters?

In the case of “dabs.com”, the bank’s logo is shown - so we can be confident, right?

Wrong! The first four or six digits of a Visa card number make up the “Issuer Identification Number”, and these are well known. So any Tom, Dick or Harry could stick the correct bank logo on a phishing webpage and ask for my VbV password.

And with Smile, it’s worse still

I guess they’re just trying to be helpful, but they failed miserably. The Verified By Visa password is set to be the same as one of my “Secure Personal Information” details… specifically, the “memorable name”. I have two problems with this:

  • First, many (most?) people would automatically use their mother’s maiden name, which is quite discoverable with a little social engineering.
  • Second, this means that a piece of private login data - formerly used purely for online banking - is now going to be sent to other places, such as “arcot.com”.

On one hand, the bank encourages us not to write down passwords or share them with anyone, but now expects us to give the same password to a third party every time we do a transaction on the internet?

Finally, it appears that (with Smile bank, at least) I can neither opt out of VbV nor change the VbV passphrase independently of my online-banking login details.

I’m starting to wonder whether I want to stick with a bank with such a misguided approach to security.

Filed under tech : Comments (2) : Sep 9th, 2008

Browsing ‘sshd’ logs

Feb  3 07:55:09 kurobox sshd[16067]: Failed password for invalid user stud from 189.11.251.194 port 50372 ssh2

I have nothing else to say.
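A single line like the one above says little on its own; what separates a mistyped password from a guessing campaign is how many such lines a source address produces and how many usernames it cycles through. As an added example (not part of the original post), here is a parser for this sshd syslog format and a per-source summary, run over a constructed log that wraps the quoted line in invented entries using documentation-range addresses. The three-failure threshold is an assumed value, not a recommendation from the post.

```python
import re
from collections import defaultdict

# Syslog prefix as in the quoted line: "Feb  3 07:55:09 kurobox sshd[16067]: ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample log: the quoted line plus invented entries using
# RFC 5737 documentation addresses (198.51.100.7, 192.0.2.10).
SAMPLE_LOG = """\
Feb  3 07:55:09 kurobox sshd[16067]: Failed password for invalid user stud from 189.11.251.194 port 50372 ssh2
Feb  3 07:55:12 kurobox sshd[16069]: Failed password for root from 198.51.100.7 port 41022 ssh2
Feb  3 07:55:14 kurobox sshd[16071]: Failed password for invalid user admin from 198.51.100.7 port 41023 ssh2
Feb  3 07:55:16 kurobox sshd[16073]: Failed password for invalid user test from 198.51.100.7 port 41024 ssh2
Feb  3 08:10:01 kurobox sshd[16102]: Failed password for alice from 192.0.2.10 port 52110 ssh2
Feb  3 08:10:07 kurobox sshd[16102]: Accepted publickey for alice from 192.0.2.10 port 52110 ssh2
Feb  3 08:12:00 kurobox sshd[16110]: Received disconnect from 192.0.2.10: 11: disconnected by user
"""


def parse_line(line):
    """Parse one sshd syslog line into a dict, or return None if it is not an sshd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "pid": int(m["pid"]), "msg": m["msg"]}
    f = FAILED_RE.match(m["msg"])
    if f:
        event.update(kind="failed", method=f["method"], user=f["user"],
                     invalid_user=f["invalid"] is not None,
                     ip=f["ip"], port=int(f["port"]))
        return event
    a = ACCEPTED_RE.match(m["msg"])
    if a:
        event.update(kind="accepted", method=a["method"], user=a["user"],
                     invalid_user=False, ip=a["ip"], port=int(a["port"]))
        return event
    event["kind"] = "other"
    return event


def summarise(lines, threshold=3):
    """Per source address: failure count, usernames tried, and two flags:
    'brute_force' when failures reach the (assumed) threshold, and
    'success_after_failures' when the same address later logged in."""
    failures = defaultdict(list)
    accepted = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        if event["kind"] == "failed":
            failures[event["ip"]].append(event["user"])
        elif event["kind"] == "accepted":
            accepted[event["ip"]].append(event["user"])
    report = {}
    for ip, users in failures.items():
        report[ip] = {
            "failed": len(users),
            "distinct_users": sorted(set(users)),
            "brute_force": len(users) >= threshold,
            "success_after_failures": ip in accepted,
        }
    return report


if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The `success_after_failures` flag is the one worth paging someone for: a run of failures followed by an accepted login from the same address is either a user who eventually remembered their password or a guess that landed, and only the login history can tell which.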

Filed under tech : Comments (0) : Feb 7th, 2008