Identity Theft and Social Networks
scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"
Guess it doesn't matter if you just stay anonymous.
...it is rather scary how little attention people pay to security. The article even states: "...site performance is our highest priority, and SSL is a pain." While it can be costly to set up security (ie, paying security consultants ;) ), if done right from the start it is less expensive than trying to fit it in after the fact.
It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!
libertarianswag.com
I would be all for that.
"It is not how things are in the world that is mystical, but that it exists." -Ludwig Wittgenstein
Oh, wait...
I was a victim of identity theft once and made a police complaint, an FTC complaint, etc. They all said that it was unlikely anyone would ever be caught. Haven't heard anything for 2 years now. They need to start castrating identity thieves... it's getting out of hand.
One friend feared that she might lose her job when a private entry about problems with her supervisor was made public
Rule 1:
If you want to keep something confidential, don't post it on a free website.
"If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy."
Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.
you're far from safe. SSL connections are vulnerable to MiTM attacks - we saw this with M$ Passport, hotmail etc. The only solution to these problems, is for people (ie the average user of /.) to realise that anything they transmit over the net is sniffable with a little effort.
In a dorm or corporate lan environment, all it takes is one trojaned laptop running a sniffer, and all your CC numbers are belong to us.
GNAA!
All the more reason to allow "anonymous", one-time use of purchased credits.
Like phone cards - pay cash and use it online as you wish without easy tracking.
Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information).
Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.
- There are people who participate in identity theft via any means possible, because that's the life they lead.
- Social security numbers in and of themselves ARE the vulnerable entry point because the information flow to and from them is bidirectional.
The only possible suggestion here is the same one that's been played over and over on the record entitled "keeping your information safe for dummies," which is "use caution and reason in any transaction you make." -- http://www.criticalassets.com
In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.
But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.
Seems like a rather immutable Catch-22 to me...
Blogging Weight Loss, Distance Education, and more at verlin.com
It saddens me that nothing will be done until some poor fella pays very dear when someone finds the motivation to sue, gets a good lawyer and wins big.
It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...
What do we expect anyway, common sense is the least common of senses.
... and God saw that Linux was good... Genesis 99.666
how about the rate of comment theft?
I congratulate you for using the anti-slash db tool.
The jihad is alive and well. Allah Akbar!!
Look, I don't suppose you could be convinced to take a dinner break or something, could you?
KFG
Nothing to do with laziness. SSL adds extra strain on the system. It's cheaper to not use it. And I really don't see the need for SSL on LiveJournal... it's a journal site, not a bank account.
As if that is our problem. That's the wild-west attitude: if you can't secure yourself, you deserve whatever you have coming for you.
Why should we invest in something that's a self-evident fundamental right (even on the net): security.
What we need here is strong action from the world governments. Make the net a safe place for everyone!
Most community sites seem to be local run affairs by the kid down the hall in his spare time, not by those with the money to spend on SSL certs. That, and given the value of the Internet is to allow people to connect in new ways unencumbered by worrying how to pay for it suggests that the problem here is not how to provide technically secure transactions.
The problem here is how to create personal security on the Internet. When you're in the mall, gals keep their bags so the flap is on the inside. Guys don't stare at other guys for too long. That is how they are personally secure, not because the mall guards have guns.
So a more interesting question is not "how can you make other people more secure?" but "how do you make yourself more secure?" Publish your results, and best practice will win.
...which cost me >$100, in order to have some password security on the bulletin board I run. phpbb would mail the password out in the clear, and didn't allow you to log in over SSL. It wasn't a big deal to hack it, but I was surprised that it wasn't an option. It may be that more people would use decent security if the software they ran supported it.
An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.
Generally speaking, I wonder how the numbers of people who would refuse to use a given network because it is inconveniently secure compare to the numbers of people who would start using it if it was no longer inconveniently insecure?
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
Indeed. My wife was the victim of identity fraud. The police caught the perp with my wife's ID -- and LET HER GO. She's been stealing cars from rental agencies and running up Sam's Club credit and cell phone bills ever since -- and the cops know who she is, and how much of a scourge she can be...
Slashdot doesn't use or require SSL logins???
I'll have Taco's balls for this!!!! Yes siree!
Hey Taco, instead of constantly fiddling with the lameness filter and the moderation system, how about implementing basic security. Either that, or you could go home to Kathleen. [shudder]
Lameness filter encountered. Post aborted!
Reason: Your subject looks too much like ascii art.
Post above is copied from one made months ago by a different poster. Please mod accordingly.
Sure it's nice to have SSL, but 90% of breakins are due to compromised email accounts, especially hotmail (where to change a password you just need a correct response to a user-generated question like "What is my favorite color"). Not to mention hotmail's past reputation with security issues.
The user is always the weakest link, they'll click/run on anything that looks tempting, and it's going to take a buttload more than SSL to protect against that.
What's Reza up to these days? Judging by her photos, I'd say 600lbs!
HAW! HAW! HAW!
you make no sense.. do you have a drivers license? then you have an id card.. wtf..
Did you know that the crime of identity theft is virtually unknown in Europe (at least in Germany, where I live)?
Yes I did. That's because I read the post made months ago that you copied this from.
Like with most things in life. Problems only get solved once they truly become a problem. Currently banks take the responsibility when they are conned out of money. Once they lose more money this way than it would cost to do something about it, it would change.
The same happens with most laws. The laws the politician creates in the meantime are either of no real significance or to boost personal interests.
I clicked on the story reference and after 10 or so irritating cookie alerts told my browser to put the referenced host onto the unconditional cookie reject list.
Referenced story looks bona fide.
WTF?
You see, some of us are still free...
1. " The idea of social networks is just insecure from the get-go."
2. "Make me your friend; my fans get +1 comment scores."
?
Money is just a piss poor patch (at best) to the problem of people just not being able to get along with each other.
Well, yeah, and the idea of real-life face to face social networks is also inherently insecure. The more you interact with other people the greater the chances that one of them (or someone who knows one of them, or happens to eavesdrop on one of them) will take advantage of you. But interacting with other people is not automatically a "bad idea" because of this, and the same is true online. You need to weigh the security risks along with other factors (e.g. the social benefits of networking in this manner, or the amount of critical information that is actually compromised by these risks). I think friendster-style web-based networks are valuable enough that people should see what can be done to make them more secure rather than abandoning them as inherently insecure.
Citibank provides disposable CC numbers for one time use only, or for use with only one merchant (i.e. subscription).
You log on to their web site with your account info and gener... Oh, wait...
Seriously, it's already been pointed out once that this post was blatantly plagiarised from an earlier one. Why are people STILL modding this regurgitated crap up?
It's never late. Getting a working site under SSL is 2 hours to 2 days' work. I did it a few times and never had any serious performance problems.
And if performance is still a problem, isn't it reasonable to consider web hosting? If the application is done on anything that a web-hosting company can run (Perl, Java, ASP, even Zope) then both performance and SSL are even less of a problem - most hosting companies provide SSL and have no performance problems. The thumb rule is: if you don't know how to do the job right - give it to people who know the drill.
Less is more !
On the other hand, I tend to think people who live through their on-line journal / blog need to find a real life.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
I'm Brad Fitzpatrick, from LiveJournal.
The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"
Things we talked about that she decided to ignore in her article:
-- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)
-- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.
-- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated
-- we don't let users do any major action (like, oh, change the account's password) without the original password.
-- we have now many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just plain dumb/trusting/gullible. SSL isn't a magic security wand.
Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.
To this day, I can not figure out how to change your eBay password over an SSL connection. Sure, you can login via SSL, but you can't send your new password over SSL.
This kind of defeats the purpose of using SSL. Once it's sent in plaintext, it's not secure.
I liked this message the first time I read it, when it was posted by Robert Arnold.
I don't know what the bank example is doing in your list. If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it? A bank account alone doesn't get me very far. Now, if I were to start taking out loans and so on, things get stickier, but if I just want a checking account, I shouldn't have to make an appointment a week in advance, then show up and have to show identity, proof of residency, proof of address, proof of salary, and on and on and on. (This isn't made-up, I actually had to do this.) When I last opened a bank account in the US, which was a while ago, they basically asked for my money. I like this. There isn't really an opportunity for fraud by providing bad information.
I have no real contention with the rest of your statements, just this one.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
So fucking what?!
Are you so hung up on the concept of karma that you can't stand the idea of someone gaining it?
Fuck you. The post is ON TOPIC and INSIGHTFUL. It doesn't matter if it was or was not original.
It is YOU who should be modded down. Asshole.
Rather than concentrate on more and more extreme punishments, maybe we should concentrate our resources on more and more effective ways of catching fraudsters? Y'think?
Apparently I have to wait another couple of minutes before posting this, so on another subject: why oh why oh why are CD players so big? I mean, with the latest codecs, you ought to be able to store much much longer audio streams on those tiny little CDs you can fit in your pocket. So why not start making more portable CDs like that and standardize on a format and codec?
And what's the deal with all those endings for Lord of the Rings: Return of the King? Some of us had to go for a pee for crying out loud. Did any of them add any value to the film whatsoever? No, so why include them? And is the rumour true that the Special Edition Extended DVD version of Return of the King will be essentially the same film only with another three hours of endings tacked on to the end?
Given that there are two posts further up that have both been modded up to +4 and +5 that are blatant reposts of other people's works, it's hardly surprising that he thought he could get away with it.
While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).
Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.
Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.
After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)
in most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. (These cards have all kinds of witty security features to make them really hard to counterfeit.)
Even though this looks like a copy, I'll respond.
I am a French citizen. I have a CARTE NATIONALE D'IDENTITE, which consists of a photograph attached with 2 rivets to a cheap paper and a bad stamp. With this document I can enter France (and most of the EU), and it's trivial to forge this document.
Lesson 1: no-one likes a smart-alec.
Lesson 2: no-one likes the person who points out faults in their system.
Lesson 3: no one is interested in the truth/optimal performance.
Lesson 4: EVERYTHING IS ABOUT POLITICS (this is the capital rule).
So please, for your own sake, shut the fuck up and kiss the dean's ass (or donate big bucks) if you wish to accomplish something.
Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure" by Carl Ellison and Bruce Schneier
Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI. (source)
Most people like fast content and often overlook security. Hell eBay out of all sites, billions in transactions, and SSL is an option! How sickening is that.
MoFscker
Being a copy isn't a bad thing in itself. Copying someone else's post and re-posting it as your own is plagiarism. I think most people on Slashdot would agree THAT is a bad thing.
Get a fucking life, freak.
I generally like the options for moderating on Slashdot, but we really need a -1 Plagiarism moderation for posts like the parent. The parent post as well as several others under this article are being copied from a previous Slashdot article on identity theft. These accounts will be used for trolling at Score:2 later on if people keep modding them up.
THAT's pathetic.
I will keep modding these guys up because they are not offtopic, trolls or flamebaits.
The problem in America is that once you have someone's social security number you can pretty much do anything. You are most of the way to owning their identity. Most banks only require you to recite your SSN before you enter any transaction. This is already a huge security hole, but is becoming larger as more and more services ask for the SSN to help identify someone. It was impossible for me to get a cell phone in California 6 years ago without using my SSN for example. The more people have this info, the easier it is for it to get into the wrong hands. The banking system is really to blame. A SSN should NOT be used as a way to authenticate someone. A SSN is simply the same as someone's name. Everyone should have something like a cryptokey which we were given at DEC. When you contact your bank you could first give them your name, they would send you a challenge, which you could enter into your cryptokey, and would return its response. Since the challenge would always be different, even the employee of the bank would not be able to do anything with that information. The problem is glaring. The solution is obvious. Banks should really be held responsible for not coming up with a solution to this.
People are getting lazier, as people get lazier security goes down, deal with it.
poeple arenot geeting lazy! their just..aw fuck it.
No they don't.
I always thought you Americans had to show a reasonable amount of documentation when opening a bank account, to prove that you were *you*
I have to say that I am English, not American, so I could be talking rubbish (which is not unknown...)
Wired has a rather old article about this, and i remember doing some project work for a large US bank in London for this. No idea if anything came of it though.
(Of course, by the sound of it, from the parent poster, nothing much did come of it)
The best is the enemy of the good
Banks here (Canada) have digitized reproductions of the original account owner's signature. How far away are we from having a face image in the database?
And will this generate more of that face-ripping-off crime?
Feeding trolls is bad.
Well, I am a bit out of date, the last time I opened a US bank account was in the fall of 1998, which is before the publication of that article. (The account is still open, though!)
However, I don't get the impression that things have changed. Whenever I complain about how much crap you have to go through to open an account in France, and how it takes roughly 10 minutes with no paperwork in the US, nobody has ever jumped up and said, "Wait, that's not true, I opened an account last month and I had to...."
I don't think that such a system would be very practical, because there are quite a number of people who (legally) exist in the US without any ID at all. If you don't drive and don't travel outside the country, you can get away without having one. Suddenly requiring all of these people to get ID just to have a bank account would make a lot of people angry. There have been efforts to require ID to vote, and it has made a lot of people angry exactly because of that.
But I also could be wrong. Although I'm American, I haven't been involved enough in the American financial system to be anything remotely approaching authoritative.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
If this is a plagiarized post, then nuke-mod him. Still, a plagiarized post about identity theft is mildly funny, and certainly ironic.
One line blog. I hear that they're called Twitters now.
I think Dead Kennedys said it best with: Give me convenience or give me death...
Bah.
This is the same as the morons that are happy about the fact that the police in my area cannot get into a high speed chase unless they are in pursuit of someone who is in the commission of a felony. Well, guess what kiddies; fleeing and eluding is a felony in itself and will thus warrant a high speed chase.
The bottom line is that it's very easy to talk smack on the internet but I can assure you that if a cop asked for your ID...you damned sure would hand it over.
"The strong will do what they want, the weak will do what they must."
-Thucydides
PATRIOT Act (yes, that one) requires banks to verify the identity of people before opening bank accounts.
as they have a SSL certificate, they just 302 you instead of processing the login then 302 you
but i guess programmers know best right ?
Well, until you get arrested for not producing identification, at which point in time the cop will remove your ID from your wallet so that he can get your identity. Basically, the cop has a suspicion that you may be involved in something and requests that you provide identification.
That depends on your local laws. In my country, (not the US) the police can ask for ID, but you do not have to provide it unless you are under arrest. As well, no law requires you to carry ID with you all the time. I am not a US lawyer, but I believe it's the same in the US.
In some countries, you are required to carry ID. It is a crime to NOT carry ID and provide it when asked.
Funny, both those documents said the user's client would display a big red warning saying: "HEY DUMBASS, THERE IS SOMETHING WRONG WITH THE SERVER'S KEY." It isn't the protocol's problem if the user doesn't understand basic security and will ignore warnings.
So because one crappy browser has a bug which may potentially be exploited, we should forget about using SSL for security? Whatever you say.
BTW, I check the cert every time I log into an important site, though an IE bug won't affect me because I use that other crappy dragon browser (for HTTPS anyway, I use Dillo for most everything else.)
I don't know what the AC's problem was (Troll? LJ is just a blog site, and the article even said the main problem was users giving away their passwords), but it is stupid to say some javascript code is as secure as SSL. Especially using windows troll logic--"there is a potential hole in X, so it negates the tonnes of glaring holes in my favorite Y. Y is clearly better." It may be more secure than nothing, but don't just make crap up.
Maybe you should've pointed out Master Fitzpatrick already said he was working on it and asked the AC troll why it wanted to break into 14 year old girl's blog accounts anyway. ;-)
Most banks only require you to recite your SSN before you enter any transaction
damn.. i love sweden. everyone has an identity card; no photo = no identity card. you cannot do anything without your identity card; everything is based around your personal number (like social security id), but, if you want to do anything serious/transaction/bank stuff/use credit card - you have to flash that lovely little bit of plastic.
no problems with identity theft here. oh well.
LOL.
slashdot...
check one of the last comments by him, there's an offtopic discussion on how he's a bit of a troll.
Only case of identity theft that I've heard of was one of the customers at the bank I work at. He did all the investigation himself and figured out how to steal his own identity. Turns out, he ended up calling the guy that stole his identity as the cops were on his front door. Yet again we see that to get anything done in the American legal system, you have to be anti-American and get up off your ass to do it yourself.
~mingust
it sure as hell looks pretty trivial to forge an ID card... but, it does bring some security.
However... i had to cancel a few cards at the bank, and they asked me for no ID. I had to renew my drivers license, and no ID again. So, all of those who are crying about loss of freedom, it's not a big deal. In Portugal, police can take you in for identification if you can't provide it, but that's it.
And about mailboxes... they're not that safe... i open mine with an old bicycle lock key...
it's copying.
Ben
Work Safe Porn
The patriot act has solved some of the problems associated with identity theft, as banks now have more information about their customers. Regardless if this is a violation of personal privacy or not. Working in a bank, I often check to make sure the phone number being called from is one that matches an account or ask other information than a social security number. The most important method of identification is the personal relationship at a bank though. If you don't want your information stolen, find an employee that's been with the bank for a long time and deal only with that person. I know when I transferred locations, it was a very foreign atmosphere to me and people were upset when I'd ask them for ID because I did not yet know them. The many many cases of identity theft are also due to people giving out their own information to scams, not leakage from corporate sources. I can't count the number of pay stubs that are discarded without being shredded each Friday. Each one often has a SSN, as well as other personal identifying information.
~mingust
I'm a little wary of some of these social network tools, because social network information is incredibly valuable & sensitive. Putting my info onto Friendster seems like yielding too much of my privacy, and I guess I also don't see the payoff. In direct personal relationships, my liability is limited both in scope and in time. If I meet a vicious sociopath, there's only so much he can do, he can pretty much only get me without a lot more work, and I'm mostly vulnerable to him only when I'm nearby.
Now let's say some bad guy gets the Friendster data. How hard can that be, considering how poor data protection in general is? The marvelous thing about data security is that once the data is loose, it could go anywhere. After all information wants to be distributed on SPAM CDs.
The bad guy could be a blackmailer, or perhaps just a law & order type who believes in guilt by association, or a politician and suddenly one of my friends is on an enemies list.
It was horrifying when we heard that the Colombian cartels were getting telco records, and murdering people based on them. This is similarly sensitive information.
One friend suggested that I join up anonymously if I was uncomfortable with the privacy issues of Friendster. Unfortunately, I've still compromised the privacy of everyone else on my list, and anyone who was interested could fairly easily interpolate my identity based on all the other data that is valid. That's a side effect of one of the coolest things about Friendster. People can fake accounts, but it has little effect, because the fakes won't go anywhere much.
Sure, probably nobody will come looking for me, but I lock my doors at night anyway.
I do know people who wouldn't have gotten certain jobs if their network of friends was known.
Assembly is the reverse of disassembly.
ID theft in Europe is about the same rate as in the US, it's just that there are nearly 0 prosecutions so unlike in the US where 1 in 7000 get caught, it's more like one in a million.
I can tell you why banks want ID for their customers, even for a checking account.
Last year, someone opened two checking accounts using my name: one in Cyprus and one in Germany. Then they broke into my E*TRADE account and wired all the money from "me@etrade" to "me@bank-of-cyprus" and "me@some-german-bank".
E*TRADE got all the money back but it sure ruined my month. And now I have instructions on all my bank and brokerage accounts: "no outgoing wire transfers. Ever."
The point is that a bank account accepts deposit and wire transfers, which the bank then acts to collect on behalf of the customer. That's why banks want proof of identity just to open an account.
What's the point? I mean, if they've only got a 1 in 7,000 chance of getting caught, then how good is any deterrent going to be?
7,000 crimes does not imply 7,000 criminals. The risk for an individual criminal is the added risks for all his crimes.
... the empty set!
A few years ago, PA tried to sell its drivers licence database (including digital pictures) to some Florida company for about $100M. At the last minute, common sense whacked the state government in the head and the deal was called off. They basically wanted the cash.
We aren't that far off from the face images in company databases.
/ \
\ / ASCII ribbon campaign for peace
x
/ \
Face-ripping-off; that hurts!
If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it?
:)
Well, if it's an interest bearing account, then the IRS may want to know about it, since IIRC, dividends are taxable income (though with current rates, it's not very much).
Also, the bank wants to know it's you, so that when you come back later for your money, they can still verify it's you
Finally, there's the crime issue. Criminals would love to be able to just store their money under any name, as that would make it much harder for the authorities to find it.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
YourReputation.com (https://www.yourreputation.com) is another real-world social network type of site that doesn't have such flaws. It uses SSL for its logins, and third-party, commercial-grade identity verification before people can post. We believe this is the type of service all social network sites should switch to, to protect their userbase.
Show your love for the Hacker community
HackerLogo.com
Anyone who cares about security should setup their own site for their community and close it down and have it use SSL. This way it's also not such a big strain on CPU as this is only for a few people.
In addition you set the policy and shouldn't let anyone else in, so your posts can't be leaked. (Though you should be prepared for it, as anything that is on an internet-connected device has to be considered in-danger)
In addition I'm still not sure why people and businesses still use _unsigned_ and _unencrypted_ mails. If mails would be signed from the merchant or journal site it would be much easier to catch fake mails! How hard can it be?
These cards can't be faked? We've seen perfect fake IDs (Drivers' Licenses) here in the States.
I wouldn't go assuming they're all men...
Consider the fact that it's just as easy to get such sensitive information by installing spy cam or hidden microphone in your home, through your friends, etc with or without SSL.
Online or offline, there's always a trade-off between convenience and security and these sites are no exception. SSL tends to be slower because it requires more round trips between the server and client, much more processing power, etc and sites know that performance affects their popularity.
The rule of thumb should be: get informed about how easy it is for someone to hijack information you put on any social networking site and don't put it there if you think someone may be sufficiently motivated to do so in your own case.
One thing social networking sites can do is provide higher security, including SSL, to those that need it and perhaps charge them more. Besides the free e-mail providers like Yahoo and Hotmail have a similar problem to solve on a much larger scale!
Jean-Luc Vaillant, VP Engineering, LinkedIn
Credit card providers, at least in the USA, provide address and name checking. When you did this, where was your credit card bill being sent to?
If this is a checking account, you have the possibility to overdraw it. Eurocheques have a maximum guaranteed amount, so the bank cannot really bounce them... The bank must protect itself against customers who open a checking account, deliberately overdraw it, and run.
Say no to software patents.