Slashdot Mirror


Identity Theft and Social Networks

scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"

5 of 190 comments

  1. disposable CC numbers by aaandre · Score: 3, Informative

    Citibank provides disposable CC numbers for one time use only, or for use with only one merchant (i.e. subscription).

    You log on to their web site with your account info and gener... Oh, wait...

  2. Article Slant by bradfitz · Score: 5, Informative

    I'm Brad Fitzpatrick, from LiveJournal.

    The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"

    Things we talked about that she decided to ignore in her article:

    -- We've been working on challenge/response logins in JavaScript so passwords don't go in the clear. It's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. It'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her... this is a _security_ reporter?)

    -- We never said SSL wasn't important or security wasn't a priority. We told her it HAS BEEN a priority, but performance stuff keeps getting in the way. In fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. We just told her that it's hard to do right when you have a shitload of servers.

    -- We let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated.

    -- We don't let users do any major action (like, oh, change the account's password) without the original password.

    -- We have many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. And you know what? It's not because of SSL... it's because of people just being plain dumb/trusting/gullible. SSL isn't a magic security wand.

    Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.

    1. Re:Article Slant by metalpet · Score: 3, Informative

      Yeah, journalists with an agenda are a bit evil, but it's not all bad:
      - LJ gains some exposure from this
      - real security folks reading over this most likely won't feel LiveJournal is that far behind. Half of the complaints in the article are generic (phishing, impact of social networks on an account compromise), and the other half is mild (there might be XSS there, just like anywhere else), or unreasonable (what? you're sending session cookies over a non-SSL connection? how dare you!)

      Brad, I'd suggest you post a copy of your reply at this url:
      http://securityfocus.com/cgi-bin/sfonline/forms/comment_form.pl?section=news&id=7739
      SecurityFocus happens to have a fairly visible forum system, you might as well use it.

  3. Re:Compare with Europe by HeghmoH · Score: 3, Informative

    I don't know what the bank example is doing in your list. If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it? A bank account alone doesn't get me very far. Now, if I were to start taking out loans and so on, things get stickier, but if I just want a checking account, I shouldn't have to make an appointment a week in advance, then show up and have to show identity, proof of residency, proof of address, proof of salary, and on and on and on. (This isn't made up, I actually had to do this.) When I last opened a bank account in the US, which was a while ago, they basically asked for my money. I like this. There isn't really an opportunity for fraud by providing bad information.

    I have no real contention with the rest of your statements, just this one.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!

  4. Re:Even with SSL by netjeff · Score: 4, Informative

    SSL connections are vulnerable to MiTM attacks [...] In a dorm or corporate LAN environment, all it takes is one trojaned laptop running a sniffer, and all your CC numbers are belong to us.

    A trojaned laptop running a sniffer is not a man-in-the-middle (MiTM) attack. SSL is safe against sniffers. For MiTM, you need to compromise a router/switch. Or else compromise a proxy that the network requires you to use for external web-access.