Identity Theft and Social Networks
scubacuda writes "This Security Focus article looks at the lack of security social network sites have, particularly their lack of SSL logins, which means a user's session ID will be logged on any proxy and possibly sniffed. From the article: '[A]ccording to [Clay] Shirky, one thing is certain: "The value of each site is communally-created. Links and transactions are more important than individuals." In other words, each community creates its own kind of value. Thus, an attacker might hit Tribe to farm social networks for spam victims; and then he might exploit LinkedIn to get the contact information for a VC he wants to meet.'"
Guess it doesn't matter if you just stay anonymous.
...it is rather scary how little attention people pay to security. The article even states: "...site performance is our highest priority, and SSL is a pain." While it can be costly to set up security (ie, paying security consultants ;) ), if done right from the start it is less expensive than trying to fit it in after the fact.
It is certainly less expensive than having your site hacked and/or having users leave when people post their private thoughts publicly!
libertarianswag.com
Oh, wait...
I was a victim of identity theft once and made a police complaint, an FTC complaint, etc. They all said that it was unlikely anyone would ever be caught. Haven't heard anything for 2 years now. They need to start castrating identity thieves... it's getting out of hand.
One friend feared that she might lose her job when a private entry about problems with her supervisor was made public
Rule 1:
If you want to keep something confidential, don't post it on a free website.
If they aren't using SSL, they are basically saying they don't value privacy the way you value your privacy.
Duh. Unless you use encryption, almost anything you send on the internet can be intercepted. Conduct yourself accordingly.
you're far from safe. SSL connections are vulnerable to MiTM attacks - we saw this with M$ Passport, hotmail etc. The only solution to these problems, is for people (ie the average user of /.) to realise that anything they transmit over the net is sniffable with a little effort.
In a dorm or corporate lan environment, all it takes is one trojaned laptop running a sniffer, and all your CC numbers are belong to us.
GNAA!
All the more reason to allow "anonymous", one-time use of purchased credits.
Like phone cards - pay cash and use it online as you wish without easy tracking.
Believe it or not, there are a lot of people online that don't have credit cards but would like to buy stuff over the internet (or people that *have* credit cards but are afraid to expose their information).
Yeah, some people are going to bring up the "you are only liable for fifty bucks, anyway" issue.
- There are people who participate in identity theft via any means possible, because that's the life they lead.
- Social security numbers in and of themselves ARE the vulnerable entry point because the information flow to and from them is bidirectional.
The only possible suggestion here is the same one that's been played over and over on the record entitled "keeping your information safe for dummies," which is "use caution and reason in any transaction you make."
-- http://www.criticalassets.com
In "The Cuckoo's Egg", one of Cliff Stoll's key points was that the more secure a network becomes, the less useful it is to its users, because it becomes more inconvenient to work with. In a network where the entire idea is to exchange "personal" data such as contact info, then restrictions placed to enforce good security have a way of reducing the value of the network.
But without such security, you have a "tragedy of the commons" type effect where the greedy among us abuse the good nature of others, again, reducing the value of the network.
Seems like a rather immutable Catch-22 to me...
Blogging Weight Loss, Distance Education, and more at verlin.com
It saddens me that nothing will be done until some poor fella pays very dear when someone finds the motivation to sue, gets a good lawyer and wins big.
It seems that in most things related to security, and not only virtual security, people don't start taking measures until something bad happens and they are made to pay for it...
What do we expect anyway, common sense is the less common of senses..
... and God saw that Linux was good... Genesis 99.666
Nothing to do with laziness. SSL adds extra strain on the system. It's cheaper to not use it. And I really don't see the need for SSL on LiveJournal... it's a journal site, not a bank account.
Most community sites seem to be local run affairs by the kid down the hall in his spare time, not by those with the money to spend on SSL certs. That, and given the value of the Internet is to allow people to connect in new ways unencumbered by worrying how to pay for it suggests that the problem here is not how to provide technically secure transactions.
The problem here is how to create personal security on the Internet. When you're in the mall, gals keep their bags so the flap is on the inside. Guys don't stare at other guys for too long. That is how they are personally secure, not because the mall guards have guns.
So a more interesting question is not "how can you make other people more secure?" but "how do you make yourself more secure?" Publish your results, and best practice will win.
...which cost me >$100, in order to have some password security on the bulletin board I run. phpbb would mail the password out in the clear, and didn't allow you to log in over SSL. It wasn't a big deal to hack it, but I was surprised that it wasn't an option. It may be that more people would use decent security if the software they ran supported it.
An insecure network is useless to this user (for purposes that I deem to be in need of security), no matter how "convenient" it is.
Generally speaking, I wonder how the numbers of people who would refuse to use a given network because it is inconveniently secure compare to the numbers of people who would start using it if it was no longer inconveniently insecure?
Takahashi Rumiko made beats! DON, taku, DON, taku. . .
Indeed. My wife was the victim of identity fraud. The police caught the perp with my wife's ID -- and LET HER GO. She's been stealing cars from rental agencies and running up Sam's Club credit and cell phone bills ever since -- and the cops know who she is, and how much of a scourge she can be...
Post above is copied from one made months ago by a different poster. Please mod accordingly.
Well, yeah, and the idea of real-life face to face social networks is also inherently insecure. The more you interact with other people the greater the chances that one of them (or someone who knows one of them, or happens to eavesdrop on one of them) will take advantage of you. But interacting with other people is not automatically a "bad idea" because of this, and the same is true online. You need to weigh the security risks along with other factors (e.g. the social benefits of networking in this manner, or the amount of critical information that is actually compromised by these risks). I think friendster-style web-based networks are valuable enough that people should see what can be done to make them more secure rather than abandoning them as inherently insecure.
Citibank provides disposable CC numbers for one time use only, or for use with only one merchant (i.e. subscription).
You log on to their web site with your account info and gener... Oh, wait...
On the other hand, I tend to think people who live through their on-line journal / blog need to find a real life.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glenn Beck
I'm Brad Fitzpatrick, from LiveJournal.
The reporter who talked to me obviously wanted a fun slant for her article: "Look at all this insecure crap out there!"
Things we talked about that she decided to ignore in her article:
-- we've been working on challenge/response logins in JavaScript so passwords don't go in the clear. it's like Digest auth but in JS instead. We had this working when we talked to her, and since then it's gone into final user testing on our public test site. it'll probably go live this weekend. (I remember when I talked to her I compared it to HTTP Digest Auth and I had to explain what Digest auth was to her..... this is a _security_ reporter?)
-- we never said SSL wasn't important or security wasn't a priority. we told her it HAS BEEN a priority, but performance stuff keeps getting in the way. in fact, we have SSL stuff working and it's going live at the same time as the challenge/response logins. we just told her that it's hard to do right when you have a shitload of servers.
-- we let users bind their login session to their IP, so damage from cookie theft over non-SSL is mitigated
-- we don't let users do any major action (like, oh, change the account's password) without the original password.
-- we have so many anti-hijacking measures in place to let owners of accounts restore their stolen accounts. and you know what? it's not because of SSL... it's because of people just being plain dumb/trusting/gullible. SSL isn't a magic security wand.
Anyway, please recognize an article on a security site wants a "security's terrible!" slant. Who wants to read an article saying, "Yup, security's pretty good and improving." The security situation isn't as grim as it's made out to be.
To this day, I cannot figure out how to change your eBay password over an SSL connection. Sure, you can login via SSL, but you can't send your new password over SSL.
This kind of defeats the purpose of using SSL. Once it's sent in plaintext, it's not secure.
I don't know what the bank example is doing in your list. If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it? A bank account alone doesn't get me very far. Now, if I were to start taking out loans and so on, things get stickier, but if I just want a checking account, I shouldn't have to make an appointment a week in advance, then show up and have to show identity, proof of residency, proof of address, proof of salary, and on and on and on. (This isn't made-up, I actually had to do this.) When I last opened a bank account in the US, which was a while ago, they basically asked for my money. I like this. There isn't really an opportunity for fraud by providing bad information.
I have no real contention with the rest of your statements, just this one.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
While taking a physics class at the University of Michigan, I was required to sign up for an "online homework" website. It was 30 some dollars, and was considered homework for the class (i.e. you take the class, you sign up and pay).
Sure enough, their Terms of Service require me to prevent others from obtaining my login/password. It goes on to say that if someone steals it, there is basically no way to reverse their actions.
Fine. Except for the fact that after signing up, they immediately e-mail me my password in plaintext. There's no SSL whatsoever on the site, and no way whatsoever to change my password.
After e-mailing the company involved, I was simply informed that the site will not be changed. I complained to both the professor and the University. Apparently no one pays attention to this, or they just don't care enough to do something about it. What else can I do? (besides leave the University, obviously)
In most European countries (except e.g. the UK) every citizen is required to have a national ID card which you show whenever somebody has to be sure of your ID. (These cards have all kinds of witty security features to make them really hard to counterfeit.)
Even though this looks like a copy, I'll respond.
I am a French citizen. I have a CARTE NATIONALE D'IDENTITE, which consists of a photograph attached with 2 rivets to a cheap paper and a bad stamp. With this document I can enter France (and most of the EU), and it's trivial to forge this document.
Oh well... Bruce Schneier's old but well written doc always comes to mind when thinking of this topic: "Ten Risks of PKI: What You're not Being Told about Public Key Infrastructure" by Carl Ellison and Bruce Schneier:
"Computer security has been victim of the "year of the..." syndrome. First it was firewalls, then intrusion detection systems, then VPNs, and now certification authorities (CAs) and public-key infrastructure (PKI). "If you only buy X," the sales pitch goes, "then you will be secure." But reality is never that simple, and that is especially true with PKI." (source)
Most people like fast content and often overlook security. Hell, eBay, of all sites, billions in transactions, and SSL is an option! How sickening is that.
MoFscker
This is the same as the morons that are happy about the fact that the police in my area cannot get into a high speed chase unless they are in pursuit of someone who is in the commission of a felony. Well, guess what kiddies; fleeing and eluding is a felony in itself and will thus warrant a high speed chase.
The bottom line is that it's very easy to talk smack on the internet but I can assure you that if a cop asked for your ID...you damned sure would hand it over.
"The strong will do what they want, the weak will do what they must."
-Thucydides
The posting-bots are only half of it. I'm sure that they keep a large enough stable of minimum use puppet IDs such that some of them always have mod points. (Remember the BBS program Pyroto Mountain? Slashdot reminds me of that sometimes.)
The other day, I noticed a new article had over 50 posts, and all but 10 had been modded down to -1. This must be a real pain for the slashdot crew.
One line blog. I hear that they're called Twitters now.
Funny, both those documents said the user's client would display a big red warning saying: "HEY DUMBASS, THERE IS SOMETHING WRONG WITH THE SERVER'S KEY." It isn't the protocol's problem if the user doesn't understand basic security and will ignore warnings.
So because one crappy browser has a bug which may potentially be exploited, we should forget about using SSL for security? Whatever you say.
BTW, I check the cert every time I log into an important site, though an IE bug won't affect me because I use that other crappy dragon browser (for HTTPS anyway, I use Dillo for most everything else.)
I don't know what the AC's problem was (Troll? LJ is just a blog site, and the article even said the main problem was users giving away their passwords), but it is stupid to say some javascript code is as secure as SSL. Especially using windows troll logic--"there is a potential hole in X, so it negates the tonnes of glaring holes in my favorite Y. Y is clearly better." It may be more secure than nothing, but don't just make crap up.
Maybe you should've pointed out Master Fitzpatrick already said he was working on it and asked the AC troll why it wanted to break into 14-year-old girls' blog accounts anyway. ;-)
Most banks only require you to recite your SSN before you enter any transaction
damn.. I love Sweden. everyone has an identity card; no photo = no identity card. you cannot do anything without your identity card; everything is based around your personal number (like social security id), but, if you want to do anything serious/transaction/bank stuff/use credit card - you have to flash that lovely little bit of plastic.
no problems with identity theft here. oh well.
it sure as hell looks pretty trivial to forge an ID card... but, it does bring some security.
However... I had to cancel a few cards at the bank, and they asked me for no ID. I had to renew my driver's license, and no ID again. So, all of those who are crying about loss of freedom, it's not a big deal. In Portugal, police can take you in for identification if you can't provide it, but that's it.
And about mailboxes... they're not that safe... I open mine with an old bicycle lock key...
I'm a little wary of some of these social network tools, because social network information is incredibly valuable & sensitive. Putting my info onto Friendster seems like yielding too much of my privacy, and I guess I also don't see the payoff. In direct personal relationships, my liability is limited both in scope and in time. If I meet a vicious sociopath, there's only so much he can do, he can pretty much only get me without a lot more work, and I'm mostly vulnerable to him only when I'm nearby.
Now let's say some bad guy gets the Friendster data. How hard can that be, considering how poor data protection in general is? The marvelous thing about data security is that once the data is loose, it could go anywhere. After all information wants to be distributed on SPAM CDs.
The bad guy could be a blackmailer, or perhaps just a law & order type who believes in guilt by association, or a politician and suddenly one of my friends is on an enemies list.
It was horrifying when we heard that the Colombian cartels were getting telco records, and murdering people based on them. This is similarly sensitive information.
One friend suggested that I join up anonymously if I was uncomfortable with the privacy issues of Friendster. Unfortunately, I've still compromised the privacy of everyone else on my list, and anyone who was interested could fairly easily interpolate my identity based on all the other data that is valid. That's a side effect of one of the coolest things about Friendster. People can fake accounts, but it has little effect, because the fakes won't go anywhere much.
Sure, probably nobody will come looking for me, but I lock my doors at night anyway.
I do know people who wouldn't have gotten certain jobs if their network of friends was known.
Assembly is the reverse of disassembly.
If I want to store money in some bank under whatever name I want, why shouldn't I be able to do it?
:)
Well, if it's an interest bearing account, then the IRS may want to know about it, since IIRC, dividends are taxable income (though with current rates, it's not very much).
Also, the bank wants to know it's you, so that when you come back later for your money, they can still verify it's you
Finally, there's the crime issue. Criminals would love to be able to just store their money under any name, as that would make it much harder for the authorities to find it.
"Save the whales, feed the hungry, free the mallocs" -- author unknown
Jean-Luc Vaillant, VP Engineering, LinkedIn