
http://www.tradingmarkets.com/.site/news/Stock%20News/2432093/

 

http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=218200003

An interesting comparison and contrast of the three offerings, though oddly enough Ping seems to be fairly well behind the other two, on the surface of it.

 

If you are still in the misguided camp of those who think that OTPs (one-time passwords) are the be-all and end-all of online security, then you may find this information interesting.  Of course this particular instance is not the first case of OTPs being successfully attacked; Citibank and Nordea Bank both suffered reasonably well covered attacks a couple of years ago.  Now the same man-in-the-middle technique is being applied to the lucrative virtual gold / goods market of the game World of Warcraft.

You can read about it, if you want, on the World of Warcraft related site WoW.com:  “An Interview With a Scammer”.  You may not find the entire article interesting, so you can cut right to the part about OTPs by searching on “authenticator”, as this is part of the branded name Blizzard (creators of WoW) has given to their OTP, the “Blizzard Authenticator”.  If you’re uninterested in the article, here’s the money quote:

Interviewer:  Do you have a way to get around the Authenticator?
Scammer:  Actually yes. For the very FIRST login, I can get around it. So I have to change the password then or make a quick clean sweep of the account.

Interviewer:  Ah, how do you do it?
Scammer:  Just enter the Authenticator code they put into my site.

So a couple of points I’d like to make that I’ve made in the past:

  1. On the internet, where things happen in milliseconds, a 30 or 60 second OTP validity window is a very long time.  A phishing page only has to forward what you typed to the real site before the code expires.
  2. Only one compromise of an account is needed to ruin your day and make the scammer richer.  The code being single-use does not help you; it just means the scammer has to do his damage (or change the password) in that first session.
  3. Consequently, OTPs aren’t really all that good at protecting you when logging into a website, because the website is exactly where a phishing page can stand in for the real thing.
  4. OTPs can be solid protection when used in conjunction with a thick client such as an IPSec VPN client or, in this particular case, the WoW game client.  This is because it is much tougher to gain enough access to a PC to steal your keystrokes outside a browser in real time than it is to capture a field you type into inside a browser.

Which is why I bought a Blizzard Authenticator ($6.50) as soon as I could get my hands on one, and why I try never to log into my account from a browser; when I do, I am very, very careful.  I only do so from a machine that I protect jealously, and by typing the worldofwarcraft.com URL in myself.

So OTPs do have a place and can be of some value if you understand the risk, but do not fool yourself into thinking that because you are using an OTP you are bulletproof.
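To make the scammer’s answer above concrete, here is a small simulation of the relay attack.  It is an added example, not code from the WoW.com interview or from Blizzard: the page says nothing about the Authenticator’s internals, so a standard RFC 6238-style TOTP (HMAC-SHA1, 30-second step, six digits) is assumed, and the secret, the password “hunter2” and the timestamps are constructed for the demo.  The phishing site forwards the victim’s code to the real server within the window and gets in; trying the same code again, or after the window has rolled over, fails, which is exactly why the scammer says he can only get around it for the very first login.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real authenticator seed would be provisioned
# by the service, not hard-coded.  RFC 6238 TOTP parameters are assumed.
SECRET = b"demo-seed-not-a-real-key"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, now: float, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based OTP: HMAC-SHA1 over the current time step, dynamically truncated."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class AccountServer:
    """The legitimate login service.  A valid code for the current window is
    accepted exactly once; the window is then remembered so a replay fails."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_windows = set()

    def login(self, password: str, code: str, now: float) -> bool:
        if password != "hunter2":                 # constructed demo password
            return False
        window = int(now // STEP_SECONDS)
        if window in self.used_windows:           # OTP already consumed
            return False
        if not hmac.compare_digest(code, totp(self.secret, now)):
            return False
        self.used_windows.add(window)
        return True


class PhishingSite:
    """The scammer's fake login page.  Whatever the victim types is relayed to
    the real server right away, comfortably inside the 30 s validity window."""

    def __init__(self, real_server: AccountServer):
        self.real_server = real_server
        self.captured = None

    def victim_submits(self, password: str, code: str, now: float) -> bool:
        self.captured = (password, code)
        # The relay takes milliseconds; the code is still valid on arrival.
        return self.real_server.login(password, code, now + 0.2)

    def replay(self, now: float) -> bool:
        """Reuse the captured code later: one-time, so the server rejects it."""
        password, code = self.captured
        return self.real_server.login(password, code, now)


def run_demo(now: float):
    """Returns (relayed login succeeded, same-window replay succeeded,
    next-window replay succeeded)."""
    server = AccountServer(SECRET)
    phish = PhishingSite(server)
    victim_code = totp(SECRET, now)               # read off the authenticator
    first = phish.victim_submits("hunter2", victim_code, now)
    replay_same_window = phish.replay(now + 5)
    replay_next_window = phish.replay(now + STEP_SECONDS + 5)
    return first, replay_same_window, replay_next_window


if __name__ == "__main__":
    print(run_demo(1_200_000_000.0))              # (True, False, False)
```

The thing to notice is that nothing in the protocol lets the real server tell the relayed submission apart from the victim typing the code in directly: the code is bound to a time window, not to the site the user thinks they are talking to.  That is the whole reason point 1 above matters.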

 

Facebook First Big Site To Really Embrace OpenID
Finally an announcement in the OpenID world about an RP (relying party)!  Everyone wants to rule the world as an IP (identity provider), but no one (that matters) wants to reciprocate.  Guess I can’t say that anymore, as FB certainly matters (for now).

How to Spot a Fake Census Worker
Remember, if anyone says, “I’m from the government and I’m here to help”… Don’t believe it and you should probably be plotting a run for your gun!

MLB Nearing $1 Million in iPhone Revenue
Content is king, and it’s funny how, if you provide anything of value, users have no problem finding, downloading, using and even paying for a special “thick” client.

Reinventing the Book in the Age of the Web
I’d buy a Kindle tomorrow if 1) it did ANYTHING else, or 2) it cost closer to $250.  I can’t see spending much more on a book reader than I would for a large MP3 player, a PSP or a DS.

Panda introduces cloud-based free antivirus
Increasingly there is no need to be paying for anti-virus.  If your ISP doesn’t give you a copy for free, then investigate the other free alternatives, of which this is just the most recent.

 

Funny that discussions around identity systems always come back to analogies with payment systems, such as this post wishing OpenID to be the next Visa.  Similar to my thoughts on looking for Identity’s version of PayPal, though I don’t think OpenID as an organization has any hope in Hades of becoming the Visa of Identity.  Someone may use OpenID as a spec to build the Visa of Identity, but even that is doubtful given its current security model.

The problem holding any such system back from emerging is the lack of an underlying liability infrastructure, so that everyone knows who is taking what risks and who gets screwed when the excrement hits the fan at any given stage.  The banks formed Visa and signed onto a rule-set that was then taken and marketed to merchants and customers, who signed up for their various parts, including risk exposure, penalties, etc.  PayPal came along and, while they did offer their own guarantees and manage their own risk, they really rode the pre-existing liability infrastructures of Visa, Mastercard, etc.

So where does a wannabe emergent identity system get an existing liability infrastructure from which to launch to victory?  Who vets and backs online identities tied to actual, legally prosecutable individuals across more than one system that isn’t tied to a payment instrument?  I can’t think of any.  Everyone that wants my business, or would have potential cause to pursue me for some type of fraud, requests a payment device from me: my credit card number, bank account number, etc.

AaaHa!  So the banks should be the ones that issue my identity… uh wait a minute.  Banks are slow, uninnovative, fraidy-cats, which is why PayPal got to be what it is.

Yeah, so there we are.  Back to square one.  Perhaps Facebook Connect will lead the way, but they will have to do a significantly better job of vetting users’ identities.  I’m not sure about you, but I’ve got several Facebook accounts.  Which one is the actual me?  Or are they all?  Does it matter for an identity system?  Probably, given that the main purpose of an identity system is to smooth the path to various forms of e-commerce.

Dang!  Back to payment again!

 

I ran across the post “OpenID, Information Cards, and Passwords” in my newsreader, which then led me to the original article, “Goodbye, Passwords. You Aren’t a Good Defense”, as well as a bunch of other responses to the Goodbye article by Kim Cameron, Axel Nennker and Dave Kearns.

Great posts and all of this is marvelous commentary on all that is wrong, what exists but isn’t enough and the remaining challenges, but are the players with the technology and know-how just going to sit by and let something coalesce out of the chaos?  Do they have a choice?  All the big players have a reason to hark back to the MS Passport / Hailstorm days and shiver, but what about the little guys with nothing to lose, but some sleep and VC money? 

Users are aware of the problems and looking for solutions.  One community alone is keeping the virtual shelves bare of even the hated OTP over at the Blizzard store* trying to protect their virtual loot in WoW.  I haven’t been able to order one, though I’ve been checking multiple times a day over the last month. You know from my previous posts, that I have an unnatural hatred of OTPs, yet I’m eager to get one for this very specific, non-single sign-on situation.

Do people really want a digital readout thing-a-ma-bob?  Not even with Blizzard stamped on it.  Do they want to make dang sure that their stuff doesn’t go missing as is happening with great frequency to their friends, even the supposedly security savvy? (no, it hasn’t happened to me <grin>).  Clearly, yes. 

Combine this article with today’s news about the various worms running through the Facebook and MySpace communities: wouldn’t we expect these communities to react with the same vigor as the WoW folks?  Sure, there may not be as many virtual goodies to be stolen, but these sites reportedly thrive on something more important… my reputation with my friends and their friends and their… yeah, the social net thing.  However, regardless of the supposed Data Portability announcements, with some fuzzy commentary about “trusted authentication” among third parties, where are the true security-related announcements?

The majority of these attacks start at the same place and the stories all begin with the same phrase:  “With the compromised credentials, the attacker… [insert virtual violation technique here]“.  As the MythBusters often exclaim whilst smacking their foreheads, “well THERE’s your problem!”.  If Startup X showed up tomorrow and gave users easy to use, very, very difficult to compromise credentials, that worked for even just the top 50% of sites they want security for, would they use it?  That question, along with “what would they pay?” are the two questions I always hear as the discussion killer by the jaded. 

But think how much happier users and vendors would be in the Blizzard Authenticator case if the solution were software based and not bound by the availability of what is apparently a strongly sought after physical item at $6.50 each.  That’s just for one site that 10+ million people care about.  Oh, that’s right, those OTPs can’t be purchased outside the U.S., so the number of users keeping them in short supply is well south of 10 million.  Imagine then that your software-only solution would truly be available to the global community, and with significantly better margins than a physical device.  Getting anyone’s attention yet?

Is authentication enough to really generate strong numbers?  I think that it would, but consider if the credential were of a significantly powerful variety to provide functionality beyond authentication.  Then that brings in both fence-sitters and entirely new groups of users with different security and / or business interests.  Folks, there’s enough technology out there already available (with some about to make an appearance that I’ll chat about here when it is ready for public announcement) to put together a very compelling, game-changing and revenue generating service. 

Before you say, “No one would ever trust a startup / new entrant enough to permit the creation of an uber-powerful identity provider”, remember that is exactly what the banks and their blinder-wearing service providers said while PayPal came in and ate their lunch.  Funny that in the “Goodbye, Passwords” article, PayPal is properly called out as one of the key players in deciding what is and isn’t secure enough in Web 2.0 and beyond.

==========================================================

 * Loading the Blizzard store is still problematic as fans crush it for Blizzcon tickets as of 8/12/08.

 

As I discussed in ID Theft Confusion, I’m much more concerned about ID theft than I am about any number of fraudulent uses of my stolen account information.  This story, “ID Theft – After-shock review”, and the report it references, “Identity Theft: The Aftermath 2007”, should help convince you to be equally concerned, to understand the difference, and to take steps to protect against ID theft.

 

This is what I posted over at Web Worker Daily in response to a great post by Mike Gunderloy, “OpenID: A Contrarian View”.

I have to confess that, as closely as I follow and often espouse the value of OpenID, I’m a complete hypocrite, as I don’t use it day-to-day. I like OpenID more as a demonstration of what we need than as an actual solution to that need. I play with some of the IPs’ offerings, waiting to see if someone is going to offer a secure IP solution with additional security services of real value. That being said, I’ll comment on the three points:

1) I do need “it”, with “it” being defined as simple single sign-on. Today I’m one of those Roboform-aholics, using it to fulfill that very real need. However, keeping Roboform or any other thick client solution synched up across several PCs and my mobile device is not fun. I’d love to have Roboform Online (or equivalent), retaining my full control and with some solid security.

2) I completely agree, a universal solution is a must and any OpenID IP would be well-served to take into account non-OpenID site support.

3) I don’t trust it, and neither does anyone that’s been paying attention to the plethora of articles, papers and demos. That’s why the predominant use is for non-critical applications. OpenID is an SSO protocol without any security model. That’s fine, just so long as OpenID proponents don’t try to argue otherwise. Security needs to be added, either as part of a service offering or at another protocol layer over which OpenID travels.

Phew, nice to get that out in the open! I feel internal hypocrisy levels falling…

 

While reading the article, “Brits risk card fraud with slack security“, I was struck again by the confusion around the various types of fraud and what falls into the bin of “identity theft”.  The article holds no surprises for anyone that’s ever watched the general public interact with their cards on and offline.  Hence, it really isn’t worth reading, but hey, I gotta keep up and wading through some of this drivel is necessary.

The paragraph that raised my ire and prompted this post is:

A third of those surveyed by Which? said money had been fraudulently taken from their credit card or bank account. However the “vast majority” got all the stolen money back. The consumer group says this seems to suggest that ID theft insurance is “unnecessary for most people”.

At first reading I blamed the journalist for being a moron, then realized they were just channeling the stupidity of the “consumer group” representative.  Since when is my money my identity?  I have long said that I’d much rather a crook got into my account of whatever type and ran up $3,000 worth of fun for themselves.  There are lots of protections for me to get my money back, but even if there weren’t, I’d much rather be out $3,000 than have that same crook steal enough identity data to go open brand new accounts with my name on them.  In the first theft, I’m out $3,000.  In the second theft, I’m out lots and lots of money, hours and sleep, with lawyers involved, etc.  I’ve experienced the stolen card number case and really, that has been completely painless (thanks AmEx).  I definitely fear having my identity misappropriated (you can’t really steal it, just abuse the heck out of it) and having my credit ruined, with all the subsequent pains that follow.

It is completely irrational to state that because banks protect their users by reimbursing them for fraudulent account use that users shouldn’t protect themselves from a significantly higher impact theft with equally significant costs.

 

Got this in an email for posting up my picture of Phormtaiqr on Spock.com:

“Spock users have flagged and deleted a picture which you contributed to Tim Renshaw’s search result. Flagging and deletion occurs for a number of reasons. Sometimes it is because information is factually incorrect, sometimes it is because contributions are inappropriate. For more information please visit our community guidelines.”

I have reviewed the community guidelines and am not sure why my picture was removed.  It was not a picture involving nudity, it was not copyrighted (indeed Blizzard is quite happy to have me promote World of Warcraft by spreading my in-game image hither and yon) and it is indeed a picture of me that many of my friends will know as me.  The “me” is from an online game, actually the online game / community World of Warcraft, through which I have met many people, and this picture is the only “me” they have ever seen.

I suggest that Spock review their own community guidelines to ascertain what they are going to define as “me” and “my identity”.  This will of course have non-trivial impacts on what reputation of “mine” they are defining.  If the site is only going to work on purely “real me” identities, that’s fine, but I believe that really sells the site’s reputation possibilities short.  Reputation matters a great deal to me in virtual spaces.  One of the core ideas behind forming Clans and Guilds in virtual worlds is around the idea of reputation.  Anyone who has put on a headset and ventured into Halo on Xbox 360 knows that you don’t want to just hang out and play with just any schlub online.

I continue to watch Spock with a level of interest, but I don’t believe they’re allowing themselves enough breadth and interconnectivity to all that defines “me” online, such that my reputation can really be meaningful across all the various entities representing me online.

© 2012 Who is Hahleq? Suffusion theme by Sayontan Sinha