SUMware | How I Stole Someone's Identity
From Scientific American, by Herbert H. Thompson, August 18, 2008 - said by Herbert H. Thompson: As a professor, a software developer and an author I've spent a career in software security. I decided to conduct an experiment to see how vulnerable people's accounts are to mining the Web for information. I asked some of my acquaintances, people I know only casually, if with their permission and under their supervision I could break into their online banking accounts. After a few uncomfortable pauses, some agreed.
Visit above link for full story. |
sobergeorge, Forest Hills, NY | Interesting Read!! |
nwrickert sand groper, Geneva, IL | reply to SUMware I'm not really surprised.
I never did like those "additional security questions" that so many sites require you to answer. It has always seemed to me that they weaken my security. -- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.1 |
justin9876, Keller, TX | reply to SUMware SUMware, thanks for posting. That is a very interesting article. What's really interesting is how easy it was, starting with so little info. I have already sent the members of our computer club the link to the article; I think it will be good reading for them (and their children and perhaps grandchildren).
Thanks again. |
sivran God Save The Suite, Arlington, TX | reply to nwrickert said by nwrickert: I'm not really surprised. I never did like those "additional security questions" that so many sites require you to answer. It has always seemed to me that they weaken my security. They weaken your security if they force you to use personal information for them.
Sites that allow you to make up your own questions and answers have the potential to greatly enhance your account security however. Upon seeing my custom question, I doubt anyone would have any response other than, "WTF?" -- The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause... |
habya, Huntsville, AL (edited August 20th, 02:51PM) | Just because they force a 'personal information' question does not mean you have to answer with personal information.
You are allowed to enter any answer you want, so just make something up you will remember (I've never had one that forced an 'answer', only select questions). Or use a passphrase instead of the actual answer. No less secure than anything else so long as it is hard to guess/crack. I never use real personal information on the security questions and I doubt anyone would be able to guess the answers. -- HABYA HABYA HABYA TEAR DOWN THE HEMP STALKS EAT UP THE OLD MAN AND WOMAN AND CARRY OFF THE LITTLE GIRL MAY YOU DIE ALONE |
sivran God Save The Suite, Arlington, TX | True, but it makes it more likely I'll forget what I made up for that question. |
SnowyOne, Kailua, HI | reply to habya said by habya: Just because they force a 'personal information' question does not mean you have to answer with personal information. That is true. It's the folks who aren't aware of that or use real data that this becomes a real security issue. |
NetFixer From my cold dead hands, Murfreesboro, TN | reply to nwrickert said by nwrickert: I'm not really surprised. I never did like those "additional security questions" that so many sites require you to answer. It has always seemed to me that they weaken my security. For me most of the "additional security questions" have been impossible to answer with any truly personal information because I did not have a "favorite whatever". I also did not have a prayer of remembering the correct what/who answer for the "first whatever/whoever" questions (I am older than dirt, and there are very few "firsts" still accessible in my personal memory bank).
As a result I generally have to fabricate the answers for those questions and put the Q/A information into the same encrypted database that I always use for account credentials. The end result is really no different than if I had used computer generated random questions and answers. -- We can never have enough of nature. We need to witness our own limits transgressed, and some life pasturing freely where we never wander. Test your firewall. |
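An added example of the approach NetFixer and habya describe above (not code from any poster): fabricate random, high-entropy answers for forced "personal" questions and record each question/answer pair as one vault entry for the password manager, while comparing the guessing work against an answer drawn from a small pool of real facts. The word list, site name and questions are constructed for the demonstration.

```python
import json
import math
import secrets

# Constructed 64-word list so each word contributes exactly 6 bits;
# a real vault would draw from a diceware-style list of thousands of words.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gable", "heron",
    "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pumice",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "beacon", "cedar", "delta", "echo", "falcon",
    "garnet", "harbor", "iris", "jade", "kestrel", "lichen", "meadow", "nickel",
    "onyx", "pebble", "quill", "rustic", "summit", "thistle", "upland", "violet",
    "willow", "yonder", "zinc", "amber", "birch", "cinder", "dagger", "eagle",
    "fennel", "glacier", "hazel", "indigo", "jasper", "kite", "lotus", "maple",
]

def guessable_bits(answer_space):
    """Bits of work to guess an answer drawn from a small pool of real facts.
    Example: about 16 common favourite colours is 4 bits, far below any password."""
    return math.log2(answer_space)

def fabricated_answer(words=4, wordlist=WORDLIST):
    """Random answer unrelated to any personal fact, plus its entropy in bits.
    secrets.choice is a CSPRNG, so earlier words reveal nothing about later ones."""
    answer = " ".join(secrets.choice(wordlist) for _ in range(words))
    return answer, words * math.log2(len(wordlist))

def build_vault_entry(site, questions, words=4):
    """Keep question and answer together, to be stored in the encrypted password
    manager next to the site's login, because fabricated answers cannot be recalled."""
    entry = {"site": site, "questions": []}
    for question in questions:
        answer, bits = fabricated_answer(words)
        entry["questions"].append({"question": question, "answer": answer, "bits": bits})
    return entry

if __name__ == "__main__":
    # Constructed site name and two typical forced questions.
    record = build_vault_entry("example-bank", ["Favorite color?", "First pet's name?"])
    print(json.dumps(record, indent=2))
    print("real 'favorite color' answer ~", guessable_bits(16), "bits")
```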
Grail Knight Who Dares Wins, Erie, PA | reply to SUMware Excellent article.
Thanks. -- "Lego Succurro Lima" |
Greg_Z, Springfield, IL | reply to SUMware Why go to all that trouble, when all he had to do was dangle some chocolates in front of her, and she would have spilled her guts. |
traker1001 (@mchsi.com) | I'm not really that impressed; I would be more impressed if he had used a total stranger.
On that note, I use these ideas and tools to reset passwords for clients who forgot their passwords and, amusingly, can't get past the reset questions themselves. You would be surprised at how often this happens. |
exocet_cm Signal 26's Rock, New Orleans, LA | reply to SUMware Makes it sound so easy... |
CoxCable4 Temp banned from BBR more then anyone, PwnZone | Why would her bank account information go to her gmail account?
I get statements sent to my email, but my actual login is separate, and in order to make any changes I need to call up my bank. |
Greg_Z, Springfield, IL | said by CoxCable4: why would her bank account information go to her gmail account? I get statements sent to my email, but my actual login is separate, and in order to make any changes I need to call up my bank. Again, you are asking this why? She is probably one of those who has their password the same as when they started, with it saved in their email or taped under the keyboard.
They are also the same ones who have their PIN number as their birthday or house address. |
GameGuy369, Olathe, KS | reply to SUMware I always try to make my security questions something that is based not only on fact, but on my own personality. One site had you answer 3 separate custom questions to reset the password. I have since changed this, but since I am from Philly...
Question: "Passwords?" Answer: "We're talkin bout passwords?"
*Allen Iverson reference*
I have fun with em. I never use anything that much of anyone would know unless they married me, haha. |
CoxCable4 Temp banned from BBR more then anyone, PwnZone | reply to Greg_Z said by Greg_Z: Again, you are asking this why? She is probably one of those that has their password the same as when they started, with it saved in their email, or taped under the Keyboard. Yeah, but what I'm saying is the bank's password recovery policy is ludicrous. I mean, a single email account? He skipped like 4 steps right there just cuz her bank is n00b |
nil Java Geek | reply to SUMware This is where speaking a foreign language could be quite useful. Who knows which one of the three languages I speak I used to answer my questions... or maybe a combination of more than one! -- Life is too short to be boring |
Greg_Z, Springfield, IL | reply to CoxCable4 Depends on how backwoods the bank is. There are some that have never caught up with the times, and their Online Banking sites look like something from the early dawn of the Internet. |
raythompsontn, Oliver Springs, TN | reply to SUMware OK, so he now has access to her online bank account via the web. What is he going to do? I don't know of a PC yet that can produce money. Have a check issued? Well, that is easily traced. He could check her balance, I suppose. He could see if a check had cleared.
Bottom line is he really got access to very little useful information if cash is the ultimate goal. Having online access is not nearly as good as having the debit card information.
If you really want to be shaken up I will send you a check for $1.00. You deposit the check blindly writing your account number on the back, or kindly placed on the back by the bank. When I get back the image of the check I now have your bank's R/T number and your account number. Now I simply print checks with a bogus name and address with your account number. I can drain your account using these checks. And recovering the funds is much more difficult. |