jm + authentication   26

GitHub - hillbrad/U2FReviews
'Reviews of U2F [Universal Second Factor] devices' -- i.e. Yubico keys et al.
u2f  totp  oath  otp  one-time-passwords  authentication  devices  gadgets  security  2fa 
august 2017 by jm
A Cute Internet Star Flirts. All He Wants Is Your Password. - The New York Times
whoa.
Mr. Johnson’s fans are not naïve. Handing over their passwords to some strange, cute boy actually constitutes a minor act of youthful rebellion. The whole encounter delivers a heady mix of intimacy and transgression — the closest digital simulation yet to a teenage crush.


(via Adam Shostack)
via:adam-shostack  passwords  authentication  security  teens  rebellion 
july 2016 by jm
Why I Hate Security, Computers, and the Entire Modern Banking System | Motherboard
I am honestly amazed the US banking system still works this way, after over a decade of rampant identity theft:
I cannot count the number of times I’ve freely given out my routing and account numbers—in emails, in webforms, in paperwork. This is because it’s necessary for other people to know my routing number and account number in order for them to send me money. But apparently, with that same information, they can also snatch money straight from my account. What kind of insane system is this? There’s two factor authentication, there’s one factor authentication, and then there’s this, which I think I can call zero factor authentication.
identity-theft  phishing  banking  banks  usa  authentication  2fa  0fa  security 
may 2016 by jm
Data Protection Mishap Leaves 55M Philippine Voters at Risk
Every registered voter in the Philippines is now susceptible to fraud and other risks after a massive data breach leaked the entire database of the Philippines’ Commission on Elections (COMELEC). While initial reports have downplayed the impact of the leak, our investigations showed a huge number of sensitive personally identifiable information (PII)–including passport information and fingerprint data–were included in the data dump. [....]

Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible to everyone. Interestingly, we also found a whopping 15.8 million records of fingerprints and a list of people running for office since the 2010 elections.

In addition, among the data leaked were files on all candidates running in the election with the filename VOTESOBTAINED. Based on the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED files are set to have NULL as the figure.

fingerprints  biometrics  philippines  authentication  data-dumps  security  hacks  comelec  e-voting  pii  passports  voting 
april 2016 by jm
Troy Hunt: Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
holy crap. Nissan expose a public API authenticated _solely_ using the car's VIN -- which is more or less public info; the API allows turning on/off AC, grabbing driving history, etc.
security  fail  nissan  leaf  cars  apis  vin  authentication 
february 2016 by jm
Authenticated app packages on Sandstorm with PGP and Keybase
Nice approach to package authentication UX using Keybase/PGP.
When you go to install a package, Sandstorm verifies that the package is correctly signed by the Ed25519 key. It looks for a PGP signature in the metadata, and verifies that the PGP-signed assertion is for the correct app ID and the email address specified in the metadata. It queries the Keybase API to see what accounts the packager has proven ownership of, and lists them with their links on the app install page.
authentication  auth  packages  sandstorm  keybase  pgp  gpg  security 
november 2015 by jm
London Calling: Two-Factor Authentication Phishing From Iran
some rather rudimentary anti-2FA attempts, presumably from Iranian security services
authentication  phishing  security  iran  activism  2fa  mfa 
august 2015 by jm
How your entire financial life will be stored in a new 'digital vault' - Telegraph
In a move to make it easier to open bank accounts and Isas, people will be asked to share all of their accounts, tax records and personal details with a central service.
To check someone's identity, a company would then ask potential customers a series of questions and check the answers against the information in the vault. The checks would replace the current system in which new customers must send by post copies of their passports, cross-signed by a friend, along with bank statements and utility bills.


hahahaha NO FUCKING WAY.
bills  banking  uk  tax  privacy  digital-vault  accounts  authentication  identity-theft  bad-ideas 
august 2015 by jm
Vault
HashiCorp's take on the secrets-storage system. looks good
hashicorp  deployment  security  secrets  authentication  vault  storage  keys  key-rotation 
april 2015 by jm
Real World Crypto 2015: Password Hashing according to Facebook
Very interesting walkthrough of how Facebook hash user passwords, including years of accreted practices
facebook  passwords  authentication  legacy  web  security 
march 2015 by jm
Anatomy of a Hack
Authy doesn't come off well here:

'Authy should have been harder to break. It's an app, like Authenticator, and it never left Davis' phone. But Eve simply reset the app on her phone using a mail.com address and a new confirmation code, again sent by a voice call. A few minutes after 3AM, the Authy account moved under Eve's control.'
authy  security  hacking  mfa  authentication  google  apps  exploits 
march 2015 by jm
3D Secure and Verified By Visa to be canned
Yay.
Mastercard and Visa are removing the need for users to enter their passwords for identity confirmation as part of a revamp of the existing (oft-criticised) 3-D Secure scheme.
The arrival of 3D Secure 2.0 next year will see the credit card giants moving away from the existing system of secondary static passwords to authorise online purchases, as applied by Verified by Visa and MasterCard SecureCode, towards a next-gen system based on more secure biometric and token-based prompts.


(via Gordon)
via:gsyme  verified-by-visa  3d-secure  mastercard  visa  credit-cards  authentication  authorization  win  passwords 
november 2014 by jm
Two Factor Auth List
List of websites and whether or not they support 2FA.
Also see the list of 2FA providers and the platforms they support.
2fa  mfa  authentication  security  web-services  web 
september 2014 by jm
Code Spaces data and backups deleted by hackers
Rather scary story of an extortionist wiping out a company's AWS-based infrastructure. Turns out S3 supports MFA-required deletion as a feature, though, which would help against that.
ops  security  extortion  aws  ec2  s3  code-spaces  delete  mfa  two-factor-authentication  authentication  infrastructure 
june 2014 by jm
lookout/ngx_borderpatrol
BorderPatrol is an nginx module to perform authentication and session management at the border of your network. BorderPatrol makes the assumption that you have some set of services that require authentication and a service that hands out tokens to clients to access that service. You may not want those tokens to be sent across the internet, even over SSL, for a variety of reasons. To this end, BorderPatrol maintains a lookup table of session-id to auth token in memcached.
borderpatrol  nginx  modules  authentication  session-management  web-services  http  web  authorization 
june 2014 by jm
When two-factor authentication is not enough
Fastmail.FM nearly had their domain stolen through an attack exploiting missing 2FA authentication in Gandi.
An important lesson learned is that just because a provider has a checkbox labelled “2 factor authentication” in their feature list, the two factors may not be protecting everything – and they may not even realise that fact themselves. Security risks always come on the unexpected paths – the “off label” uses that you didn’t think about, and the subtle interaction of multiple features which are useful and correct in isolation.
gandi  2fa  fastmail  authentication  security  mfa  two-factor-authentication  mail 
april 2014 by jm
Fingerprints are Usernames, not Passwords
I could see some value, perhaps, in a tablet that I share with my wife, where each of us have our own accounts, with independent configurations, apps, and settings.  We could each conveniently identify ourselves by our fingerprint.  But biometrics cannot, and absolutely must not, be used to authenticate an identity.  For authentication, you need a password or passphrase.  Something that can be independently chosen, changed, and rotated. [...] Once your fingerprint is compromised (and, yes, it almost certainly already is, if you've crossed an international border or registered for a driver's license in most US states), how do you change it?  Are you starting to see why this is a really bad idea?
biometrics  apple  security  fingerprints  passwords  authentication  authorization  identity 
october 2013 by jm
Biometric authentication failing in Mysore
Biometrics was rolled out for food distribution in order to cut down on fraud, but it's now resulting in a subset of users being unable to authenticate:
The biometric authentication system installed at the PDS outlets fails to establish the identity of many genuine beneficiaries, mostly workers, as their daily grind in the agricultural fields, construction sites or as domestic help have eroded the lines on their thumb resulting in distorted impressions.
fail  risks  biometrics  authentication  mysore  security  india  fingerprinting 
september 2013 by jm
Authentication is machine learning
This may be the most insightful writing about authentication in years:
From my brief time at Google, my internship at Yahoo!, and conversations with other companies doing web authentication at scale, I’ve observed that as authentication systems develop they gradually merge with other abuse-fighting systems dealing with various forms of spam (email, account creation, link, etc.) and phishing. Authentication eventually loses its binary nature and becomes a fuzzy classification problem.

This is not a new observation. It’s generally accepted for banking authentication and some researchers like Dinei Florêncio and Cormac Herley have made it for web passwords. Still, much of the security research community thinks of password authentication in a binary way [..]. Spam and phishing provide insightful examples: technical solutions (like Hashcash, DKIM signing, or EV certificates), have generally failed but in practice machine learning has greatly reduced these problems. The theory has largely held up that with enough data we can train reasonably effective classifiers to solve seemingly intractable problems.


(via Tony Finch.)
passwords  authentication  big-data  machine-learning  google  abuse  antispam  dkim  via:fanf 
december 2012 by jm
Massive identity-theft breach in South Korea results in calls for national ID system to be abandoned
In South Korea, web users are required to provide their national ID number for "virtually every type of Internet activity, not only for encrypted communications like e-commerce, online banking and e-government services but also casual tasks like e-mail and blogging", apparently in an attempt to "curb cyber-bullying". The result is obvious -- those ID numbers being collected in giant databases at companies like "SK Communications, which runs top social networking service Cyworld and search site Nate", and those giant databases being tasty targets for black-hats. Now:

"In Korea’s biggest-ever case of data theft the recent hacking attack at SK Communications, which runs top social networking service Cyworld and search site Nate, breached 35 million accounts, a mind-boggling total for a country that has about 50 million people and an economically-active population of 25 million. The compromised information includes names, passwords, phone numbers, e-mail addresses, and most alarmingly, resident registration numbers, the country’s equivalent to social security numbers."

This is an identity-fraudster's dream: "In the hands of criminals, resident registration numbers could become master keys that open every door, allowing them to construct an entire identity based on the quality and breadth of data involved."
south-korea  identity  fraud  identity-theft  web  bullying  authentication  hacking 
june 2012 by jm
DuoSecurity
well-packaged, well-designed, two-factor auth for SSH from Dug Song. free for small-scale use, too, it looks like. awesome! I've signed up (via Nelson)
via:nelson  security  authentication  authorization  two-factor-auth  openssh  ssh  dug-song 
april 2011 by jm
Internet Security is a failure
ASF's Paul Querna: 'Security on the Internet sucks, and it is only getting worse. The problem is systemic, with security researchers and developers not producing viable ways for the average user to live on the Internet in a secure fashion without excessive paranoia.'
asf  authentication  infrastructure  tls  internet  security  from delicious
april 2010 by jm
Inside View from Ireland: Analysing Electronic Forensics Evidence
fascinating note from Bernie Goldbach: 'MORE THAN 20 YEARS ago, I worked with message traffic and the work told me the importance of verifying source material.'
bernie  spam  anti-spam  authentication  spoofing  security  phishing  from delicious
february 2010 by jm
Ross Anderson and Steven J Murdoch rip into Verified By VISA
'this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.'
verified-by-visa  security  phishing  web  banks  banking  money  authentication  finance  visa  3dsecure  papers  from delicious
february 2010 by jm