Sunday, February 21st, 2016
When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.
Basically, after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.
What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:
One of the values in the "lots of other junk" area told Citibank whose account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade, apparently large (and rich) companies can somehow manage to forget the basics.
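The flaw described above, as an added example that is not code from Citi or from the original post: a handler that only checks that someone is logged in, beside one that also checks that the requested account belongs to the logged-in user. All account ids, user names and session tokens are constructed for the illustration.

```python
# Constructed sample data: account ids, owners and session tokens are made up.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500},
    "1002": {"owner": "bob", "balance": 90},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
DENIED = []  # (user, requested account id) pairs, kept for alerting


def view_account_trusting(session_token, account_id):
    """Flawed pattern: being logged in is the only check made."""
    if session_token not in SESSIONS:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    return 200, account  # whoever asks for the id gets the record


def view_account_checked(session_token, account_id):
    """Corrected pattern: the record must belong to the session's user."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    account = ACCOUNTS.get(account_id)
    # Same 404 for "no such account" and "not yours", so the response
    # does not confirm which ids exist.
    if account is None or account["owner"] != user:
        DENIED.append((user, account_id))
        return 404, None
    return 200, account


def users_to_review(threshold=3):
    """Users with at least `threshold` denied lookups, for follow-up."""
    counts = {}
    for user, _ in DENIED:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The denied-lookup list is the part worth wiring into monitoring: one user asking for many account ids that are not theirs is exactly the pattern this flaw produces.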
Tags: Account Security, Continual Stupidity, Utter Failure
Thursday, January 20th, 2011
I'm fairly ambivalent about the whole Wikileaks issue. I've long been a supporter of whistleblowing in general, as companies and the government should be held accountable for abuses and wrong-doing, and often it's only fully public scandals that allow that to happen (though sometimes not even then).
Anyway, as to whether Wikileaks has done anything wrong, one must first ask if there was anything posted that caused significantly more harm than good (which so far has been a "no" it seems).
But to the point, Wikileaks is expected to release a lot of data about Bank of America very soon. There's a lot of speculation, but more interestingly, there are reports that Bank of America is preparing focused teams to respond to whatever drops when it drops.
I look forward to seeing how slime covered that rock is when it's lifted.
Tags: Bank of America, Easter eggs
Wednesday, July 13th, 2016
Sometimes when you set up an account with a company, they'll let you set a question and the answer. Then when you call in, the operator will read the question YOU WROTE and you get to provide the response. This has the potential to be highly amusing if done right:
Q: What the hell is your f***ing problem, sir?
A: This is completely inappropriate and I'd like to speak to your supervisor.
Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.
A: It's a good thing they're recording this call, because I'm going to have to report you.
Q: Are you really who you say you are?
A: No, I am a Russian identity thief.
Check out a ton more here.
Tags: Telephone Challenge Questions
Monday, July 11th, 2016
With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It’s all available on Twitter, 24/7! And, the best part is, our tweetMyMoney service is free!
Hello Twitter banking, goodbye money.
Why anyone thought this was a good idea, I don't know. Granted, you can't transfer money to OTHER accounts, only "within your account", but someone who breaks into your Twitter account can still get a lot of information about you and move your money around, causing you serious overdraft fees.
The issue at heart here is that getting information about your account and moving money around only requires the security of your Twitter account (which isn't saying much). How many people put strong passwords on their Twitter like they do the bank? How much effort does Twitter put into their security?
I think the idea of alerts to your phone is kind of cool, but maybe the bank should have set up its own Twitter-like messaging service instead of using a public one that's a big fat target of bad guys already.