Welcome!
If you have an account, please:
Log in

Citibank Unable to Afford Secure Web Design

Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade apparently large (and rich) companies can somehow manage to forget the basics.

Source

Tags: , , , ,

Hijack A Facebook Account in One Click

(Image used under: Creative Commons 2.0 [SRC])

Ok so maybe not ONE click. But someone has put together a simple tool that you can use to take over the active sessions of anyone within wireless range of you. Hang out at the Starbucks free wi-fi and you'll be able to control the Facebook or other accounts of people nearby. It's an attack that was always simple to do for those who know how, but now any idiot can do it with a simple new interface.

By the way, they mention a few protections from this at the bottom of the article, but here's one more.

Tags: , ,

Beware of Hijacked Facebook Accounts

(Image used under: Creative Commons 2.0 [SRC])

Of course this isn't a problem limited only to Facebook, but the FBI issued a warning about the rise of hijacking scams. This is where a bad guy gets your login information through various means and then poses as you on your account. They'll send an urgent request for help or money to all your friends who may be fooled and comply (as in the case of Bryan Rutberg).

Remember to use good passwords and protect them especially the password for your e-mail account (which can be used to unlock all your other accounts).
Tags: , , , , , , ,

Sarah Palin’s Private E-mail Account Hacked

(Image is in the Public Domain)

Sarah Palin's Yahoo account has been broken into and e-mails found there posted to Wikileaks. I would say this was a pretty rotten thing to do, but the perpetrators claim they did it to prove that Palin has been using her private e-mail to circumvent recordkeeping laws about government business. If that's true, then perhaps this needed to happen.

Tags: , , , ,

Loading...

If you want to learn more about my professional background, click here to learn more.

Check out one of my guides/tutorials:

goodbye identity theft Tutorial
|INDEX|next: Credit Freeze

Too Late!

If you've already become a victim, here is a list of things you should do.

Solving ID Theft

Lock your credit reports with a Credit Freeze to prevent credit-based ID theft (90% of ID theft risk).
Learn to protect your information to prevent not only ID theft, but many other kinds of problems (the rest of ID theft risk).

Save Time and Money

cancel credit-monitoring services.
Cancel id-theft-insurance

Who is Responsible?

Sometimes you just have to wonder why it's so easy to steal identities in the first place.

... or check out any of my other guides and tutorials by clicking here!

The Identity Theft Victim's Mini-Guide to Recovery

If you've already experienced ID theft, here are some tips of what to do next.

[Click for full description]

Credit Freeze

Setting a credit report freeze is the fastest and most effective way to actually block and reduce your risk of ID Theft. And it's free.

[Click for full description]

Out and About Defense

The best defense against non-credit ID Theft and a variety of other risks is to adopt a mindset of protection: Data Defense. Learn how to protect your information with simple and sometimes free countermeasures all based on a simple philosophy that the less people who have your information, the safer you are.

[Click for full description]