Original photo by Chris Makarsky - Creative Commons ShareAlike license https://creativecommons.org/licenses/by-sa/2.0/

Customer Service and Security: What Not to Do

I recently signed up for a financial service so I could pay my awesome editor and writing coach, Matthew Sweet. Matthew is in the UK, but I’m in the US, and while it should be easy to pay someone on a different continent, it actually isn’t. The simplest ways incur huge fees, major delays, or both. I’d love to just pay him via Square, but they don’t currently support global payments. So we’re trying out a different service. One we’d never heard of before. One whose sole purpose is to facilitate international payments while keeping fees down. Sounds great!

We both created accounts and the company collected our bank account information. There were no glaring security issues. Pages and links were encrypted. And since I didn’t feel like trying to break into a financial service’s website, there was no way to tell what was going on in the back end.

A few days later I received an email from the company. They told me that my bank account didn’t match the name I’d provided, and asked again for the name and address on the account.

As I read the email I noticed that the page collecting the information was served over HTTP, not HTTPS. It wasn’t encrypted. I then checked the link the form would be submitted to. That was also not encrypted. This meant that the form could be tampered with before I saw it, and that the information I supplied could be eavesdropped upon and tampered with.


All Your iCloud Accounts Are Belong To Us

When a group calling themselves “The Turkish Crime Family” threatens to wipe hundreds of millions of Apple devices unless they’re paid a bizarrely small amount of money by April 7th, 2017, what do you do? If you’re Apple, you give the offenders a corporate-speak version of the middle finger: we do “not reward cyber criminals for breaking the law.”


Security, Privacy and IoT: The Week of March 18th, 2017

Security

One of the most significant stories of the week is a claim by a hacking group that they have several hundred million Apple account credentials and will use them to remotely wipe devices on April 9th if Apple doesn’t pay up. While it seems unlikely, there are simple precautions you can take which you should already be doing – use a unique, strong password on your Apple account (one you don’t use anywhere else) and turn on two-factor authentication. I’ll write up more about this soon. For now, you can read the original coverage at Motherboard and a follow-up at ZDNet.


Personal Security Questions Are Bullshit

I hadn’t flown on United Airlines for a long time. But in August 2016, I booked a flight with them and tried to manage it via my United.com account. That was a mistake. Instead of providing real, useful security (like multi-factor authentication or Touch ID on the iPhone app), United insisted that I set up five personal security questions before I could access my account. All I needed to do was check in, but United decided they’d like me to do a pointless security dance for them.


Security, Privacy and IoT: The Week of March 12th, 2017

Security

Google has launched several new tools for Google Cloud Platform and G Suite (formerly Google Apps):

https://blog.google/topics/google-cloud/bolstering-security-across-google-cloud/

Got a Nintendo Switch? Then you also have a vulnerable version of WebKit. The Switch shipped with an old version of WebKit with known vulnerabilities.
