Brian Krebs has two excellent articles that made my morning. (Ok, one of them is several weeks old and I just hadn’t read it yet.)
First, “Busy Signal Service Targets Cyberheist Victim,” talks about a new service in the cyber criminal underground that will call a victim over and over to tie up their phone line so that bank calls to verify large money transactions can’t get through adequately.
This illustrates the give and take the security plays with attackers. You want to complete a call to the customer but have been blocked. Essentially, while a nice feature, this isn’t going to be foolproof. Basically, spin again.
Second, “Loopholes in Verified by Visa & [MasterCard] SecureCode.” The hole is essentially a piss-poor method to reset forgotten passwords.
I hate things like this because it illustrates how much lip-service is put into security until you get concerned consumers or other entity asking public questions or slapping proverbial wrists. This is why I so heavily value disclosure, transparency, and public assistance. It might also illustrate the lack of critical thinking in those who contract, design, and implement these solutions.
Then again, attending to forgotten password issues is a bit of an art. This weekend I saw that my usual screenname was taken over at SWTOR.com (Star Wars!). The forgot password function requires that I at least know the email address under the account, and if this was indeed me, I don’t recall what email address I used to sign up. So comes a call in to support. On release weekend. Needless to say, I’m still waiting to see how this goes. 🙂
(Side note: SWTOR.com accounts have the “option” of using 3-5 security questions. These questions are typical questions you see everywhere. Unlike Network Solutions who allows me to answer these questions all identically [but then tell me I can’t do that when on the phone with a rep, despite their system letting me], the SWTOR.com site actually forces them to be different. I don’t understand this. I don’t use these questions as truthful answers but rather as a second password. I don’t want to have to remember 3 more passwords. I don’t have solutions that I like, but I can surmise this current situation of security questions and passwords is more often done wrong than done right.)