nanog mailing list archives
Re: User negligence?
From: ken emery <ken () cnet com>
Date: Sun, 27 Jul 2003 21:31:26 -0700 (PDT)
On Sun, 27 Jul 2003, Stephen Sprunk wrote:
That's not even the dumbest part. You can reset your password at most banks, insurance companies, stores, airlines, etc. by claiming you forgot it; they'll happily reset it to your mother's maiden name, SSN, or some other publicly-available datum.
NOTE: I've had over $42,000 stolen from bank accounts via the internet. Take that into account when you read this...
First of all, security of the physical and network bank web sites may very well be up to snuff. However, when you combine with the customer service side of things for the whole package, BANK SECURITY IS AN ABSOLUTE JOKE!
At one bank I was at, someone called up claiming to be me and set up my web account and wired themselves $9,500 three times over a two-day period. They even called the bank back asking what was taking so long and why the money wasn't in their account yet. When I found out about this a month later (I had no reason to check the website since I didn't use it), the bank was able to reverse two of the transfers and ate the other one (no one ever said thieves were smart, they never moved most of the money out of the destination account).
During the conversations with the bank I asked that the account be disabled and never enabled again and to have this request noted. Well, about 8 months later someone called in claiming to be me and got the account reenabled. They had a bank check made out to themselves for about $13,500 and sent via postal mail. Fortunately they got caught cashing the check in AZ and are now in jail awaiting trial.
That however is not the end of things. I haven't had any more money stolen, but at another bank, which I have been at for well over 10 years thus predating any web site, they automatically set up web accounts with a default password (last four digits of your SSN). When I heard this I said to myself "oh %^&*!" I asked to have the web account disabled and was told this could not be done. So I immediately went back to my computer and changed the password. Fortunately no one has done anything with that account.
Basically, while the network security may be there, that is only part of the package and the rest of the package is not up to snuff.
The big "problem" in my eyes is that physical presence is no longer necessary so it is next to impossible to catch these thieves (unless they do stupid things like the ones who stole from me). A sophisticated criminal will probably be able to get away with millions of dollars in a very short period of time and be able to vanish without a trace. I'm not sure what needs to be done, but the security as now implemented is not even close to enough IMHO. Networkwise (to bring this back on topic) I'm not sure there is really much that can be done.
bye,
ken emery