Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
The Scariest End-User Security Question: What Changed?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 11:03:20 AM
Re: Too optimistic about multi-factor authentication 'by force'
That might work for me if my cat cooperates!
Bob Covello
50%
50%
Bob Covello,
User Rank: Apprentice
1/30/2014 | 10:58:57 AM
Re: Too optimistic about multi-factor authentication 'by force'
"I tried once and forgot the password" - GASP!

One person submitted this method of never losing the password: He had the password embossed on a dog tag that was then placed on the neck of his Doberman.  How's THAT for a level of security?

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:49:40 AM
Re: Too optimistic about multi-factor authentication 'by force'
You make a good point about the Lost / Stolen / Broken / Drowned device. As for password managers, (embarassingly painful admission) I tried one once and then forgot the password. 
Bob Covello
50%
50%
Bob Covello,
User Rank: Apprentice
1/30/2014 | 10:45:37 AM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

I agree in part with the statement that "everyone" has a cell phone, but in the many years that I have been working supporting those mobile devices, the Lost / Stolen / Broken / Drowned devices exceeds the number of retained devices.

No one can afford to carry two phones simply to have a backup for authentication, but for a small fee, one can register multiple Yubikey devices on the same account. 

I hope you don't mind my constant mention of the Yubikey device, but it just seems to work perfectly when coupled with the correct password manager.

Password manager??  That is a topic of another discussion ...

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:08:15 AM
Re: Too optimistic about multi-factor authentication 'by force'
Bob, I think the ubiquitous cell-phone is perfect as a Multi-factor authentication device. Everyone has one! What's your issue with them. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:05:50 AM
Re: Too optimistic about multi-factor authentication 'by force'
So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.

Clement, I can't disagree with your argument about the ROI on security investements. It's the reason Target backed backed off its endorsement of smart cards a decade ago. But just last week Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. Will anything change? I don't know but I certainly hope so. 
Bob Covello
50%
50%
Bob Covello,
User Rank: Apprentice
1/29/2014 | 12:18:24 PM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

Two things are different now: First is the amazing volume of compromises that we have been witnessing.
Second: up until a few years ago, most folks did not carry a 2nd Factor authenticator with them. 
I am not a strong supporter of the cell-phone as a multi-factor device, but one cannot deny the behavioral change it has caused. I am challenged to find anyone who is without a cell-phone.
(I prefer a one-time-password generator such as the Yubico Yubikey - smaller than a cell phone and way more durable, but not in universal use YET.)
Bob Covello
50%
50%
Bob Covello,
User Rank: Apprentice
1/29/2014 | 11:59:26 AM
Re: Too optimistic about multi-factor authentication 'by force'
Clement:

Thanks for your thoughful response.

I am confident that the USA will soon be changing their credit card technology, as there will start to be a public outcry.  The idea that a person cannot buy something as simple as a pair of socks at Target, or a glue stick at Michael's without putting their identity at risk will begin to have an impact.  There I go being an optimist again!

For any of the readers who are not familiar with Clement, he is a MASTER at security-related information.  His tireless efforts at educating others is legendary, and his web site is an essential tool for anyone who wants to pass any InfoSec Exam.  https://www.cccure.com/cart/

I am flattered and honored to be in such good company!

 
clementdupuis
50%
50%
clementdupuis,
User Rank: Apprentice
1/29/2014 | 10:44:02 AM
Re: Too optimistic about multi-factor authentication 'by force'
Good day Bob,

The problem is not one of technology, the problem is one of attitude toward security.

Security should be risk based, however today in the USA it is based on  total loss versus cost of doing things right.   So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.


The use of taken based authentication tools have been used in Europe for years, I am talking more than a decade in most countries.  It is only catching up in North America.

We bitch about card theft, but yet we still dont have chip enabled cards which would greatly help in such cases.   Once again cost of card replacement versus potential losses. 

Answering your question:  What has changed?  When I look at computer security nothing has changed and it is unlikely to change quickly in the future.  History is repeating itself over and over again.  You just change the name of the company that was the victim and the reminder of the text would still apply.


Best regard

Clement

 

 
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/29/2014 | 10:32:31 AM
Re: Too optimistic about multi-factor authentication 'by force'
I think multi-factor authentication for consumers is a good idea, and mobile phones make it easier because that can serve as a second factor (the standard user-name/password is something you know, and the phone is something you have). The provider can send a text message with a code that the user can enter into a site, whether as part of the log-in or for something like requesting a password change. It's not perfect, but it's much more manageable for the consumer than having to juggle a bunch of hardware tokens or waiting for every computing device to come with a fingerprint reader.
Page 1 / 2   >   >>


More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36192
PUBLISHED: 2021-01-18
An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php p...
CVE-2020-36193
PUBLISHED: 2021-01-18
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVE-2020-7343
PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.
CVE-2020-28476
PUBLISHED: 2021-01-18
All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
CVE-2020-28473
PUBLISHED: 2021-01-18
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...