Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
The Scariest End-User Security Question: What Changed?
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 11:03:20 AM
Re: Too optimistic about multi-factor authentication 'by force'
That might work for me if my cat cooperates!
Bob Covello
50%
50%
Bob Covello,
User Rank: Apprentice
1/30/2014 | 10:58:57 AM
Re: Too optimistic about multi-factor authentication 'by force'
"I tried once and forgot the password" - GASP!

One person submitted this method of never losing the password: He had the password embossed on a dog tag that was then placed on the neck of his Doberman.  How's THAT for a level of security?

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:49:40 AM
Re: Too optimistic about multi-factor authentication 'by force'
You make a good point about the Lost / Stolen / Broken / Drowned device. As for password managers, (embarassingly painful admission) I tried one once and then forgot the password. 
Bob Covello
50%
50%
Bob Covello,
User Rank: Apprentice
1/30/2014 | 10:45:37 AM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

I agree in part with the statement that "everyone" has a cell phone, but in the many years that I have been working supporting those mobile devices, the Lost / Stolen / Broken / Drowned devices exceeds the number of retained devices.

No one can afford to carry two phones simply to have a backup for authentication, but for a small fee, one can register multiple Yubikey devices on the same account. 

I hope you don't mind my constant mention of the Yubikey device, but it just seems to work perfectly when coupled with the correct password manager.

Password manager??  That is a topic of another discussion ...

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:08:15 AM
Re: Too optimistic about multi-factor authentication 'by force'
Bob, I think the ubiquitous cell-phone is perfect as a Multi-factor authentication device. Everyone has one! What's your issue with them. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/30/2014 | 10:05:50 AM
Re: Too optimistic about multi-factor authentication 'by force'
So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.

Clement, I can't disagree with your argument about the ROI on security investements. It's the reason Target backed backed off its endorsement of smart cards a decade ago. But just last week Target CEO Gregg Steinhafel called on other retailers and banks to push for EMV adoption. Will anything change? I don't know but I certainly hope so. 
Bob Covello
50%
50%
Bob Covello,
User Rank: Apprentice
1/29/2014 | 12:18:24 PM
Re: Too optimistic about multi-factor authentication 'by force'
Marilyn:

Two things are different now: First is the amazing volume of compromises that we have been witnessing.
Second: up until a few years ago, most folks did not carry a 2nd Factor authenticator with them. 
I am not a strong supporter of the cell-phone as a multi-factor device, but one cannot deny the behavioral change it has caused. I am challenged to find anyone who is without a cell-phone.
(I prefer a one-time-password generator such as the Yubico Yubikey - smaller than a cell phone and way more durable, but not in universal use YET.)
Bob Covello
50%
50%
Bob Covello,
User Rank: Apprentice
1/29/2014 | 11:59:26 AM
Re: Too optimistic about multi-factor authentication 'by force'
Clement:

Thanks for your thoughful response.

I am confident that the USA will soon be changing their credit card technology, as there will start to be a public outcry.  The idea that a person cannot buy something as simple as a pair of socks at Target, or a glue stick at Michael's without putting their identity at risk will begin to have an impact.  There I go being an optimist again!

For any of the readers who are not familiar with Clement, he is a MASTER at security-related information.  His tireless efforts at educating others is legendary, and his web site is an essential tool for anyone who wants to pass any InfoSec Exam.  https://www.cccure.com/cart/

I am flattered and honored to be in such good company!

 
clementdupuis
50%
50%
clementdupuis,
User Rank: Apprentice
1/29/2014 | 10:44:02 AM
Re: Too optimistic about multi-factor authentication 'by force'
Good day Bob,

The problem is not one of technology, the problem is one of attitude toward security.

Security should be risk based, however today in the USA it is based on  total loss versus cost of doing things right.   So as long as the losses are lower than the cost of doing things right, people will continue to have security issues over and over again.


The use of taken based authentication tools have been used in Europe for years, I am talking more than a decade in most countries.  It is only catching up in North America.

We bitch about card theft, but yet we still dont have chip enabled cards which would greatly help in such cases.   Once again cost of card replacement versus potential losses. 

Answering your question:  What has changed?  When I look at computer security nothing has changed and it is unlikely to change quickly in the future.  History is repeating itself over and over again.  You just change the name of the company that was the victim and the reminder of the text would still apply.


Best regard

Clement

 

 
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
1/29/2014 | 10:32:31 AM
Re: Too optimistic about multi-factor authentication 'by force'
I think multi-factor authentication for consumers is a good idea, and mobile phones make it easier because that can serve as a second factor (the standard user-name/password is something you know, and the phone is something you have). The provider can send a text message with a code that the user can enter into a site, whether as part of the log-in or for something like requesting a password change. It's not perfect, but it's much more manageable for the consumer than having to juggle a bunch of hardware tokens or waiting for every computing device to come with a fingerprint reader.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-46547
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x2c17e. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46548
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via add_lineno_map_item at src/mjs_bcode.c. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46549
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via parse_cval_type at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46550
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via free_json_frame at src/mjs_json.c. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46553
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_set_internal at src/mjs_object.c. This vulnerability can lead to a Denial of Service (DoS).