Sunday, December 30, 2012

How not to...

... prevent fraud:



... commit fraud:



-- Birgit

A number of ways not to secure things...

... found over the last years on the Internet.


Scissors.



Cordless screwdrivers.



Wire cutters.


-- Birgit

A number of ways not to build a door...

... found over the last years on the Internet.


Access control for dummies.



Building a fence for dummies.



Building a door for dummies.


-- Birgit

A number of ways not to lock a door...

... found over the last years on the Internet.


I hope this one is in good humour and not meant seriously.



I'm not so certain about this one...



And this is a wonderful example of how "more security" is not necessarily more security. In fact, it reduces the problem of having to pick a door lock to the problem of having to pick any one of these door locks, making it only as secure as the most insecure of them. The larger the number of locks, the larger the probability that one of them sucks...


-- Birgit

A number of ways not to lock your bike...

... found over the last years on the Internet.


This one is probably hardest to open for the owner himself.



Topology is a bitch...


... again ...


... and again ...


... and again ...


... and again ...


... and again.



And also the other way round, by the way. No matter how impressive that lock is otherwise.



... but topology is not the only problem you can run into.


-- Birgit

Sunday, July 29, 2012

Unverified by Visa

It's been a long while since I last wrote scathing reviews about security nightmares (or, worse than that, misunderstood security "precautions"), and of all possible companies that could have annoyed me enough to take up the blogging again, it's Visa that made me return. Yes, Visa, the credit card company. Visa, the company that holds some of my most sensitive information.

What happened?

"Verified by Visa" happened.

In particular, the "personal security message" that they use.

Visa is kindly explaining to you how it is supposed to work:
http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx

My favourite line:
"First you’ll see the personal message that you provided when you signed up for Verified by Visa and that only you and your bank know about. This lets you know that the security screen you’re seeing is genuine."

What an excellent idea!

Here is how I think it is supposed to work:
  • You put stuff into your cart at, say, Amazon, and proceed to order it.
  • You enter your credit card number, expiration date and the security code on the back of the card. (That's the amount of security you get without the special "Verified by Visa" treatment, meaning that pretty much anyone who steals your card can immediately use it for shopping online.)
  • You are forwarded to the "Verified by Visa" page, shown your personal message (that only you and your bank know about), can deduce from the message that the input screen is genuine, and enter your password.
  • The transaction is complete.

Let me go off on a tangent and explain why it's so important to know that the screen is genuine if, after all, this does not prevent the shop you are giving money to from being fraudulent.

Let's say you are not shopping at Amazon.com, but at Shady.org. They have the best offers you can imagine, and perfect user reviews. Except that they will never actually send you anything you order, nor are any of their user reviews genuine. In fact, Shady.org only does two things:

One, it has a lot of fake offers. You order a new flat screen TV for only 300€ from them, pay them their money, the TV never arrives, and by the time you notice, the company does not exist any more.

And two, they steal credit card information. You order some cheap items from them, enter your credit card number, expiration date and security code to pay for them, and indeed you receive your items shortly after. However, Shady.org now knows all they need about your credit card in order to go shopping with it themselves.

"Verified by Visa" can't do anything to protect you from the former.

"Verified by Visa" can do a lot to protect you from the latter. That's because only you and Visa know your password. After entering the other three pieces of data (card number, expiration date, security code), you are forwarded to a security input screen that is owned, hosted and resolved by Visa themselves. The only way for Shady.org to use your credit card information would be if they managed to steal the password as well.

And that is where the whole wonderful system falls apart. Because there is no way for you to know whether the password entry field is genuine or a phishing version.

"But the personal security message!" you might yelp. "Only Visa and I know it!"

Riiight, let's have a look at that. What exactly did you need in order to get to a screen that shows you your security message? Credit card number, expiration date and security code? What did you just give Shady.org?

Someone clearly has not thought that one through to the end.

Without using any form of cryptographic protocols, there is no way, I repeat: no way to prove, using only plain text messages, that what you see is genuine. (Yes, they could simply use proper security certificates like everyone else instead of these "security messages", but Visa is already in a lot of hot water for not implementing those properly either[1].)
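To make the argument above concrete, here is a toy model of the flow (an added illustration, not code from the original post and not Visa's or any issuer's code). The card record, host names and the "origin" check standing in for a proper certificate-authenticated channel are all constructed assumptions; the point is that the personal message is handed out in exchange for exactly the three values the shop already holds, so it cannot distinguish the genuine screen from a relayed one.

```python
# Added illustration (not from the original post, not Visa's code).
# All card data, hosts and names below are constructed.

# Constructed issuer record for one cardholder.
ISSUER_RECORD = {
    "card": "4111111111111111", "expiry": "12/14", "cvv": "123",
    "message": "my dog is called Rex",   # the "only you and your bank know" message
}
ISSUER_HOST = "verified.issuer.example"  # assumed host of the genuine security screen

def issuer_security_screen(card, expiry, cvv):
    """The issuer releases the personal message to whoever presents the three
    values printed on the card, i.e. exactly what the shop was just given."""
    r = ISSUER_RECORD
    if (card, expiry, cvv) == (r["card"], r["expiry"], r["cvv"]):
        return r["message"]
    return None

def genuine_checkout(card, expiry, cvv):
    """Honest shop: the browser is redirected to the issuer's own page."""
    return {"origin": ISSUER_HOST, "message": issuer_security_screen(card, expiry, cvv)}

def relaying_checkout(card, expiry, cvv):
    """Shady.org from the post: forwards the card details it was given to the
    issuer and renders the resulting message on its own page."""
    return {"origin": "shady.example", "message": issuer_security_screen(card, expiry, cvv)}

def message_check(page, remembered_message):
    """What the user is told to do: trust the screen if the message matches."""
    return page["message"] == remembered_message

def origin_check(page):
    """What an authenticated channel (a properly verified certificate) gives
    you: the browser knows which host really served the page, and a shop
    cannot forge that. Simplified model, an assumption of this example."""
    return page["origin"] == ISSUER_HOST

def evaluate(card, expiry, cvv, remembered_message):
    """Run both checks against both pages. Returns {check: (genuine, relay)}.
    A check only helps the user if it yields (True, False)."""
    g = genuine_checkout(card, expiry, cvv)
    p = relaying_checkout(card, expiry, cvv)
    return {
        "personal_message": (message_check(g, remembered_message),
                             message_check(p, remembered_message)),
        "origin": (origin_check(g), origin_check(p)),
    }

if __name__ == "__main__":
    print(evaluate("4111111111111111", "12/14", "123", "my dog is called Rex"))
    # -> {'personal_message': (True, True), 'origin': (True, False)}
```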

"Well, okay, so it's completely useless" you might say, "but it does not do any harm either, does it?"

Yes, yes it does. Because the only thing that is worse than no security is wrong security. Riddle me this: What will you tell your child on the first day of school? "Never go with any strangers"? Or "Never go with any strangers unless they know your name"?

And still, all of that would not yet have sent me seething. What triggered this little rant was that on www.cardcomplete.com/umsatzabfrage, you can enter any credit card number and immediately get the corresponding "top secret" security message that "only you and your bank know about". Way to go, Visa. Way to go.

[1]http://en.wikipedia.org/wiki/3-D_Secure#Verifiability_of_site_identity

Sunday, May 1, 2011

On chains and dumbest links

And yet another picture that's worth a thousand words:


-- Birgit