NNSquad - Network Neutrality Squad


[ NNSquad ] Re: Researchers fault 3-D Secure (3DS) online credit card system


It should be noted of course that -- even though I myself pointed out
the advantages of not answering "secret questions" with actual
personal data -- lying on Web site sign-up forms may not always be
consequence-free.

Remember the overzealous prosecution in the recent tragic cyberbullying
suicide case?  Prosecutors dragged the defendant into another state
and attempted to claim that by lying about her age at sign-up a
Terms of Service violation had occurred that could be prosecuted
as a criminal act.

Obviously this was an extreme case, but sometimes there are extremely
radical prosecutors as well.  Just something to perhaps keep in the
back of your mind.

--Lauren--
NNSquad Moderator

 - - -

On 01/29 13:33, Richard Clayton wrote:
> In message <20100128204341.GA6159@vortex.com>, Lauren Weinstein
> <lauren@vortex.com> writes
> >
> >Researchers fault 3-D Secure (3DS) online credit card system
> >
> >http://bit.ly/a1ygc6  (PC World)
> >
> >I have never been a fan of birthday-based and "secret-question"-based
> >systems.  Birthday data is widely available, and many "secret"
> >questions tend to have answers that are more widely available than
> >one might think.
> 
> in point of fact, one of the other University of Cambridge Security
> Group papers at the same (FC10) conference was:
> 
>   http://www.cl.cam.ac.uk/~jcb82/doc/fc2010_name_guessing.pdf
> 
>   Joseph Bonneau, Mike Just, Greg Matthews: What's in a Name? Evaluating
>   Statistical Attacks on Personal Knowledge Questions 
> 
>       Abstract. We study the efficiency of statistical attacks on human
>       authentication systems relying on personal knowledge questions. We
>       adapt techniques from guessing theory to measure security against
>       a trawling attacker attempting to compromise a large number of
>       strangers' accounts. We then examine a diverse corpus of real-
>       world statistical distributions for likely answer categories such
>       as the names of people, pets, and places and find that personal
>       knowledge questions are significantly less secure than graphical
>       or textual passwords. We also demonstrate that statistics can be
>       used to increase security by proactively shaping the answer
>       distribution to lower the prevalence of common responses.
> 
> >I usually suggest that when there's a concern, secret questions
> >should be answered with anything memorable other than the
> >"real" answer.
> 
> Indeed so, setting your mother's maiden name to 6fdg$Gk4 will improve
> your security posture considerably.
> 
> -- 
> Dr Richard Clayton                         <richard.clayton@cl.cam.ac.uk>
>                                   tel: 01223 763570, mobile: 07887 794090
>                     Computer Laboratory, University of Cambridge, CB3 0FD
> 
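Editor's worked illustration of the two ideas in the thread above: the "trawling attacker" measure from the Bonneau/Just/Matthews abstract, and the effect of (a) proactively shaping the answer distribution and (b) Lauren's and Richard's advice to answer with something other than the real name. This is added example code, not from the paper or from either message. The answer counts are constructed, not real census or name data; lambda_beta (success rate of an attacker allowed beta guesses per account) and marginal guesswork log2(beta / lambda_beta) are the standard guessing-theory metrics; the shaping policy (refuse any answer already held by more than a set fraction of users, and assume the refused users pick distinct replacements) is a simplified model, not the paper's exact policy.

```python
"""Trawling-attacker model for personal knowledge questions.

Added illustration for the NNSquad thread; not code from the
Bonneau/Just/Matthews FC10 paper.  All answer counts are constructed.
"""
from collections import Counter
from math import log2


def constructed_answer_counts() -> Counter:
    """Constructed sample of 1000 users' answers to a "mother's maiden
    name" question: ten popular surnames plus a long tail of one-off
    answers.  Stands in for the real-world distributions in the paper."""
    counts = Counter({
        "smith": 120, "johnson": 90, "williams": 70, "brown": 60, "jones": 55,
        "garcia": 40, "miller": 35, "davis": 30, "rodriguez": 25, "martinez": 20,
    })
    for i in range(455):                      # 545 + 455 = 1000 users
        counts[f"rare-name-{i:03d}"] = 1
    return counts


def trawling_success(counts: Counter, beta: int) -> float:
    """lambda_beta: fraction of accounts broken by an attacker who tries the
    beta most common answers against every account (a trawling attacker,
    not one targeting a particular victim)."""
    total = sum(counts.values())
    top = sorted(counts.values(), reverse=True)[:beta]
    return sum(top) / total


def marginal_guesswork_bits(counts: Counter, beta: int) -> float:
    """log2(beta / lambda_beta): size in bits of a uniform answer space that
    would give a beta-guess-per-account attacker the same success rate."""
    return log2(beta / trawling_success(counts, beta))


def shape_distribution(counts: Counter, max_prevalence: float) -> Counter:
    """Modelling assumption (simplified from the paper's idea of proactive
    shaping): at enrolment, an answer already held by more than
    max_prevalence of users is refused, and each refused user supplies a
    different answer that is assumed to be distinct from everyone else's."""
    total = sum(counts.values())
    cap = max(1, round(max_prevalence * total))
    shaped = Counter()
    overflow = 0
    for answer, n in counts.items():
        shaped[answer] = min(n, cap)
        overflow += max(0, n - cap)
    for i in range(overflow):                 # refused users' replacement answers
        shaped[f"fallback-{i:04d}"] = 1
    return shaped


def random_answer_bits(length: int, alphabet_size: int) -> float:
    """Guesswork of a random-string answer in the style of 6fdg$Gk4:
    a uniform choice among alphabet_size ** length candidates, so the
    trawling attacker's first guess succeeds with probability
    1 / alphabet_size ** length regardless of the name statistics."""
    return length * log2(alphabet_size)


if __name__ == "__main__":
    raw = constructed_answer_counts()
    shaped = shape_distribution(raw, max_prevalence=0.01)
    for beta in (1, 3, 10):
        print(f"beta={beta:2d}  raw: {trawling_success(raw, beta):.3f} "
              f"({marginal_guesswork_bits(raw, beta):.1f} bits)  "
              f"shaped: {trawling_success(shaped, beta):.3f} "
              f"({marginal_guesswork_bits(shaped, beta):.1f} bits)")
    print(f"random 8-char answer over 94 printable symbols: "
          f"{random_answer_bits(8, 94):.1f} bits")
```

Run as a script it prints the attacker's per-account success rate and the equivalent uniform-space bits for the raw and the shaped constructed distribution; the point to take from it is that a one-guess trawler against the raw sample already gets into about 12% of accounts (roughly three bits of security), shaping the distribution at 1% prevalence brings that down by an order of magnitude, and a random string answer moves the question out of the statistical-attack regime entirely, which is the argument both Lauren and Richard make above.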