I realised whilst at work today that my credit card wasn’t in my wallet. After hoping against hope that it would be in yesterday’s trouser pocket when I got home, I had to accept that it was lost. Far from the brightest thing I’ve done today, especially given the time of year. So I did the sensible thing and called the card provider to cancel the card.
The number I called was listed as being for (admittedly amongst other things) reporting lost or stolen cards. The first question the automated system asked was for my card number, which I didn’t have; regardless, I quickly got through to a person who (I’ll be fair) handled my problem with speed and minimal fuss.
Whilst finding my account without the card number I was asked to confirm my date of birth; once the correct account was identified I was asked a couple of security questions to confirm I was me; all very normal and acceptable. However, the second question asked how old I will be come my next birthday. Apart from the fact that this is hardly the most protected of information, had I been a fraudulent caller trying to maliciously access someone else’s account, I had already correctly provided the date of birth not two minutes earlier; it is not exactly difficult to extrapolate one from the other.
To be honest, I didn’t worry too much; some of the other security questions were likely sufficiently detailed to limit the chance of someone else getting past the gatekeepers. But being a sarcastic and (hopefully) helpful sort of bloke I jumped on Twitter to suggest that asking a ‘security’ question based on a widely known and shared piece of unchangeable information probably wasn’t the best of ideas.
THIS is where I really started getting concerned. The whole conversation can be read here (Barclays Twitter people, I have screengrabs for posterity if you feel like deleting any of the responses…..).
Some of my favourites:
I wasn’t asking what questions I would need the answers to, but pointing out that the questions I was asked weren’t exactly the most robust. Either way, security via obscurity isn’t security, and if knowing the types of questions to be asked really does make accounts vulnerable, then were I a fraudster I’d simply have a number of like-minded miscreants call up several times until the pool of potential questions was exhausted….
This is the point that tipped me over the edge: if I need to explain to anyone why it is naive to believe that only the genuine account holder knows their date of birth, I’ve got a bridge I want to sell you. (Hint if needed: do you get cards/presents from those that know you at the same time every year?)
Admittedly, at this point I got a bit ‘unprofessional’ and suggested I was either being fobbed off, or that the security knowledge of Barclays’ Twitter handler is inept; I’m assuming this ‘abuse’ may be the reason I’ve had no further response.
I really hope that this incident is the result of the individual handling the conversation being out of their depth and having an inadequate script to follow. If not, and this is indicative of Barclays security provisions (and someone, somewhere had to OK the question being used in the first place) I need to reconsider where I bank….
P.S. I have no evidence, but I’m getting a creeping feeling of déjà vu that I’ve had a similar telephone authentication process, and a similar discussion on Twitter as to whether this is a good idea.
The reaction most people have when you point out that people are naive enough to post pictures of credit and debit cards online is to laugh; surely no one could be that unaware of the risks. But the fact is that the situation has become so commonplace that a number of Twitter accounts have been set up to automatically identify and repost the images.
Some, like @CancelThatCard/http://cancelthat.cc/, attempt to show the posters the error of their ways, while others merely highlight the posts and request that people “Please quit posting pictures of your debit cards”.
As an example (and as proof for those that don’t believe me), the latest image in the @needadebitcard feed at time of writing:
As a side note, it looks like Twitter is clamping down on the practice of highlighting these posts; the last message posted by @CancelThatCard on April 14th indicates that the service has essentially been censored. I hope Twitter reverses this, as providing security information to end-users is not something that should be prevented.
I’ve been following both accounts for some time; at first my reaction was the one I’ve discussed above, having a laugh at the expense of those who don’t recognise the security implications of their actions. As time went by I started messaging the accounts posting their cards to further highlight the error; this didn’t have the impact I was expecting. Instead of thanks for providing free advice, it more regularly resulted in insults, abuse and flat denial that there was any risk involved.
Recently I came across an image of a card where the owner had attempted to obscure part of the card number and name; smart. Not so smart was that it was the first 5 digits of the 16-digit card number that were obscured. It’s little known (and wasn’t to me until I started following these cards in more depth) that the first 6 digits don’t identify the account or card holder, but the bank that issued the card. In this case the poster was so helpful as to identify the card as a personalised BarclayCard. A quick Google search led to this page, which, combined with the visible 6th digit of the card, meant the missing digits could only be one of two possibilities. That reduces the protection gained from obscuring part of the card from ~10k possible numbers to two possible card numbers, effectively posting the entire 16 digits online.
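To put a number on the point above, here is an added example (mine, not from the original post or from Barclays) that counts how many 16-digit card numbers remain consistent with a masked image. It assumes a constructed list of two issuer prefixes (they are not any real bank’s BIN ranges) and a constructed card number, and it also applies the Luhn check digit that every card number must satisfy, which the post does not mention and which shrinks the candidate set a further ten-fold. The script only counts candidates; it never prints them.

```python
"""How much does masking part of a card number actually hide?

Added example, not from the original post.  The first six digits of a
16-digit PAN are the issuer identification number (BIN/IIN), so once the
issuer is known from the card's branding, hiding them hides almost nothing.
Hiding the same number of digits from the account portion is a different
story.  Issuer prefixes and the card number below are constructed.
"""
from itertools import product

# Constructed issuer prefixes for illustration only; not any real bank's BIN ranges.
# Both share the same sixth digit, matching the post's "sixth digit visible" case.
KNOWN_ISSUER_PREFIXES = ("999901", "999911")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check digit test used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the doubled value
        total += d
    return total % 10 == 0


def count_candidates(masked: str, issuer_prefixes=KNOWN_ISSUER_PREFIXES,
                     use_luhn: bool = True) -> int:
    """Count 16-digit PANs consistent with `masked`, where 'X' marks a hidden digit.

    issuer_prefixes: prefixes the card could carry (known from its branding);
    pass None if the issuer is unknown.  use_luhn: drop candidates that fail
    the check digit, as a real card number never would.
    """
    masked = masked.replace(" ", "")
    if len(masked) != 16 or any(c not in "0123456789X" for c in masked):
        raise ValueError("expected 16 digits with X for each hidden digit")

    head_hidden = [i for i in range(6) if masked[i] == "X"]
    tail_hidden = [i for i in range(6, 16) if masked[i] == "X"]

    # Step 1: candidate issuer prefixes (positions 0-5).  Known issuer: only its
    # prefixes that agree with the digits still visible.  Unknown issuer: any fill.
    if issuer_prefixes is None:
        heads = []
        for fill in product("0123456789", repeat=len(head_hidden)):
            head = list(masked[:6])
            for pos, d in zip(head_hidden, fill):
                head[pos] = d
            heads.append("".join(head))
    else:
        heads = [p for p in issuer_prefixes
                 if all(m in ("X", d) for m, d in zip(masked[:6], p))]

    # Step 2: fill the hidden account digits for each prefix and keep what passes Luhn.
    count = 0
    for head in heads:
        for fill in product("0123456789", repeat=len(tail_hidden)):
            pan = list(head + masked[6:])
            for pos, d in zip(tail_hidden, fill):
                pan[pos] = d
            if use_luhn and not luhn_valid("".join(pan)):
                continue
            count += 1
    return count


if __name__ == "__main__":
    # Constructed card: prefix 999901, account 000012345, Luhn check digit 8.
    post_case = "XXXXX1 0000 1234 58"          # first five digits hidden, issuer known
    print("post's case, no Luhn :", count_candidates(post_case, use_luhn=False))
    print("post's case, with Luhn:", count_candidates(post_case))
    print("issuer unknown        :", count_candidates(post_case, issuer_prefixes=None))
    print("five account digits hidden instead:", count_candidates("999901 XXXXX2 3458"))
```

Run as a script, the four counts are 2, 1, 10000 and 10000: masking five BIN digits with the issuer named on the card leaves a single valid number, whereas masking five account digits, or keeping the issuer secret, leaves ten thousand. The practical rule for anyone who must show a card image is to hide the account portion (everything between the first six and the last four), never just the issuer prefix.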
In the above example, which is far from uncommon, when I suggested the owner might want to remove the image and cancel the card the response was one of confusion, with no understanding of the risk. Despite further information and links, the image is still online (I have no way of knowing if the card has been cancelled).
To end I’ll echo the plea from @needadebitcard: Please quit posting pictures of your cards, people.
— Andrew Waite
P.S. I’ve not identified any of the examples directly in this post, but I’ve also not cleared any of the conversations from my Twitter timeline if anyone is interested enough to search. If people post pictures of their account details online, and then don’t remove the same information once several people highlight the stupidity, then, well, me deleting a couple of Twitter posts isn’t going to improve their security.
Cleaning the hard drive of any machine, be it desktop, laptop or server, before either repurposing or selling (or even scrapping) it should be a basic requirement of any organisation. But there is a seemingly unrelenting stream of reported incidents, some of which come from organisations that really should know better, MI6 and military contractors for example.
Is securely wiping data from drives really that difficult? Not really.
Boot the system with nearly any live Linux system (I use Knoppix for this kind of work), then use dd (discussed previously for imaging drives) to overwrite the drive with random data. For example:
dd if=/dev/urandom of=/dev/sda
This simply overwrites the entire physical drive, sda, with random data taken from the pseudo-device /dev/urandom. For more in-depth info on wiping with dd and some different options see this guide.
The downside to wiping drives with this method is the length of time involved; in recent cases I have seen an 80GB drive take a little over five hours to complete.
Disclaimer: this may not make your data completely irretrievable, but it should be enough to prevent the data being obtained by the simply curious. To truly ensure the data is irretrievable, try this method.
Disclaimer’s Disclaimer: Server destruction should only be carried out by trained professionals; InfoSanity accepts no responsibility for loss of life, limb or eyebrow.
Quick heads up to anyone following the Phorm/privacy debates: the government’s response to an e-petition asking the government to stop ISPs from breaching privacy laws has been released.
The full response can be read here. It’s fairly short so I won’t go into too much detail, but I’m glad to see the government is taking this seriously and not passing the buck to the ICO (the ICO’s view):
ICO is an independent body, and it would not be appropriate for the Government to second guess its decisions. However, ICO has been clear that it will be monitoring closely all progress on this issue, and in particular any future use of Phorm’s technology. They will ensure that any such future use is done in a lawful, appropriate and transparent manner, and that consumers’ rights are fully protected.
“Thank you for bringing this to our attention; your concerns are very important to us; your concern will be answered shortly…”
Once again I’m glad I don’t do business with BT (with the exception of line rental). First Phorm, now this:
BT has begun transforming its commercial customers’ Business Hubs into OpenZone hotspots for any passing Tom, Dick or Harry to share, and leaving businesses to figure out how to opt out of the scheme after the fact.
“Free BT public wi-fi hotspot for every business broadband customer” claims the release, proudly suggesting that “Hub owners buy BT Openzone access vouchers … and can choose to pass the vouchers to their customers or resell the prime business service and add revenue”, so you can either screw visitors to your office by selling them vouchers, or pay BT twice for the same bandwidth by giving them away.
Full info can be found here. BT keeps managing to set the bar lower and lower….
Just read an interesting article on El Reg about Adam Laurie, who has supposedly been ‘hacking’ satellite feeds. Unless I’m missing something it appears to be more a case of sniffing unencrypted communication coming from and going to satellites, but it is interesting in any case.
One of the parts of the article I liked was the comment on the UK’s privacy laws:
A resident in the UK, Laurie says he’s careful to obey the country’s privacy laws. While he is able to identify certain traffic as email, for instance, he doesn’t actually read the contents of the message. Still, he says it isn’t always easy to follow the letter of such laws because they prohibit people from receiving a message if they aren’t the intended recipient.
“It’s a bit of a quandary,” Laurie says. “You can’t tell you’re not supposed to see that data until after you see it. I can’t unsee what I’m not supposed to have seen.”
Whilst I’ll agree that some of the privacy laws are ‘strange’, the action Laurie took was to look for traffic of which he wasn’t the intended recipient, for any of it. As someone pointed out: if you’re concerned you might be breaking the law, you can stop looking.