posted by cmn32480 on Thursday October 29 2015, @03:21PM   Printer-friendly
from the need-a-penalty-box dept.

Bruce Schneier's blog talks about the recent hack of CIA director John O. Brennan's AOL account (among others) and says when it comes to social engineering attacks:

The problem is a system that makes this possible, and companies that don't care because they don't suffer the losses. It's a classic market failure, and government intervention is how we have to fix the problem.

It's only when the costs of insecurity exceed the costs of doing it right that companies will invest properly in our security. Companies need to be responsible for the personal information they store about us. They need to secure it better, and they need to suffer penalties if they improperly release it. This means regulatory security standards.

Schneier goes on to suggest that the government should establish minimum standards for results and let the market figure out the best way to meet them. He also partly blames consumers, because they demand that any security solution be easy to use, ending with:

It doesn't have to be this way. We should demand better and more usable security from the companies we do business with and whose services we use online. But because we don't have any real visibility into those companies' security, we should demand our government start regulating the security of these companies as a matter of public safety.

Related: WikiLeaks Publishes CIA Chief's Personal Info


  • (Score: 2) by jelizondo (653) on Thursday October 29 2015, @04:14PM (#256085)

    And that is the entire problem: good security is less convenient, so we use less-secure methods for comfort.

    If the government sets minimum standards as Schneier suggests, will it be more or less convenient?

    I deal with a Mexican Bank (BANORTE) which mandates the use of a token for online transactions which are almost all the transactions I do, and it becomes a royal pain. Want to see your statement? Enter the token code. Want to transfer money between your own accounts? Enter the token code, twice. Want to transfer money to someone else? Enter the account info, the token code in two different fields, wait 30 minutes; then, transfer the money entering the token code twice.

    I understand it is for better security, but if some SOB already has my token and credentials, entering it twice or three times is not going to stop him/her from taking money from my account... so why make it so cumbersome?

    Sigh

  • (Score: 0) by Anonymous Coward on Thursday October 29 2015, @05:10PM (#256112)

    Perhaps your session could be hijacked, so requiring the code prevents such an attack from being able to access anything. If they get your code, then yeah, you're screwed.
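The exchange above (re-prompting for the token code on every sensitive action as a defence against a hijacked session, versus an attacker who already holds both the credentials and the token) as an added example, not code from the original thread or from any bank. The one-time-password arithmetic follows RFC 4226/6238 (HMAC-SHA1, 30-second step, six digits); the BankServer class, the password, the token seed, the timestamps and the amounts are constructed for the demo. It models one design choice explicitly: each accepted code is single-use, so a code captured from the wire cannot be replayed even inside its 30-second window.

```python
import hashlib
import hmac
import secrets
import struct

STEP = 30      # seconds per TOTP step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP over the time step that contains unix time `now`."""
    return hotp(secret, now // STEP)


class BankServer:
    """Toy bank that requires a fresh token code for login and for every transfer.

    A session id alone never authorises a transfer (the "hijacked session" case);
    each code is accepted once, so a captured code cannot be replayed.
    """

    def __init__(self, password: str, token_seed: bytes) -> None:
        self._password = password
        self._seed = token_seed          # shared secret inside the hardware token
        self._sessions: set[str] = set()
        self._used_steps: set[int] = set()   # steps whose code has already been accepted
        self.balance = 1000

    def _verify_code(self, code: str, now: int) -> None:
        step = now // STEP
        for candidate in (step, step - 1):   # current step first, one step of skew allowed
            if hmac.compare_digest(hotp(self._seed, candidate), code):
                if candidate in self._used_steps:
                    raise PermissionError("token code already used")
                self._used_steps.add(candidate)
                return
        raise PermissionError("bad token code")

    def login(self, password: str, code: str, now: int) -> str:
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            raise PermissionError("bad password")
        self._verify_code(code, now)
        sid = secrets.token_hex(16)
        self._sessions.add(sid)
        return sid

    def transfer(self, sid: str, amount: int, code: str, now: int) -> int:
        if sid not in self._sessions:
            raise PermissionError("no session")
        self._verify_code(code, now)     # step-up: the session cookie is not enough
        self.balance -= amount
        return self.balance


def demo() -> dict:
    """Run the three scenarios from the thread; constructed inputs, not real data."""
    seed = b"constructed-demo-seed-not-a-real-token"
    bank = BankServer("hunter2", seed)
    t = 1_700_000_000
    results = {}

    # Legitimate user: logs in, then transfers with the code of the next time step.
    sid = bank.login("hunter2", totp(seed, t), t)
    bank.transfer(sid, 100, totp(seed, t + STEP), t + STEP)

    # 1. Attacker who stole the session id but has no token: a made-up code is rejected
    #    (length mismatch, so this comparison never matches a six-digit code).
    try:
        bank.transfer(sid, 900, "guess", t + STEP + 5)
        results["hijacked_session"] = "transferred"
    except PermissionError as e:
        results["hijacked_session"] = str(e)

    # 2. Attacker who captured the login code and replays it inside its 30-second window.
    try:
        bank.transfer(sid, 900, totp(seed, t), t + 5)
        results["replayed_code"] = "transferred"
    except PermissionError as e:
        results["replayed_code"] = str(e)

    # 3. Attacker holding the password AND the token seed: re-prompting does not stop them.
    try:
        evil = bank.login("hunter2", totp(seed, t + 3 * STEP), t + 3 * STEP)
        bank.transfer(evil, 900, totp(seed, t + 4 * STEP), t + 4 * STEP)
        results["stolen_seed"] = "transferred"
    except PermissionError as e:
        results["stolen_seed"] = str(e)

    results["balance"] = bank.balance
    return results


if __name__ == "__main__":
    print(demo())
```

The single-use rule is why a real bank asks for a new code rather than accepting the last one again: once a code has been consumed, an attacker who sniffed it gets "token code already used", and an attacker who only has the session cookie gets "bad token code". Neither check helps against scenario 3, where the attacker holds the token seed itself.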

  • (Score: 2) by NotSanguine (285) on Thursday October 29 2015, @08:49PM (#256228)

    And that is the entire problem: good security is less convenient, so we use less-secure methods for comfort.

    If the government sets minimum standards as Schneier suggests, will it be more or less convenient?

    I deal with a Mexican Bank (BANORTE) which mandates the use of a token for online transactions which are almost all the transactions I do, and it becomes a royal pain. Want to see your statement? Enter the token code. Want to transfer money between your own accounts? Enter the token code, twice. Want to transfer money to someone else? Enter the account info, the token code in two different fields, wait 30 minutes; then, transfer the money entering the token code twice.

    I understand it is for better security, but if some SOB already has my token and credentials, entering it twice or three times is not going to stop him/her from taking money from my account... so why make it so cumbersome?

    Sigh

    That sounds a lot more convenient than needing to make and save your money all over again if/when it's stolen because you have a more convenient (and less secure) mechanism. Just sayin'.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr