Well that was the promise of OAuth. But then that service company (in this case Google and Facebook) have full and perfect visibility on all the websites you use which raises some other problems. Which is why I never wanted to touch it and why I think they are not so popular.
What I really like is concepts like Steve Gibson's SQRL, which provides a pretty secure alternative to passwords, but in a fully decentralised way, i.e. SQRL only provides the protocol and the cryptography, but the authentication only involves you (and your devices) and the website, no reliance on a third party.
I see a lot of people who find these privacy issues creepy. They might not necessary care enough to get off google, gmail or facebook, but care enough to install an ad blocker, and I presume declining to use facebook to login to some place.
Why is it a no-brainer? Consider their perspective - it'll cost money, their customers won't thank them, and in fact will probably be frustrated by the experience, and it won't enhance shareholder value.
Don't give them ideas. I have 1 security token for each bank over here in Singapore and a few others. I wish they use something like Google Authenticator rather than cook up their own.
It's entirely their prerogative as to whether or not they provide a decent level of security, and it's entirely up to consumers to choose whether or not to work with them.
The vast majority of people do not know what 2fa is, and sure as hell don't care to know, so the only people irked by their misleading messaging are IT professionals, who, again, can fly with someone else.
Essentially, there is clearly no incentive for them to improve their security unless it hurts their bottom line - and there's no point from their perspective in investing in something which makes no money.
Of course, if they have a major hack there will be some brief PR damage (none of the high profile hacks of major companies seem to have inflicted any reputational damage - instead the public blame the "terrorist hackers" the media parade), and their insurers will cover any direct losses, including those as a result of a class action, which they're probably indemnified against anyway.
In short, they have no reason to change, so probably won't. If anything, they'll be upheld as the golden standard, because legislators will buy into their PR, not being in any way technical themselves. Perception is reality.
> It's entirely their prerogative as to whether or not they provide a decent level of security, and it's entirely up to consumers to choose whether or not to work with them.
Entirely? Does the security of their website rank anywhere in the top ten of reasons anyone chooses an airline?
> The vast majority of people do not know what 2fa is, and sure as hell don't care to know, so the only people irked by their misleading messaging are IT professionals, who, again, can fly with someone else.
And it is the IT professionals who might raise the bar, and protect those who do not 'care to know'.
> Of course, if they have a major hack there will be some brief PR damage (none of the high profile hacks of major companies seem to have inflicted any reputational damage - instead the public blame the "terrorist hackers" the media parade), and their insurers will cover any direct losses, including those as a result of a class action, which they're probably indemnified against anyway.
So all that matters is PR damage, and anything that someone is willing to sue for?
Yes, entirely. It is up to them how they choose to operate their business, so long as it is within the bounds of law.
And it is the IT professionals who might raise the bar, and protect those who do not 'care to know'.
Correct, but how will you raise the bar or protect other passengers, if United do not care about your opinion, as you are a small minority? Unless you can hurt their bottom line by persuading people to not fly with them, they won't budge - and just you try persuading aunt Tilda not to fly with United because their website security is poor, even though their tickets are $200 cheaper than $competitor. I mean, that television ad said they had the best security in the business. Why would they lie about something like that, and what do you know about it anyway?
so all that matters is PR damage, and anything that someone is willing to sue for?
> Yes, entirely. It is up to them how they choose to operate their business, so long as it is within the bounds of law.
I guess the law needs to change then. A shop cannot sell you an item of food that might seriously harm you, because it's unreasonable for the average consumer to carry out the required testing on every piece of food they purchase for consumption. Ultimately (I'm not saying this can necessarily happen overnight), the same should go for online security. Now, it's a difficult-enough thing that responsibilities need to be very carefully defined; every mom-and-pop site should do the reasonable minimum themselves, but a good centralised system should be available for them to use for the trickier aspects.
I couldn't agree more - but then, what incentive is there for legislators who are technically illiterate, and have attended many cheque-laden seminars in which airline lobbyists have told them they don't need to do anything about that nasty regulation stuff. Imposing strict universal security requirements would be deemed anti-competitive, and could potentially result in businesses suing the federal government for loss of profits.
Personally, I think the future comprises a frothing sea of crapware, leaky everything everywhere, and nobody taking responsibility. The most probable ultimate response will be a "war on hackers", after someone pulls something spectacular off, which will generate trillions of dollars in profits for enforcement agencies, and give the public that warm fuzzy "somebody is being bombed and it isn't me" feeling.
"According to the new TSA's new Airline Security Regulation, your password must be between 12 and 16 characters long, and must contain an uppercase character, a lowercase character, a numeral, and a special character. The following characters are forbidden: \/'";(){}[]|*. All characters must be unique. You must change your password every 30 says. For each failed attempt you will be charged a $1 password processing fee."
The author seems to use authorization and authentication interchangeably multiple times in the text. They may be right about the point they are making, but it leaves a bad taste.
> Your security questions will also be used as part of upcoming two-factor authentication to further protect your account
The stupid nature of the 'enum answers' aside, this doesn't necessarily mean they're not implementing 2FA properly. They might have 2F set up as securely as the very best practitioners, then have this security question crap layered on top. We need to know for sure that they think the security question is one of the two factors before tearing them a new one.
They apparently think that those security questions, combined with the password, are the 2FA.
Unfortunately , this is not true. 2FA authentication means something that you know and something that you have. The advantage is the second one: if the attacker has compromised your PC/password wallet, they still can't get into your account because they are missing something (you have).
With UA's approach, an attacker can still successfully hijack the vicitims account if they have a key logger because UA's authentication only requires "something(s) that you know"
It's as bad as it seems. Every time you log in from a new machine, it asks for you to answer security questions, and calls it two factor, which it's obviously not.
security questions as a recovery mechanism are fucking terrible.
most people are going to fill in the same response for their security q/a over multiple sites so pretty much any bad actor in any organization could possibly look at the security q/a, guess that their question/answers are the same on other sites and exploit that avenue.
also fuck remembering all of that.
but i think hsbc was even worse than what united is asking for. for their online banking you had to enter in your password then enter in another password using a browser based keyboard (AVOIDS KEYLOGGING!) and then answer a security question or something like that. i must have asked for a new passcode to reset everything every couple of months (they mail these to you via snail-mail).
of course the problem with the system was (and i forgot exactly how) there was a way sometimes to reset all these systems so you didn't have to remember your answer for each security measure. i was pretty sure it was a bug with the system but fuck if i want to endure the hell in trying to explain to a website with terrible security that you've found a bug in their terrible system and please don't put me in jail and what do you mean, 'what is a hash function?'
Apple also uses security questions like this for Apple ID accounts. I don't like it, but where's the outrage? Is there is a way to do this correctly, other than the user asking their own question?
The dropdowns are hilarious for non-security reasons, you have to choose your favorite artist... from a list of about 12 artists. I suppose it could be an improvement on the misogynist, homophobic, and Facebook-able "mother's maiden name".
I'm almost disappointed that they're not having their phone staff ask for your actual password - I'd love to have the experience of reading my 1Password-generated password to them.
25 comments
[ 3.0 ms ] story [ 55.0 ms ] thread(In passing jest to: https://news.ycombinator.com/item?id=12246490 )
Does no company in this space know how to sell to conservative IT organizations like air lines?
What I really like is concepts like Steve Gibson's SQRL, which provides a pretty secure alternative to passwords, but in a fully decentralised way, i.e. SQRL only provides the protocol and the cryptography, but the authentication only involves you (and your devices) and the website, no reliance on a third party.
I can't see why they would.
Where is your god now?
The vast majority of people do not know what 2fa is, and sure as hell don't care to know, so the only people irked by their misleading messaging are IT professionals, who, again, can fly with someone else.
Essentially, there is clearly no incentive for them to improve their security unless it hurts their bottom line - and there's no point from their perspective in investing in something which makes no money.
Of course, if they have a major hack there will be some brief PR damage (none of the high profile hacks of major companies seem to have inflicted any reputational damage - instead the public blame the "terrorist hackers" the media parade), and their insurers will cover any direct losses, including those as a result of a class action, which they're probably indemnified against anyway.
In short, they have no reason to change, so probably won't. If anything, they'll be upheld as the golden standard, because legislators will buy into their PR, not being in any way technical themselves. Perception is reality.
Entirely? Does the security of their website rank anywhere in the top ten of reasons anyone chooses an airline?
> The vast majority of people do not know what 2fa is, and sure as hell don't care to know, so the only people irked by their misleading messaging are IT professionals, who, again, can fly with someone else.
And it is the IT professionals who might raise the bar, and protect those who do not 'care to know'.
> Of course, if they have a major hack there will be some brief PR damage (none of the high profile hacks of major companies seem to have inflicted any reputational damage - instead the public blame the "terrorist hackers" the media parade), and their insurers will cover any direct losses, including those as a result of a class action, which they're probably indemnified against anyway.
So all that matters is PR damage, and anything that someone is willing to sue for?
Yes, entirely. It is up to them how they choose to operate their business, so long as it is within the bounds of law.
And it is the IT professionals who might raise the bar, and protect those who do not 'care to know'.
Correct, but how will you raise the bar or protect other passengers, if United do not care about your opinion, as you are a small minority? Unless you can hurt their bottom line by persuading people to not fly with them, they won't budge - and just you try persuading aunt Tilda not to fly with United because their website security is poor, even though their tickets are $200 cheaper than $competitor. I mean, that television ad said they had the best security in the business. Why would they lie about something like that, and what do you know about it anyway?
so all that matters is PR damage, and anything that someone is willing to sue for?
To them, absolutely.
I guess the law needs to change then. A shop cannot sell you an item of food that might seriously harm you, because it's unreasonable for the average consumer to carry out the required testing on every piece of food they purchase for consumption. Ultimately (I'm not saying this can necessarily happen overnight), the same should go for online security. Now, it's a difficult-enough thing that responsibilities need to be very carefully defined; every mom-and-pop site should do the reasonable minimum themselves, but a good centralised system should be available for them to use for the trickier aspects.
I couldn't agree more - but then, what incentive is there for legislators who are technically illiterate, and have attended many cheque-laden seminars in which airline lobbyists have told them they don't need to do anything about that nasty regulation stuff. Imposing strict universal security requirements would be deemed anti-competitive, and could potentially result in businesses suing the federal government for loss of profits.
Personally, I think the future comprises a frothing sea of crapware, leaky everything everywhere, and nobody taking responsibility. The most probable ultimate response will be a "war on hackers", after someone pulls something spectacular off, which will generate trillions of dollars in profits for enforcement agencies, and give the public that warm fuzzy "somebody is being bombed and it isn't me" feeling.
https://s4.postimg.org/5er0ol93h/Screenshot_2016_08_14_17_59...
> Your security questions will also be used as part of upcoming two-factor authentication to further protect your account
The stupid nature of the 'enum answers' aside, this doesn't necessarily mean they're not implementing 2FA properly. They might have 2F set up as securely as the very best practitioners, then have this security question crap layered on top. We need to know for sure that they think the security question is one of the two factors before tearing them a new one.
Unfortunately , this is not true. 2FA authentication means something that you know and something that you have. The advantage is the second one: if the attacker has compromised your PC/password wallet, they still can't get into your account because they are missing something (you have).
With UA's approach, an attacker can still successfully hijack the vicitims account if they have a key logger because UA's authentication only requires "something(s) that you know"
> They apparently think that those security questions, combined with the password, are the 2FA.
What makes you say that? I see nothing that concretely backs this up.
most people are going to fill in the same response for their security q/a over multiple sites so pretty much any bad actor in any organization could possibly look at the security q/a, guess that their question/answers are the same on other sites and exploit that avenue.
also fuck remembering all of that.
but i think hsbc was even worse than what united is asking for. for their online banking you had to enter in your password then enter in another password using a browser based keyboard (AVOIDS KEYLOGGING!) and then answer a security question or something like that. i must have asked for a new passcode to reset everything every couple of months (they mail these to you via snail-mail).
of course the problem with the system was (and i forgot exactly how) there was a way sometimes to reset all these systems so you didn't have to remember your answer for each security measure. i was pretty sure it was a bug with the system but fuck if i want to endure the hell in trying to explain to a website with terrible security that you've found a bug in their terrible system and please don't put me in jail and what do you mean, 'what is a hash function?'
I'm almost disappointed that they're not having their phone staff ask for your actual password - I'd love to have the experience of reading my 1Password-generated password to them.