My typical answer for a security question is something like "39arsrc uyrsrsaulsr8832r" and that's saved in a password manager
Security questions weaken the security of an account; they are easily found information that people can just guess.
The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh, I just mash the keyboard for those" is probably going to get an attacker access to your account.
I used to do this and then lost my password file. Fast forward to a call with AT&T. I told them I forgot my secret answers. They offered that it was "a super weird answer," which let me use the "mashed keyboard" line and got in. TL;DR: I think this system is less safe than just making up cars, cities, et cetera.
For sites that force you to set them (and where I care - otherwise they just get random nonsense), and for my bank, I have a set of plausible but false answers I use. Not bulletproof of course, but definitely not googleable and avoids the "I just set it to something random" attack.
"You .. give real answers for your security questions? Seriously?"
I do the same thing, real birthday if it's financial or employee related, but for everything else, I'm a few years older on another date. I often pick a security question that I don't have a real legit answer to as well.
City you were born? Just pick any (random/unrelated) city instead of 2DXSDGREDV@#!
It's easier if you have to go through a person (who is usually forced to go through a script); it's also easier on the phone.
Good times. Except some of my friends actually sent out some money. I'm pretty sure I know who did it.
Since then I enter garbage in these security questions. Better lose my account than that.
I didn't believe you when I read this, but you are right. => https://krebsonsecurity.com/wp-content/uploads/2016/08/unite...
and..
> Yes, you read that right: The answers are pre-selected as well as the questions. For example, to the question “During what month did you first meet your spouse or significant other,” users may select only from one of…you guessed it — 12 answers (January through December).
> The list of answers to another security question, “What’s your favorite pizza topping,” had me momentarily thinking I was using a pull down menu at Dominos.com — waffling between “pepperoni” and “mashed potato.”
Wow.
Source: United Airlines Sets Minimum Bar on Security => https://krebsonsecurity.com/2016/08/united-airlines-sets-min...
"What city were you born in" == "city"
"what was the name of your first pet?" == "pet"
etc.
Mom's maiden name: InfectedPussyPimple
How she got dad, I'll never know!
Granted, this most likely was caused by that other Doug providing my email address to the airline, but the airline is at fault too for assuming that access to a given email address is proof of identity. That's a very common mistake, often made intentionally to provide a more "user-friendly" experience. Had I been malicious, I could have caused that other Doug a lot of un-friendly grief.
I was not able to see any contact information on the reservation, and I didn't have full access to his account. (I don't know if a "Forgot Password" request would have given me that, though it probably would have.) I contacted the airline customer support to tell them they had the wrong email address on the reservation and they should contact their customer through some other means if they could. I think I got a form-letter thank you and never heard from them again, but I did get a few more boarding passes for a while.
I also get a lot of online shopping order/shipment confirmations, and plenty of personal correspondence. I try to tell the senders to fix their address books, and when I get a CC with the real address I contact the other Dougs too, but most of the time there's no response. I've had to set up a filter that puts all email with TO addresses that aren't the one I use into an "Other Dougs" folder, which I treat like spam.
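The "Other Dougs" filter described in that comment, as an added example rather than the commenter's own setup: a message goes to the side folder only when none of its To/Cc addresses is mine. MY_ADDRESS and the two raw messages are constructed for the demonstration.

```python
"""Route mail that never names my own address in To or Cc into an
"Other Dougs" folder. Added example, not the commenter's own filter;
MY_ADDRESS and the sample messages below are constructed."""
import email
from email.utils import getaddresses

MY_ADDRESS = "doug@example.com"  # constructed: the address I actually use


def classify(raw_message: str, my_address: str = MY_ADDRESS) -> str:
    """Return the folder a raw RFC 822 message belongs in."""
    msg = email.message_from_string(raw_message)
    # Every recipient the sender typed, across all To and Cc headers.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    if my_address.lower() in recipients:
        return "INBOX"
    # Nothing was addressed to me: a misdirected message for another Doug.
    return "Other Dougs"


# Constructed sample messages (not real mail).
MISDIRECTED = (
    "From: travel@example.net\n"
    "To: Doug Other <doug.other@example.com>\n"
    "Subject: Your boarding pass\n\n"
    "See attached.\n"
)
MINE = (
    "From: friend@example.org\n"
    "To: doug@example.com\n"
    "Cc: someone@example.org\n"
    "Subject: Hi\n\n"
    "Hello Doug.\n"
)

if __name__ == "__main__":
    for raw in (MISDIRECTED, MINE):
        print(classify(raw))
```

Matching on the address rather than the display name matters: the other Dougs' mail usually arrives with my name spelled right and only the mailbox part wrong, so a name-based rule would file everything as mine.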
I get mail from a bank for someone who misspelled their email but their name is very close to mine.
I called the bank, reported that I was getting their email and they tried to sell me their identity theft service. ( Give us your SSN to check to see if you ... )
American Express didn't care that one of their subscribers' personal information wasn't getting to their customer, but wanted to sell me a service.
This is one of my repeat-offenders. I see a lot of email out of Kingston with this same variation on my email address, and I've tried many times to reply and get people to tell him he's using the wrong email address, but to no avail. This has been going on for years.
This is most likely intentional.
Most business travel gets booked by assistants / travel agencies / client reps / etc. They are going to use their own account when booking tickets, and then forward reservations or boarding passes to the actual passenger. That passenger then wants to for example reschedule in a hurry when a meeting overruns, or change seats or meal choice without having to explain their seating preferences over the phone (is 25C still available? No? Then get 27A).
Security wise it would be better to have some sort of delegated permissions system, where the travel agent can add email addresses who are allowed to access the booking, you then have to create an account with the airline and prove that you own that email... but I don't see the airlines pissing off their most profitable customer segment with extra hassle to add protection against misforwarded emails.
- Thailand holiday itineraries and airline tickets
- A PayPal money request for $1800
- Congratulations from someone's godfather that I am now able to play the opening riff of AC/DC's "Hells Bells"
- South African real estate quotes
- A bar mitzvah invitation
- A reply to a Thanksgiving invitation sent by someone else
- Inquiries about racehorse sponsorship
- South African Taser training course booking confirmation
- British Heart Foundation cycling team invitations from a BBC reporter
- Complaints from an Ebay purchaser that I'd sent them a Nutribullet with a broken blade
- Confirmation that my NJCAA hardship application had been granted
- Pictures of 5th graders riding trail bikes in Eagle Lake, Maine
- Solicitations from the Greater Palm Harbor Area Chamber of Commerce to run a stall at the 13th Annual Palm Harbor Parrot Head Party
- Sports tipping results
- House painting estimates
I'd be living a much more exciting life if all of these had been intended for me.
Whenever somebody registers on any website using it, I use the recovery options from the emails they send me to disassociate my email address from their accounts (I never ever keep access to those accounts).
For direct / personal emails (usually in Spanish) or anything else with some customer support involved I just send a short reply in English stating that they've got the wrong person and email. Then I usually spam flag everything not English (I'm only a little sorry for doing that).
There was this one day recently when somebody kept re-registering on this one site about a dozen times, and I kept resetting the password because they used my email every time. I have to guess that they eventually figured out their mistake, because it stopped. I hope...
He lives in Texas and teaches a sport. I got a reminder that he had to visit the doctor a while back. I replied and got a real human and asked her to tell him he was giving the wrong email. I don't think it happened, something new showed up later.
I had never considered doing anything to mess up something he had done (like canceling his appointment) to get his attention.
Overall it's not that big of a hassle. It peeves me a bit, but I guess I'll let it continue.
https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...
Something like a Qr code saying "this stuff in that position relative to this code is sensitive", giving the user a prompt saying "this was redacted; undo?"
They obviously didn't know the barcode contained the precise house address of the recipient (presumably the user's home address). Anonymization is hard!
Large mailers (billions of pieces per year) get a postage discount by applying such barcode to all the pieces. (edit: any mailer can get the discount. it just adds up for the larger mailers) Those pieces are delivered to USPS facilities, dumped into the auto-sorters and end up at the local post office with no human handling.
It should not be used for anything else except handling mail.
It would be simple to run barcode detection over any post and blur the result (maybe prompt the user just in case they actually wanted to post one?).
Almost any barcode is assumed to be private information, even a barcode on a store receipt can be used for return fraud in certain circumstances.
Saying 'don't post barcodes online' is all well and good, but that message will never reach the general public.
You don’t print a paper with all the information you need to hijack accounts. You don’t use ‘secret questions’. You don’t treat birthdays as secrets. You don’t use a number as a secret if it’s on the ticket.
Edit: An hour later, driving and thinking about it, I think it is the right move from the airline. The risk is small because identity theft and authentication hacking is not possible in this case. The airport is a highly controlled environment and thus someone pulling this will have a higher chance of getting arrested. In contrast, you can't just take anonymous IPs on the Internet at their word. You have to carefully authenticate them and even then you can still have issues.
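To make concrete what "all the information you need" on a printed pass looks like, here is an added example (not from the article or any commenter) that parses the fixed-length header of an IATA BCBP boarding-pass barcode and produces a redacted view. The field layout is the mandatory 60-character header of the BCBP "M" format as I recall it; treat the exact offsets as an assumption to verify against the current IATA implementation guide. SAMPLE is a constructed payload, not a real pass.

```python
"""Parse the 60-character mandatory header of a BCBP ("M" format)
boarding-pass barcode and mask the fields that let someone manage the
booking. Added example; field widths are the BCBP header as I recall it
(assumption: verify against the IATA BCBP guide). SAMPLE is constructed."""

FIELDS = [  # (name, width) in barcode order
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket", 1), ("pnr", 7), ("from_airport", 3), ("to_airport", 3),
    ("carrier", 3), ("flight_number", 5), ("julian_date", 3),
    ("compartment", 1), ("seat", 4), ("checkin_sequence", 5),
    ("passenger_status", 1), ("conditional_size_hex", 2),
]
HEADER_LEN = sum(width for _, width in FIELDS)  # 60

# Name plus PNR is what "manage my booking" pages ask for; the conditional
# block after the header is where airlines typically put loyalty numbers.
SENSITIVE = {"passenger_name", "pnr", "conditional_data"}

# Constructed sample: fictitious passenger, PNR and flight.
SAMPLE = (
    "M1" + "DOE/JOHN".ljust(20) + "E" + "ABC123".ljust(7)
    + "LHR" + "JFK" + "BA".ljust(3) + "0117".ljust(5) + "100"
    + "Y" + "012A" + "0025".ljust(5) + "1" + "00"
)


def parse_bcbp(payload: str) -> dict:
    """Split a decoded barcode string into named fields."""
    if len(payload) < HEADER_LEN or not payload.startswith("M"):
        raise ValueError("not a BCBP 'M' format payload")
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    # The two hex digits give the length of the airline-specific block.
    cond_len = int(fields["conditional_size_hex"] or "0", 16)
    fields["conditional_data"] = payload[HEADER_LEN:HEADER_LEN + cond_len]
    return fields


def redact(fields: dict) -> dict:
    """Keep only the last two characters of each sensitive field."""
    masked = dict(fields)
    for name in SENSITIVE:
        value = masked.get(name, "")
        masked[name] = "*" * (len(value) - 2) + value[-2:] if len(value) > 2 else "*" * len(value)
    return masked


if __name__ == "__main__":
    for key, value in redact(parse_bcbp(SAMPLE)).items():
        print(f"{key:22} {value}")
```

The redacted dictionary still shows route, date and seat, which is what a traveller usually wants to share; the name and PNR, which together open the booking on most airline sites, are the parts a blur-before-posting feature would need to cover.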
The system is not set up for security, only for convenience, and assumes a world of 80s-90s regulated travel with never-full planes and no change penalties. At the time (US) airlines were even honoring competitor tickets at the gate (assuming they had space, which they almost always did) -- show up with an AA ticket at a United gate and get it swapped for a United flight by an agent on the spot. Gratis.
The system had lots of problems, but malicious changes were not one of them.
No the problem as outlined in the post is people not thinking through what they are sharing on social media.
I don't think that's really the case, I've deliberately embedded QR codes in images on Facebook. Your feature would be very annoying if it could not be toggled off.
Something like “This image contains the following info: <Sensitive info you didn't mean to share>. Would you like us to blur that out? (Y/n)”
Do you really believe the problem here is FB? Do you really believe FB should be the arbiter of what incidental information their users' pictures can and cannot convey?
And even if they did parse pictures for sensitive data do you believe that FB, given what we know about them would simply redact that information from photos and then discard that sensitive data? I think we can safely assume that FB doesn't discard data on individuals.
Since there's no obvious single entity to blame (and even if there is, so what?), we should be working together to prevent and reduce attacks like this. Apart from anything, Facebook popping up a warning about a barcode would go a long way to making people realise that they contain easily readable, and potentially private information.
Also, given how well image classifiers work these days, how hard is it to do the same for photos of (physical) keys, bank cards, and other commonly posted things?
Aren't they already doing it for other stuff they don't want to see online?
Surely a nipple isn't a barcode and the legal implications aren't the same. And people sharing personal stuff ARE responsible for sharing that stuff.
So I guess it shows us again that FB is not our friend :)
It's a hilarious perversion of the technology to use computers to blur the thing we created so computers could read.
Wouldn't the most common barcode be the EAN-13, which is not private information?
https://medium.com/@da/need-a-last-minute-flight-45af88ec8df... https://www.wired.com/2016/08/fake-boarding-pass-app-gets-ha... https://puckinflight.wordpress.com/2012/10/19/security-flaws... http://www.washingtonpost.com/national/experts-warn-about-se...
And what the OP article is basically copying: https://www.theverge.com/2017/1/10/14226034/instagram-boardi...
I don't see this changing anytime soon (although there are some tests to move towards facial recognition).
I told her numerous times it's not a good idea but she never listened! Then I told her publicly on her car photo that she should at least wipe out the plate number, which created a long trail of comments where basically all her friends thought I'm weird and creepy and why would I be warning her (perhaps I want to commit some crime??). No amount of explaining helped. Even telling her the cops would tell her the same thing got me a bunch of her "friends" answering "you ain't a cop, bro". And then one fine Friday I saw her posting that they were leaving for another state to visit family. Boy, it was a discovery when they came back Monday morning and their house had been cleaned out of every possible valuable belonging. And the thieves must have come with a large enough truck to fit that 85" TV screen.
Not long after she removed me from her FB even though I never told her "told you so".
The bottom line is I don't believe people will learn not to give clues online, and I think in this day and age there should be a mandatory one-hour lesson at school on what NOT to post online.
The real question: Perhaps we can politely convince these services to display safety warnings & blur the sensitive bits? Want to be proactive about it: Help develop a plug & play library for services to use to accomplish this feat.
Doesn't seem to stop them from trying to find naughty photos and block them.
https://www.geek.com/apps/is-it-nude-algorithm-wants-to-find...
This is not their job and not their responsibility, period.
Relevant xkcd: https://xkcd.com/463/ ("You're doing it wrong")
Imagine you break into your friend's car, and rewire the stereo system so the left speaker doesn't work. Then, you say, "yo, I broke into your car and rewired things. The locks on this car are faulty, better let the car manufacturer know. I should contact them myself and collect my bug bounty." And when your friend, a decent chap, thinks you're joking, and finds out you're not kidding, is his response supposed to be, "Oh shit, you're right. You could have just [rewired my speaker system]. This is crazy." or instead, would he no longer be your friend, and probably report you to the police?
Bad comparison. Breaking into a car is a locally constrained high-risk attack vector.
This is a low-risk unconstrained attack vector. A bored person anywhere in the world could fuck their shit up with no risk or consequence.
I always feel that pointing out vulnerabilities is okay. Penetrating to point it out is another thing altogether. Continuing the analogy here would be pointing out to your friend that they shouldn't leave their car unlocked rather than entering and making a mess of things.[0]
And sure, a bored person anywhere can do lots of damage and maybe your damage won't be as bad, but just the act of going through someone's belongings is unwelcome.
[0] Also, there's a huge difference I feel from penetrating systems from orgs that have dedicated security teams...and picking on a private individual to make a point.
Someone could write a bot to scrape Instagram for photos with #airport #[name of airline] #[airport code], identify photos with tickets, and steal information that way.
For big-name corps, do the same to catch IPs of script kiddos who don't know/bother to mask those.
There is nothing surprising about that, nothing hard to understand.
What is hard is actually thinking about what you are doing. Maybe, well, showing off your sophisticated and aesthetically perfect password is not such a good idea due to other considerations.
This is nothing short of yelling sensitive information through a megaphone. USERFAIL
Why are any of these facts relevant? He deploys macOS? What? What does this have to do with anything?
And then the author makes the reference to his friend Petr a link to his personal website? Seriously?
Incidentally, Petr's website is really entertaining as there are no less than 5 pictures of him that take up the entire background. Clicking on the Petr link is the most entertaining part of the article.
Anyhow, Aztec code? The one on the watch looks pretty much like a QR code. I've never seen the Aztec code before today. It makes me wonder how many of these barcode things we really need. A quick Google didn't reveal any information demonstrating why this Aztec code is any better than the other options out there.
It does make me grateful that I don't have to work on implementing all these things or, really, even deal with them. I know a bunch of you are developers and I hope you're not the ones stuck with dealing with all these different 'standards.'
Thanks!
I am pretty grateful I'm not tasked with implementing these.
Case does not matter for URLs, HTTP://NEWS.YCOMBINATOR.COM will work perfectly, and can be encoded using qrcode's alphanumeric mode.
Aztec is slightly more efficient regardless, but not by much: QR alphanumeric is 5.5 bits per symbol, Aztec is 5 bits per symbol.
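The 5.5 bits per symbol figure comes from QR alphanumeric mode packing two characters from its 45-symbol table into 11 bits. Here is an added example (not from the commenter) that implements that segment encoding, upper-cases the URL as the comment proposes, and compares the bit count against plain byte mode. Mode indicator and character-count overhead are left out since they are fixed per segment.

```python
"""QR alphanumeric-mode segment encoder: 45-character table, two
characters per 11 bits (5.5 bits/char), a lone trailing character in
6 bits. Added example, not the commenter's code."""

# Table order is fixed by the QR spec: digits, A-Z, then nine punctuation marks.
ALNUM = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:"


def can_use_alnum(text: str) -> bool:
    """True when every character is in the alphanumeric table (lowercase is not)."""
    return all(c in ALNUM for c in text)


def encode_alnum(text: str) -> str:
    """Return the data bits of an alphanumeric segment as a '0'/'1' string."""
    if not can_use_alnum(text):
        raise ValueError("character outside QR alphanumeric table: " + repr(text))
    bits = []
    for i in range(0, len(text) - 1, 2):
        # Each pair becomes one base-45 number written in 11 bits.
        pair = ALNUM.index(text[i]) * 45 + ALNUM.index(text[i + 1])
        bits.append(format(pair, "011b"))
    if len(text) % 2:
        # An odd trailing character is written on its own in 6 bits.
        bits.append(format(ALNUM.index(text[-1]), "06b"))
    return "".join(bits)


def compare_modes(text: str) -> dict:
    """Bit counts for byte mode versus upper-cased alphanumeric mode."""
    upper = text.upper()
    return {
        "byte_bits": 8 * len(text),
        "alnum_bits": len(encode_alnum(upper)) if can_use_alnum(upper) else None,
    }


if __name__ == "__main__":
    url = "http://news.ycombinator.com"
    print(can_use_alnum(url))            # lowercase letters are not in the table
    print(compare_modes(url))            # 216 byte-mode bits vs 149 alphanumeric bits
```

Note that 27 characters give 13 pairs plus one single, so the segment is 13 * 11 + 6 = 149 bits; the 5.5 bits per symbol average is exact only for even-length input.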
It's funny that for a piece intended to warn others about identity security, the author had no problem reproducing the unredacted boarding pass picture in question, which incidentally also tells us that he is a member of the Oneworld Club with Sapphire status. They also go on to let us know their nationality and profession.
The author also has no problem publishing his friend's full name and linking to their personal website, which features 5 large high resolution pictures of his friend's face, as well as detailing exactly which Apple certifications they possess.
With Oneworld you can only join an individual airline’s loyalty program (I think he’s in the BA one judging by the BASILV). Then all the airline programs in the Oneworld alliance have a mapping between their tiers and the Oneworld set, so you can work out the equivalence between airlines. So a Qantas Gold tier maps to BA’s Silver tier and gets the same perks on each other’s airlines (BA has Blue, Bronze, Silver, Gold and Qantas has Bronze to Platinum, hence the difference).
‘Club World’ is what BA call their business class.
But your point still stands, he definitely should have at least obscured his frequent flyer membership number...
https://www.oneworld.com/ffp/my-oneworld-tier-status/-/tiers...
There's an alternate title for this one.
Post about commandeering accounts on your blog, get the CFAA thrown at you and go to jail.
This is anything but responsible.
No, it's more like people are so obsessed with curating their "fabulous" lifestyle for social media that they don't care.
The boarding passes are a carefully arranged prop in that picture, intended to reinforce the fact to social media that "yes I lead a fabulous life."
If their intention had only been to communicate to others that they were going on vacation, an "On our way to ____" message would have sufficed.