Author Topic: How not to perform a critical software update.  (Read 6769 times)

sevenlayermuddle
Re: How not to perform a critical software update.
« Reply #15 on: September 09, 2015, 08:02:42 PM »

Quote
Talking about internet security.

Ultimately, though, allowing people to remotely manage their accounts will always carry loopholes or weaknesses, as you put it.

But if you compare banks to how other companies approach web site security, there is a clear difference.

By the way, my first-hand experience differs: I suffered fraud some years back, and they put the money back in my account extremely quickly, before they even sent out the form for me to fill in.

Glad to hear you had good experience.

My own only relevant experience was when a major discrepancy (several £1,000) appeared on my statement. The error was in my favour: a cheque I had paid in a few weeks previously had been credited multiple times. I quickly researched the legal situation and concluded, sadly, that to have kept it would legally be theft. So I had to tell them. But it was really quite a struggle to persuade the bank to correct it, simply because they had it ingrained that such errors cannot happen. :D

Eventually, having worked my way up the management chain, I persuaded them to take back the money ::) . But it left me with an uncomfortable foreboding that, should I ever suffer a bank error in their favour, getting them to admit it would be nigh on impossible.

No explanation was ever given.  The cheque holder's account had only been debited the once, so the cash had apparently come from nowhere.

Chrysalis
Re: How not to perform a critical software update.
« Reply #16 on: September 09, 2015, 08:10:53 PM »

A system error is a bit different to a security breach; in addition, they will obviously take something more seriously when a customer is losing money rather than gaining it.

I am at a loss as to why you haven't noticed that web sites of banks are more secure than those of non-banking companies.

e.g.

I have never seen a bank use an expired cert.
I have never seen a bank rely on only a password for authentication.
I have never seen a bank use ciphers that are considered obsolete by the community.
I have never seen a bank send authentication details in unencrypted email.

Maybe some banks do this, but not any I have used. I have seen plenty of other companies follow those kinds of practices, though, so I am not saying banks have flawless protection, there is no such thing, but rather that their security is at a different level to non-banking operations.

Not to mention there are numerous banks in a high-level private security mailing list I am a member of, with the likes of Google and Microsoft also contributing to that list, but no representatives from places like retailers, social media sites, game companies etc. They play an active role in how security moves forward.

At the end of the day, if you want a server completely protected, then disconnect the network cable.
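The first three "tick boxes" in the post above (an expired certificate, obsolete cipher suites, and the legacy protocol versions that usually go with them) are the kind of thing that can be audited mechanically rather than argued about. The Python below is an added example written for this page; it is not code from the forum, from any bank, or from any ISP. The obsolete-cipher name fragments and the set of legacy protocol versions are this example's own assumptions, the sample certificate dictionary is constructed in the shape `ssl.getpeercert()` returns rather than captured from a real site, and `online.example-bank.test` is a made-up hostname.

```python
import re
import socket
import ssl
import time

# Assumption: an illustrative baseline of cipher-suite name fragments the
# community treats as obsolete (RC4, single/triple DES, MD5 MACs, NULL or
# anonymous key exchange, export-grade suites). Not an exhaustive policy.
OBSOLETE_CIPHER_RE = re.compile(
    r"(RC4|DES|MD5|NULL|EXP-|EXPORT|ADH|AECDH|ANON)", re.IGNORECASE
)

# Assumption: anything below TLS 1.2 is treated as a legacy protocol.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def obsolete_ciphers(cipher_names):
    """Return the cipher-suite names that match an obsolete fragment."""
    return [name for name in cipher_names if OBSOLETE_CIPHER_RE.search(name)]


def cert_days_remaining(peercert, now_ts=None):
    """Days until 'notAfter' for a dict in ssl.getpeercert() format.

    A negative result means the certificate has already expired.
    """
    expires_ts = ssl.cert_time_to_seconds(peercert["notAfter"])
    if now_ts is None:
        now_ts = time.time()
    return (expires_ts - now_ts) / 86400.0


def audit_tls_facts(peercert, tls_version, cipher_name, now_ts=None):
    """Turn the raw facts of one TLS session into a list of findings.

    Works offline on captured or constructed values, so the policy can be
    unit-tested without touching the network.
    """
    findings = []
    days = cert_days_remaining(peercert, now_ts)
    if days < 0:
        findings.append("expired certificate (%.0f days ago)" % -days)
    elif days < 14:
        findings.append("certificate expires within 14 days")
    if tls_version in LEGACY_PROTOCOLS:
        findings.append("legacy protocol negotiated: %s" % tls_version)
    if obsolete_ciphers([cipher_name]):
        findings.append("obsolete cipher suite negotiated: %s" % cipher_name)
    return findings


def audit_tls_endpoint(host, port=443, timeout=5.0):
    """Connect to a live host and audit what it negotiates (network required).

    The default context already verifies the chain and hostname, so an
    expired or untrusted certificate surfaces as an exception rather than
    as a finding; catch it and report it as one.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cipher_name, tls_version, _bits = tls.cipher()
                return audit_tls_facts(tls.getpeercert(), tls_version, cipher_name)
    except ssl.SSLCertVerificationError as exc:
        return ["certificate failed verification: %s" % exc.verify_message]


# Constructed sample in the shape ssl.getpeercert() returns; not a real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "online.example-bank.test"),),),
    "notBefore": "Sep  1 00:00:00 2015 GMT",
    "notAfter": "Sep 10 00:00:00 2016 GMT",
}
SAMPLE_NOW_TS = 1441843200  # 2015-09-10 00:00:00 UTC, the thread's date

if __name__ == "__main__":
    # A well-configured session on the thread's date: no findings.
    print(audit_tls_facts(SAMPLE_CERT, "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", SAMPLE_NOW_TS))
    # The same certificate 400 days later, over TLS 1.0 with RC4: three findings.
    print(audit_tls_facts(SAMPLE_CERT, "TLSv1", "RC4-SHA", SAMPLE_NOW_TS + 400 * 86400))
```

The split between `audit_tls_facts` (pure, offline) and `audit_tls_endpoint` (network) is deliberate: the policy is the part worth testing, and keeping it free of sockets means the same checks can be run over certificates and cipher names pulled from logs or a packet capture. Note that a verifying client never gets as far as inspecting an expired certificate's dates, which is why the live path reports verification failures as a finding of their own.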

loonylion
Re: How not to perform a critical software update.
« Reply #17 on: September 09, 2015, 11:02:25 PM »

Quote
At the end of the day, if you want a server completely protected, then disconnect the network cable.

And lock the door.

sevenlayermuddle
Re: How not to perform a critical software update.
« Reply #18 on: September 10, 2015, 07:23:36 PM »

As if on cue, a major breach at Lloyds in the news today...

http://www.bbc.co.uk/news/business-34209500

Quote
I have never seen a bank use an expired cert.
I have never seen a bank rely on only a password for authentication.
I have never seen a bank use ciphers that are considered obsolete by the community.
I have never seen a bank send authentication details in unencrypted email.

These are just tick boxes and whilst commendable, are no substitute for a responsible and considered attitude.  Moreover, I have never personally heard of a major breach based on failure to tick these boxes - far more likely, a vulnerability will be found (like recent TLS/SSL bugs), that render the ticks somewhat irrelevant.

I'm not much given to praising Google these days, but I have to admit their 'Bounty' program, whereby they reward researchers who find security vulnerabilities, is hard to criticise. The trouble with banks is they seem to honestly think that, as long as they tick all the boxes, there will be no vulnerabilities.

Which of course is utter nonsense, especially if you leave a data storage box in a vulnerable place.   Or as I stressed earlier, if you accept knowledge of date-of-birth as 'proof of id', or if you condition your customers to freely disclose information to 'phishing' phone calls.

roseway
Re: How not to perform a critical software update.
« Reply #19 on: September 10, 2015, 07:31:33 PM »

Quote
Nevertheless customers are being advised to take out identity protection, as an extra layer of security.

That's not security, it's insurance. And it does little or nothing to protect you against the consequences of having your identity stolen.

sevenlayermuddle
Re: How not to perform a critical software update.
« Reply #20 on: September 10, 2015, 07:54:41 PM »

Quote
Nevertheless customers are being advised to take out identity protection, as an extra layer of security.

That's not security, it's insurance. And it does little or nothing to protect you against the consequences of having your identity stolen.

I agree.

But somebody at Lloyds probably went home with a big bonus today, for having dreamed up a way of turning negative news into an opportunity to promote another insurance product. ::)

Chrysalis
Re: How not to perform a critical software update.
« Reply #21 on: September 10, 2015, 09:43:35 PM »

Quote
As if on cue, a major breach at Lloyds in the news today...

http://www.bbc.co.uk/news/business-34209500

Quote
I have never seen a bank use an expired cert.
I have never seen a bank rely on only a password for authentication.
I have never seen a bank use ciphers that are considered obsolete by the community.
I have never seen a bank send authentication details in unencrypted email.

These are just tick boxes and whilst commendable, are no substitute for a responsible and considered attitude. Moreover, I have never personally heard of a major breach based on failure to tick these boxes - far more likely, a vulnerability will be found (like recent TLS/SSL bugs), that render the ticks somewhat irrelevant.

I'm not much given to praising Google these days, but I have to admit their 'Bounty' program, whereby they reward researchers who find security vulnerabilities, is hard to criticise. The trouble with banks is they seem to honestly think that, as long as they tick all the boxes, there will be no vulnerabilities.

Which of course is utter nonsense, especially if you leave a data storage box in a vulnerable place. Or as I stressed earlier, if you accept knowledge of date-of-birth as 'proof of id', or if you condition your customers to freely disclose information to 'phishing' phone calls.

Whilst its timing is amusing, this event bears no relation to their web services. :)

One simple question: is it your belief that banks don't take security more seriously than Tesco and co. on their web portals?

sevenlayermuddle
Re: How not to perform a critical software update.
« Reply #22 on: September 10, 2015, 10:29:50 PM »

Quote
One simple question: is it your belief that banks don't take security more seriously than Tesco and co. on their web portals?

I have no personal experience of Tesco, but I would anticipate their attitude to overall customer security to very probably be even worse than that of the banks.

The fact that others may be even worse does not alter my perception that most banks' approach to overall security of online accounts, in my opinion, leaves an awful lot to be desired.