Olympus-OM
Re: [OM] I'm done with PayPal

Subject: Re: [OM] I'm done with PayPal
From: David Thatcher <davidt@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 18 Jun 2011 03:31:54 +0930
On Thu, Jun 16, 2011 at 01:56:00PM -0400, classicvw@xxxxxxx wrote:
> 
>  I know you are all internet savvy and hopefully careful with your accounts, 
> but I just want to relate what happened to me.
> At approx 7AM Sunday June 4th, I received three email notifications from 
> PayPal that they were processing my requests 
> to send money to an unverified Yahoo address. $310 total. These were time 
> stamped around 2 AM. I was unable to report 
> these as fraudulent to PayPal since their customer service didn't start until 
> 10AM local. (First annoyance) 
> When I did get through to them and notified them that I was certain that I 
> did not send any money out at 2AM that date, 
> the only thing they said to me was they would look into it and get back to me 
> in 10 days with their findings! (Second annoyance)


Hi George,

Sooner or later this sort of thing will happen in any financial
institution that is internet-connected. So far, I have been able to
resist the urge to have 'internet banking' for just this reason. I work
in the communications and security sphere & our team maintains a few
hundred internet firewalls. The way I see it (for want of a better
analogy), there is a dial control, at one extreme is 'security' and at
the other 'usability' (or perhaps 'convenience'). At maximum security
there is an air-gap & nothing is internet-connected, and everything has
to be done at a personal level with certified bona-fides. At the other
is maximum online access (but no safety from exploitation). 

The basic problem is that average people (which seems to include
high-level management) are uninterested in the risks, they just want
something that is easy to use. This relates to many aspects of the
information technology realm - not just money services. The result that
I see is many requests from customers to 'just open this port to our
<something internal> server'. Part of what I do is to outline the risks
of doing this (trying to push the dial towards 'security'), & if they
wish to continue, to use the functions available on our products to
control (and log) whatever access IS allowed in an attempt to mitigate
the problems. The type of initial requests - even across our small
customer base, however, are indicative of the lack of understanding of
the risks or potential harm by the average IT person (note that this is
not a criticism of the people as such -more of the IT education system).

All that said, my son's bank account was compromised with a random
signature at a bank counter, so human error (or is it just a worldwide
shortage of rat's arses (sorry, 'Cynical Dave' coming out)) is also a
factor even towards the 'security' end of the dial.

The usual credentials for network access are username and password, and
in most cases this is sufficient, i.e. the user is already inside the
building or the network. This is extended to external access from the
internet at large, & this is where problems arise - fine if it's
something mostly useless outside the organisation like manufacturing
figures, but if it's money, the hackers will find it worthwhile to try
to brute-force account access with, say, basic 'dictionary attacks' (&
I'm ignoring the small percentile of people in positions of
responsibility that can be bribed or are disgruntled & want to harm 'the
company'). Users are often the problem with low-strength passwords (the
number of really silly passwords I have encountered is scary...)

In general terms, for outside access, I would recommend a two-factor
authentication process to our clients. 'Something you know': i.e. a PIN,
& 'something you have' i.e. a token device. PayPal do offer a secure
access token:
https://www.paypal.com/us/cgi-bin/?&cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside
Regrettably they cost money; personally, I think they should just supply
them for free (there is an SMS code option, charged on a per-message
basis).

davidt


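The two-factor scheme David describes ('something you know' plus 'something you have') and the dictionary attack he warns about, as an added example that is not part of the post and does not model PayPal's actual security key. The PIN, the token secret, the wordlist and the timestamps are constructed; the token side is a standard TOTP (RFC 6238) generator, and the 'something you know' side is a salted PBKDF2 hash of the PIN.

```python
"""Two-factor login check: a PIN the user knows plus a TOTP token the user has.
Added example, not code from the mailing-list post or from PayPal.
The secret, PIN, wordlist and timestamps below are constructed for the demo."""
import hashlib
import hmac
import secrets
import struct

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6   # code length shown on the token


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock skew).
    Every candidate is compared so the timing does not reveal which step matched."""
    counter = at_time // STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the 'something you know' factor for storage."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Account:
    """Constructed account record: stored PIN hash + per-account token secret."""

    def __init__(self, pin: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.token_secret = token_secret

    def login(self, pin: str, code: str, at_time: int) -> bool:
        know = hmac.compare_digest(hash_pin(pin, self.salt), self.pin_hash)
        have = verify_totp(self.token_secret, code, at_time)
        return know and have   # both factors are always evaluated; both must pass


def dictionary_attack(acct: Account, wordlist):
    """Offline guessing of the PIN against a leaked hash: returns the guess that
    matches, or None. Even a hit does not yield a login without the token."""
    for guess in wordlist:
        if hmac.compare_digest(hash_pin(guess, acct.salt), acct.pin_hash):
            return guess
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"        # RFC 6238 test-vector secret (constructed here)
    acct = Account("1234", secret)          # a weak PIN, as in the post's complaint
    now = 1111111109
    code = totp(secret, now)
    print("PIN + valid token   :", acct.login("1234", code, now))      # True
    print("PIN + stale token   :", acct.login("1234", "000000", now))  # False
    print("guessed PIN         :", dictionary_attack(acct, ["password", "letmein", "1234"]))
    print("guess, no token     :", acct.login("1234", "000000", now))  # still False
```

The `window` of one step either side is the usual compromise between a user whose token clock has drifted and an attacker replaying an old code; tightening it to zero trades convenience for security in exactly the way the dial analogy in the post describes.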
-- 
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/