Think giving out basic personal information on Facebook is harmless? You might need to rethink, as a reformed burglar has given details on how a criminal can use your user account as a tool for committing a crime. Continue reading “Social Hacking”
Why does an application server have to be separated from the database server?
For medium to large data-volume environments, it is advisable to physically separate the application and database servers.
Continue reading “Why does an application server have to be separated from the database server?”
Is 3D Secure Credit Card Authentication Secure? – A Research Perspective
Banks worldwide are starting to authenticate online card transactions using the “3-D Secure” (3DS) protocol, deployed by Visa as “Verified by Visa” and by MasterCard as “MasterCard SecureCode”. Researchers Steven J. Murdoch and Ross Anderson have criticised this card-verification scheme and argue that both deployments are flawed.
They observe that:
The 3DS password form is displayed inside an iframe or a pop-up window with no address bar, so the customer has no indication of where the form has come from. This contradicts the banks’ own anti-phishing advice to customers: enter bank passwords only into sites you can identify as the bank’s own.
The researchers also criticise the initial password enrolment, which happens the first time a cardholder uses a 3DS-enabled card to shop online. The customer is asked to choose a new password in the middle of making a purchase, which the researchers consider a bad moment: the customer is focused on the shopping rather than on security and is therefore more likely to pick a weak password.
The 3DS specification covers only the communication between the merchant, acquirer, payment scheme and issuer; how the issuer actually verifies the customer is left unspecified. At the same time, liability for fraud on 3DS-authenticated transactions is shifted onto the customer.
What should be done technically?
They argue that single sign-on is the wrong model; what is needed is transaction authentication. The system should ask the customer: “You’re about to pay $X to merchant Y. If this is OK, enter the auth code.” Such a code could be added to 3DS using SMS messaging, or systems like CAP (Chip Authentication Program), as a stopgap.
In the long term we need to move to a trustworthy payment device. This is not rocket science: rather than spending $10 per customer to issue CAP calculators, banks should spend $20 to issue a similar device with a USB interface and a trustworthy display.
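The difference between the two models is easiest to see in code. The following is an added example, not code from the Murdoch/Anderson paper or from any card scheme. It assumes that the issuer and the cardholder’s device share a per-card secret (card_key), that the device shows “pay X to Y” on a trustworthy display and then computes a short code bound to those details plus an issuer challenge, and that the issuer recomputes and checks it. CAP itself derives its code from the EMV card’s cryptogram; a plain HMAC stands in for that here. The names PasswordIssuer, TransactionIssuer, transaction_auth_code and demo are all hypothetical.

```python
"""Transaction authentication versus a static 3DS password (added example).

Assumptions (not from the paper): the issuer and the cardholder's device share
a per-card secret key; the device shows "pay X to Y" on a trustworthy display
and computes an HMAC over those details plus an issuer challenge; the issuer
recomputes the HMAC to verify. HMAC stands in for the EMV cryptogram CAP uses.
"""
import hashlib
import hmac
import secrets

CODE_DIGITS = 8  # length of the code the cardholder types into the merchant page


def canonical(amount_minor: int, currency: str, merchant: str, challenge: str) -> bytes:
    """Unambiguous encoding of exactly what the customer is approving.

    Each field is length-prefixed so that two different transactions can never
    produce the same byte string (amount 12 / merchant "3X" versus 123 / "X").
    """
    out = b""
    for field in (str(amount_minor), currency, merchant, challenge):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def transaction_auth_code(card_key: bytes, amount_minor: int, currency: str,
                          merchant: str, challenge: str) -> str:
    """What the trustworthy device computes after showing the details to the user."""
    mac = hmac.new(card_key, canonical(amount_minor, currency, merchant, challenge),
                   hashlib.sha256).digest()
    # Dynamic truncation in the style of HOTP (RFC 4226) so the code is typeable.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class PasswordIssuer:
    """The single-sign-on model the paper criticises: one static secret approves anything."""

    def __init__(self, password: str):
        self.password = password

    def verify(self, amount_minor: int, currency: str, merchant: str, password: str) -> bool:
        # Amount and merchant play no part in the check, so a phished password
        # authorises whatever transaction the phisher likes.
        return hmac.compare_digest(self.password.encode(), password.encode())


class TransactionIssuer:
    """Transaction authentication: a code is valid for one amount, merchant and challenge only."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.spent_challenges = set()

    def new_challenge(self) -> str:
        return secrets.token_hex(8)

    def verify(self, amount_minor: int, currency: str, merchant: str,
               challenge: str, code: str) -> bool:
        if challenge in self.spent_challenges:
            return False  # an authorisation can be spent once only
        expected = transaction_auth_code(self.card_key, amount_minor, currency,
                                         merchant, challenge)
        if not hmac.compare_digest(expected, code):
            return False  # the code was computed over different details
        self.spent_challenges.add(challenge)
        return True


def demo() -> dict:
    """Constructed scenario: a cardholder pays 20.00 GBP; a phisher sees what she types."""
    card_key = secrets.token_bytes(32)  # constructed per-card secret

    # Static-password model: the phisher replays the password on his own transaction.
    pw_issuer = PasswordIssuer("hunter2")
    phisher_wins_with_password = pw_issuer.verify(200000, "GBP", "Mule Ltd", "hunter2")

    # Transaction-authentication model: device shows "pay 20.00 GBP to Bookshop".
    tx_issuer = TransactionIssuer(card_key)
    challenge = tx_issuer.new_challenge()
    code = transaction_auth_code(card_key, 2000, "GBP", "Bookshop", challenge)

    # The phisher intercepts the code and tries to bind it to a different payment.
    phisher_rebinds_code = tx_issuer.verify(200000, "GBP", "Mule Ltd", challenge, code)
    # The genuine payment goes through ...
    genuine = tx_issuer.verify(2000, "GBP", "Bookshop", challenge, code)
    # ... and a replay of the captured code fails even with identical details.
    replay = tx_issuer.verify(2000, "GBP", "Bookshop", challenge, code)

    return {
        "phisher_wins_with_password": phisher_wins_with_password,
        "phisher_rebinds_code": phisher_rebinds_code,
        "genuine": genuine,
        "replay": replay,
    }


if __name__ == "__main__":
    print(demo())
```

The point is in the last three checks: a code computed over the amount, merchant and a fresh challenge is useless to anyone who captures it, whereas the static password approves any transaction. Whether the device is a CAP reader, an SMS message or a USB token only changes how the code is computed and shown; binding it to the transaction details is what removes the phisher’s gain.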
What must be done to make it happen?
Incentives are the key. Visa and MasterCard have managed to get 3DS deployed by arranging things so that merchants and banks benefit (at least in the short term) while consumers lose out. What is needed now is for regulators to intervene on behalf of the consumer. The EU already has the Electronic Signature Directive, which contemplates shifting the liability for electronic transactions to bank customers if they are equipped with a secure electronic signature creation device. The missing word is ‘only’. If the liability shift is permitted only once the technology actually empowers the customer to decide which transactions she will authorise, then the incentives will line up and we might finally start to move toward a sustainable infrastructure for cardholder-not-present payments.
Reference : https://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf
Some Common Key Management Mistakes
In this article we look at some common cryptography pitfalls relating to the management of keys and related issues. Some cryptography fundamentals are listed first for clarity. Continue reading “Some Common Key Management Mistakes”
Information Security Standards under ISO
When we discuss Information Security Standards under ISO, the first thing that comes to mind is ISO 27001, the specification for an Information Security Management System.
However, apart from ISO 27001 (a standard against which an organisation can be certified), there are many other ISO initiatives covering IT security; some are published standards, while others are still work in progress.
Here is a brief listing of some such standards:
Continue reading “Information Security Standards under ISO”
£480,000 Insider Fraud in Barclays Bank
A trial is currently under way in a British court against a former customer business manager at the Handsworth branch of Barclays Bank.
Parminder Bhachu, 42, from Birmingham, is accused of authorising the transfer of £480,000 from the account of Londoner Barbara Siembida in February last year.
Emerging technologies to improve card security
Card skimming has become one of the biggest threats in the payment-card space. Lingering magnetic-stripe technology, rather than the more advanced EMV chip standard used in Europe and elsewhere, is part of the problem. Continue reading “Emerging technologies to improve card security”
Mobile Security Software Suite – New Launches
Mobile security concerns have dominated recent security discussions. Conventional threats are increasingly being adapted to mobile devices, and security companies have introduced products for this space. Continue reading “Mobile Security Software Suite – New Launches”
Firesheep is available
Accessing your accounts from public Wi-Fi spots such as airports and hotels has become riskier with the release of Firesheep. Continue reading “Firesheep is available”
A Data Center View
When an enterprise is small in size the IT infrastructure consists of a server room with couple of low end servers, some networking devices and client PCs. But as the organization grows the IT infrastructure too grows in size. Medium to large scale enterprises have data centers of their own or outsource the data center (DC) operations to service providers who specialize in DC operations. In this article, let us have a peek into a typical data center and look at what components are deployed.