ridecamp@endurance.net

RE: [RC] Whats New with SERA - David LeBlanc

Truman Prevatt said:

      There are always inherent risks with using the internet for commerce.
      There is an inherent risk in using a credit card for a payment and there is
      an inherent risk of using a check.

[dcl]
Security is about managing risk, not about eliminating it, so you're correct
that there is always a risk, and the real point is the relative risk with
respect to the asset being protected, how well it is protected, and the
threat level against the asset.

Credit cards and checks both have safeguards in place against fraud (though
to different levels).

      While you are signed on the internet a hacker can get any
      information you have stored in your computer - username and password to any
      site.

[dcl]
If your system is compromised, yes. If you run a virus (more accurately a
trojan), then it's true that anything stored on your system can be revealed.
However, that isn't the only angle of attack. I can go directly to a web
site and see if I can get into your account. I don't have to always
compromise your system. There's also the risk that the server on the other
end is compromised.

      The Windows operating system is the most vulnerable OS out there.

[dcl]
This isn't accurate. It is certainly the most attacked system out there due
to the numbers of systems available. UNIX and Linux systems are also highly
vulnerable. Macs are open to attack. AOL users are subject to specialized
attacks. If you expose an unpatched system, regardless of operating system,
to the internet, it will probably get hacked. The key is to a) stay up to
date on patches, b) use good sense (don't open attachments you aren't
expecting - the current worm uses NO security hole other than user error),
and c) enable a firewall on internet-exposed systems. This advice is just as
valid whether you're running Windows, Linux, UNIX, Mac, etc.

      They can then go to the site, e.g. amazon.com and check out your history
      and download other information. They can hack into a bank's files and get all
      the credit card numbers and information for the bank and use those numbers -
      that's actually been done.  A hacker can install in your computer a
      background program to capture and report back on your keystrokes. So while
      you are buying something online, the link between you and the merchant is
      encrypted and secure, but the hacker knows what you are sending and your
      credit card information can be derived from that.

[dcl] Yes, all of these things can and have happened. This assumes that your
system is compromised, and there are people who operate this way. Other
people use different attack methods. For example, user-chosen passwords are
going to be vulnerable to a simple dictionary attack unless there are
password filters in place to prevent this. If I can gather the e-mail
addresses of enough PayPal users, I can then launch a pure dictionary attack
against them, and I'll harvest a few accounts. This is an extraordinarily
low bar - far lower than having to install a keystroke logger, hoping that
it stays there and that someone else doesn't take over the same system in
the meantime.

      This is a particular problem with Windows and this is why things like
      firewalls are important and virus checkers are important.

[dcl] Absolutely not. Keystroke loggers (also known as rootkits) predate
what we think of as Windows (say Windows 3.0). In fact, it has only been
recently that rootkits have reached the same level of sophistication on
Windows systems as have been available on UNIX and Linux systems for years.
They have caught up, though, so Windows systems are now subject to the same
types of threats as non-Windows systems have been subject to since the 80's.

      In the mid-1990s, a hacker broke into the payroll computer network in
      the Pentagon and was trying to move funds around. He was initially
      successful, but was caught.

[dcl]
I know someone who did a white-hat penetration test on a large bank and
moved very large amounts of money around. I know lots of people who test
network security for a living (I have done this myself) and some of the
stories are horrendous. There's a lower correlation between operating system
and security than between how good the operator is and security. 

For example, if my Linux system were exposed to the Internet, it would get
hacked in minutes. OTOH, I designed (and in OpenHack 1 and 2 configured
personally) the security of the Windows systems used in eWeek's OpenHack 1,
2 and 4 contests, and they emerged without a scratch in every case. I'm
simply better at securing Windows than Linux.
       
      While there are inherent risks with any movement of funds by
      electronic means, I suspect the risks with PayPal are no greater than having
      a bank card with Chase and a lot less risk than having your credit card
      number stored in your Windows computer.

[dcl]
IMHO, the risk of using PayPal is high enough that I will not use it. The
user name for the account is public knowledge, and user-chosen passwords
tend to be very weak. There's a serious risk here even if your system isn't
compromised. This is why I think the advice to:

1) Use an account to back PayPal that is completely unassociated with
anything else.
2) Do not keep more funds in that account than absolutely necessary.
3) If you receive funds via PayPal, transfer them immediately to another
account.

Is very solid advice. It's a risky system with inherently weak
authentication methods. If you choose to use the system, mitigate the risk
by reducing the value of the asset to something you don't mind losing.
Personally, the trouble involved in mitigating the risk outweighs the
convenience of the service, and I'd rather use other methods - especially
for something like a membership I pay for once a year. YMMV, and if you do
something else I hope it works out well.
       
      Ten years ago there were significant risks. Today with the newer
      technology the risk is much lower. However, nothing is totally risk free
      including paying by check.

[dcl] 
Very true - taking a shower and driving to work are probably some of the
riskiest things we do, and we don't typically worry about it. For example,
there's a risk associated with putting outbound checks in your mailbox. I
mitigate that by dropping them at the Post Office.
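The message above mentions password filters as the defence against the dictionary attack it describes, and notes that the account name (an e-mail address) is public knowledge. The following is an added example, not code from the original post or from PayPal, of such a filter in Python: it undoes the common character substitutions a cracking tool tries, rejects candidates built on a dictionary word, and rejects passwords that contain the public account name. The word list, the minimum length and the substitution map are constructed stand-ins for what a real deployment would load.

```python
"""Password filter of the kind the post alludes to: reject the candidates a
dictionary attack would try first. Added example; the word list below is a
small constructed stand-in for a real cracking word list (assumption)."""
import re

# Constructed stand-in for a real word list (assumption).
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty", "monkey", "dragon",
    "baseball", "football", "sunshine", "princess", "endurance", "horse",
}

# Substitutions cracking rules apply when "mangling" dictionary words (assumption:
# a real filter would carry a fuller table).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12  # constructed policy value


def normalize(candidate: str) -> str:
    """Reduce a candidate to the dictionary word it was built from.

    'P@ssw0rd1!' -> 'password': trailing digits/punctuation that rules append
    are stripped first, then the character substitutions are undone."""
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def check_password(candidate: str, username: str) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    core = normalize(candidate)
    if core in COMMON_WORDS:
        problems.append(f"based on the common word '{core}'")
    # The account name is public (the post's point about PayPal), so it must
    # not appear inside the secret.
    local_part = username.split("@")[0].lower()
    if len(local_part) >= 3 and local_part in candidate.lower():
        problems.append("contains the account name, which is public")
    if core and re.fullmatch(r"(.)\1*", core):
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates for a constructed account name.
    for pw in ["P@ssw0rd1!", "TrumanPrevatt2004", "correct horse battery staple"]:
        verdict = check_password(pw, "truman@example.com")
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

The normalisation step is what makes the filter worth having: a plain dictionary lookup passes "P@ssw0rd1!" while any cracking tool tries it in its first minute, and a filter that only enforces length passes "TrumanPrevatt2004" even though the account name is the first thing an attacker already knows.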
