Archive for the ‘Security’ Category

Glad to see it moving along, hopefully the browser support for it will continue to solidify. These standards were a key part of delivering some json web services and making them securely available in the cloud. Very diligent of them to mention me for a meager contribution to the specification.

http://www.w3.org/TR/cors/ (W3C Candidate Recommendation 29 January 2013)

Read Full Post »

Your password managers are all good products, but suffer from one key flaw, if my PC is compromised, I’m better off without them.

In some cases I’d be lucky, and the thieves would only manage to capture a “master password” as I enter it to access one of my passwords. In the worst case the thieves make off with my entire password database and destroy my digital life.

There is potentially a simple solution to this problem though. Simply put I can trust my phone more than I can trust any of my PCs. When I need a password on my PC, my phone is normally sitting next to me. I would like my password manager (on my PC) not to actually have access to the passwords, unless I authorise that access on my phone, and even then it would only have access to one particular password for a short period of time.

It may sound clumsy, but sliding a push notification on my iPhone home screen and entering my phone PIN would be a whole lot easier than typing in a 30 character master password!

Yours in anticipation ;-/

Read Full Post »

There’re a number of attacks around modifying the EFTPOS smart card terminals. This is especially a problem when the same PIN can be used for the CHIP n PIN entry as is used for the magnetic strip. I.e. take a copy of the magnetic strip, and even if the user then uses CHIP n PIN you can send those details (magnetic strip + pin) overseas and make withdrawals from ATMs that don’t use a CHIP reader.

See a detailed story on the issue here, “Criminals hijack terminals to swipe Chip-and-PIN data”

Most of the problems come down to the one simple problem; the user does not have the technical skills to determine whether they should trust a particular ATM or EFTPOS machine.

One simple answer to all this problem of trusted hardware may be to have smart cards with PIN pads built in and a small display. 

  1. You would insert your card in the ATM/EFTPOS machine.
  2. Choose the transaction (I.e. withdrawal $100, or pay $12.34 for some goods).
  3. Remove the card from the ATM/EFTPOS terminal.
  4. The card would then have a small display showing how much you were authorising and potentially who you were paying as well.
  5. You would then enter your PIN on keys / touch sensor built into the smart card.
  6. Re-insert your card in the ATM/EFTPOS terminal to complete the transaction.

I don’t think the technology is too much of a problem. Building a display and pin-pad into a card that remains as thin as current ones may be a challenge, though not an insurmountable one I suspect.

But then again, why not just use a trusted computing device with short range communications to authorise payments. i.e. Swipe your phone past the eftpos machine, transactions under $100 automatically authorised, up to $300 user clicks OK on phone to authorise, phone requires a pin number to authorise anything more.

Read Full Post »