Sun, 09 Aug 2009
I just received an automated call from Santander.
Let's set aside the stupidity of calling me on a Sunday, when all banks are closed, and put it down to the parent organisation being in Spain, the call centre being in India and this being a case of cultural stupidity.
What really annoyed me is that they wanted me to answer a few security questions, like what my address is, my date of birth.
They called me.
There is no guarantee that the person who claims to be from Santander is actually from there. It could be any random person calling and pretending to be them.
But what mechanism could they use to validate themselves? What about using two-factor authentication?
They could have called me from a number that they print on the back of the card, which would have at least been a good starting point. It is not impossible to spoof an originating number, but it does increase the burden of effort on someone trying to perform identity theft. Fail one.
After explaining this to the woman on the other end, she kept asking me to fill in the questions and then hung up in a huff. Fail two. I had a similar call from HSBC earlier in the week as well. After I explained that, since they called me, they either have something to tell or sell to me or they don't, he agreed. HSBC wanted me to come in for an appointment to review some ways they can "help me".
So it was a marketing call. At least HSBC have someone who is able to independently reason. They only score a single fail for trying to have me authenticate to them.
Principles of outbound calling:
Mon, 20 Aug 2007
Whilst checking one of my various mailserver logs, I noticed that a site had presented a certificate signed by VeriSign. It had an embedded URL, so I thought I should check out what it said.
It turned out to be a link to VeriSign's Relying Party Agreement. In it, VeriSign disclaims various liabilities related to its primary function (authenticating identity and certifying trust) but also sets out monetary damages if they fail to do a good job.
Sections 11.3 and 11.4 set out the damages. To wit (emphasis mine):
11.3 VERISIGN'S TOTAL LIABILITY FOR ALL DAMAGES SUSTAINED BY ALL RELYING PARTIES CONCERNING A SPECIFIC CERTIFICATE (OTHER THAN AN EXTENDED VALIDATION CERTIFICATE) SHALL BE DETERMINED ACCORDING TO THE CLASS OF THE CERTIFICATE RELIED UPON AND LIMITED, IN THE AGGREGATE, TO THE AMOUNT SET FORTH BELOW.
Class / Liability Cap
Class 1: One Hundred U.S. Dollars (US $100.00) (or the local currency equivalent thereof)
Class 2: Five Thousand U.S. Dollars (US $5,000.00) (or the local currency equivalent thereof)
Class 3: One Hundred Thousand U.S. Dollars (US $100,000.00) (or the local currency equivalent thereof)
THE LIABILITY LIMITATIONS PROVIDED IN THIS SUBSECTION 11.3 SHALL BE THE SAME REGARDLESS OF THE NUMBER OF DIGITAL SIGNATURES, TRANSACTIONS, OR CLAIMS RELATED TO SUCH CERTIFICATE.
11.4 THIS SUBSECTION 11.4 APPLIES TO VERISIGN SSL CERTIFICATES WITH EXTENDED VALIDATION ONLY: IF VERISIGN FAILED TO ISSUE THE EXTENDED VALIDATION CERTIFICATE IN COMPLETE COMPLIANCE WITH THE EXTENDED VALIDATION GUIDELINES, THEN VERISIGN’S LIABILITY FOR LEGALLY RECOGNIZED AND PROVEN CLAIMS SHALL BE LIMITED TO USD$2000 PER RELYING PARTY PER CERTIFICATE.
So, basically, an Extended Validation certificate is not even worth the electrons.
ॐ (aum) - what was, what is and what will be, wildfire's musing
Anand Kumria
wildfire@progsoc.org