|
ewiley posted:https://twitter.com/GossiTheDog/status/1163753873351356417?s=20 three weeks
|
#
?
Aug 20, 2019 14:23
|
|
|
|
| # ? Jun 7, 2024 23:18 |
|
|
My bank just magnanimously informed me via email that my contactless credit card that I never wanted nor asked for is now on the way since I'm such a good customer. How currently hosed is this technology and do I have to wrap my card in tinfoil now?
|
|
#
?
Aug 20, 2019 15:05
|
|
|
can't you just ask them to disable contactless on the card? both my bank card and credit card have it, but it's not active on my bank card because lol if anything that can directly debit money from my accounts is going to have pinless access. also, i have a small metal case for my cards, but ymmv.
|
|
#
?
Aug 20, 2019 15:10
|
|
|
Volmarias posted:My bank just magnanimously informed me via email that my contactless credit card that I never wanted nor asked for is now on the way since I'm such a good customer. Tap is better than chip because you’re not having liability shifted to you.
|
|
#
?
Aug 20, 2019 15:27
|
|
|
Lain Iwakura posted:Tap is better than chip because you’re not having liability shifted to you.
|
|
#
?
Aug 20, 2019 16:24
|
|
|
chip liability is UK/euro only.
|
|
#
?
Aug 20, 2019 18:18
|
|
|
Volmarias posted:My bank just magnanimously informed me via email that my contactless credit card that I never wanted nor asked for is now on the way since I'm such a good customer. it’s fine no
|
|
#
?
Aug 20, 2019 18:19
|
|
|
a bunch of wallets advertise NFC protection but I have no idea if any of it is legit.
|
|
#
?
Aug 20, 2019 18:20
|
|
|
Shaggar posted:a bunch of wallets advertise NFC protection but I have no idea if any of it is legit. my wallet breaks my building's security badge (gf gifted it without checking first) so it works that much. no idea if it would stop an intentional attack with a stronger antenna
|
|
#
?
Aug 20, 2019 18:27
|
|
|
I use a Secrid and it's very needs suiting and totally blocks rfid/nfc
|
|
#
?
Aug 20, 2019 18:29
|
|
|
haveblue posted:my wallet breaks my building's security badge (gf gifted it without checking first) so it works that much. no idea if it would stop an intentional attack with a stronger antenna mine claimed to be NFC blocking but I hit it against the badge reader and it works. I wonder if the leather is just thick enough to block normal credit card nfc stuff.
|
|
#
?
Aug 20, 2019 18:40
|
|
|
Shaggar posted:a bunch of wallets advertise NFC protection but I have no idea if any of it is legit. it sucks rear end and the mesh breaks rapidly at the bend points. “rf shielding” wallets are every bit the security theater the tsa is. the big bags are better by virtue of heavier construction, double folds, and overall fewer flex cycles.
|
|
#
?
Aug 20, 2019 18:40
|
|
|
Carbon dioxide posted:Screenshot for when they delete the tweet I used to work for a company that was hired by an intermediary to pentest Virgin's sites, and sent this to a pal who still does. Based on how they described the past few days it seems that advertising how bad your security practices are on social media is open season to hackers, ethical or otherwise. Who knew? It's been a few years since I did any work for them, but at the time anything that couldn't be mitigated by updating to a newer product version was marked as 'won't fix'. That includes the passwords in plain text and low-entropy passwords that they've been aware of for a long long time. IIRC the 10-character password limit was enforced, because at the time their lovely home routers also had a 10-char limit on the admin login, so they encouraged people to use the same password for both their router and their online services. Naturally, connecting to the router over wifi was HTTP-only and the password was sent as plaintext in a GET request. Clyde Radcliffe fucked around with this message at 19:28 on Aug 20, 2019 |
|
#
?
Aug 20, 2019 19:22
|
|
|
BMX Ninja posted:I used to work for a company that was hired by an intermediary to pentest Virgin's sites, and sent this to a pal who still does. Wiggly Wayne DDS posted:the frankenmodem has some issues: https://www.nccgroup.trust/uk/about...for-a-backdoor/
|
|
#
?
Aug 20, 2019 19:34
|
|
|
i've found that a metal credit card will block an nfc card sample size n=1, but multiple times tho
|
|
#
?
Aug 20, 2019 21:04
|
|
|
it probably doesn't so much "block" it as create a bunch of noise and reflections that make the signal unusable
|
|
#
?
Aug 20, 2019 21:08
|
|
|
haveblue posted:it probably doesn't so much "block" it as create a bunch of noise and reflections that make the signal unusable near field stuff generally doesn't work the same as normal radio stuff, basically the card and the reader couple together like a transformer and the card "signals" the reader by adding and removing a load to its side of the transformer, so putting a conductive thing in between them really does "block" that coupling to an extent
|
|
#
?
Aug 20, 2019 21:14
|
|
|
my wallet was stacked [out] train pass metal CC plastic debit card [inside of wallet] and the turnstile was like "lol nope", moved the IC card to the other side of the wallet and it was fine
|
|
#
?
Aug 20, 2019 21:17
|
|
|
Wiggly Wayne DDS posted:ya i mentioned the frankenmodem a few threads back and it shows their approach to everything: Much appreciated.
|
|
#
?
Aug 20, 2019 21:25
|
|
|
yeah, contactless seems to get pretty easily blocked by other cards for me too. also i'm not sure there's much point being paranoid about contactless skimming. it's been in common use for a long time now and i'm not sure i've ever heard of it happening
|
|
#
?
Aug 20, 2019 21:26
|
|
|
Shame Boy posted:near field stuff generally doesn't work the same as normal radio stuff, basically the card and the reader couple together like a transformer and the card "signals" the reader by adding and removing a load to its side of the transformer, so putting a conductive thing in between them really does "block" that coupling to an extent nfc is inductive? neat Chalks posted:also i'm not sure there's much point being paranoid about contactless skimming. it's been in common use for a long time now and i'm not sure i've ever heard of even a poc attack the smart ones use a challenge/response protocol instead of transmitting credentials (I know for sure this is how apple pay works and I'm sure all the other good ones also do it)
|
|
#
?
Aug 20, 2019 21:29
|
|
|
Chalks posted:yeah, contactless seems to get pretty easily blocked by other cards for me too. every once in a while some local affiliate does a really stupid card skimming expose that involves holding a reader to someone's rear end to show that the card can be exposed through your wallet/pants
|
|
#
?
Aug 20, 2019 21:31
|
|
|
Yeah, not sure I've ever heard of a real world case, just local news station features bringing on a local 'hacker' to demonstrate. Anecdotal, of course.
|
|
#
?
Aug 20, 2019 21:37
|
|
|
Raere posted:Yeah, not sure I've ever heard of a real world case, just local news station features bringing on a local 'hacker' to demonstrate. Anecdotal, of course. yeah agreed. if someone can show a good nfc at range poc i'd love to see it, seriously. too much of my life revolves around nfc read range.
|
|
#
?
Aug 20, 2019 21:40
|
|
|
haveblue posted:my wallet breaks my building's security badge (gf gifted it without checking first) so it works that much. no idea if it would stop an intentional attack with a stronger antenna hell, the nfc is my phone is enough to gently caress up the badge readers if I'm trying to swipe in through my bag and they're sitting on top of each other. it's a very weak signal
|
|
#
?
Aug 20, 2019 21:54
|
|
|
Wasn't there a link to some email client (Outlook?) pre-fetching all the links in an email upthread? I can't find anything about it for the life of me.
|
|
#
?
Aug 20, 2019 22:28
|
|
|
Hed posted:Wasn't there a link to some email client (Outlook?) pre-fetching all the links in an email upthread? Might have been Microsoft thread, I read it as "MSFT-hosted OWA" when I saw it.
|
|
#
?
Aug 20, 2019 22:50
|
|
|
Hed posted:Wasn't there a link to some email client (Outlook?) pre-fetching all the links in an email upthread? James Baud posted:Might have been Microsoft thread, I read it as "MSFT-hosted OWA" when I saw it.
|
|
#
?
Aug 20, 2019 22:54
|
|
|
haveblue posted:nfc is inductive? neat yeah, inductive coupling is the "near field" part of nfc, as in the transmitter and receiver are close enough together (within like, e: it's within 1/2pi wavelength actually, which is even shorter than I thought! Shame Boy fucked around with this message at 23:01 on Aug 20, 2019 |
|
#
?
Aug 20, 2019 22:56
|
|
|
Thanks friends! 
|
|
#
?
Aug 20, 2019 23:01
|
|
|
https://twitter.com/zackwhittaker/status/1163465745877147650
|
|
#
?
Aug 20, 2019 23:59
|
|
|
the long form Epstein black book
|
|
#
?
Aug 21, 2019 03:03
|
|
|
*nervously clicks link, reads article, sees name of site, sighs in relief*
|
|
#
?
Aug 21, 2019 05:49
|
|
|
ymgve posted:*nervously clicks link, reads article, sees name of site, sighs in relief*
|
|
#
?
Aug 21, 2019 05:58
|
|
|
ymgve posted:*nervously clicks link, reads article, sees name of site, sighs in relief* hahah who would have that kind of problem, you guys sure are weird!!! oh thank god
|
|
#
?
Aug 21, 2019 06:22
|
|
|
one of our customers, who is heavy on the "can you provide us with 'best practices'?" (aka "we have no confidence in what we're doing and hope our vendor will do free tech consulting for poo poo that isn't their product") train would like to add authentication to their APIs we have several means of adding authentication, but for brevity, it probably makes most sense for them to use OIDC: their identity provider supports it, our implementation is generally robust and feature-complete, if a mass of inscrutable spaghetti code. the customer security architect is adamantly against this, arguing that OIDC's (typical) use of plaintext ID tokens is anathema, and also the vague "it's not industry standard to use OIDC to secure APIs" with no supporting rationale whatsoever. their solution to the unspeakable horror of plaintext ID tokens is to essentially roll their own protocol from bits of other poo poo, banking on their identity provider being able to issue encrypted JWT access tokens that contain identifying information. they will copy the encryption keys to the gateway proxies handling authentication and write their own custom code to handle JWE decryption using them to extract the identifying info. this is lovely in so many ways: * rolling your own crypto libs (in a language i doubt they have much expertise in): always a good idea! * living in a magical world where somehow decrypting a TLS stream to get plaintext is somehow less meaningfully secure than decrypting a TLS stream to get an encrypted token and then decrypting the token * there's a decent chance the key used to do JWE is the same key the IDP uses for JWS, since it's fine for access tokens to be opaque and impossible to decrypt normally. nothing like increasing your attack surface for stealing a key that can then be used to mint valid ID/access tokens. * the OIDC spec literally already provides for ID token encryption in a less stupid way (the client has its own key pair and registers the public key with the identity provider). granted, our client doesn't implement this (because everyone else is fine with TLS), but the customer sure as hell didn't bring it up bonus tangentially related content: i am quite amused that the Azure OIDC implementation has taken the good step of providing client-specific and global unique identifiers that require different permissions (to prevent correlation of accounts across multiple OIDC users), but also mysteriously using plaintext access tokens that apparently include ALL available claims (including, but not limited to, the client-specific identifier, global identifier, and user email address) regardless of what was requested or authorized by the user. the ID tokens only containing authorized claims. their github comments indicate that they intend to encrypt the access tokens sometime in the future.
|
|
#
?
Aug 21, 2019 06:41
|
|
|
ymgve posted:*nervously clicks link, reads article, sees name of site, sighs in relief*
|
|
#
?
Aug 21, 2019 07:02
|
|
|
florida lan posted:one of our customers, who is heavy on the "can you provide us with 'best practices'?" (aka "we have no confidence in what we're doing and hope our vendor will do free tech consulting for poo poo that isn't their product") train would like to add authentication to their APIs they should definitely roll their own crypto op, I lust for secfucks
|
|
#
?
Aug 21, 2019 09:07
|
|
|
|
|
#
?
Aug 21, 2019 12:12
|
|
|
|
| # ? Jun 7, 2024 23:18 |
|
|
should be mandatory on all logins like black box warnings on cigarettes
|
|
#
?
Aug 21, 2019 12:44
|
|
