|
Zamujasa posted:Security Fuckup Megathread - v14.1 - "command and control to major fuckup" fixèd
|
#
?
Sep 26, 2017 22:29
|
|
|
|
| # ? Jun 4, 2024 23:32 |
|
|
https://twitter.com/briankrebs/status/912791399619284992
|
|
#
?
Sep 26, 2017 22:35
|
|
|
and there's still four days left of september 
|
|
#
?
Sep 26, 2017 22:38
|
|
|
Thanks Ants posted:and there's still four days left of september
|
|
#
?
Sep 26, 2017 22:42
|
|
|
|
|
#
?
Sep 26, 2017 23:05
|
|
|
ground zero day
|
|
#
?
Sep 27, 2017 00:11
|
|
|
Wasn't this poo poo the reason we all got chip cards?
|
|
#
?
Sep 27, 2017 00:14
|
|
|
sonic BOOOOOOOOOOOOOOOOM
|
|
#
?
Sep 27, 2017 00:43
|
|
|
mrmcd posted:Wasn't this poo poo the reason we all got chip cards? apparently their systems still didn't have emv enabled as of january this year, so that might still be the case
|
|
#
?
Sep 27, 2017 00:51
|
|
|
Thanks Ants posted:are we at this point yet?
|
|
#
?
Sep 27, 2017 01:07
|
|
|
mrmcd posted:Wasn't this poo poo the reason we all got chip cards? oh is it time for this derail again
|
|
#
?
Sep 27, 2017 01:09
|
|
|
flakeloaf posted:oh is it time for this derail again I mean yeah supposedly the chips are also garbage, but breaking them at least takes effort, as opposed to 'even a brain dead Russian mafioso mule can hoover up and clone a bajillion numbers in one go' that you get with mag stripe.
|
|
#
?
Sep 27, 2017 01:30
|
|
|
mrmcd posted:I mean yeah supposedly the chips are also garbage, but breaking them at least takes effort, as opposed to 'even a brain dead Russian mafioso mule can hoover up and clone a bajillion numbers in one go' that you get with mag stripe. Chips have been out in the wild for like a decade in the EU, Russians have long cracked and economized the process of stripping card data.
|
|
#
?
Sep 27, 2017 01:35
|
|
|
Midjack posted:sonic BOOOOOOOOOOOOOOOOM Step back, Bluetooth’s about to skim your number!
|
|
#
?
Sep 27, 2017 03:25
|
|
|
I've been to a sonic once and all I remember are these weird 80's looking ordering terminals with just magstripe.
|
|
#
?
Sep 27, 2017 07:36
|
|
|
no one should be surprised but twitter's new 280 char limit is only checked client-side
|
|
#
?
Sep 27, 2017 14:29
|
|
|
Wiggly Wayne DDS posted:no one should be surprised but twitter's new 280 char limit is only checked client-side "For twelve years, you have been asking: Who is John Galt? This is John Galt speaking. I am the man who loves his life. I am the man who does not sacrifice his love or his values. I am the man who has deprived you of victims and thus has destroyed your world, and if you wish to know why you are perishing-you who dread knowledge-I am the man who will now tell you." The chief engineer was the only one able to move; he ran to a television set and struggled frantically with its dials. But the screen remained empty; the speaker had not chosen to be seen. Only his voice filled the airways of the country-of the world, thought the chief engineer-sounding as if he were speaking here, in this room, not to a group, but to one man; it was not the tone of addressing a meeting, but the tone of addressing a mind.
|
|
#
?
Sep 27, 2017 14:30
|
|
|
Pikavangelist posted:Step back, Bluetooth’s about to skim your number! holy poo poo.wav
|
|
#
?
Sep 27, 2017 14:30
|
|
|
cinci zoo sniper posted:"For twelve years, you have been asking: Who is John Galt? This is John Galt speaking. I am the man who loves his life. I am the man who does not sacrifice his love or his values. I am the man who has deprived you of victims and thus has destroyed your world, and if you wish to know why you are perishing-you who dread knowledge-I am the man who will now tell you." The chief engineer was the only one able to move; he ran to a television set and struggled frantically with its dials. But the screen remained empty; the speaker had not chosen to be seen. Only his voice filled the airways of the country-of the world, thought the chief engineer-sounding as if he were speaking here, in this room, not to a group, but to one man; it was not the tone of addressing a meeting, but the tone of addressing a mind.
|
|
#
?
Sep 27, 2017 14:38
|
|
|
Wiggly Wayne DDS posted:not quite that interesting, more that anyone can tweet to 280 characters, the old 140 limit is only enforced via javascript ah, gdmamit
|
|
#
?
Sep 27, 2017 14:39
|
|
|
Wiggly Wayne DDS posted:no one should be surprised but twitter's new 280 char limit is only checked client-side "front end web development"
|
|
#
?
Sep 27, 2017 14:41
|
|
|
https://twitter.com/ErrataRob/status/912904724063641602 lol it works too https://twitter.com/BonzoESC/status/913040604233211907
|
|
#
?
Sep 27, 2017 15:00
|
|
|
the longtweets look surprisingly hideous
|
|
#
?
Sep 27, 2017 15:01
|
|
|
cinci zoo sniper posted:the longtweets look surprisingly hideous turn up your brightness
|
|
#
?
Sep 27, 2017 15:03
|
|
|
schranz kafka posted:"front end web development" it's hard to imagine lower security stakes than someone sending a long tweet
|
|
#
?
Sep 27, 2017 15:29
|
|
|
Subjunctive posted:it's hard to imagine lower security stakes than someone sending a long tweet Id even bet someone in Twitter is using the number of people that use the web dev tools to get access as a success/interest metric
|
|
#
?
Sep 27, 2017 15:35
|
|
|
pr0zac posted:Id even bet someone in Twitter is using the number of people that use the web dev tools to get access as a success/interest metric I would take that bet. they know interest is basically 100% (more is better).
|
|
#
?
Sep 27, 2017 15:38
|
|
|
Immanentized posted:Chips have been out in the wild for like a decade in the EU, Russians have long cracked and economized the process of stripping card data. i know the data on the magstripe can be skimmed/shimmed just fine from chip n pin setups, but afaik it can't be used to create another chip card? just a dumb magstripe one? so chip n pin is more secure when it's ubiquitous and using the stripe is such an anomaly that it attracts antifraud attention
|
|
#
?
Sep 27, 2017 15:45
|
|
|
Subjunctive posted:it's hard to imagine lower security stakes than someone sending a long tweet https://twitter.com/gsuberland/status/912995921952157696 
|
|
#
?
Sep 27, 2017 15:46
|
|
|
also can now 100% confirm that the contractor i was talking about previously did not know anything about SSL, or how it worked, or how to use it 
|
|
#
?
Sep 27, 2017 16:06
|
|
|
http://www.cl.cam.ac.uk/research/security/banking/ these are good reads
|
|
#
?
Sep 27, 2017 16:07
|
|
|
coffeetable posted:i know the data on the magstripe can be skimmed/shimmed just fine from chip n pin setups, but afaik it can't be used to create another chip card? just a dumb magstripe one? america isn't implementing chip and pin, we're implementing chip and sign but wait, you ask, doesn't that only make it harder to clone and not actually improve any other security what so ever you would be correct
|
|
#
?
Sep 27, 2017 17:07
|
|
|
duz posted:america isn't implementing chip and pin, we're implementing chip and sign To bounce off of this, it's all about risk transference and less about mitigation. Chip and PIN means the issuers, processors, etc assume more of the risk liability and burden in the even of data exposure or a card breach (PIN is on their part, it's a user-input that is validated by the issuer/acquirer). Chip and Sign is the card holder using really weak validation to effectively make their mark (a 5000 year old method of validation, that offers no deterrence or assurance features). Everybody on the backend is effectively let off the hook completely.
|
|
#
?
Sep 27, 2017 17:15
|
|
|
duz posted:america isn't implementing chip and pin, we're implementing chip and sign moving from stripe to chip reduces fraud in a way that saves the most money moving to mandatory pin increases support costs, increases friction for the user (which means they'll be less likely to swipe and less likely to generate transaction fees) and isn't thought to be as good at saving money because of that security is fundamentally a business decision
|
|
#
?
Sep 27, 2017 17:17
|
|
|
Immanentized posted:To bounce off of this, it's all about risk transference and less about mitigation. IIRC the big push for Chip and PIN in Europe was that it was "secure", so when someone got their account drained it was obviously the customer's fault for not keeping their PIN protected well enough. So there was no risk liability for the banks or processors at all.
|
|
#
?
Sep 27, 2017 18:00
|
|
|
ymgve posted:So there was no risk liability for the banks or processors at all.
|
|
#
?
Sep 27, 2017 18:10
|
|
|
ymgve posted:IIRC the big push for Chip and PIN in Europe was that it was "secure", so when someone got their account drained it was obviously the customer's fault for not keeping their PIN protected well enough. So there was no risk liability for the banks or processors at all. yep
|
|
#
?
Sep 27, 2017 18:12
|
|
|
ymgve posted:IIRC the big push for Chip and PIN in Europe was that it was "secure", so when someone got their account drained it was obviously the customer's fault for not keeping their PIN protected well enough. So there was no risk liability for the banks or processors at all. afaik the liability shift was from card issuers to retailers
|
|
#
?
Sep 27, 2017 18:12
|
|
|
coffeetable posted:afaik the liability shift was from card issuers to retailers Right, that's the Validation bit. Note how the authorization still happens as usual, but I left out authentication. I''m being rather vague as I'm side posting in between summit noes.
|
|
#
?
Sep 27, 2017 18:15
|
|
|
|
| # ? Jun 4, 2024 23:32 |
|
|
evil_bunnY posted:What? Where I live, by law anything you didn't approve isn't your responsibility (this covers skimming, etc), and anything up to 48 hours before you reported your card physically stolen also isn't your problem. same here
|
|
#
?
Sep 27, 2017 18:21
|
|
