Tag: Security

An exciting Sunday

So we had a nice breakfast – some nice apple smoked bacon from Trader Joe's, my special scrambled eggs, and some grill-toasted French bread.

Then a realization was made: we didn't have any toilet paper or paper towels. That's a crisis.

Booked a car for a couple of hours, got to the car, and realized I'd locked us out of the house. Hence the excitement.

But I'm the confident one – even at work they remark that I'm the most confident person leading I.T. they've ever had. And it carries into regular life. I'm pretty damned sure of myself. I'd have made a really good con artist, but I have too much integrity for that. But Someone was getting nervous, and I tried to reassure him that we'd get into the house. If you're reading this you can be certain we got into the house.

One of his worries was what if someone called the police. I had my ID on me, and it shows the same address. And knowing what I know, the local gendarmerie would likely have assisted.

But you see, I learned a few things way back when I worked at the Rhode Island Department of Attorney General vis-à-vis how to break into a home, among MANY MANY other things.

And of course my lock pick kit was on the other side of the locked door. I suppose I should start carrying a rake and a torsion wrench with me at all times, and maybe a shallow pick. Never know when I might have to practice the art. But I digress.

What I learned was that you can do all you want to secure a space, but there are always vulnerabilities. In my case it was the south-facing dining room window – it was unlocked. And the screen window latches – all you had to do was push in the carrier rod and lift the screen, then the window. Had to swing the gate over, boost myself up on that, and go through the window after handing out the plants that reside in said window. Walked to the door, grabbed my keys, and then opened said door.

I did mention that had that not worked, we'd have had to break some glass. Alas, it didn't come to that.


Related – on Securing debit and credit cards

I wanted to elaborate a bit on the PIN side. Six digits buys you a million (10^6) possible PINs. With the code changing every 30 seconds, an attacker who wanted to be certain of hitting the current value would have to run through all million PINs inside that window, which works out to 33,333 PINs per second. That's not impossible for a machine, but it's well beyond the reach of most people, and an issuer that locks the card or throttles attempts after a handful of wrong PINs takes it off the table entirely. Note that the window doesn't change the odds of a single guess: any one try has a one in a million shot at the live code regardless of how long the code is valid.

And even at that rate there's no guarantee you'll break the PIN. It would be far better to know the secret the PIN is generated from. That's what happened to RSA recently: someone got hold of the material the SecurID tokens derive their codes from (the per-token seeds; the algorithm itself is not what protects the code). The response was to change the something-you-know portion from 4 characters to 8. That's four orders of magnitude more candidates (10^4 to 10^8), or so they think. A longer PIN does nothing for a token whose seed is known, though: then the tokencode is free and the PIN is the only thing left to guess.

But with all of that in mind, I'll revise my suggestion. To make a transaction you must be in physical possession of the card, know your regular 4- to 8-digit PIN, and have the six digits from the authentication app. It would be programmatically trivial to let the PIN you know be prepended, appended, or placed in the middle of the six generated digits. That makes the composite 'PIN' 14 positions long if we choose an 8-digit PIN, which is 10^14, a hundred trillion, possible values. Keep the same 30-second limit on the authentication code and an attacker would have to scan 3,333,333,333,333, 3.3 trillion, per second to be sure of covering them all. Now we're talking. Two caveats, though. Letting the static PIN move around buys almost nothing: the issuer accepts any of the three layouts, so the attacker just picks one, and it's the 14 unknown digits doing the work. And if the static PIN has already been skimmed, only the six changing digits are left, so we're back to a million candidates and 33,333 per second; in that case the one-time code, not the composite, is what carries the load.

If they really wanted to secure Credit and Debit cards

It would be fairly trivial to implement. At this point even WordPress does it – offers two-factor authentication. All you have to do is install Google Authenticator on your phone, turn on two-factor and presto: username, password, and a six-digit, ever-changing PIN. The part the bank would own is the same part WordPress does behind the scenes: provision a per-card secret (the seed) into the app or token, keep a copy on the issuer side, and have the issuer, not the terminal, check the code against its own clock.

So I read that they want to force all credit card transactions to use a PIN. That will partially solve the problem, but not if someone has a skimmer on the POS terminal, which has been happening with alarming frequency lately: a static PIN typed into a compromised terminal is captured right along with the card data. One tell that a business's terminals got hacked at the end-node level is a sudden rollout of all new terminals, though other businesses replace theirs for ordinary reasons too. I note Trader Joe's and even Wally World are doing that now.

But we could eliminate even that potential if we implemented either Google Authenticator or an RSA token, or, even better, if Google produced their own token that didn't have to rely on having a cell phone. Just have the banks issue them with the cards.


The beauty of this is that the PIN would change every 30 to 60 seconds. So even if they were skimming, there's no way they're going to hit on a PIN that has a 1:1,000,000 shot in that short time span. The one rule the issuer has to enforce is that each code is good for exactly one transaction: a skimmer that captures the six digits along with the card data can still replay them inside the same window, and that replay has to be rejected rather than treated as a second legitimate use.
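To make the composite-PIN proposal above concrete, here is an added example (my code, not anything from the post or from any issuer) that generates the six-digit code as a standard RFC 6238 TOTP, accepts the static PIN in any of the three layouts the post allows, rejects a replayed code within its window (the skimmer case), and computes the brute-force rates quoted above. The eight-digit PIN, the layouts, the single-use rule and the `Issuer` class are my assumptions; the seed is the RFC 4226 test vector so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Assumed scheme parameters (an illustration of the post's proposal, not an issuer's spec):
# a six-digit RFC 6238 TOTP with a 30-second step, plus an eight-digit static PIN.
OTP_DIGITS = 6
STEP_SECONDS = 30
PIN_DIGITS = 8

# Constructed per-card secret: the RFC 4226 test seed, so the codes below are checkable.
CARD_SEED = b"12345678901234567890"
CARD_PIN = "31415926"  # constructed static PIN, assumed to be 8 digits


def totp(seed: bytes, now: int, step: int = STEP_SECONDS, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1, dynamic truncation) over now // step."""
    counter = now // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def composite_layouts(pin: str, code: str) -> set:
    """The three layouts the post allows: static PIN before, inside, or after the OTP."""
    mid = len(code) // 2
    return {pin + code, code[:mid] + pin + code[mid:], code + pin}


class Issuer:
    """Hypothetical issuer-side check for the composite PIN. Each OTP window is single-use,
    so a composite captured by a skimmer cannot be replayed even within the same 30 seconds."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin = pin
        self.used_windows = set()

    def verify(self, entered: str, now: int) -> bool:
        window = now // STEP_SECONDS
        if window in self.used_windows:
            return False  # replay inside the window: exactly what a skimmer would submit
        if entered not in composite_layouts(self.pin, totp(self.seed, now)):
            return False  # wrong PIN, wrong code, or a code from another window
        self.used_windows.add(window)  # a failed attempt does not consume the window
        return True


def effective_search_space(pin_known: bool) -> int:
    """Worst-case guesses for a brute-forcer. The issuer accepts any layout, so the attacker
    picks one and the movable PIN adds nothing; only the digits they do not know count.
    Once the static PIN has been skimmed, just the six OTP digits are left."""
    unknown_digits = OTP_DIGITS if pin_known else PIN_DIGITS + OTP_DIGITS
    return 10 ** unknown_digits


def guesses_per_second(space: int, window: int = STEP_SECONDS) -> int:
    """Rate needed to exhaust the space before the code rolls over."""
    return space // window


if __name__ == "__main__":
    issuer = Issuer(CARD_SEED, CARD_PIN)
    now = 59  # RFC 6238 test time: counter 1, whose HOTP value is 287082
    code = totp(CARD_SEED, now)
    print("OTP:", code)
    print("first use:", issuer.verify(CARD_PIN + code, now))       # True
    print("replay:   ", issuer.verify(CARD_PIN + code, now))       # False, same window
    print("next win: ", issuer.verify(CARD_PIN + code, now + 30))  # False, code changed
    for known in (False, True):
        space = effective_search_space(known)
        print(f"PIN known={known}: {space:,} candidates, {guesses_per_second(space):,}/s")
```

The two rate figures it prints are the post's 3.3 trillion per second and 33,333 per second; the second one is what remains after a skimmer has the static PIN, which is why the single-use check in `verify` matters more than where the PIN sits in the string.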