Hi James,

Thanks for the response! Please allow me to clarify: the title of the post was a bit of dark humor for the benefit of regular list readers, who are by now used to my ranting a bit about broken account management. Stuart can probably tell you that in the security community "name and shame" is a standard technique (oft the only thing that gets results) and that my application of it with vendors friendly to this list is about as mild as it gets. We've traded emails in the past on the list concerning stealth trackers on the miicard privacy policy page. This was our "second round" so I went with a boxing metaphor and I was hoping you'd get the reference. I wouldn't consider us at odds.

National Planning Corp sent me a plaintext email with account credentials and my SSN during routine maintenance on my account. In discussion with their tech support, I learned it had happened previously and they thought it had been fixed. I'll be reporting the incident to the FTC, the state of NC (which has breach reporting laws) and Privacy Rights Clearing House, plus blogging and possibly screen capture videos. NPC and I are at odds. Huge difference in response. But, in all fairness, miicard asked for credentials to my bank account so I have as much riding on their security as with NPC.

I have these discussions on-list specifically for community awareness. Some of the VRM and Personal Clouds web sites have great account management, TLS on all pages, multi-factor authentication and so on. However, a significant portion of those I've tested do not, and subsequent discussion suggested web site security isn't a core competency of our community at large. I've been having this same discussion on the WebSphere MQ mailing list and have featured security in my conference presentations for many years. It took about 5 years of public discussion before enough customers knew enough and cared enough to demand IBM add some missing security features to the product.
As a consultant I could have quietly fixed one customer's security at a time. The public discussion resulted in a sea change that helped 10,000 customers. Also, if I get hit by a bus tomorrow I hope I've said "OWASP" enough times on-list that people now know how to spell it, can spot broken account management when they see it, and will apply community pressure to raise the floor on what is considered acceptable web site security, especially as new participants come on-line.

If I understand your reply re the URL thing, it seems like someone will look into it. My main point here was that everything visible on the marketing and sales side, as well as the company info page, shows a human-readable URL but that ordinary users upon receiving their card find a short string with a hash value. It's either a matter of managing expectations or "whoops, we put the wrong URL on the card!" Either way, not a big issue, just an annoyance. However, I've invested many hours in trying to get the miicard verifications done and the card usable so I figured I was entitled to a little grousing.

My understanding of the SSL Labs test is they confirm the BEAST vulnerability by actually executing it part way. Possibly a false negative, but when I reported it to two banks, they immediately updated their configuration and raised their grades to an A. There have been many such reports. If we apply the "what's more likely" test, either it isn't a false negative or else a lot of banks and high security web sites recently made their security *worse* in order to upgrade their Qualys rating. That doesn't discount the testing you described, but Qualys does seem a credible source and not casually dismissed. I leave it to your team to do the due diligence on the SSL config but in any case, a "B" isn't that bad considering the choices are between BEAST exposure or a relatively weak cipher since TLS is pretty much broken at the moment anyway. I'm not terribly worried about BEAST.
I'm also actually not worried about One Time Password over SMS. OTP over SMS is fairly weak but when combined with account management that isn't broken the two are quite good. What I was attempting to point out was that the combination of the weaknesses in miicard's account management and those inherent in OTP over SMS add up to the real possibility of account takeover. I would not recommend anyone checking their miicard account whilst at Defcon, for example, lest they end up on the Wall of Shame. Half the people in the room at that conference possess both the SMS hacking and network hacking skills to pwn the account.

What I am worried about is that the moment someone (not necessarily that user) runs password recovery the password is changed and locks the user out of their account. I'm sympathetic to the usability concerns but the ability for strangers to lock you out of your account *is* a usability issue. Most high-security sites send a recovery email that says approximately: "Someone tried to reset your password. If it wasn't you and it only happens once, then it was most likely a mistake and you need not take any action. If it happens more than once, please report it to us immediately." The result is that an unsuccessful account takeover raises an alert but does not otherwise impact the account. On the other hand, with miicard an unsuccessful account takeover locks the account immediately. And if the object is not takeover but to lock the account, mission accomplished. Bad guy wins.

The answer here isn't to refer advanced users to Yubikey or other 2 Factor Authentication. The answer is to raise the bar so that you don't have to be an advanced user to get account recovery that doesn't let strangers lock you out of your account and create an opportunity to intercept your password and OTP. Glad to hear this will be reviewed next week. Looking forward to seeing what develops.
I'm a miicard user and booster, genuinely interested in contributing to its improvement over time.

-- T.Rob

From: James Varga [mailto:]

First of all I just wanted to thank you for taking the time to look at the service and spend some time with it. We are always looking for constructive feedback as we try, with everyone else in the industry (and the respect network), to push for more trust and security online. I'm also sorry if I missed something but I wasn't aware that we were at odds? Maybe you could let me know why you felt it was necessary to name check those involved? I'm more than happy to spend time with you and get your feedback personally. I'm also not sure what can be fixed for tomorrow or indeed what is broken. I'll catch up with Stuart and Jenna on Monday but I wanted at least to reply on the mailing list here first.

There are a few things I can quickly clarify for you. The first is with regards to the short URL. This was originally intended for the QR codes (to keep the URL short) and is currently restricted to a few characters. We have some unreleased functionality that we have been working on to support full URLs for public profiles but this isn't released yet. If the point of your post was to get a customised one then I'm happy to sort that out as a supporter of miiCard. Again however this functionality isn't released to our members yet. There are a few other 'non elite' users that have these so again happy to sort this out for you but please remember it will change in the future and this was just really for the card image. The intended URL would be the full card image such as my.miicard.com/card/james.varga which as you can see is pretty friendly in itself.

In regards to the BEAST attack I'll have to check but I believe this is a false negative reading as we are hosted on Azure with the latest Server 2008 Guest 2.14 where the Beast vulnerability was patched in MS12-006 in the 2.10 platform. We do go through regular security audit and a penetration test so would be very surprised if this was undetected by Microsoft, ourselves or our security company.

With the password system there is always a balance between usability and security. This is something that I'll raise with the team this week. The reason we support other authentication services such as Yubikeys is to offer more options for our users. If you are worried about use of OTP over SMS then I suggest you configure your account to use this or Toopher. If you have any other suggestions on third party auth services then we can put it on the list and look to integrate in future releases.

Finally thank you again for taking the time to look at the service. I'm personally disappointed that you had to take such an aggressive stance on providing feedback as you seem like you were just trying to help. I'll get back to you about the password process early in the week.

Regards,
James

From: T.Rob

In my never-ending quest to make the world make sense, I have turned my attention to miicard.com once again. They are pretty good, use HTTPS where it counts, don't email my stored password around, and I even let them verify bank accounts. But they are not without some issues. Some cosmetic, some functional and urgent. In the interest of cutting to the chase, I've emailed James Varga (CEO) & Stuart Fraser (CTO) links to this post. I expect these will all be fixed by tomorrow. :-)

Or if you don't like me tracking your clicks: https://ioptconsulting.com/duking-it-out-with-miicard/

Stuart, James, I can't imagine that you aren't on this mailing list but if you are not and wish to reply on-list, you can sign up at: http://cyber.law.harvard.edu/projectvrm/Mailing_list

-- T.Rob
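The two recovery designs T.Rob contrasts earlier in the thread (a reset request that immediately changes the password and so locks the real owner out, versus one that only notifies the owner and leaves the credential untouched until the holder of a short-lived, single-use token completes the change) as an added Python sketch. This is not miicard's code and was not posted by anyone on the thread; the `Account` class, the in-memory `outbox` standing in for email delivery, `TOKEN_TTL` and `ALERT_THRESHOLD` are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed for this example: a minimal in-memory account record.
# A real system stores a slow password hash and a hash of each reset token,
# never the plaintext shown here.
@dataclass
class Account:
    username: str
    password: str
    email: str
    reset_tokens: Dict[str, float] = field(default_factory=dict)   # token -> expiry time
    reset_requests: List[float] = field(default_factory=list)      # timestamps of requests
    outbox: List[str] = field(default_factory=list)                # stand-in for sent emails


def authenticate(acct: Account, password: str) -> bool:
    """Constant-time comparison so a wrong guess does not leak by timing."""
    return hmac.compare_digest(acct.password.encode(), password.encode())


def weak_request_reset(acct: Account) -> str:
    """The behaviour criticised in the thread: anyone who submits a reset
    request rotates the credential, so the legitimate owner is locked out
    and the new secret is now in transit where it can be intercepted."""
    new_password = secrets.token_urlsafe(12)
    acct.password = new_password
    acct.outbox.append(f"Your password has been reset to: {new_password}")
    return new_password


TOKEN_TTL = 15 * 60        # assumption: reset token valid for 15 minutes
ALERT_THRESHOLD = 2        # assumption: second request in a day changes the message
ALERT_WINDOW = 24 * 3600


def safe_request_reset(acct: Account, now: float) -> str:
    """The pattern T.Rob describes: an unsuccessful takeover attempt raises an
    alert to the owner but does not change anything about the account."""
    acct.reset_requests.append(now)
    token = secrets.token_urlsafe(32)           # high-entropy, unguessable
    acct.reset_tokens[token] = now + TOKEN_TTL
    recent = [t for t in acct.reset_requests if now - t < ALERT_WINDOW]
    if len(recent) >= ALERT_THRESHOLD:
        acct.outbox.append(
            "Someone has requested a password reset for your account more than once. "
            "Please report it to us immediately.")
    else:
        acct.outbox.append(
            "Someone requested a password reset for your account. If it wasn't you "
            "and it only happens once, it was most likely a mistake; no action is needed.")
    # The token would be sent to the owner's verified address; the request itself
    # never changes the password.
    return token


def safe_complete_reset(acct: Account, token: str, new_password: str, now: float) -> bool:
    """Only the holder of a live token can change the password. Tokens are
    single-use, expire, and every outstanding token is revoked on success."""
    expiry: Optional[float] = acct.reset_tokens.pop(token, None)   # pop => single use
    if expiry is None or now > expiry:
        return False
    acct.password = new_password
    acct.reset_tokens.clear()          # an older token cannot undo the new password
    acct.outbox.append("Your password was changed.")
    return True


if __name__ == "__main__":
    a = Account("alice", "correct horse", "alice@example.invalid")
    weak_request_reset(a)
    print("weak design, owner still logs in:", authenticate(a, "correct horse"))

    b = Account("bob", "correct horse", "bob@example.invalid")
    tok = safe_request_reset(b, now=1000.0)
    print("safe design, owner still logs in:", authenticate(b, "correct horse"))
    print("stranger completes with guessed token:",
          safe_complete_reset(b, "guess", "pwned", now=1100.0))
    print("owner completes with real token:",
          safe_complete_reset(b, tok, "new passphrase", now=1200.0))
```

The test of the design is the middle step: a stranger who triggers recovery, or even guesses at a token, leaves the owner's password working and produces an alert in the owner's mailbox, whereas the weak variant fails that test on the very first request.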