HUGE downfall to SecurID, I know, I have one for my work. We use that at AOL, and it is common knowledge that if a hacker were to get your SecurID number by tricking you, which is done at times, they can use a database to figure out the next number, as it has a formula that it uses to get the next number, so if the hacker puts the number into his tool, he'll get what the next number will be.

Granted, they may be up to 59 seconds off, but they could easily get around that. I've seen it happen. The only way to get SecurID to work all the time would be for it to have multiple formulas, actually a lot of them, then go back and forth between the formulas at random to determine the next number; that would therefore make it hard for the hackers to know which formula it used, and they would only have up to 65 seconds (60 + the extra 5 it gives you) to get the correct code. That too would eventually be cracked, but it would work for a while. Again, NOTHING is uncrackable. If a cracker really wants something, and it's connected, there is NOTHING that can stop them, except disconnecting from the web.

I'm not talking about script kiddies who use tools like B.O. or SubSeven. I mean a real renegade hacker, a.k.a. a cracker. They pretty much just leave us alone, and I'm all for that. If you try to make the security REAL tight, that will just attract them; then they'll do it just to piss us off. Kind of like an alligator: if it doesn't know you're there, you're safe, but if you draw attention to yourself, then it's all over. Sure, they may see something they want every now and then, but for the most part they leave us alone.

I am not saying to have no security at all, but don't OVER do it, 'cause it's not really a big threat right now. Sure it can be, but a bigger threat would be to make it HARD to get around, 'cause hackers AND crackers love a BIG challenge. If it's hard for the common average person to do, that is good enough, 'cause if you make it hard for the crackers, then like I said above, you'll be a target from just about every single cracker AND hacker out there. The hackers would just do it, but then do nothing with it, but the crackers would change things; even if they did not change it to own it for themselves, they'd make it to where YOU don't own it, just so you'd know they did it.

Richard.
----- Original Message -----
From: "George Kirikos" <[EMAIL PROTECTED]>
To: "Scott Allan" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, January 24, 2002 2:11 PM
Subject: RE: Some improvements we would like feedback on....

> Hello,
>
> --- Scott Allan <[EMAIL PROTECTED]> wrote:
> > I can commit to exploring enhanced security options for all our
> > registrations - I will send out a draft (once we explore and
> > assemble) for your comment here.
>
> In addition to the digital certificate (client-side, like banking
> clients get from Entrust, etc.) and other suggestions I made earlier, I
> had another that I just remembered. It's a 2-factor security solution,
> from RSA, called SecurID, discussed here:
>
> http://www.rsasecurity.com/products/securid/
>
> Basically, things would work just like now (i.e. one has a standard
> password). BUT, one also is issued a credit-card sized authenticator,
> based on time synchronization. For a picture, see:
>
> http://www.rsasecurity.com/products/securid/hardware_token.html
>
> When logging in, one is challenged to enter the authentication code that
> is generated automatically (based on time) on the authenticator. Thus,
> a malevolent individual needs not only your password, but also the
> physical authenticator (each authenticator generates different time
> codes, and the server knows which are valid). An advantage of this
> system is that it's fairly easy to implement on the client side (i.e.
> send them an authenticator by snail mail), and doesn't require that
> they have Windows or a specific operating system. Brokerage firms tend
> to use these a lot when giving clients remote logins.
>
> Sincerely,
>
> George Kirikos
> http://www.kirikos.com/
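The time-synchronized scheme George describes, as an added example that is not part of this thread and is not RSA's product or its proprietary SecurID algorithm: the open RFC 4226/6238 HOTP/TOTP construction has the same shape (a per-token secret, a code derived from the current time step, a server that knows which codes are valid). The block below shows both halves of that exchange, the token computing a code and the server checking it with a clock-drift window and a replay check. The 30-second step, six digits, the `TokenRecord` class and the drift window of one step are assumptions for illustration; the key in the demo is the RFC 6238 test vector key, not a real secret.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumption: the token rolls over every 30 s (RFC 6238 default)
DIGITS = 6          # assumption: six-digit display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: what the authenticator displays. The counter is the clock divided into steps."""
    return hotp(secret, unix_time // step, digits)


class TokenRecord:
    """Server-side state for one issued authenticator (hypothetical structure, not RSA's).

    Keeps the per-token secret and the highest time-step counter already consumed,
    so a code that has been used once (for example one phished from the user)
    cannot be submitted again even while its time step is still within the window.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_counter = -1

    def check(self, submitted: str, server_time: int,
              window: int = 1, step: int = STEP_SECONDS) -> bool:
        """Accept the code for the current step or up to `window` steps either side.

        That tolerates a token clock that drifts by up to window * step seconds,
        which is the 'a bit off' situation the thread worries about, without
        accepting codes from arbitrarily far in the past or future.
        """
        current = server_time // step
        for delta in range(-window, window + 1):
            counter = current + delta
            if counter <= self.last_counter:
                continue  # this step (or an earlier one) already authenticated: reject replay
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238 SHA-1 test key, not a real token secret.
    secret = b"12345678901234567890"
    now = 59                              # one step past the epoch (counter 1)
    record = TokenRecord(secret)

    code = totp(secret, now)              # what the card would show: 287082
    print("token shows", code, "server accepts:", record.check(code, now))
    print("same code again (replay):", record.check(code, now))
    print("code from a token 30 s fast:", record.check(totp(secret, now + 30), now))
    print("code from a token 60 s fast:", record.check(totp(secret, now + 60), now))
```

The code is a keyed HMAC over the time step, so each token's secret, shared only between that card and the server, is what determines every code it will ever show; widening `window` buys tolerance for clock drift at the cost of more acceptable codes per login attempt, and the `last_counter` check is what keeps a code that was already used from working a second time within that window.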
