On Tue, 18 Dec 2012 17:40:24 +0100, Cédric Beust ♔ <[email protected]>
wrote:
This is another aspect of security that very few people realize: using
different passwords on different sites doesn't make you as safe as you
think.
Your single point of failure is your email account, period. Once a hacker
gets access to your email, they can reset pretty much every single other
account that you own, regardless of how many different passwords you use
for those.
True. But e.g. the procedure for resetting the password to my banks isn't
as easy - they also require some other proof, such as other "secret
information" that has been previously shared, and they involve some phone
call. Still, this can be hacked. The thing that people should do (and I've
only partially done, but I'll fill the gap ASAP) is to have a short
security assessment of the accounts and their recovery procedures. Then
you can try to compare it with e.g. the breach reported by Wired. BTW, if
I remember well, Apple was doing something very stupid in the reset
procedure, and that's why no major corporation will ever have my primary
credit card numbers (for them I use a PayPal card with a very tight credit
cap).
It isn't particularly hard; I think that you just need to classify two
levels: one for the bank accounts and all the things that can cause serious
damage, and the other for all the rest. Then use separate emails. I'm
considering using, for the first class, the "certified email" that has
become obligatory by law in many countries. Not only does the provider
guarantee signing, timestamping and archival (which means it would be
easy to reconstruct an incident, and even prove it), but it's used very
seldom, just for some periodic communications with state agencies and such
(at least in my case). For instance, this means that I haven't
configured my smartphone to connect to it.
I was going to add that some well-designed reset procedures make use of
SMS notifications (e.g. banks), but in this case the smartphone can be
again a single point of failure and some malicious app could hack them.
--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - [email protected]
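The "short security assessment of the accounts and their recovery procedures" discussed above can be made concrete by modelling each account's reset paths as a dependency graph and asking which single asset, once lost, lets an attacker reset the most. The following is an added example, not code from the thread or its authors; the account names, the two layouts (everything tied to one mailbox versus the two-tier split with a certified mailbox) and the recovery rules are constructed for illustration.

```python
"""Added example: find single points of failure in account recovery chains.
Account names and reset rules below are constructed, not real accounts."""

# account -> list of recovery paths. An attacker can reset the account once ALL
# factors of ANY ONE path are in their hands (OR over paths, AND within a path).
# Leaf assets (phone, secrets) have no path: they are only ever lost directly.
ONE_EMAIL_FOR_ALL = {
    "email":  [{"phone"}],                  # mailbox reset by SMS code
    "shop":   [{"email"}],
    "social": [{"email"}, {"phone"}],
    "bank":   [{"email"}],                  # bank tied to the everyday mailbox
    "phone":  [],
}

TWO_TIERS = {
    "email":  [{"phone"}],
    "shop":   [{"email"}],
    "social": [{"email"}, {"phone"}],
    "certified-email": [],                  # recovered in person only
    "bank":   [{"certified-email", "shared-secret", "phone"}],  # all three needed
    "phone":  [], "shared-secret": [],
}

def resettable(compromised, recovery):
    """Return everything an attacker holding `compromised` ends up controlling,
    iterating the recovery rules to a fixed point (transitive resets)."""
    owned = set(compromised)
    changed = True
    while changed:
        changed = False
        for acct, paths in recovery.items():
            if acct not in owned and any(path <= owned for path in paths):
                owned.add(acct)
                changed = True
    return owned

def single_points_of_failure(recovery):
    """Map each asset to the sorted list of OTHER accounts that fall with it alone."""
    assets = set(recovery).union(*[p for paths in recovery.values() for p in paths])
    return {a: sorted(resettable({a}, recovery) - {a}) for a in sorted(assets)}

if __name__ == "__main__":
    for name, graph in (("one email for all", ONE_EMAIL_FOR_ALL), ("two tiers", TWO_TIERS)):
        print(name)
        for asset, lost in single_points_of_failure(graph).items():
            print(f"  lose {asset:16} -> also lose {lost or 'nothing'}")
```

In the single-mailbox layout losing the phone (SMS reset) takes the mailbox and, through it, the bank; in the two-tier layout no single asset reaches the bank, which is the property the assessment is meant to check.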
--
You received this message because you are subscribed to the Google Groups "Java
Posse" group.