I face that all the time as a user of NoScript+Ghostery+Adblock. I have to go through a process of whitelisting trial and error with new websites I come across everyday.
I wish there were a whitelist I could subscribe to that would enable only those domains that are critical to loading content & comments for websites I visit.
Run Disconnect instead of Ghostery. Ghostery had a big fad following a while ago, but it's not actually good for you. Disconnect is much better.
(and stop running NoScript (nobody is designing sites to work for you), just run with Click to Plugin enabled, Disconnect, and ABP)
I've seen a lot of these "I can't see the article until I disable my 40 extensions" complaints recently, but they all work fine with my combination of Disconnect and ABP.
Thanks. I will try Disconnect. [Edited: I'm curious to know why you say Ghostery isn't good for users, and why Disconnect is better?]
To clarify, I wasn't complaining specifically about this article but in general while browsing the web.
Click to Plugin seems to be a Safari plugin, while I am a Firefox/Chrome user. As for ditching NoScript altogether, I'm not sure I'm ready for that yet, especially when I see sites that seem to be loading scripts from a dozen or two domains in addition to their own!
My paranoia comes with a (discomfort) cost attached, I know.
Oddly, I can see it just fine with JavaScript disabled. I do not use NoScript (I use Opera 12 and whitelist sites to allow JS or not via per-site settings[1]). I also have Disqus added to my hosts file (but disabling JS will have the same effect). I would guess perhaps NoScript decides to partially allow some scripts and not others, making for chaos? That just seems like a mess waiting to happen that no developer can 100% predict. No JS or all JS is much easier, but half blocking is not so much when there are dependencies.
However, I realize when sites fail (re-enable JS) and adjust accordingly, as anyone that does such things should if they're blocking content (though I'm used to adjusting since I've been using a browser with a minority user base for years). Alternatively, view it via Google cache search (and add strip=1 to the end to remove all images and JS) and run it through Readability. While I would prefer all sites not to assume, that's not going to happen, and it comes down to whether I care enough to work around it to see the site content or just move along and deem it not worth it.
I use NoScript because essentially every browser exploit in the last decade has had javascript as a necessary component. Running the minimum amount of javascript protects against even zero-day attacks.
I say web developers who put their convenience ahead of my security are bastards.
I block everything or nothing (if a site has that much stuff, I probably don't want anything loading from it, since it's not just third parties that could be problematic; the site probably performs like crap with local stuff too). If I don't trust a certain third party, I just add it to my hosts file, as it's probably common on a lot of sites.
Finding them involves using Opera Dragonfly, Firebug in Firefox, or Live HTTP Headers, a Firefox add-on (or whatever is similar in your browser of choice). Granted, that's not easy for everyone to do, but I think most on HN could do that if they wished. Though that's what works for me and I'm just sharing in response to your request :)
Too late to edit my previous post, but if you would like to see my hosts file list, I can paste it somewhere. Some of it is from other lists and quite a bit is things I add.
Disabling JavaScript lets me read the site without enabling the social stuff. I noticed that the content seems to be there, but then gets removed, presumably by JavaScript.
It means you don't have a social media blocker plugin installed. Ghostery is one example of such a plugin. With Ghostery enabled, the article content on this particular page is invisible. (That's not how it's supposed to work, and I suspect it's due to a mistake on the website's end.)
I'm surprised the article missed the single biggest problem with requesting copies of "identity documents" - the company you send them to has no way to verify them!
In his example they wanted copies of utility bills and a driver's license, either domestic or foreign. Clearly they have no way of verifying the authenticity of foreign driver's licenses from arbitrary countries. At the very best they might have a book that shows samples of valid licenses, but there is no way they can verify the data on the license.
And if they could do it, that would be a pretty serious breach of privacy. The government agency that issues licenses has no business telling arbitrary people if so-and-so lives at a certain address. Back in 1989 the actress Rebecca Schaeffer was shot point-blank at her front door by a stalker who looked up her address at the local dept. of motor vehicles, precipitating a major change in the privacy of license records.
Basically any of these documents can be Photoshopped or even made up completely from scratch, and the company requiring them would be none the wiser.
So, these policies don't improve security for anyone - legitimate customers become less secure and the company is just as susceptible to fraud.
> I'm surprised the article missed the single biggest problem with requesting copies of "identity documents" - the company you send them to has no way to verify them!
I'm not so sure about that. Bars have machines to scan your driver's licence and verify if it's real, so why can't other companies do the same thing?
As for arbitrary licences... they could either not work for the US, or demand passports, which can be verified against someone.
> I'm not so sure about that. Bars have machines to scan your driver's licence and verify if it's real, so why can't other companies do the same thing?
No, those machines don't work that way. They just check for integrity in the physical license itself: hologram in the right place, etc. -- something you can't do with a scanned copy of a license. They don't have a master database that they phone home and check in with to see if the data on the card is forged.
Actually, they do have a database: of the info they read off the cards. The bars use that info for two things: (1) if you are enough of a troublemaker, they put you on the list to reject next time; (2) they also sell all of their card scan info to the data brokers. That's right, places like Equifax, TRW, etc. know the time and date of every time you went to a bar that scanned your ID.
If I saw this in my inbox, I would think it is a phishing attack. By sending a legitimate email like this, Big W is making it much easier for their customers to succumb to phishing.
Paypal asked me for the same data 6 years ago to unblock my account. (I was not a merchant, just doing a purchase on my card)
I told them to fuck off but haven't been able to open a new account since they manage to keep linking such to my old blocked one. They pretend it's for my security as well to protect against fraudulent acts.
It's none of your business. In Denmark the bank will protect us against fraudulent acts.
Related story: After updating to iOS 7, Google Authenticator lost my AWS 2-factor token. The reset process requires me to hand over my drivers license, proof of address, and a notarized affidavit confirming my identity.
As cleartext email attachments.
So anyone who gets into my GMail Sent Items folder has enough to take out loans in my name, get into all my hosting accounts, etc. I requested a GPG public key but the rep didn't have one and wouldn't create one. Wouldn't even let me send an encrypted archive and share the password over the phone. It had to be email attachments or a link. I went with Dropbox so I can at least shut off the link later, but anyone in a position to observe that email could have already downloaded my identity documents.
I appreciate Amazon's resistance to social engineering there, but refusal to use email encryption in the single most sensitive kind of email I will probably ever send is just awful. Companies that require cleartext transmission of proof of identity need to be held responsible for the identity theft that inevitably occurs as a result.
"Fines will be levied in all cases where merchants are the subject of a security breach and upon investigation are found to be non-compliant. The average fines levied for a small merchant total around £15,000 which is payable on top of any forensic investigation and remediation costs."
This is mitigated quite a bit by the extreme difficulty of reporting PCI-DSS violations before they lead to outright fraud.
I believe there is a PCI requirement that a company's system must be evaluated once every three months by a PCI approved vendor to ensure that data is being kept secure.
To me, it seems kind of contradictory, because if a company is being approved by said vendors, then how could they be found non-compliant in a breach? Maybe the quarterly vendor assessment isn't mandatory. *digs through documents*
EDIT: This quarterly scan is by an ASV and only evaluates the network in regards to external IP addresses, so it does not check anything regarding how the data is stored/transferred.
I had to go through a similar process when ordering a machine from an outfit called "Mac of All Trades" (http://www.macofalltrades.com/) recently (on behalf of a client). They requested my driver's license and the front and back of my business credit card.
I went back and forth with their customer support over this. I pointed out how easy it was to use free software to fake the "credentials" they were asking for; I pointed out that the business email address they used to contact me + the business phone number they used to contact me + the business website that listed both + web.archive.org were at least as useful for verification of identity; I pointed out that we order piles of stuff from tons of different vendors and they were one of only two that requested this. They stonewalled and I eventually acquiesced. (They were the only non-eBay source for a machine that this client wanted at anything resembling a decent price.)
I pointed them to SiftScience and Bruce Schneier's article on security theater. In the end it didn't seem to do any good. I was friendly with them about it at the time but have gotten grumpier about it since.
I think I'll send them a link to this article and this thread.
HostGator pulled this exact crap with me. I said forget it and moved on to a different host for a client. I am just SHOCKED, as it was "policy" for them to have a copy of a driver's license/passport and a credit card on file!!!!
HG is generally pretty good, I've been a customer for over 5 years. It sounds like your transaction was flagged which is why they needed more information. I do find it funny/ironic that their "fraud protection" system for billing then raised another issue of ... fraud protection for you as a customer.
Most hosting companies require a driver's license or similar; very few don't anymore.
SoftLayer and Hetzner are the two that I remember needing this; both seemed fine with my expired one that I scanned ages ago (2008 or something). I couldn't be bothered scanning my new one.
But really, it might stop some people but it's easy enough to fake it if you really wanted to do something bad.
HostGator did the same to me too! I also moved on to a different host. Here's the email they sent me when I asked for more info:
Hello, Thank you for your response.
We would like to provide you with an explanation of why we request verification.
If there are any billing discrepancies, missing information, or if the order is selected randomly for fraud prevention, the account is suspended until the verification is complete and an email is sent to the customer asking them to verify the account that they signed up for. We do not obtain anything for marketing purposes and are simply trying to confirm billing details or halt fraudulent accounts. It is our goal to make verification as easy and painless as possible and appreciate your patience.
If you review Section 1 of our Terms of Service, you will see that we do state that we will continue with the set up of your account after we have received payment and we and/or our payment partner(s) have screened the order(s) in question in case of fraud. Additionally, we do require valid contact information and may terminate an account if none is given, but we prefer to request this information from you up front.
We apologize for any inconveniences that may result from this process. This extra verification is done for your security and to ensure that orders are not duplicitous. The web hosting industry, unfortunately, has a high rate of fraudulent orders, and this sort of verification helps us drastically reduce fraud and ensure our customers remain secure.
If you are unable to verify your account with us or do not wish to proceed with the activation of your account, then no further action needs to be taken on your part. We have only authorized the charges and have never fully received the payment. We do not fully receive the payments until an account has been activated. Since we were unable to verify your account we will not proceed with activating the account.
The initial payment made to us will be reversed within 48 hours. If you paid with PayPal, the purchase will be refunded automatically at this time. Though, if you paid with a credit card, the authorization reversal will post to your account typically 5-7 business days after that. The establishment you bank with determines how fast you receive the funds. Once we release the payments, your bank holds the funds until they are able to fully process the transaction and show the amount that you paid in your account.
If you have any questions, comments, or concerns, please do not hesitate to contact us.
Best regards,
[Name redacted]
Senior Verifications and Fraud Prevention Agent
It's scary that this kind of thing ever comes up; you would think this kind of thing is blindingly obvious. Having said that, I seem to recall even PayPal asking me to send them copies of my passport/ID and various other info when there was an issue on my account. I can't recall whether it was by email or uploaded through their site though...
Question: Before writing these articles* does Troy Hunt go through a responsible disclosure with the businesses in question, much like you would if you found a security flaw in Microsoft/Facebook/Google/etc?
Having recently changed my password with PayPal, I somehow doubt they are serious about security. They enforce a maximum length limit, disallow spaces and other "non-printable" characters (!), etc.
The number of sites that disallow "special characters" is annoying me, especially when they "encourage" tough passwords... it would also be nice, before sending me a password reminder, if you reminded me of the rules of your password policy; that is often enough to trigger me to remember my password!
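As an added illustration of the two comments above (this is not code from any participant in the thread), here is a validator of the restrictive kind being complained about (short maximum, no spaces, no punctuation) beside a permissive one that leaves length and character choice to the user, plus a salted PBKDF2 hash showing that the stored value is a fixed 32 bytes whatever the password's length. The function names, the limits and the iteration count are my own assumptions, not any site's policy.

```python
import hashlib
import hmac
import os
import unicodedata


def restrictive_policy_ok(password: str) -> bool:
    """Rule of the kind the comments describe (constructed for illustration):
    8-20 characters, letters and digits only, so no spaces or punctuation."""
    return 8 <= len(password) <= 20 and password.isalnum()


def permissive_policy_ok(password: str, min_len: int = 12, max_len: int = 1024) -> bool:
    """Only a minimum length and a generous ceiling. The ceiling bounds the
    work done by the hash; it is not there to limit what the user may type."""
    if not (min_len <= len(password) <= max_len):
        return False
    # Reject only control characters; spaces and punctuation are fine.
    return not any(unicodedata.category(ch) == "Cc" for ch in password)


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Output is 32 bytes regardless of input
    length, which is why a storage-side maximum length is unnecessary."""
    normalized = unicodedata.normalize("NFKC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalized, salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    # A long passphrase with spaces and punctuation (constructed sample).
    passphrase = "correct horse battery staple!"
    print("restrictive policy accepts it:", restrictive_policy_ok(passphrase))
    print("permissive policy accepts it:", permissive_policy_ok(passphrase))
    salt = os.urandom(16)
    digest = hash_password(passphrase, salt)
    print("stored hash length:", len(digest))
    print("verifies:", verify_password(passphrase, salt, digest))
```

The restrictive check rejects the 29-character passphrase on two counts (length and spaces) while the permissive one accepts it, and the hash is the same size either way. A site that caps length or forbids characters is therefore not doing so because the hashing requires it.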
So say a restaurant wants me to give them my card details to make a reservation, but I'm in a crowded place (like on a train). I offer to email the details and they accept. I know it's bad, but I would rather email my details than say them loudly over the phone and have everyone hear them. Now did they break PCI? Or not, because I was the one who offered to send my details?
How does one send their credit card details securely to a brick and mortar store?
Via email, I know it's insecure, but if unauthorized charges do appear I can (and will) contest them and get a new card, so really the bank is taking on the risk.
The credit card is designed for the use case of reading it out over the phone. Part of the reason they aren't free is that credit card usage includes insurance fees against fraud and such. By design, the credit card is designed to be used in an only "mostly secure" manner.
This goes back to the fact that security is not about building impenetrable walls around the thing being secured, and if there's the slightest breach the security is "failed". It's about raising the costs of penetrating the security above the value of penetration. When computers aren't involved [1], it's "hard enough" to gather enough cards to make fraud worthwhile, and even harder to get away with it. (Not impossible... just "hard enough".)
[1]: One of my favorite personal sayings: "To err is human. To fuck up a million times per second, you need a computer." Fraudulently obtaining ten cards by working as a waiter and stealing them over the course of a day is one thing, stealing 25 million in ten seconds from a computer is quite another.
If it can be read over the phone or written on the outside of mail order catalogs, why is it not OK to send it via email?
Reading it over the phone, people around you can hear it, and say you have children who then go on to use it: are you going to call that fraud (and potentially have something brought against your children)?
Because the physical distance your voice can be heard is a much, much smaller pool of people, and it is safe to assume that it generally excludes credit card fraudsters. edit to add: This is also why it is suggested that you wait until you are off the subway to make a purchase over the phone, for example. Who knows who's listening.
Email is available world-wide. Email is not generally secure, and the message is not protected as it is sent on the wire. It is not very difficult for a determined attacker to harvest your email and scan it for common structured data like credit card details. The potential audience here is much, much bigger and is made up of many sharks.
If your kids use your card it is easy to control; you can probably return the purchases and clear up the matter yourself. If a mob in Russia gets your details and starts making fraudulent charges, chances are either Visa or your bank is going to have to just give you the money to cover the fraud with no realistic recourse of recovering it themselves.
"It is not very difficult for a determined attacker to harvest your email and scan it for common structured data like credit card details."
In particular, let me highlight that "scan" part. The attacker in question is probably not attacking you personally... the hacker is simply spreading a dragnet as wide as possible and running a simple RE over the whole thing. The odds that a hacker is attacking "your" email are low; the odds that your email is part of some dragnet somewhere are non-trivial, in a world of botnets and rampant compromises.
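The scan the comment describes, as an added example (not code from any participant in the thread): a regular expression for 13-19 digit runs with optional spaces or dashes, followed by the Luhn mod-10 check that card numbers satisfy, which drops phone numbers, order references and other digit runs that merely look like a card. It runs over a constructed mailbox snippet containing well-known test card numbers; the sample text, function names and thresholds are my own. The same check, run on outbound mail, is what a merchant or mail provider would use to notice card numbers leaving in cleartext.

```python
import re

# Candidate: 13-19 digits, each optionally followed by one space or dash.
# The lookarounds stop us matching the middle of a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right,
    subtract 9 from doubled values over 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, as a receipt would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every digit run in `text` that has a card-like length and
    passes Luhn. Separators are stripped before checking."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


# Constructed sample mailbox. The card numbers are published test numbers;
# the order/tracking reference is a 16-digit run that fails Luhn.
SAMPLE_MAILBOX = """\
To: reservations@example-bistro.test
Subject: table for 4 on Friday

Hi, card is 4111 1111 1111 1111, exp 11/15, name as on the booking.
Call me on 555-123-4567 if there's a problem.

--
Subject: your order 1234567890123456 has shipped
Tracking ref 1234-5678-9012-3456, the carrier will text you.

--
Subject: invoice
Please charge 5500-0000-0000-0004 for the balance, thanks.
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_MAILBOX):
        print(mask_pan(pan))
```

Of the four 16-digit runs in the sample, only the two real card formats survive the Luhn filter; the phone number never matches because it is too short. Luhn is a checksum, not a secret, so this is exactly as cheap for the attacker as for the defender.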
> I can (and will) contest them and get a new card, so really the bank is taking on risk.
No, the company you are purchasing from is taking the risk (hence why they are asking for the additional info). The company that you purchase from is almost always the one who covers the loss in cases of a chargeback caused by CC fraud, not the bank/CC company.
I'm confused. If I give my card to company A, but somehow along the line someone gets the details and uses it to buy something at company B, and there was no way to link it to company A, how is company A taking on any risk whatsoever?
I believe it's company B, the one who accepted a fraudulent order, that is the one at risk: the company I have no relationship with whatsoever. My only risk is to check if I have charges I didn't make.
Company A to you is company B to someone else. The point is that the risk is not to the bank but to merchants.
For any given transaction the company does not know if they're "company A" and you're a genuine customer, or if they're "company B" being defrauded out of product with stolen details, so all merchants are taking on risk.
Why do people care so much about guarding their personal credit card details?
In the US, at least, there is zero liability to the cardholder for fraudulent purchases made without the cardholder's signature, by law. Reporting fraud is fairly easy, and getting a new card after your details have been stolen is free and takes just a few minutes on the phone. You're without your card for a few days while it works its way through the postal system, but that's why you have multiple credit cards.
Companies need to care about this a great deal because they're potentially liable for a lot in case of problems. But individuals have no real reason to care about the secrecy of their own card details. Yet people are constantly worried about it anyway. Why?
I always go directly to the company's website to give information like this. You can't fall for the dancing bunny if you never, ever respond through email.
That would require them to have an e-commerce presence. I was wondering how one would give it to a brick and mortar store (meaning one without facilities to accept them online securely).
I've had this type of request for certain online things before. I've always assumed it was for the company's security, not mine. While it might be unreasonable for a purchase, if you want secure shell or something on a hosted server, I can see where verifying you are who you say you are would be valuable. I certainly wouldn't hand out shells to random people on my own servers.
Of course, you might use a different method than email to deliver the required documents a little more securely.
Ctrip.com, a Chinese travel site, does this for purchases with a non-Chinese card. I spent a lot of time on the phone explaining why requesting that customers email such information was inexcusable. I've encountered similar problems with badges for site visits at some companies and national labs (which have strict guidelines on PII, including numerous "training courses", but poor implementation and admin staff often overlook the requirements).
Namecheap did this to me a while back. For some reason I must have appeared fraudulent, although I can't imagine why.
They (IIRC) asked for a photo of an ID card with the name of the person on the credit card and a photo of something tying that name to the address provided.
Our drivers licenses have our addresses on them. Sent in a photo of a driver's license with all the other information obscured... So it was just the government's identifying marks, the name, address, and photo. The license number, height, weight, barcode, etc were all obscured. In retrospect, a nice big watermark that said "FOR NAMECHEAP ONLY" would have maybe been a good addition.
It was sufficient for them.
I saw no issues with it as far as a security measure. It wouldn't take much to find my name, picture, or address just digging around online - never mind with access to my email.
It's to verify that you're a real person (the same real person as attached to the bank account) and that you're in the US (or whatever country). There are tax and liability considerations when you're moving money.
Not to mention "Know Your Customer" and Anti-Money Laundering laws for money service businesses. Given that you can't really get "money" out of Mt.Gox at this point in time (only bitcoins), it seems like mostly a formality at this point so that next time the feds come to seize all of Mt.Gox's holdings, they can show that they've been crossing all of the t's and dotting all of the lower-case j's ever since the last time they unwillingly paid $5mil to the government.
In this case, I'm not sure it's intentional (it looks related to how Disqus is embedded), but this is one of several such cases in the last couple of weeks.