[PLUG-TALK] Challenge Question Authentication Holy S***!

Keith Lofstrom keithl at kl-ic.com
Mon Apr 4 19:38:59 UTC 2016


On Sun, 3 Apr 2016, Keith Lofstrom wrote:
> The problem is, most websites use the same short list of security
> questions, like "what was the name of your first pet?" and "what was the
> name of your elementary school?"

On Mon, Apr 04, 2016 at 06:03:47AM -0700, Rich Shepard wrote:
> Financial institutions in particular should all authenticate by
> sending a one-time 6-digit number to the user's telephone. 

You may be assuming your phone is secure.  I am a hardware
designer, who shut down "smart" phone internet access 
until our provider tardily patched the Stagefright exploit.
Vastly more weaknesses and even intentional exploits can
be wired into the chips themselves.  Got schematic?

I shudder to think of what else is hidden in those small
but hugely complex devices, and what happens when data
collected from those other exploits is used by an angry
anti-Snowden or millennialist zealot still working for
Google or Apple or the NSA. 

Human beings are hackable as well, but a network of
trained, skeptical, and competing specialists is probably
less hackable than any machines or software we can build.
Humans result from billions of years of successfully
avoiding Not Being Eaten, though most of us (as always)
will fail the next round.

Besides, when robots replace jobs, our jobs become doing
what robots are worst at.  As hard as it is for a near-
Asperger's geek like me to understand, most people are
much better at "suspicious" than I am, and some have
trained themselves to be excellent.  Welcome to the
future of employment.

Keith

-- 
Keith Lofstrom          keithl at keithl.com


