Comments on: When Security Increases Exposure to Risk
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/
Tech News for Marketers
Sun, 05 Feb 2012 21:44:22 +0000

By: "Cursed" Download Full Movie
Wed, 13 Apr 2011 16:03:31 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-7035

Great blog! Download: Prancer - Watch Prancer movie Online

By: fast cash pawn
Sun, 03 Apr 2011 07:10:05 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-7021

This is too guide. I have to say I love reading this article lots. It will help me to become better grasp on the subject. It is very well published. I shall definitely see this kind of content so engaging. I hope you are able to grant more someday.

By: Quinn Balasubramani
Mon, 15 Mar 2010 10:09:24 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-6988

My mortgage repayments already are behind, do you encourage anything?

By: Brad Niksich
Tue, 22 Dec 2009 21:44:56 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-6977

Thank you for the reasonable critique. Me and my neighbor were just preparing to do some research about this. I am very glad to see such great information being shared freely out there.

By: Robert
Tue, 03 Jul 2007 21:05:56 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-207

It seems the right answer is to hash the information yourself (pick something that hashes to a reasonably easy to remember value, at least in the last few digits) and supply the hash as your answer.

Also, there is no value in the answer matching your actual history, just in you being able to match the answer you previously provided. I would be tempted to pick ‘first girlfriend’ as the question and provide the name of the first associate at the institution in question, that you dealt with. This should be possible to remember - or to recover, in case of forgetting, and tied to the individual institution, hence limiting the exposure. If you only supply a hash of that value, it is double-blinded.

If you REALLY want to get fancy, supply a hash of encrypting the value plus a timestamp, hashed, with your private key - that way only you can convince yourself of the correctness of a specific value later. And that way you can update the answer by hashing the value with a new timestamp. But I think this is way beyond the level of justifiable complexity…

By the way, assuming that no human reads this before posting, the name and address above are fake, of course. I am, indeed, paranoid… But you know the old joke: just because you are, it does not mean they are not after you.

By: Patricia
Fri, 01 Jun 2007 23:00:11 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-141

Sort of related rant. You know what bugs me about site registrations? Why do they need my physical mailing address? I’m talking about sites that make it a required field. It’s not for verification or log-in purposes. The only explanation is that they’re selling a list to a direct mail company or the like. I’m sure many of us have invented a fake address or decided not to register in such cases.

By: Kelly Sparks
Fri, 01 Jun 2007 02:01:14 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-136

Chris:
You are welcome. I agree with you that the enterprises at large are starting to get a bit too personal. Really all they are doing is digging in deeper and asking more personal information. Over time this new information will not be enough to protect you from identity theft since it’s just more static information about you that is ultimately tied to your other personal information. Masking via hashing helps of course, but phishing schemes are getting better all the time and they will just update their sites to include the new questions…

Thanks for your post.

Kelly

By: Chris
Thu, 31 May 2007 15:46:24 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-132

Kelly–

That’s a great point. Thank you. I certainly hope CountryWide uses hashing to store responses as one of many layers of security.

And yet, from a marketing and consumer perspective, I still think what they’re doing is a mistake. I think that consumers should be learning more and more how to protect their identity by not giving potentially sensitive data out, and they can start by thinking very critically about what data their financial services companies should be asking. I think, from the perspective of leveraging security as a major brand attribute, CountryWide should be leading their customers on this front, not encouraging them to give up unnecessarily personal data just because it’s requested.

Just my cranky opinion. :) Thanks for the response.

/chris

By: Kelly Sparks
Thu, 31 May 2007 11:30:35 +0000
http://www.marketingrev.com/2007/05/30/when-security-increases-exposure-to-risk/#comment-131

You should inquire if CountryWide uses hashing to store your “secret” answers to the personal questions. Hashing is a typical strategy to mask known information into something that is unique, but not identifiable in and of itself. For example, many web sites use hashes for Passwords. Let’s say you use yyyPWyyyy.
In the Database, these are converted to hashes that are one way only cryptographic function: See details here [http://en.wikipedia.org/wiki/Hash_function]. Once this is stored, the company actually does not have your original PW and can not recreate it if they tried. The new hashed key is used to access your information, but the only way to derive that key - is from the password yyyPWyyy which only you know. This is why so many websites can only send you a temporary “new” password when you forget yours, because they don’t know your current password. If someone got ahold of your hashed PW, it can’t be used to access your information on the site because it will be hashed a second time during login - which would be wrong.

So on to the personal questions.. If they use hash functions to store the answers, you should be OK - because once they store it, it can’t be used by anyone for any reason, and can’t be recreated except by knowing the original input. BTW = a hash for yyyPWyyy is: BF0EF9995638B4BB57A537C13F7C011F

I hope this helps..
