Wednesday, April 9, 2008

OpenID? Try Open To ID Phishing

Be aware of the possible downside of single cross-site sign-ons

6 Comments

OpenID does not tout passwords

The statement that "Usernames and passwords ... [are] the model touted by OpenID" is incorrect - OpenID says nothing whatsoever about how the user is to be authenticated. You can use passwords, secure tokens, out-of-band authentication, retinal scans, or no authentication at all. That's a provider policy decision that has nothing to do with OpenID.

The general point that phishing becomes more valuable in a world of OpenID shared credentials is fair enough. On the other hand, shared credentials are already widespread in practice anyway. I'd hope that as OpenID becomes more popular providers will take the lead in providing and encouraging more secure forms of authentication than simple passwords.


Paypal and Skype

I had a recent experience that is very similar... the issue of shared credentials being hacked.

My Skype account was hacked and stolen, and as we had been - until this happened - happy paying Skype users, we had set up the auto-recharge function to add Skype credit from our PayPal account as needed. I am sure you can guess where this is going.

The Skype thief drained $150 from my PayPal before reaching the transfer limit, using it to buy Skype credit on the network for other people.

When I reported this to Skype and PayPal, neither company could give a damn that this happened. Skype outright refused to do anything. PayPal said, sorry, but the charges "look legitimate to us, so you will have to get Skype to reverse it". No big surprise that both companies are a part of the eBay mafia.

Eventually I was able to threaten PayPal enough times that they reversed the charges - but only because I use PayPal in my business, and $150 is about a week's fees. I am amazed it took as long as it did for them to get the business case. As for Skype, they prefer to keep their network for thieves and criminals, rather than having paying customers. No problem. We will never use it again.

So, will I share my credentials on social networking sites?  Not on your life.

I might even go back to a rotary phone.

Phishing Resistant OpenID provider

Interesting post. I would agree that OpenID by itself is not any kind of great leap forward in regards to security. It is up to the OpenID provider to add layers of security beyond a simple l/p.

I work for Vidoop and we run a password-less OpenID provider which addresses many of the concerns you note about OpenID. Instead of a password, each user chooses from a number of "categories", like airplanes, cars or keys. At time of login, myVidoop displays an array of images including an airplane, a car, or a key, along with several other unrelated images. Without knowledge of the secret, the display appears completely random to other observers. The user spots the secret categories known only to him and sees a series of digits that act as the one-time access code. Since other observers do not know the user's categories, they do not know which of the displayed access codes to use as the key. Only the user can interpret the one-time access code from the display.

It's pretty neat technology; we also have a password manager to store your normal logins/passwords...

With regards to spam, I believe once you add a reputation component to OpenID and only allow accounts with a reputation threshold of X to comment, then that will be a valuable tool to help reduce spam. In the meantime I don't see it being any worse or better for spammers than what is currently available.

Cheers,

Kevin
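The category-grid login described in the comment above, modelled as an added example. This is not Vidoop's or myVidoop's code; the image file names, the nine-cell grid, the three-category secret and the `ImageOtpProvider` class are assumptions made for the demo. The server picks one picture from each of the user's secret categories plus decoys, shuffles them, prints a fresh distinct digit on every cell, and accepts only the digits read off the secret categories in the user's secret order, and only once per challenge.

```python
import hmac
import math
import random
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed image pool for the demo: category -> image file names (hypothetical).
# A real provider would hold many images per category so the same picture rarely repeats.
IMAGE_POOL: Dict[str, List[str]] = {
    "airplane": ["plane1.jpg", "plane2.jpg"], "car": ["car1.jpg", "car2.jpg"],
    "key": ["key1.jpg", "key2.jpg"],         "dog": ["dog1.jpg", "dog2.jpg"],
    "tree": ["tree1.jpg", "tree2.jpg"],      "boat": ["boat1.jpg", "boat2.jpg"],
    "house": ["house1.jpg", "house2.jpg"],   "flower": ["flower1.jpg", "flower2.jpg"],
    "clock": ["clock1.jpg", "clock2.jpg"],   "book": ["book1.jpg", "book2.jpg"],
}
GRID_SIZE = 9  # images per login screen; <= 10 so every cell can carry a distinct digit


@dataclass
class Challenge:
    cells: List[Tuple[str, str]]   # sent to the browser: (image file, digit label)
    categories: List[str]          # server-side only: the category behind each cell
    used: bool = False             # a challenge answers exactly one login attempt


class ImageOtpProvider:
    """Server side of the category-grid one-time code (a model, not Vidoop's code)."""

    def __init__(self, rng: Optional[random.Random] = None):
        self.rng = rng or secrets.SystemRandom()   # seedable only for the demo
        self.secrets: Dict[str, List[str]] = {}     # user -> ordered secret categories
        self.challenges: Dict[str, Challenge] = {}

    def enroll(self, user: str, categories: List[str]) -> None:
        if len(set(categories)) != len(categories) or not set(categories) <= IMAGE_POOL.keys():
            raise ValueError("secret categories must be distinct and known to the provider")
        self.secrets[user] = list(categories)

    def issue_challenge(self, user: str) -> Tuple[str, List[Tuple[str, str]]]:
        secret = self.secrets[user]
        decoys = [c for c in IMAGE_POOL if c not in secret]
        shown = secret + self.rng.sample(decoys, GRID_SIZE - len(secret))
        self.rng.shuffle(shown)                             # secret cells land anywhere
        digits = self.rng.sample("0123456789", GRID_SIZE)   # fresh, distinct labels each time
        cells = [(self.rng.choice(IMAGE_POOL[cat]), d) for cat, d in zip(shown, digits)]
        cid = secrets.token_hex(8)
        self.challenges[cid] = Challenge(cells, shown)
        return cid, cells

    def expected_code(self, user: str, cid: str) -> str:
        ch = self.challenges[cid]
        label = {cat: d for cat, (_, d) in zip(ch.categories, ch.cells)}
        return "".join(label[cat] for cat in self.secrets[user])

    def verify(self, user: str, cid: str, code: str) -> bool:
        ch = self.challenges.get(cid)
        if ch is None or ch.used or user not in self.secrets:
            return False
        ch.used = True   # burn the challenge first: a wrong or replayed code never gets a second try
        if not isinstance(code, str) or not code.isascii():
            return False
        return hmac.compare_digest(self.expected_code(user, cid), code)


def user_reads_code(cells: List[Tuple[str, str]], secret: List[str]) -> str:
    """What the legitimate user does by eye: find the picture from each secret
    category, in secret order, and read off the digit printed on it."""
    category_of = {img: cat for cat, imgs in IMAGE_POOL.items() for img in imgs}
    label = {category_of[img]: d for img, d in cells}
    return "".join(label[cat] for cat in secret)


def observer_guess_space(grid_size: int = GRID_SIZE, secret_len: int = 3) -> int:
    """A shoulder-surfer sees the grid but not the categories, so one code is one
    ordered choice of secret_len cells out of grid_size: n! / (n-k)!."""
    return math.perm(grid_size, secret_len)


def demo(seed: Optional[int] = None) -> Dict[str, object]:
    """Enroll a user, log in once, then try to replay the code and to use the
    right categories in the wrong order."""
    rng = random.Random(seed) if seed is not None else None
    provider = ImageOtpProvider(rng)
    secret = ["airplane", "car", "key"]
    provider.enroll("alice", secret)

    cid, cells = provider.issue_challenge("alice")
    code = user_reads_code(cells, secret)
    login_ok = provider.verify("alice", cid, code)
    replay_ok = provider.verify("alice", cid, code)          # same challenge, same code

    cid2, cells2 = provider.issue_challenge("alice")
    wrong_order_ok = provider.verify("alice", cid2, user_reads_code(cells2, ["car", "airplane", "key"]))
    return {"code": code, "login_ok": login_ok, "replay_ok": replay_ok,
            "wrong_order_ok": wrong_order_ok, "guess_space": observer_guess_space()}


if __name__ == "__main__":
    print(demo())
```

Two properties fall out of the model: a captured code is useless once its challenge is burned, and an observer who sees the screen but not the secret faces 9·8·7 = 504 orderings per login. What the model does not give is resistance to a phishing page that relays the live grid: a valid code typed into a relayed screen still buys the attacker one login, so the provider has to bind the challenge to the site the user is really on, which is the point the first comment makes about provider policy.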

Problem with OpenID

I cannot send e-mails since I have OpenID. It presents a series of wiggly combinations of letters and numbers. When I enter the challenge in the provided box, it offers another set of combinations to copy for entry. It will not allow me to proceed past this point. I was not aware that I joined OpenID but I noticed that I have it now.

Can you help me?

Power Spam

I'm personally thrilled at the opportunities OpenID would unlock for blog spam.  I'd only have to defeat one CAPTCHA/Turing Test and I could use my spam account at multiple sites everywhere.


It should bring exponential increases in spam and click farm efficiency.

Password-less OpenID

Regarding credentials theft, it's possible to use a password-less OpenID mechanism: http://norman.rasmussen.co.za/107/xmpp-auth-for-openid/
