Attention Discovery Card: 2006 called. They want their PIN reset procedure back.

DiscoveryCard are giving human beings access to your PIN when they reset it. On top of this they actually call you and read you your new PIN *over the phone*.
In an age where SIM-swap banking fraud syndicates infiltrate mobile phone operators, I don’t believe this is a very prudent or secure thing for DiscoveryCard to do.

And the convoluted process also takes anything up to 48 hours. Welcome to the modern fast-paced world of technology.

I discovered this by having the misfortune of my PIN being blocked – something I’m not willing to take responsibility for either: VISA Online Secure/Verified by VISA was down on Tuesday as I attempted to make online purchases. The transaction failed a number of times before I gave up and called Discovery, which redirected me first to FNB and then back to another call centre agent, who confirmed that the stupid VISA verification service (which, by the way, only actually protects the bank, not the consumer) was down. It came back later in the day and I completed my online transaction.

Later that evening I may have mistyped the PIN once while paying my bill, and then used the correct PIN, but suddenly it was already blocked. I proceeded to try a few more times before I saw a flood of text messages about a blocked PIN – please contact Discovery during office hours. I know I used the correct PIN because it’s a new one and I had it written down. I suspect this is linked back to the Online Secure problems.

After trying the Discovery website and FNB online banking and getting shoved from link to useless link I became aware the PIN reset functionality that was previously available online was no longer there, although there were many stale and outdated links still suggesting the feature. So I called Discovery, gave them answers to the really basic security questions they use to verify one’s identity, and then was told a PIN reset had been requested, and would occur at midnight. I figured I could survive for an evening without this credit card, but the next thing I heard blew me away:

Within 48 hours someone from Discovery Card would phone me and read my new PIN to me over the phone!

But that’s my PIN! My PIN. MY PIN! The most personal 4 digits in my financial existence. How can they let some stranger see my PIN? And read it to me. What if I don’t change it? Then that PIN exists in someone’s memory. And what if the telephone line is not secure? Wait, I know the telephone line is not secure! Run that by me again: Someone will call and read you your new PIN. Haha, Get out!

This shocked me, so I asked Discovery about the insecurity of this process on Twitter:

and received this reply:

This is crazy. This is a human element introduced into a system that third persons do not belong in. Anybody with devious intentions could get a PIN out of that department easily. Surely these people go to lunch? Or they go home at night? They leave the building at some stage at least, and remembering a 4 digit number for a short period is trivial. Or one could steal a document. Or they could just phone the “wrong number” and give the PIN out that way. There are so many other ways to compromise this system. And even if all the staff are 100% honest, they’re still susceptible to blackmail.

Previously one could just manage one’s PIN online. It was a simple secure transaction between you and a cool patterned printed piece of paper that cleverly concealed the PIN. Or it was between you and the computer. Nobody else’s eyes were involved or could get involved.

I can’t believe Discovery have stepped so far backwards. Honestly, it’s a joke.

But still, I guess I’ll wait for my PIN, and then change it at an FNB ATM.
What’s that? Capitec have a credit card account now? Aha.

politics Rants Security Technology Web

FIFA World Cup Durban Site Cookie Fail

Apparently the 2010 Durban FIFA World Cup site cost 6.5 million bucks to develop. Yeah. R6.5 million. R 6 500 000. I’m making that a tax deduction on my IRP5 next year.

I asked for more details, but only time will tell if they release that info.

Anyway, according to their Privacy Policy the site does not use cookies. Firefox has something else to say about that.

Durban 2010 Website does make use of cookies.

It doesn’t really matter, but it adds to the general feeling of incompetence coming from Adapt-IT, the site “developers”.
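The kind of check that turns a browser screenshot into a repeatable finding, as an added example (not code from the original post): parse a raw HTTP response, list every cookie its Set-Cookie headers set, and note which ones lack the Secure, HttpOnly or SameSite attributes. The response used here is a constructed sample, not anything captured from the Durban 2010 site or any other real server.

```python
"""Check what cookies an HTTP response actually sets, and how safely.

Added example, not code from the original post. The raw response
below is constructed for illustration; it was not captured from the
Durban 2010 site or any other real server.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: a response whose privacy policy might claim
# "no cookies" while its headers set two of them.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Expires=Wed, 21 Oct 2015 07:28:00 GMT; "
    "Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "hello"
)


@dataclass
class SetCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or True for flag attributes
    attrs: dict[str, str | bool] = field(default_factory=dict)

    def is_session_cookie(self) -> bool:
        """No Expires/Max-Age means the cookie dies with the browser."""
        return "expires" not in self.attrs and "max-age" not in self.attrs


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie value of the form 'name=value; Attr=val; Flag'."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return SetCookie(name.strip(), value.strip(), attrs)


def cookies_from_response(raw: str) -> list[SetCookie]:
    """Return every cookie set by a raw HTTP/1.x response (headers only)."""
    head = raw.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            found.append(parse_set_cookie(val.strip()))
    return found


def sets_cookies(raw: str) -> bool:
    """The one-bit check behind a 'this site does not use cookies' claim."""
    return bool(cookies_from_response(raw))


def audit_cookie(cookie: SetCookie) -> list[str]:
    """List the weaknesses a reviewer would flag on one cookie."""
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("no Secure flag: sent over plain HTTP too")
    if "httponly" not in cookie.attrs:
        findings.append("no HttpOnly flag: readable by page scripts")
    if "samesite" not in cookie.attrs:
        findings.append("no SameSite attribute: sent on cross-site requests")
    return findings


def audit_response(raw: str) -> dict[str, list[str]]:
    """Map each cookie name the response sets to its findings."""
    return {c.name: audit_cookie(c) for c in cookies_from_response(raw)}


if __name__ == "__main__":
    print("sets cookies:", sets_cookies(SAMPLE_RESPONSE))
    for cookie_name, findings in audit_response(SAMPLE_RESPONSE).items():
        print(cookie_name, "->", findings or ["ok"])
```

Feed it the raw response from `curl -i` (or a saved browser capture) instead of the sample and the output is the list a privacy policy should have been written against; a session cookie like the constructed `PHPSESSID` one, set without Secure or HttpOnly, is the sort of thing that contradicts a "no cookies" statement and is worth a finding on its own.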

Hacking Security Technology

Ph33r the D0n th4t i5 LowVoltage [FUD]

[Image: Bruce Sterling, author of The Hacker Crackdown, via Wikipedia]

Here’s one that’s good for a laugh. This ‘LowVoltage’ guy sounds pretty evil. Shew!

The ‘Low Voltage’ hackers

He runs with the name “Low Voltage” and is the don of South Africa’s underground movement of techno trouble-stirrers who could, with the click of a mouse, cause your company to fall into the 90% bracket of enterprises which will suffer significant financial loss by 2005 through breaches in security.

Delegates attending a presentation on computer hackers, hosted by the KwaZulu-Natal branch of the Institute of Directors, in Durban on Wednesday, were told there was a huge hacking community in South Africa run by someone who calls himself “Low Voltage”.

This information – along with other shocking statistics – was released by Pragasen Morgan, assistant manager of Global Risk Management Solutions, a security division of PricewaterhouseCoopers.

“They meet regularly in Johannesburg to share information, programs and secrets as well as methods and passwords for hacking into certain systems. They work together to overcome different types of security measures,” said Morgan.

Although Morgan couldn’t give any more details on the dark dealings of this group, he did say that there were a number of local “vendors” from whom you could easily pick up the tools for hacking.

“At the end of last year hacking activity increased by 40% worldwide. Hacking among South African corporations is on the increase, but companies won’t talk about it because they run the risk of being branded an unsafe company.

“For example, in financial institutions people would fear leaving their money or information with a company that has been hacked.

“There are a number of local sites where programs can be downloaded, and there are even more advanced international sites which I’d rather not mention because the information available is far too dangerous for people to get hold of,” he said.

You H4ve B33n H4cked (you have been hacked) is just one example of a less vulgar slap-in-the-face reminder that may be left behind after a hacker has had his way with your system.

Morgan said hackers did what they did more for a challenge and very rarely to hold a company to ransom.

“They are in it for the fame and glory, the tougher the security system the bigger the chip on his shoulder.

“August 1 to 19 this year was tabled as the worst period for viruses spread with more financial loss in this week than on September 11 and this is because in that week there was a worldwide hacking competition.

“Other reasons for hacks could be competitors who approach hackers for inside info or disgruntled employees,” he said.

As if having a dark underworld prowling your space isn’t enough, according to PricewaterhouseCoopers global statistics, companies need to be wary of an art-of-war type of situation in which the enemy may very well be within your quarters.

Said Morgan: “More than 55% of hacks happen by authorised employees. From a threat point of view the employee poses the greatest threat in hacking. Not only do they know your networks and passwords but they often open e-mails with viruses and spread them.

“The most common form of hacking is through viruses via e-mail spread to cripple a network and hacking into web pages, where they are defaced, leading to major losses in revenue.

“An example of this was a major retail client that we dealt with where an employee hacked into the company’s system resulting in a day-long down time at the cost of around R1 million,” said Morgan.

He said that since the introduction of Windows in the late 1980s, there was an increase in vulnerability.

“Companies need to constantly update their security systems and step up on staff awareness. On a number of social engineered techniques for clients we’ve managed to enter major organisations posing as repair men or cleaners or even just plain suits blending with the environment.

“We then access a computer and get into their network. In most cases you are not stopped if you look confident and like you fit in.

“It’s also very easy to hack in to a system through a home-made wireless mechanism. We were able to construct one of these using some information we got off the net.”

Bala Naidoo, Director of Communications for the South African Police Service in KwaZulu-Natal, said: “We are not aware of this hacking community and if any information regarding this is brought forward we will investigate it.

“So far in Durban we’ve dealt with about 52 cases of internet banking fraud and have no hacking cases reported. We investigate these cases through our commercial crime unit which has the expertise to handle this,” he said.


Computing Entertainment Security

Handy list of Facebook Privacy Settings

Recently published: a handy list of 10 Privacy Settings Every Facebook User Should Know.

Included in the list are instructions for creating custom friend lists, removing yourself from search results, preventing tagged photos of you from being visible to all, and restricting access to stories and contact information. It’s a very handy guide with some seriously good tips on how to protect yourself in the big bad world of friendface. 🙂


The Fuckers Stole My Bike

Sorry folks, no apologies for that headline. On Friday 4 April at around noon, some criminal fuckheads loaded my bike into a van or a truck and drove off with it. This occurred inside the “secure” complex where our offices are in Centurion. I happened to look out the window at 2pm and my bike was no longer where I had parked it, and it turned out that this was no prank.

There are a couple of things that make this event such a shock:

  1. I can’t believe nobody saw this happening. There’s always someone smoking out there.
  2. I can’t believe the security guards at the entrance saw nothing.
  3. I can’t believe they’d do it in the middle of the day.
  4. I can’t believe criminals think that seeing something means you can take it.
  5. I can’t believe someone would buy that stolen bike from the thieves, but I can’t believe they’ll make any money selling it for parts either.
  6. I can’t believe I only take the bike to work very rarely, based on a whim and on the weather, and the criminals “just happened to see it”.
  7. I can’t believe it was my bike that was taken, and not one of the other two parked two spaces away.
  8. I can’t believe I have to go hunting for a bike again, when I’d found the perfect deal on the perfect bike for me.
  9. I can’t believe I’ve managed to control my burning anger and not punch holes through walls, but then again, I suppose that control is one of the reasons I’ve been such a successful biker thus far.

And in case you happen to see something, here are the bike details:

Black 2007 model CBR 1000 Fireblade
Standard exhaust, standard windshield
Immaculate condition
Right hand side crash bobbin is missing.
Stolen in Central Park, Esdoring Street, Highveld Techno Park, Centurion

Technorati Tags: bike, theft, stolen, fireblade, cbr1000, anger