|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Why doesn't Amazon enforce a password policy?
From: Gunnar Rene Řie (gunnarre
nvg.ntnu.no)
Date: Wed Nov 01 2006 - 06:10:13 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, 27 Oct 2006, Jeff Robertson wrote:
> Well then I take back what I said.. I must be mixing them up with a
> different site.
Excuse me, but no, you should not take that back.
Amazon *does* force you to re-enter you credit card number every time you
add a new recipient address. And the only part of the credit card number
that is shown to a logged on user is the last 4 digits, so that the user
can recognize the different cards. If you get into a cracked account, all
you get access to is
- ordering products and having them sent to one of the addresses that the
user has used before - not very profitable, unless the identity thief is
the usual family member or colleague. But if you're John Q. Cracker
running around on the internet, you can't get any product.
- previous order history
- whish list if it was not public before
- previous addresses
- last digits of credit card numbers
- making mayhem by submitting spam/insane reviews, but these are moderated
anyway
So a randomly cracked account can't give any direct material benifit to a
cracker. They are only useful for learning something about the user or to
annoy them by having them receive product that they didn't order. In any
case, that product can be returned and Amazon doesn't lose any money
(unless they refund the shipping to be kind to the customer).
As said by others here: You need to do a risk analysis and
return-on-investment calculation based on YOUR situation. If you're
selling goods in the same way as Amazon, then do it like Amazon, i.e. the
user is responsible for protecting his/her own information, but anything
of value to your company is not sent out without a re-confirmation of the
credit card number. If your bread and butter is the secrecy of information
IN the system then Amazon is not a good comparison.
Finding examples of companies that require a certain password length and
strength is easy. You can probably find a competitor in your field who
does it.
--
Regards , Vennlig hilsen
Gunnar René Řie, MSc. IDI/NTNU
PGP public key available
--
Regards , Vennlig hilsen
Gunnar René Řie, MSc. IDI/NTNU
PGP public key available
-------------------------------------------------------------------------
Sponsored by: Watchfire
AppScan delivers new remediation capabilities, key regulatory compliance
reporting, and productivity enhancements that dramatically improve,
automate and streamline users' ability to quickly find, remediate and
manage web application security vulnerabilities. Change the way you think
about application security testing - download AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTE
--------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]