Post by warn on Oct 13, 2016 8:18:40 GMT
Fixed now, I think.
Post by beechside on Oct 13, 2016 8:19:05 GMT
> Looks like a Rackspace error.

Yes, it might be... Forgive me if I seem harsh but this is so important that someone should have checked. Since the business model is predicated on trust and given that there are journos out there looking to sensationalise the industry, why not simply look at the certificate to make sure that it's been installed correctly? Had I got such an email from Rackspace, the first thing I would have done would be to check it. Don't you love hindsight???
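The check suggested in the post above, as an added example that is not part of the original thread: it compares a certificate's validity window with the current time, and probes a live host with normal verification on, as a browser would. The sample dates, the 30-day threshold and the function names are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def classify(cert, now, warn_days=30):
    """Classify a certificate dict (the shape SSLSocket.getpeercert() returns)
    against its validity window. Returns (status, whole days until notAfter)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    days_left = int((not_after - ts) // 86400)  # negative once expired
    if ts < not_before:
        return "NOT_YET_VALID", days_left
    if ts > not_after:
        return "EXPIRED", days_left
    if days_left < warn_days:
        return "RENEW_SOON", days_left
    return "OK", days_left

def probe(host, port=443, warn_days=30, timeout=5.0):
    """Connect with certificate verification enabled and report the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                now = datetime.now(timezone.utc)
                return classify(tls.getpeercert(), now, warn_days)
    except ssl.SSLCertVerificationError as exc:
        # verify_code 10 is OpenSSL's X509_V_ERR_CERT_HAS_EXPIRED; any other
        # verification failure (wrong host name, unknown issuer) is reported
        # separately because it needs a different fix.
        return ("EXPIRED" if exc.verify_code == 10 else "UNTRUSTED"), None

# Constructed sample: a one-year certificate that lapsed the evening before
# the thread's date. These are not the real site's certificate dates.
SAMPLE = {"notBefore": "Oct 12 00:00:00 2015 GMT",
          "notAfter": "Oct 12 23:59:59 2016 GMT"}

if __name__ == "__main__":
    morning = datetime(2016, 10, 13, 8, 0, tzinfo=timezone.utc)
    print(classify(SAMPLE, morning))
    # Live use, with a placeholder host name: probe("www.example.com")
```

Run from a scheduled job, the RENEW_SOON result gives several weeks of notice before browsers start rejecting the certificate.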
Post by supernumerary on Oct 13, 2016 8:24:24 GMT
I am now alright too, with the login.
Post by dodgeydave on Oct 13, 2016 8:44:39 GMT
Sadly fixed too late to do some selling and a withdrawal today. So will have to wait for tomorrow now.
Post by elliotn on Oct 13, 2016 10:19:23 GMT
> Sadly fixed too late to do some selling and a withdrawal today. So will have to wait for tomorrow now

That's an early log in. Teerak can wait a day.
Post by dodgeydave on Oct 13, 2016 10:57:09 GMT
>> Sadly fixed too late to do some selling and a withdrawal today. So will have to wait for tomorrow now

> That's an early log in. Teerak can wait a day.

Different time zone.
Post by Deleted on Oct 13, 2016 15:12:39 GMT
>> Maybe I'm being thick, but how does use of a security certificate a day after its expiry in any way allow hackers more access to passwords than at any other time?

> No, you're not being thick at all. However, modern hacking is not what it once was where bots simply scanned ports, injected malicious messages, looked for buffer overflow and software weaknesses in thousands of sites. I used to run the development shop for a large ISP and we were targeted all the time. The modern hacker is picky and looks for soft targets that are lucrative. It's easy to find out when a security certificate expires and I might just use that as a smoke screen. Is SS such a site? Let me give an example of how it might be to get money, should a breach be made.
> - I get your password (no suggestion that it's happening now)
> - I pay a pound into your account from my bank account (would you notice?)
> - My bank account gets associated with your SS account
> - I sell your loan parts in a highly liquid market
> - I withdraw to my bank account and disappear
>
> Yes, there are checks, manual interventions, notification emails etc but manual == insecure. The rewards might be massive... So, does two-step verification help? Yes it does and I have it on my account. Not perfect but it adds an element of physical security (the location and ownership of my phone, as well as its own security).

Sorry to be harsh, but I worked for high-security applications and all the above is GROUNDLESS speculation.
1) The certificate is THERE and the encryption SSL layer is working all the time, whether your browser thinks so or differently. So physically NOTHING at all changed since your last login yesterday. I repeat: NOTHING IS DIFFERENT IN ANY WAY.
2) IN NO way an expired certificate gives anyone access to the (encrypted as well) password server.
3) In NO way the process described above is any different with a perfectly recognised certificate or with an expired certificate.

Phishing passwords can be done with or without certificate and the new bank account association is dependent only on the knowledge of the username/password, not on the existence or less of a certificate which is recognised by your browser. So all the above is PURE SPECULATION of a potential (and not very easy, as the most difficult part is the non-described way to get your username/password) attack that anyone can do to *any* server (including directly into your online banking account). Please don't spread rubbish. Yes, SS showed lack of attention to important details, which might be not too good for their image. But NO RISK WHATSOEVER WAS EVER exposed in the link this morning. It is the sort of image problem you would get filing your annual returns a day late (happens to lots of companies). It DOES NOT MEAN YOU ARE DEFAULTING. It just means your staff is under pressure....
Post by beechside on Oct 13, 2016 15:59:53 GMT
@hor1997 - You're not being harsh but I don't think you read what I said. I was trying to assuage fear, not generate it. In particular, I said in this thread:
- The data was still encrypted so the session was safe
- There's no suggestion or evidence that the servers have been compromised
- There's no suggestion that passwords were being obtained
Having tried to help those who expressed concern, I did want to point out one serious system weakness - the procedure for adding another bank account seems rather facile. Indeed one of the other platforms I use insists that there is only one bank account, to prevent money laundering. If someone did discover a user ID and password, it seems pretty straightforward to drain an account. Two-step authentication seems to help so I recommend that, though I know others do not... That's about it. Forgive me if I don't want to get into a "he said, she said" conversation. It's not helpful to other readers of the forum. At worst, we're having a heated agreement ;o)
Post by mikes1531 on Oct 13, 2016 17:00:22 GMT
> Two-step authentication seems to help so I recommend that, though I know others do not...

I'd be happy to use it if it could be limited to specific operations -- like withdrawals -- and didn't have to be renewed so frequently. I don't want to find myself in a situation where I have wifi but not a phone signal and therefore can't access my account.