|
| Authored by: Anonymous on Tuesday, July 02 2013 @ 06:01 PM EDT |
It's funny you say that.
Many years ago, the university I went to use to use student ID cards with your
Social Security Number on it (as the student ID number) mainly because it was
convenient for them since they did not have to come up with a database to store
which non-traceable number goes to which SSN.
A few years later, they redid it in response to some law and all ID cards were
reissued, now with a seemingly untraceable number (which corresponds to a SSN in
their private database).
If they did that to begin with, who knows how much $ they would have saved by
not having to reissue new cards for everyone.[ Reply to This | Parent | # ]
|
|
|
| Authored by: mtew on Tuesday, July 02 2013 @ 08:30 PM EDT |
The encryption does not have to be strong, it just has to be
there. If they had done a ROT 13 on the information, that
would have shown intent to hide the information. The fact
that they did not even do something that simple is what put
AT&T in the hole.
They could also have put '&password=ipad' in the header or
something enough like it to show some kind of authorization
mechanism and checked for that exact value. AT&T chose not
to. Poof!
---
MTEW[ Reply to This | Parent | # ]
|
- Rot13! - Authored by: Anonymous on Wednesday, July 03 2013 @ 05:37 AM EDT
- Rot13! - Authored by: mtew on Wednesday, July 03 2013 @ 10:53 AM EDT
- Rot13! - Authored by: Anonymous on Wednesday, July 03 2013 @ 05:59 PM EDT
- Rot26! - Authored by: Anonymous on Friday, July 05 2013 @ 12:21 AM EDT
|
|
| Authored by: designerfx on Tuesday, July 02 2013 @ 08:39 PM EDT |
you can (and should) do that with encryption. there are plenty
of ways which don't involve needing a customer to type in
*anything*.[ Reply to This | Parent | # ]
|
- wrong - Authored by: Anonymous on Tuesday, July 02 2013 @ 10:00 PM EDT
- Ask Google - Authored by: Anonymous on Tuesday, July 02 2013 @ 11:20 PM EDT
- Ask Google - Authored by: Anonymous on Wednesday, July 03 2013 @ 01:42 AM EDT
- Ask Google - Authored by: Anonymous on Wednesday, July 03 2013 @ 03:07 AM EDT
- Ask Google - Authored by: tknarr on Wednesday, July 03 2013 @ 10:22 PM EDT
- wrong - Authored by: mtew on Wednesday, July 03 2013 @ 11:22 AM EDT
- How? - Authored by: Anonymous on Friday, July 05 2013 @ 12:01 AM EDT
- How? - Authored by: Anonymous on Friday, July 05 2013 @ 12:23 AM EDT
- How? - easily - Authored by: mtew on Friday, July 12 2013 @ 12:36 PM EDT
|
|
| Authored by: JonCB on Wednesday, July 03 2013 @ 03:03 AM EDT |
Or alternatively they could have verified the ICC-ID by other
means (MAC? SSL Client Certificate installed on the IPad?) and
changed the page to remove the need to even put a value in the
login field at all. Which would have been even more
convenient.
[ Reply to This | Parent | # ]
|
|
|
| Authored by: bugstomper on Thursday, July 04 2013 @ 06:09 AM EDT |
| A commenter in another thread had the right answer as to how AT&T should
have done it, with no encryption necessary
This comment
If AT&T knew the email address based on the ICC-ID of
the iPad being used to browse the web site, they could have simply asked for the
password. The users would not have had to enter email addresses unless they
indicated that they wanted to login using a different account. [ Reply to This | Parent | # ]
|
|
|
| Authored by: reiisi on Thursday, July 04 2013 @ 09:33 AM EDT |
It's not clear what information PJ intended to be encrypted.
Others have mentioned the use of a hash, which might or might not be
cryptographic, and ought, at any rate, to be sparse enough that simple
sequential diddling wouldn't produce another hit.
Technically, what should have been done is a sparse mapping (hash) of the card
ID to some number not obviously related to the ID. By sparse, we mean that
simply incrementing any single digit should not produce another valid hash.
AT&T is negligent for not going that far. If the current privacy laws were
to apply to AT&T the way they apply to individuals (like weev), AT&T
should be paying huge fines for this.
How that differs from encryption is not really a subject to argue about unless
you and I are mathematicians working in a certain branch of abstract math, and
maybe not even then. [ Reply to This | Parent | # ]
|
|
|
| Authored by: Anonymous on Friday, July 05 2013 @ 04:37 PM EDT |
What they also could/should have done is leave email-box blank and add some text
saying something like:
"We have an email for this iPad on file. If you are not the owner of this
iPad you will need to enter your email below."
If the server gets a page with a blank email then it would LOCALLY use the
device ID number to look up and fill in the email address without sending it
out. The server should not be transmitting account information to people who are
NOT YET LOGGED IN. Not unless that category of information is intended to be
publicly accessible.[ Reply to This | Parent | # ]
|
|
