
Great start to the year
Not even mid-February and we already have the counter pegged beyond 20 million account details slurped.
Way to go to reach 100 million before the end of the year. Who says 100 million before July?
Anyone?
Up to 21 million accounts on Alibaba e-commerce site TaoBao may have been compromised thanks to stolen credentials reused on breached third-party sites. TaoBao is a seller-to-seller commerce site like Gumtree or eBay where users rely on reputation to secure the most sales. Reuters reports that China's Ministry of Public …
"Ducklin says the attack serves as a warning for web site owners to apply login rate limiters"
As they say, if they are processing millions of logins a day, if you use a botnet, each trying 5 or 6 different logins every now and again, it's never going to get flagged.
Heck I've done that on websites I've known I have an account on, but have no clue what user name or password I used, usually because of some stupid policy some idiot dreamed up on the back of a fag packet.
2 factor gets trotted out all the time, but how? The cheapest imaginable device is free, on a user's phone for example, but the cost of 99% of users not installing the app and not using your site/store is still too high.
And sending a 2 factor device would cost millions at least, for 99 million users.
2FA isn't the answer in 99% of use cases.
Various mechanisms exist to transparently profile and, if necessary, validate the client end (agent strings, resolution, input rate and profile, connection origin - residential vs data centre) to assess whether it's a human or a computer, but as ever the bad guys are able to move a lot quicker than the good guys, and associated malicious activity such as ad-fraud has refined the malware industry in making bots act more human. Definitely not an easy problem to address, never mind at scale.
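The two comments above make the same point from different sides: a per-IP login rate limiter never trips when a botnet spreads a handful of attempts across thousands of sources, so the signal has to be taken fleet-wide. The script below is an added illustration, not code from the article or any commenter: it runs a conventional per-IP limiter and a fleet-wide credential-stuffing detector over a constructed login log, and the thresholds, IP addresses and usernames are all made-up assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log: (second offset, source_ip, username, success).
# Six "bot" IPs each try five different usernames once, spread over a minute,
# plus one legitimate user who mistypes twice and then logs in.
SAMPLE_LOG = [(t, "198.51.100.7", "alice", t == 20) for t in (5, 12, 20)]
for i in range(6):
    for j in range(5):
        SAMPLE_LOG.append((i * 10 + j, f"203.0.113.{i + 1}", f"user{i * 5 + j}", False))


def per_ip_blocked(log, max_failures=10):
    """Classic per-IP limiter: block a source once it fails max_failures times
    in the window. The log slice passed in is assumed to be one window."""
    fails = Counter(ip for _, ip, _, ok in log if not ok)
    return {ip for ip, n in fails.items() if n >= max_failures}


def stuffing_signal(log, min_failures=20, max_median_per_ip=5, min_spread=0.8):
    """Fleet-wide view the per-IP limiter lacks: many failures in the window,
    spread thinly across sources, each source hitting mostly distinct accounts.
    Returns (flagged, metrics). Thresholds are illustrative assumptions."""
    failed = [(ip, user) for _, ip, user, ok in log if not ok]
    if len(failed) < min_failures:
        return False, {"failures": len(failed)}
    per_ip = Counter(ip for ip, _ in failed)
    users_per_ip = defaultdict(set)
    for ip, user in failed:
        users_per_ip[ip].add(user)
    # Spread: share of failed attempts that hit a username new to that source.
    # Near 1.0 means "one try per account", the credential-stuffing pattern.
    spread = sum(len(s) for s in users_per_ip.values()) / len(failed)
    metrics = {
        "failures": len(failed),
        "sources": len(per_ip),
        "median_failures_per_ip": median(per_ip.values()),
        "account_spread": round(spread, 2),
    }
    flagged = metrics["median_failures_per_ip"] <= max_median_per_ip and spread >= min_spread
    return flagged, metrics


if __name__ == "__main__":
    print("per-IP limiter blocks:", per_ip_blocked(SAMPLE_LOG) or "nothing")
    print("fleet-wide signal:", stuffing_signal(SAMPLE_LOG))
```

On this sample the per-IP limiter blocks nothing, while the fleet-wide detector flags the window: 32 failures from 7 sources, a median of 5 failures per source, and 97% of attempts aimed at accounts that source had not tried before.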
Use a different password on each site? Hard*.
Use a difficult-to-crack password? Hard*.
Keep all your eggs in different baskets? Hard*.
Use 2FA? Hard*.
Check email origins to ensure a non-malicious sender? Hard*.
Other 'solutions'? Hard*.
*Clearly not all hard for the people here, but hard enough that few IT people do all of them all the time, and hard enough that your average punter will glaze over immediately. My dad barely knows what a password is, yet most people online today have the same (low) interest in techy stuff and just want to read about stuff and buy stuff online.
So why have we built a world where the security measures are hard for the average person to deal with? Things are really broken and the bad people are having a field day.
I don't know what the answer is, but rolling our eyes as the data-exploit-of-the-day is announced isn't going to help. How do we build a secure digital world that ordinary people can use without risk?
The accepted wisdom is that security is hard, and just once in a while wisdom is accepted because it is true rather than simply because it is easy. The problem is that in general you want to offer people the simplest thing that can possibly work, but that either relies on human factors (such as users being able to choose a good password, which is tricky because users are humans) or mechanical factors (such as locking an account to a single machine with a specific certificate on it, which becomes problematic when the user loses access to the exact mechanical configuration they were using or needs to access the service from another system or location).
There are good ideas around but it doesn't seem as though anybody has really got to the heart of this problem yet and a lot of very smart people on the usability and security sides have been working on it for a long time.
"So why have we built a world where the security measures are hard for the average person to deal with? Things are really broken and the bad people are having a field day."
I think the problem is one of perception. People aren't placing a high enough mental value on their digital accounts. Nobody needs to remind anyone to lock their door or car, because the loss would be immediate and tangible. Yet few complain of the hassle of carrying around a set of keys.
Realistically, it might take identity theft, money theft, or some other personal disaster for most to take their online accounts more seriously.
You can use a password vault like LastPass to store a different password for every site you use. It can generate them for you containing a mix of lower and upper case, numbers, and special characters. You can use it on any device. You then protect this with two-factor authentication, preferably with something like Duo that provides out-of-band push notifications to your phone, and even better, use this with Touch ID if your phone has it.