Two-step authentication

Artur Wiebe
Artur Wiebe Member Posts: 31 ✭✭
edited November 2024 in English Forum

Hello,

do you have any solution for two-step authentication for your website or for the orders I make at Logos.com?

Please consider this for security reasons.

Artur

Comments

  • Glenn Airoldi
    Glenn Airoldi Member Posts: 6 ✭✭

    Thank you Arthur,

    This is a growing best practice we're definitely keeping our eye on.

  • Mark Barnes
    Mark Barnes Member Posts: 15,432 ✭✭✭

    For those who don't know, Glenn is director of e-commerce at Logos. I'm not sure where his Logos badge has gone to :-).

    Please do this because of this horrible news: http://mashable.com/2014/08/05/russian-hacker-passwords/

    However, I would prefer that resources weren't diverted to this end when there are so many other things that need to be improved.

    That's partly because that story isn't quite what it seems: http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever 

    Second, two factor authentication would be a big challenge for Logos given the number of different places you can log in (at the website, 5 different iOS apps, 5 different Android apps, Windows RT, Windows app, Mac app).

    Third, as most Russian hackers are not going to be that interested in purchasing an electronic copy of Bonhoeffer's complete works, I suspect the risk for our Logos accounts is very low.

    This is my personal Faithlife account. On 1 March 2022, I started working for Faithlife, and have a new 'official' user account. Posts on this account shouldn't be taken as official Faithlife views!

  • DMB
    DMB Member Posts: 14,450 ✭✭✭✭

    Mark, your answer really bugs me.  I'll be the first to admit, even though there's the assumption of Christians at Logos and on the forum, the general rule is 'everyone worry about themselves'.   That sounds bad but it's at the heart of capitalism and is presumed to be the most efficient means of allocating 'stuff'.

    But here we have an individual worried about HIS security and the answer is 'don't'.  Huh?

    First, smaller sites ARE highly targeted; they're the least protected talent-wise.  And it's the credit card that's sought, not a book.  You knew that.

    Second, Logos DOES take chances on not demanding a re-authentication with the cookies. At least for me, it's the only site I use that doesn't re-authenticate within a fairly short time period.  Now, re-authentication is a plus/minus since it requires the user to pass authentication through; another risk.

    Third, re-programming for security isn't a major do-over.  Authentication for platforms varies by platform. You knew that too.

    Fourth, the protections even AFTER a slip (whether the user's PC or a Logos issue) are the critical part.  As far as I've seen, Logos does go to some trouble to make access to one's account a waste of time (partial CC number, no passwords shown, etc).

    And fifth, a poorly thought out article doesn't eliminate the issue of security.  If someone on the forum is concerned about security, it's worthy of a short discussion of where 'leakage' is likely to occur or not.  Security is likely to get worse; not better.

    OK ... pardon my questioning your answer.

    "If myth is ideology in narrative form, then scholarship is myth with footnotes." B. Lincolm 1999.

  • Bruce Dunning
    Bruce Dunning MVP Posts: 11,163

    Mark Barnes said:

    Third, as most Russian hackers are not going to be that interested in purchasing an electronic copy of Bonhoeffer's complete works, I suspect the risk for our Logos accounts is very low.

    Well, if this happened and they actually read Bonhoeffer, some good may result [:)]

    Using adventure and community to challenge young people to continually say "yes" to God

  • Mike Pettit
    Mike Pettit Member Posts: 1,041 ✭✭

    Bruce Dunning said:

    Well, if this happened and they actually read Bonhoeffer, some good may result [:)]

    Well that is certainly debatable.

  • Mark Barnes
    Mark Barnes Member Posts: 15,432 ✭✭✭

    Denise said:

    Mark, your answer really bugs me.

    Denise,

    I don't think you've understood the issue that two-factor authentication solves. Two-factor authentication does nothing to prevent the Logos site getting hacked and your data stolen. That's an entirely different issue, which Logos should be putting resources into (I'm sure they are). But two-factor authentication only prevents criminals logging in with your details if they have already stolen your password.

    That makes two-factor authentication a major issue only for certain websites (not all websites). There are two crucial questions:

    • How much would it matter if thieves got into my Logos account? Honestly, the answer is "Not that much". Yes they could change your password/email address and take over your account - but Logos customer service could sort that fairly easily. They could buy lots of Logos books (but they'd be tied to your account, so would be of no benefit to them once your account was restored).
    • How likely would thieves attempt to log in as me into my Logos account? Honestly, the answer is "very unlikely". What would they gain?

    Two-factor authentication is a massive deal for organisations that provide login services to other accounts (so particularly, Google, Facebook and Twitter). It's very important for organisations that provide email addresses (because once you have control over email you can wreak havoc). And it's very important for companies that sell desirable goods that can be converted into cash (so Apple with its iTunes and App Stores, etc.), or financial institutions (PayPal, your bank, etc.).

    But for most web companies like Logos, it's both low risk and low damage — which in my book makes it low priority.

    So the security priorities for Logos should be protecting customer data by ensuring their systems are not vulnerable to attack, and ensuring that all log-ins take place over HTTPS (which they already do). I don't think it's a priority to add additional protection for individual customers who have allowed their passwords to be compromised. The low risk and low potential damage means I don't think it's worthwhile.


  • Matthew C Jones
    Matthew C Jones Member Posts: 10,295 ✭✭✭

    Denise said:

    And it's the credit card that's sought, not a book.

    If a Logos customer feels overly concerned about their credit card number being stolen from the Logos site, they can always use a reloadable VISA cash card. I use a debit card tied to a low-balance checking account and replenish it when I intend to make a purchase.

    I am not worried. Logos has already got all my money. [:$]

    Logos 7 Collectors Edition

  • Mark
    Mark Member Posts: 2,662 ✭✭✭

    Thanks for letting us know who Glenn is.  I was wondering...

  • DMB
    DMB Member Posts: 14,450 ✭✭✭✭

    The issue I was speaking to wasn't the specific ins/outs of security.  Rather, answering someone's concern for their own security with, 'It's not an important issue for me, so Logos should ignore you.'

    Better a reasonable discussion of the issue. 

    Personally I view 'Bellingham' as the bigger issue (internal management of systems/servers). And I agree with ST; minimize the risk.  We conceptually want to eventually minimize the cc's to Amazon, Apple, and Paypal, with smaller sites like Logos to be closed down cc-wise.


  • Rich DeRuiter
    Rich DeRuiter MVP Posts: 6,729

    Mark Barnes said:

    But for most web companies like Logos, it's both low risk and low damage — which in my book makes it low priority.

    So the security priorities for Logos should be protecting customer data by ensuring their systems are not vulnerable to attack, and ensuring that all log-ins take place over HTTPS (which they already do). I don't think it's a priority to add additional protection for individual customers who have allowed their passwords to be compromised. The low risk and low potential damage means I don't think it's worthwhile.

    Mark, there are two issues that Logos faces, one is the issue you describe here: an actual attack. I agree that hacking my Logos account would not likely be very lucrative for any cyber criminal, given the way Logos is set up. The fact that I can change my credit card # is not the same as giving a cyber criminal access to my current ones (and even if they did, credit cards - as distinct from debit cards - are required by law to protect their owners from fraudulent use). 

    But there's a second issue: the perception of vulnerability. Do Logos customers feel safe doing online business with Logos? If they don't, they may choose not to do business at all, just to be on the safe side. Not everyone does background research on the actual vulnerabilities they face, they simply react to the information they have. 

    To deal with this secondary issue (essentially a marketing issue), Logos can choose to 1) ignore it since many people don't pay attention to such matters, even when they make the news; 2) tell its users why there is no actual threat to them (educate via FAQs, end notes, hover text, etc. - though almost no one reads those anyway); 3) adjust their practice to accommodate those users who believe such is required (and put up with other frustrated users who don't like 2-step log-ons).

    Clearly, Logos should spend considerable effort protecting its databases of personal information, email addresses and credit cards, as this was more in line with how that attack actually worked. And I'm sure they do.

     Help links: WIKI;  Logos 6 FAQ. (Phil. 2:14, NIV)

  • Mark Barnes
    Mark Barnes Member Posts: 15,432 ✭✭✭

    Denise said:

    Rather, answering someones concern for their own security with, 'It's not an important issue for me, so Logos should ignore you.'

    That's hardly a fair paraphrase of my response, because I was not suggesting that "it's not an important issue for me", I was arguing that it wasn't an important issue period, by highlighting and analysing the risks that apply to all of us. I could be wrong, and I'm open to any response that deals concretely with the points I raised. But this discussion isn't about me.

    Denise said:

    Better a reasonable discussion of the issue. 

    A "reasonable discussion" surely means that we talk about "the specific in/outs of security" (which is exactly what I was doing).


  • DMB
    DMB Member Posts: 14,450 ✭✭✭✭

    Yes, Mark, you did exactly proceed to a reasonable (and good) discussion of the merits of two-step authentication ... after your chain got (gently) pulled.

    And my point continues to be about forum members expressing security concerns and being given flavored-candy answers. Better your second answer.


  • Tom Reynolds
    Tom Reynolds Member Posts: 1,459 ✭✭✭

    As someone who travels internationally and who has lived overseas for years let me tell you that two-step authentication is a huge headache. I definitely would not recommend that we be forced to use it. If they want to make it an option for those who are concerned that's fine but please don't make it mandatory to purchase books. Thanks!

  • Matthew C Jones
    Matthew C Jones Member Posts: 10,295 ✭✭✭

    Denise said:

    And my point continues to be about forum members expressing security concerns and be given flavored-candy answers. Better your second answer.

    How about everyone calling a sales rep and placing orders by phone?  I make all my non-Pre-Pub orders through Dave Kaplan. I have never had him make a mistake or fail to please. I lament this option is not easy for users outside the US and Canada.


  • Beloved Amodeo
    Beloved Amodeo Member Posts: 4,223 ✭✭✭

    May I ask a naive question of you who know infinitely more about these things than I do? If one tends to stay logged on to their platform or platforms of choice, are you more or less (or neither) vulnerable than if you log in and out regularly?

    You may consider this question posed within the framework of either logon procedures.

    Meanwhile, Jesus kept on growing wiser and more mature, and in favor with God and his fellow man.

    International Standard Version. (2011). (Lk 2:52). Yorba Linda, CA: ISV Foundation.

    MacBook Pro MacOS Sequoia 15.4 1TB SSD

  • Artur Wiebe
    Artur Wiebe Member Posts: 31 ✭✭

    Hello,

    thank you for this interesting discussion. Seems that I am a German security guy ;-)

    I feel safe at Logos.com, but I also want my personal information (address, credit card, etc.) locked safe in the Logos safe.

    What about a text message to the mobile phone when you purchase something like on PayPal?

    Or using the Google Authenticator or AlterEgo (www.alteregoapp.com) for logging in?

    Artur

  • DMB
    DMB Member Posts: 14,450 ✭✭✭✭

    Beloved ... Mark's the better source, but from a practical point of view, the fewer times you type in your credentials the better, presuming Logos' cookies are not easily read.

    That said, as you've probably noticed, Amazon, banks, etc 'time-out' the authentication, requiring you to re-log in (as does Apple even with a hardware ID/connect/control).  So there has to be a larger risk on the Logos approach relative to the re-authentication.  But again, Logos just sells books with no access to your full CC.

    Artur, a text message is more secure than an email?


  • Mark Barnes
    Mark Barnes Member Posts: 15,432 ✭✭✭

    Beloved said:

    If one tends to stay logged on to their platform or platforms of choice, are you more or less (or neither) vulnerable than if you log in and out regularly?

    Like many security questions, there are advantages and disadvantages to each approach.

    If you stay logged on to a website, then anyone who has physical access to your computer and your computer's account will be able to access that website, and make changes. So if you share a computer with someone you don't trust 100% then you're vulnerable. In that circumstance you should log out of each site that you visit.

    On the other hand, if you are frequently logging into sites, you increase the likelihood that somebody 'listening in' might steal your username and password, either through malware installed on your computer, or by intercepting the traffic between you and the server. However, this possibility is greatly reduced by (a) ensuring you have good security software on your PC, and (b) websites making sure you log in over an encrypted connection (i.e. over https), which Logos does.

    So it really depends on how secure the computer and its password is. If that's very secure, you don't need to worry too much about logging out of websites like Logos. If it's not secure, then you should.

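
Mark's answer, and Denise's earlier point that Logos does not ask for re-authentication the way banks and Amazon do, both come down to how the server treats the session cookie once the password has been accepted. The following is an example added here, not Logos' code and not from any post: a session store in Python with an idle timeout, an absolute lifetime, and a "step-up" rule that requires the password again before sensitive actions. The timeout values, the list of sensitive actions and the clock injection are assumptions chosen for illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60            # assumed: log out after 30 min without activity
ABSOLUTE_LIFETIME = 12 * 60 * 60  # assumed: and after 12 h regardless of activity
STEP_UP_MAX_AGE = 10 * 60         # assumed: sensitive actions need a password entered in the last 10 min
SENSITIVE_ACTIONS = {"change_email", "change_password", "update_card"}   # assumed list


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float
    authenticated_at: float   # last time the user proved possession of the password


class SessionStore:
    """In-memory session table keyed by the cookie value. `clock` is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Password accepted: mint an unguessable session id to send as the cookie value."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user, now, now, now)
        return sid

    def _live(self, sid: str) -> Optional[Session]:
        """Return the session if it is still valid, evicting it if either timeout has passed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.created_at > ABSOLUTE_LIFETIME or now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def authorize(self, sid: str, action: str) -> str:
        """'ok' to proceed, 'login' if the session is gone, 'reauth' if the password must be re-entered."""
        s = self._live(sid)
        if s is None:
            return "login"
        if action in SENSITIVE_ACTIONS and self._clock() - s.authenticated_at > STEP_UP_MAX_AGE:
            return "reauth"
        return "ok"

    def reauthenticate(self, sid: str, password_ok: bool) -> bool:
        """Called after the re-entered password has been checked; refreshes the step-up timestamp only."""
        s = self._live(sid)
        if s is None or not password_ok:
            return False
        s.authenticated_at = self._clock()
        return True

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    now = [0.0]                                   # constructed clock for the demo
    store = SessionStore(clock=lambda: now[0])
    sid = store.login("demo-user")
    now[0] += 11 * 60
    print(store.authorize(sid, "browse_library"))  # ok
    print(store.authorize(sid, "update_card"))     # reauth
```

The step-up rule is the middle ground between the two positions in the thread: staying logged in for reading costs little, because reading the library is not the action an attacker who picks up a cookie wants, while changing the account's e-mail address or card details is gated behind a fresh password (or, where enabled, a second factor) no matter how long the session has lived.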

  • Mark Barnes
    Mark Barnes Member Posts: 15,432 ✭✭✭

    Denise said:

    Artur, a text message is more secure than an email?

    For most people, yes, because intercepting a text message requires physical access to your phone and its PIN, whereas an email can be read/deleted from anywhere (if they have your password).


  • Lynden O. Williams
    Lynden O. Williams MVP Posts: 9,015

    Denise said:

    Artur, a text message is more secure than an email?

    Mark Barnes said:

    For most people, yes, because intercepting a text message requires physical access to your phone and its PIN, whereas an email can be read/deleted from anywhere (if they have your password).

    If I am understanding correctly, you receive a text message with a code that you put in the browser? Only had to deal with companies once or twice where they call with a code or a text message.

    Mission: To serve God as He desires.

  • Mark Barnes
    Mark Barnes Member Posts: 15,432 ✭✭✭

    Lynden O. Williams said:

    If I am understanding correctly, you receive a text message with a code that you put in the browser?

    That's one method of two-factor authentication, yes.

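
The "code in a text message" method Lynden asks about is only as good as the server-side rules around the code: it must be random, short-lived, single-use, limited in guesses, and tied to the login attempt that requested it. The following is an example added here, not Logos' code and not from any post: the issuing and checking side in Python. The six-digit length, five-minute lifetime and five-attempt limit are illustrative choices, the `outbox` list is a constructed stand-in for a real SMS gateway, and the phone number is fictional. (One caveat on the method itself: a code sent by SMS is exposed to whoever can get the phone number redirected, which is why an authenticator app is the stronger choice where the user has one.)

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CODE_DIGITS = 6             # assumed code length
CODE_TTL_SECONDS = 5 * 60   # assumed: a code is only good for five minutes
MAX_ATTEMPTS = 5            # assumed: then a fresh code must be requested


@dataclass
class PendingCode:
    digest: bytes
    expires_at: float
    attempts: int = 0


def _digest(login_id: str, code: str) -> bytes:
    # Store a hash bound to the login attempt rather than the code, so a leaked table does not hand out live codes.
    return hashlib.sha256(f"{login_id}:{code}".encode()).digest()


class SmsCodeService:
    """Issues one code per login attempt and checks it at most MAX_ATTEMPTS times before it expires."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._pending: Dict[str, PendingCode] = {}
        self.outbox: List[Tuple[str, str]] = []   # constructed stand-in for the SMS gateway

    def issue(self, login_id: str, phone: str) -> None:
        """Generate a fresh code for this login attempt (replacing any earlier one) and queue the SMS."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[login_id] = PendingCode(_digest(login_id, code), self._clock() + CODE_TTL_SECONDS)
        self.outbox.append((phone, f"Your sign-in code is {code}"))

    def verify(self, login_id: str, submitted: str) -> bool:
        """True exactly once for the right code, inside its lifetime, within the attempt budget."""
        pending = self._pending.get(login_id)
        if pending is None:
            return False
        if self._clock() > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[login_id]          # expired or brute-forced: invalidate, require a new code
            return False
        pending.attempts += 1                    # every check, valid-looking or not, spends one attempt
        if not (submitted.isascii() and submitted.isdigit()):
            return False
        if hmac.compare_digest(_digest(login_id, submitted), pending.digest):
            del self._pending[login_id]          # single use
            return True
        return False


if __name__ == "__main__":
    svc = SmsCodeService()
    svc.issue("login-attempt-1", "+15555550100")      # fictional number
    phone, message = svc.outbox[-1]
    print(f"would send to {phone}: {message}")
    print("accepted:", svc.verify("login-attempt-1", message.split()[-1]))
```

Keying the pending code by the login attempt (not just the user) is what stops a code requested by the attacker from being accepted on the victim's session, and the attempt counter is what keeps a six-digit code from being guessed online: five tries against a million possibilities is a 0.0005% chance per code.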

  • abondservant
    abondservant Member Posts: 4,796 ✭✭✭

    Mark Barnes said:

    Denise said:

    Mark, your answer really bugs me.

    Denise,

    I don't think you've understood the issue that two-factor authentication solves. Two-factor authentication does nothing to prevent the Logos site getting hacked and your data stolen. That's an entirely different issue, which Logos should be putting resources into (I'm sure they are). But two-factor authentication only prevents criminals logging in with your details if they have already stolen your password.

    That makes two-factor authentication a major issue only for certain websites (not all websites). There are two crucial questions:

    • How much would it matter if thieves got into my Logos account? Honestly, the answer is "Not that much". Yes they could change your password/email address and take over your account - but Logos customer service could sort that fairly easily. They could buy lots of Logos books (but they'd be tied to your account, so would be of no benefit to them once your account was restored).
    • How likely would thieves attempt to log in as me into my Logos account? Honestly, the answer is "very unlikely". What would they gain?

    Two-factor authentication is a massive deal for organisations that provide login services to other accounts (so particularly, Google, Facebook and Twitter). It's very important for organisations that provide email addresses (because once you have control over email you can wreak havoc). And it's very important for companies that sell desirable goods that can be converted into cash (so Apple with its iTunes and App Stores, etc.), or financial institutions (PayPal, your bank, etc.).

    But for most web companies like Logos, it's both low risk and low damage — which in my book makes it low priority.

    So the security priorities for Logos should be protecting customer data by ensuring their systems are not vulnerable to attack, and ensuring that all log-ins take place over HTTPS (which they already do). I don't think it's a priority to add additional protection for individual customers who have allowed their passwords to be compromised. The low risk and low potential damage means I don't think it's worthwhile.

    So what would this protect us against? People logging in and maliciously buying more books for my library?

    If they want to do two step authentication, I'd prefer it be an opt in program. I don't want the extra complexity, and the risks to not having it are low enough that I wouldn't opt in.


    L2 lvl4 (...) WORDsearch, all the way through L10,

  • DMB
    DMB Member Posts: 14,450 ✭✭✭✭

    I very rarely run into 2-step authentication. Even resetting passwords constantly.

    The more common security behavior for us is not using our debit card except in a few types of stores, and limiting the cc on the internet.  And the best thing that can happen is when the bank detects a security issue and re-issues the card.  All the sloppy marketers that kept the number get stripped.

    I used to do 'big data' market research and cc numbers were our claim to fame.  Dangerous but profitable.  Even if we lost the number, we just needed to 'touch' once and we were good to go.  You still see some stores asking for zipcodes to get a 'touch'.
