Two step authentication


Posts 30
Artur Wiebe | Forum Activity | Posted: Wed, Aug 6 2014 4:44 AM

Hello,

do you have any solution for two step authentication for your website or for the orders I make at Logos.com.

Please consider this for security reasons.

Artur

Posts 6
Glenn Airoldi | Forum Activity | Replied: Wed, Aug 6 2014 9:47 AM

Thank you Artur,

This is a growing best practice we're definitely keeping our eye on.

Posts 30
Artur Wiebe | Forum Activity | Replied: Thu, Aug 7 2014 2:42 AM

Hello Glenn,

please do this because of this horrible news: http://mashable.com/2014/08/05/russian-hacker-passwords/


Artur

Posts 13423
Mark Barnes | Forum Activity | Replied: Thu, Aug 7 2014 4:57 AM

For those who don't know, Glenn is director of e-commerce at Logos. I'm not sure where his Logos badge has gone to :-).

Artur Wiebe:
please do this because of this horrible news: http://mashable.com/2014/08/05/russian-hacker-passwords/

However, I would prefer that resources weren't diverted to this end when there are so many other things that need to be improved.

That's partly because that story isn't quite what it seems: http://www.theverge.com/2014/8/6/5973729/the-problem-with-the-new-york-times-biggest-hack-ever 

Second, two factor authentication would be a big challenge for Logos given the number of different places you can log in (at the website, 5 different iOS apps, 5 different Android apps, Windows RT, Windows app, Mac app).

Third, as most Russian hackers are not going to be that interested in purchasing an electronic copy of Bonhoeffer's complete works, I suspect the risk for our Logos accounts is very low.

Posts 11433
DMB | Forum Activity | Replied: Thu, Aug 7 2014 6:23 AM

Mark, your answer really bugs me.  I'll be the first to admit, even though there's the assumption of Christians at Logos and on the forum, the general rule is 'everyone worry about themselves'.   That sounds bad but it's at the heart of capitalism and is presumed to be the most efficient means of allocating 'stuff'.

But here we have an individual worried about HIS security and the answer is 'don't'.  Huh?

First, smaller sites ARE highly targeted; they're the least protected talent-wise.  And it's the credit card that's sought, not a book.  You knew that.

Second, Logos DOES take chances on not demanding a re-authentication with the cookies. At least for me, it's the only site I use that doesn't re-authenticate within a fairly short time period.  Now, re-authentication is a plus/minus since it requires the user to pass authentication through; another risk.

Third, re-programming for security isn't a major do-over.  Authentication for platforms varies by platform. You knew that too.

Fourth, the protections even AFTER a slip (whether the user's PC or a Logos issue) are the criticality.  As far as I've seen, Logos does go to some trouble to make access to one's account a waste of time (partial CC number, no passwords shown, etc.).

And fifth, a poorly thought out article doesn't eliminate the issue of security.  If someone on the forum is concerned about security, it's worthy of a short discussion of where 'leakage' is likely to occur or not.  Security is likely to get worse; not better.

OK ... pardon my questioning your answer.

"God will save his fallen angels and their broken wings He'll mend."

Posts 9712
Forum MVP
Bruce Dunning | Forum Activity | Replied: Thu, Aug 7 2014 7:05 AM

Mark Barnes:
Third, as most Russian hackers are not going to be that interested in purchasing an electronic copy of Bonhoeffer's complete works, I suspect the risk for our Logos accounts is very low.

Well, if this happened and they actually read Bonhoeffer, some good may result :-)

Using adventure and community to challenge young people to continually say "yes" to God

Posts 1035
Mike Pettit | Forum Activity | Replied: Thu, Aug 7 2014 7:28 AM

Bruce Dunning:
Well, if this happened and they actually read Bonhoeffer, some good may result :-)

Well that is certainly debatable. 

Posts 13423
Mark Barnes | Forum Activity | Replied: Thu, Aug 7 2014 8:08 AM

Denise:
Mark, your answer really bugs me.

Denise,

I don't think you've understood the issue that two-factor authentication solves. Two-factor authentication does nothing to prevent the Logos site getting hacked and your data stolen. That's an entirely different issue, which Logos should be putting resources into (I'm sure they are). But two-factor authentication only prevents criminals logging in with your details if they have already stolen your password.

That makes two-factor authentication a major issue only for certain websites (not all websites). There are two crucial questions:

  • How much would it matter if thieves got into my Logos account? Honestly, the answer is "Not that much". Yes, they could change your password/email address and take over your account - but Logos customer service could sort that fairly easily. They could buy lots of Logos books (but they'd be tied to your account, so would be no benefit to them once your account was restored).
  • How likely would thieves attempt to log-in as me into my Logos account? Honestly, the answer is "very unlikely". What would they gain?

Two-factor authentication is a massive deal for organisations that provide login services to other accounts (so particularly, Google, Facebook and Twitter). It's very important for organisations that provide email addresses (because once you have control over email you can wreak havoc). And it's very important for companies that sell desirable goods that can be converted into cash (so Apple with its iTunes and App Stores, etc.), or financial institutions (PayPal, your bank, etc.).

But for most web companies like Logos, it's both low risk and low damage — which in my book makes it low priority.

So the security priorities for Logos should be protecting customer data by ensuring their systems are not vulnerable to attack, and ensuring that all log-ins take place over HTTPS (which they already do). I don't think it's a priority to add additional protection for individual customers who have allowed their passwords to be compromised. The low risk and low potential damage means I don't think it's worthwhile.

Posts 8967
RIP
Matthew C Jones | Forum Activity | Replied: Thu, Aug 7 2014 8:57 AM

Denise:
And it's the credit card that's sought, not a book.

If a Logos customer feels overly concerned about their credit card number being stolen from the Logos site, they can always use a reloadable VISA cash card. I use a debit card tied to a low-balance checking account and replenish it when I intend to make a purchase.

I am not worried. Logos has already got all my money. Embarrassed

Logos 7 Collectors Edition

Posts 2223
Mark | Forum Activity | Replied: Thu, Aug 7 2014 8:57 AM

Thanks for letting us know who Glenn is.  I was wondering...

Posts 11433
DMB | Forum Activity | Replied: Thu, Aug 7 2014 9:09 AM

The issue I was speaking to wasn't the specific ins/outs of security.  Rather, answering someone's concern for their own security with, 'It's not an important issue for me, so Logos should ignore you.'

Better a reasonable discussion of the issue. 

Personally I view 'Bellingham' as the bigger issue (internal management of systems/servers). And I agree with ST; minimize the risk.  We conceptually want to eventually minimize the cc's to Amazon, Apple, and Paypal, with smaller sites like Logos to be closed down cc-wise.

"God will save his fallen angels and their broken wings He'll mend."

Posts 5573
Forum MVP
Rich DeRuiter | Forum Activity | Replied: Thu, Aug 7 2014 9:18 AM

Mark Barnes:

But for most web companies like Logos, it's both low risk and low damage — which in my book makes it low priority.

So the security priorities for Logos should be protecting customer data by ensuring their systems are not vulnerable to attack, and ensuring that all log-ins take place over HTTPS (which they already do). I don't think it's a priority to add additional protection for individual customers who have allowed their passwords to be compromised. The low risk and low potential damage means I don't think it's worthwhile

Mark, there are two issues that Logos faces, one is the issue you describe here: an actual attack. I agree that hacking my Logos account would not likely be very lucrative for any cyber criminal, given the way Logos is set up. The fact that I can change my credit card # is not the same as giving a cyber criminal access to my current ones (and even if they did, credit cards - as distinct from debit cards - are required by law to protect their owners from fraudulent use). 

But there's a second issue: the perception of vulnerability. Do Logos customers feel safe doing online business with Logos? If they don't, they may choose not to do business at all, just to be on the safe side. Not everyone does background research on the actual vulnerabilities they face, they simply react to the information they have. 

To deal with this secondary issue (essentially a marketing issue), Logos can choose to 1) ignore it since many people don't pay attention to such matters, even when they make the news; 2) tell its users why there is no actual threat to them (educate via FAQs, end notes, hover text, etc. - though almost no one reads those anyway); 3) adjust their practice to accommodate those users who believe such is required (and put up with other frustrated users who don't like 2-step log-ons).

Clearly, Logos should spend considerable effort protecting its databases of personal information, email addresses and credit cards, as this was more in line with how that attack actually worked. And I'm sure they do. 

 Help links: WIKI;  Logos 6 FAQ. (Phil. 2:14, NIV)

Posts 13423
Mark Barnes | Forum Activity | Replied: Thu, Aug 7 2014 9:26 AM

Denise:
Rather, answering someone's concern for their own security with, 'It's not an important issue for me, so Logos should ignore you.'

That's hardly a fair paraphrase of my response, because I was not suggesting that "it's not an important issue for me", I was arguing that it wasn't an important issue period, by highlighting and analysing the risks that apply to all of us. I could be wrong, and I'm open to any response that deals concretely with the points I raised. But this discussion isn't about me.

Denise:
Better a reasonable discussion of the issue. 

A "reasonable discussion" surely means that we talk about "the specific in/outs of security" (which is exactly what I was doing).

Posts 11433
DMB | Forum Activity | Replied: Thu, Aug 7 2014 9:49 AM

Yes, Mark, you did exactly proceed to a reasonable (and good) discussion of the merits of two-step authentication ... after your chain got (gently) pulled.

And my point continues to be about forum members expressing security concerns and being given flavored-candy answers. Better your second answer.

"God will save his fallen angels and their broken wings He'll mend."

Posts 1157
Tom Reynolds | Forum Activity | Replied: Thu, Aug 7 2014 11:59 AM

As someone who travels internationally and who has lived overseas for years let me tell you that two-step authentication is a huge headache. I definitely would not recommend that we be forced to use it. If they want to make it an option for those who are concerned that's fine but please don't make it mandatory to purchase books. Thanks!

Posts 8967
RIP
Matthew C Jones | Forum Activity | Replied: Thu, Aug 7 2014 12:15 PM

Denise:
And my point continues to be about forum members expressing security concerns and being given flavored-candy answers. Better your second answer.

How about everyone calling a sales rep and placing orders by phone?  I make all my non-Pre-Pub orders through Dave Kaplan. I have never had him make a mistake or fail to please. I lament this option is not easy for users outside the US and Canada.

Logos 7 Collectors Edition

Posts 3191
Beloved Amodeo | Forum Activity | Replied: Thu, Aug 7 2014 12:16 PM

May I ask a naive question of you who know infinitely more about these things than I do? If one tends to stay logged on on their platform or platforms of choice, are you more or less (or neither) vulnerable than if you log in and out regularly?

You may consider this question posed within the framework of either logon procedures.

Meanwhile, Jesus kept on growing wiser and more mature, and in favor with God and his fellow man.

International Standard Version. (2011). (Lk 2:52). Yorba Linda, CA: ISV Foundation.

MacBook Pro macOS Big Sur 11.6 1TB SSD 

Posts 30
Artur Wiebe | Forum Activity | Replied: Fri, Aug 8 2014 1:33 AM

Hello,

thank you for this interesting discussion. Seems that I am a German security guy ;-)

I feel safe at Logos.com, but I also want my personal information (address, credit card, etc.) locked safe in the Logos safe.

What about a text message to the mobile phone when you purchase something like on PayPal?

Or using the Google Authenticator or AlterEgo (www.alteregoapp.com) for logging in?

Artur

Posts 11433
DMB | Forum Activity | Replied: Fri, Aug 8 2014 5:57 AM

Beloved ... Mark's the better source, but from a practical point of view, the fewer times you type in your credentials the better, presuming Logos' cookies are not easily read.  

That said, as you've probably noticed, Amazon, banks, etc 'time-out' the authentication, requiring you to re-log in (as does Apple even with a hardware ID/connect/control).  So there has to be a larger risk on the Logos approach relative to the re-authentication.  But again, Logos just sells books with no access to your full CC.

Artur, a text message is more secure than an email?

"God will save his fallen angels and their broken wings He'll mend."

Posts 13423
Mark Barnes | Forum Activity | Replied: Fri, Aug 8 2014 6:16 AM

Beloved:
If one tends to stay logged on on their platform or platforms of choice, are you more or less (or neither) vulnerable than if you log in and out regularly?

Like many security questions, there are advantages and disadvantages to each approach.

If you stay logged on to a website, then anyone who has physical access to your computer and your computer's account will be able to access that website, and make changes. So if you share a computer with someone you don't trust 100% then you're vulnerable. In that circumstance you should log out of each site that you visit.

On the other hand, if you are frequently logging into sites, you increase the likelihood that somebody 'listening in' might steal your username and password, either through malware installed on your computer, or by intercepting the traffic between you and the server. However, this possibility is greatly reduced by (a) ensuring you have good security software on your PC, and (b) websites making sure you log in over an encrypted connection (i.e. over https), which Logos does.

So it really depends on how secure the computer and its password is. If that's very secure, you don't need to worry too much about logging out of websites like Logos. If it's not secure, then you should.
