Another logistical challenge arises if the property is protected by multiple cameras. The blackout period referenced here (generally shy of 90 seconds) could be enough time to force entry, but it’s unlikely to be enough to complete the crime and escape. Hence, a network of nine or ten cameras may make this hole fairly trivial.
Those disclaimers all disclaimed, for the typical home that might have just one camera focusing on the front door, this could be a very significant hole.
So why didn’t Google fix it in the months it was given? Did it fear that confirming the hole’s existence — which a patch would presumably do — would undermine Google’s marketing messaging? That would be a terrible reason to leave a hole unpatched, but without a better explanation offered by Google, it’s a place to start.
Another question: Why was Bluetooth access enabled for a security device designed to be mounted outdoors? Bluetooth generally has weak, if any, authentication, on the premise that extreme physical proximity implies authorization. Does that premise hold up in the case of an outdoor security camera?
Now we turn to eBay. It asked customers who already had good security to soften their defenses.
Part of the rationale is the age-old security-versus-convenience thinking, where companies fear that insisting on robust security will inconvenience customers to the point where they don’t bother or where they will look for companies that are easier to work with. But that doesn’t seem to be the key issue here, since eBay was approaching customers who were already using better security.
The particulars of the eBay situation were laid out in a story in KrebsOnSecurity.
eBay wanted Brian Krebs “to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message,” the story said. “I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option. The move by eBay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication. NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception, noting that thieves can divert the target’s SMS messages and calls to another device, either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks.”
eBay apparently said that the change “was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multifactor authentication options in the future.”