Ask a computer security expert.
#25
RE: Ask a computer security expert.
(May 28, 2015 at 12:10 am)Tiberius Wrote:
(May 27, 2015 at 4:15 pm)KevinM1 Wrote: Hey Tib, thoughts on the veracity of this AV chart?

http://chart.av-comparatives.org/chart1.php

I'm currently using BitDefender for my PC and Android phone based on the numbers there.

Also, what would you have done differently than the IRS to prevent the breach?  In case you're not aware, 100,000 people's tax records were stolen from the IRS' transcript site.  It used weak authentication - just an SSN and valid email address - and people who had stolen others' identities simply entered their stolen info, provided an email address, and had unfettered access to those individuals' records.

Talking with a friend, I suggested two factor authentication, but access could be a problem since not everyone owns/has access to a cellphone or PC.  Is there anything else that could be done in that case?

AV-Comparatives are pretty thorough and open about their testing techniques, so I'd definitely trust them as an independent testing organisation. From the looks of the graph, BitDefender seems like a good choice. Might have to switch over from Kaspersky when our license runs out.

Cool beans.  I know something about security on the web side of things, given what I do.  Like, not falling for database injections, XSS, that sort of thing.  I'm not too familiar with desktop solutions, however, which is why I asked about the chart.  Seems like there's a ton of different sources pointing at different products for different reasons, and since I'm the family's 'computer guy', I want to make sure I don't self-sabotage.

Tiberius Wrote: As for the IRS breach, I believe more validation of the user identity should have been performed. For instance, you should not be able to take a social security number and a mailing address (both of which are pretty easy pieces of information to get...your employer likely has both) and get copies of tax records. Rather, what should happen is the following:

1) User without an IRS.gov account enters their SSN and address.
2) IRS.gov checks the SSN and address match what they have on file, and asks user to enter an email address / username.
3) IRS.gov then mails a randomly generated password to the user's mailing address, which they can combine with their username to log in.

It's not a perfect system, as a really dedicated attacker could sit and wait for the mail I suppose, but ultimately those cases of fraud are going to happen one way or the other anyway.

Yeah, the problem really lies with the SSN.  If someone else has it, it doesn't matter what else you do.  The thief can simply provide an address (electronic or otherwise) that exists, or a secondary identifier (phone #).  I wonder if working backwards would make more sense.  Have someone enter in their real name, real address, and an email address.  Then send out a tokenized link that brings them to a SSL-protected form where they enter in their SSN as the final check.  Lock them out after 3-5 failed attempts.  It won't stop an identity thief from succeeding, since they'll already have the SSN, but on the surface it seems a little better than just giving everything away to a specified email address when the SSN matches.  At the very least, there are more breakpoints involved, as every piece of data entered up to the SSN would be checked.
"I was thirsty for everything, but blood wasn't my style" - Live, "Voodoo Lady"
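As an added example (not code from the thread, KevinM1, or the IRS), here is how the "work backwards" flow sketched above could be implemented: match name, address and email first, email a single-use token, take the SSN last on the tokenized form, and lock the record after a handful of failed attempts. The record store, salt, sample taxpayer data, 15-minute token expiry and lockout threshold of 5 are all constructed assumptions; as the post itself notes, this does not stop a thief who already holds the SSN.

```python
# Added example (not from the thread): the "work backwards" enrollment flow
# as a defender would implement it. Record store, salt and sample data are
# constructed for illustration only.
import hashlib, hmac, secrets, time

MAX_FAILURES = 5          # lock after a handful of failed SSN attempts (post says 3-5)
TOKEN_TTL = 15 * 60       # constructed assumption: emailed links expire after 15 min

def _h(value: str) -> str:
    # Store only a salted hash of the SSN so a record leak does not expose it.
    return hashlib.sha256(("fixed-demo-salt:" + value).encode()).hexdigest()

# Constructed taxpayer record: (name, address, email) -> hashed SSN.
RECORDS = {("Jane Doe", "1 Main St", "jane@example.com"): _h("123-45-6789")}

class Enrollment:
    def __init__(self):
        self.pending = {}    # token -> [record key, expiry, failure count]
        self.locked = set()  # record keys locked after too many failures

    def start(self, name, address, email):
        """Step 1: name/address/email must all match before anything is sent."""
        key = (name, address, email)
        if key not in RECORDS or key in self.locked:
            return None      # send nothing; give no hint which field was wrong
        token = secrets.token_urlsafe(32)   # unguessable, single-use link token
        self.pending[token] = [key, time.time() + TOKEN_TTL, 0]
        return token         # in production this goes only into the emailed link

    def confirm(self, token, ssn):
        """Step 2: the SSN is the final check on the tokenized (HTTPS) form."""
        entry = self.pending.get(token)
        if entry is None or time.time() > entry[1]:
            self.pending.pop(token, None)   # expired or unknown: discard it
            return "invalid"
        key = entry[0]
        if hmac.compare_digest(_h(ssn), RECORDS[key]):
            del self.pending[token]   # single use: consume the token on success
            return "verified"
        entry[2] += 1
        if entry[2] >= MAX_FAILURES:
            self.locked.add(key)      # lock the record itself, not just the token
            del self.pending[token]
            return "locked"
        return "retry"
```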