
QRZ Security Update: 2FA and Verified Users

Discussion in 'Amateur Radio News' started by AA7BQ, Jun 12, 2019.

  1. K7MD

    K7MD Ham Member QRZ Page

    Thanks for your patience and clear explanations Fred. -K7MD Verified :)
     
    AA7BQ likes this.
  2. G3SEA

    G3SEA Ham Member QRZ Page

    Again, change is the only constant, and this applies to security systems. :cool:

    The long 'life' bios posted on QRZ and other social media systems are also 'fodder' for the hackers.

    G3SEA/KH6
     
  3. KM4KGN

    KM4KGN XML Subscriber QRZ Page

    Unless you were a cop who had me pulled over for a traffic violation, my banker, doctor, or some government agency that needed my ID, I most certainly would NOT allow you to see my drivers license...so you would suspect wrong.

    As far as data crossing the internet being "completely encrypted"...there is no such thing. One need only ask any one of the number of multi-billion dollar corporations and worldwide government agencies that have been "hacked" in recent years, and you will find that internet encryption and an empty sack...is worth a sack.

    I agree that the 2FA is a good idea and would be a quite effective security measure...but the verification thing is "iffy" at best. It's a question of weighing security risk. Frankly if my QRZ account gets hacked...it's not really that big of a deal compared to the damage that can be caused by my ID falling into the hands of unknowns as it is being sent across the WWW.
     
  4. AA7BQ

    AA7BQ QRZ Founder QRZ HQ Staff QRZ Page

    In my imaginary scenario, you would be approaching me, asking for something I was offering. I would say "lemme see your license", and if you said "no", then fine. Next, please.

    This really isn't a big deal. If you don't want to play then I won't stop you. There are enough verified members already to support a vibrant and active swapmeet. We're good.

    My last few replies have been with contrarians. I'm done with that.
     
  5. KW6RON

    KW6RON Premium Subscriber QRZ Page

    I'm on board with 2FA; let's all work together to put scammers OOB (Out of Business).
     
    AA7BQ and W7UUU like this.
  6. KT1F

    KT1F Ham Member QRZ Page

    Just bringing something to your attention related to that. It's a minor thing and simple to fix but important. I'm sure it's just an oversight.

    The forums don't redirect from http to https like they should. It's standard practice. If someone lands on http://forums.qrz.com for some reason, they should be redirected to https://forums.qrz.com.

    This does happen on the rest of the site but not on the forums.

    Links on the site are inconsistent.

    For example: https://www.qrz.com/site.html
    I'm on https
    Click on Discussion Forums
    Now I'm on http. I've seen http links in forum posts that point to other posts which will cause someone to lose the encryption.

    On unencrypted public wifi? Someone can now steal my session cookie.

    If the redirect is fixed then I guess the inconsistent links don't really matter.
     
    Last edited: Jun 14, 2019
    KR3DX and K2NCC like this.
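The two defects KT1F describes (a plain-http page served without a redirect, and a session cookie that a browser will then send in the clear) can be checked offline against a captured response. The following is an added example, not code from KT1F or from QRZ; the responses and the host name forums.example.org are constructed for illustration and were not captured from qrz.com.

```python
"""Audit a response to an http:// request for the two problems raised above:
no redirect to https, and a session cookie lacking the Secure attribute.
Sample responses below are constructed for this example, not real captures."""

from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


def redirects_to_https(status, headers, requested_host):
    """True if the response sends the browser to the same host over https://.
    A 200 page served in the clear, or a redirect to another scheme or host,
    counts as 'no redirect'."""
    if status not in REDIRECT_CODES:
        return False
    target = urlsplit(headers.get("Location", ""))
    return target.scheme == "https" and target.hostname == requested_host


def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, attributes); attribute names are
    lower-cased and flag attributes such as Secure map to True."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def cookie_findings(set_cookie_value):
    """Hardening attributes missing from one Set-Cookie header."""
    _, attrs = parse_set_cookie(set_cookie_value)
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")      # browser also sends it over plain http
    if "httponly" not in attrs:
        missing.append("HttpOnly")    # readable by page script
    if "samesite" not in attrs:
        missing.append("SameSite")    # attached to cross-site requests
    return missing


def cookies_sent_over(scheme, set_cookie_values):
    """Names of cookies a browser attaches to a request made over `scheme`
    ('http' or 'https'): cookies without Secure travel in the clear on http,
    which is the session-cookie leak the post describes."""
    sent = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if scheme == "https" or "secure" not in attrs:
            sent.append(name)
    return sent


def audit_http_response(status, headers, requested_host):
    """Findings for a response to http://<requested_host>/ ; empty list is clean."""
    findings = []
    if not redirects_to_https(status, headers, requested_host):
        findings.append("no http->https redirect")
    for value in headers.get("Set-Cookie", []):
        name, _ = parse_set_cookie(value)
        for attr in cookie_findings(value):
            findings.append(f"cookie {name} lacks {attr}")
    return findings


# Constructed samples (hypothetical host and cookie name), not captured traffic.
WEAK = (200, {"Content-Type": "text/html",
              "Set-Cookie": ["xf_session=abc123; path=/; HttpOnly"]})
FIXED = (301, {"Location": "https://forums.example.org/"})

if __name__ == "__main__":
    for label, (status, headers) in (("weak", WEAK), ("fixed", FIXED)):
        print(label, audit_http_response(status, headers, "forums.example.org"))
    print("sent over http:", cookies_sent_over("http", ["a=1; Secure", "b=2"]))
```

The redirect check accepts only a redirect to https on the same host, so a redirect to an http URL or to another domain is still reported; the cookie check flags Secure separately from HttpOnly and SameSite because only the Secure attribute addresses the public-wifi leak described in the post.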
  7. N0TZU

    N0TZU Platinum Subscriber QRZ Page

    Well, not really I think. HTTPS is secure for sending an image of your license to QRZ (or anything else), once the encryption is established between your browser and the QRZ server indicated by the lock symbol on the URL bar. But other parts of online communications may be plainly visible to the ISP or to anyone on a public WiFi network if using one (which is where VPNs are useful).

    Also, HTTPS certificates can be had cheaply so a crook can set up a phishing site with HTTPS that looks like a legitimate one with a similar URL and harvest login credentials to then hack into an account. This is probably the biggest risk, so you always need to look carefully at the URL (and/or at the certificate) if you type it in or copy/paste from an untrusted source.

    Your IDs are probably already in multiple databases anyway, hopefully in encrypted form but you never know if someone got sloppy. For example, I just got back from an international trip. My photo was taken and my passport was scanned by the US immigration entry kiosk which verified my identity. Is that secure? I hope so, but there wasn’t any choice.

    At least QRZ deletes the ID image right away as they have no reason to keep it, in fact it would be a liability to keep it.
     
    KR3DX likes this.
  8. WZ4K

    WZ4K Premium Subscriber QRZ Page

    Fred,

    How does 2FA affect applications such as DX Lab and JTAlertX that reach out to QRZ for data? 73, Howard
     
  9. K7JEM

    K7JEM Ham Member QRZ Page

    I think there is a little more to it than that. There is a difference between asking to see someone's license, and asking to take a picture of it and forward it to your office for employees to check it out. The QRZ verification is more like the latter.

    But the 2FA is a good thing. The "picture ID" may or may not prove anything, since a photo ID would be pretty easy to mock up, by anyone with more than rudimentary skills in Photoshop or equivalent software. I don't think the QRZ employees have all sources available to verify every sort of ID that comes their way, since there are hundreds of permutations. And, since the ID is deleted immediately, there is no way to go back and double check at a later time.

    Here is a scenario that would prove problematic. The scammers "get wise" and realize that the 2FA makes it hard to "phish" for existing accounts. But there are hundreds of thousands of valid callsigns of people that are not members of QRZ. The "bad guy" contacts QRZ and claims a callsign as his, gets assigned a user name with that call, then sets up 2FA to his own cellphone and gets verified via a fake ID with photo. He can do this multiple times, with no one being the wiser. Then he lists items for sale as a "verified" user. It might be several weeks before it was realized that the guy was a scammer; he could take US Postal Service money orders or checks for payment, thus avoiding PayPal totally, and bypassing any protection that might have been afforded.

    I don't know what the solution is, scammers are smart at scamming. The best thing I can think of is to call the person on the phone and talk with them when you are making a purchase of more than a few bucks. If "Bill Anderson" sounds like a Nigerian woman (or knows nothing about ham radio), you may be getting played.
     
    KR3DX, VE7JBX, KD8DWO and 2 others like this.
  10. N3GY

    N3GY XML Subscriber QRZ Page

    I agree 100%, up to 1,000,000,000% true. Thank you Fred for sharing this info with us here.

    Best Regards

    73's de Hilton - N3GY
     
  11. KK3Q

    KK3Q Ham Member QRZ Page

    Easy, peasy...
     
  12. K1YYI

    K1YYI Ham Member QRZ Page

    You have no right to see my ID (or Ham ticket for that matter).

    This.
     
  13. K1YYI

    K1YYI Ham Member QRZ Page

    In my real job we routinely intercept SSL and HTTPS streams to decrypt, then analyze the contents and "re-inject" the data with the same encryption. This is transparent to the sender and receiver and they have no idea we just peeked at their stuff. We don't even need access to your system, just an IP. (and sometimes even less)

    Really, nothing is safe. What if I told you we had equipment that could capture screen images and keystrokes from an air gapped system from across the street? That's why I don't put too much confidence in HTTPS, but if it helps you sleep better at night then that's fine.
     
    N8DAH, KR3DX and K2NCC like this.
  14. M0LMK

    M0LMK XML Subscriber QRZ Page

    I would say you're working for an alphabet agency and using something that was built on the success of TEMPEST...
     
    Last edited: Jun 14, 2019
    N0TZU likes this.
  15. N0TZU

    N0TZU Platinum Subscriber QRZ Page

    Nothing is safe but, from whom and with what effort?

    Clearly intelligence agencies can intercept and decrypt many things (all the traffic routed through agency hardware at the ISP or...?). Correct me if I'm wrong, but I really doubt many hackers have that sort of capability in place. And if they did, I don't think they would bother with relatively low level stuff like scamming hams for a few hundred or maybe a thousand dollars when there are juicy financial or commercial targets to go after.

    I think that QRZ is doing what they reasonably can to throttle the typical scammers and I'm glad they are. That it wouldn't necessarily stop the NSA, FBI or some other country's intelligence service is really irrelevant to me.
     
    Last edited: Jun 14, 2019
    KO5V and AA7BQ like this.
