I’ve written about this before: too many websites ask you to confirm your identity via questions that are comparatively easy to crack.
Today, like buses, two very well-argued essays arrived at once, both arguing that this is a major shortcoming of Internet security, and indeed of banking security in general.
The anatomy of the Twitter attack:
Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use - which often is to say, very weak.
[…]
Giving the user an option to guess the name of a pet in lieu of actually knowing a password is just dramatically shortening the odds for the attacker. The service is essentially telling the attacker: “we understand that guessing passwords is hard, so let us help you narrow it down from potentially millions of combinations to around a dozen, or even better, if you know how to Google, just one”. The problem is not the concept of having an additional authorization token, such as a mother’s maiden name, that can be used to authenticate in addition to a password; the problem arises when it is relied on alone, when the answer is stored in the clear in account settings, and when users end up using the same question and answer combination on all of their accounts.
And via Danny O’Brien, why credit card security is flawed also:
Too much customer data is used for multiple purposes, in ad hoc stop-gap fixes for security problems.
[…]
biographical data and service history are now useless as authenticators. But they should never have been used as such in the first place. It might have seemed clever at the time to use “shared secrets” like account balance on an ad hoc basis to authenticate customers, but as a weapon against identity theft, it’s precisely like putting out fire with gasoline.
[…]
Privacy suffers the more so because regular data becomes attractive to thieves when it is re-used in authentication. And customer convenience deteriorates as each service takes its own idiosyncratic approach to knowledge-based authentication, and what’s worse, keeps changing its own approach in the cyber crime arms race.
Yesterday I was messing about with banking websites, and they were asking me “security questions” such as my father’s first name. I felt faintly proud that my father went by his middle name, so his first name was slightly more obscure. We can do better than that.
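As an added illustration (my own sketch, not code from either essay), here is the minimum a service should do with a security answer, given the Twitter-attack excerpt above: never keep it in the clear, cap the number of guesses so that “around a dozen” candidates cannot all be tried, and never let the answer authorise a reset on its own. The PBKDF2 parameters, the lockout threshold and the sample answers are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

ROUNDS = 100_000      # assumed PBKDF2 work factor
MAX_FAILURES = 5      # assumed lockout threshold; well below a "dozen" likely pet names


def normalize_answer(answer: str) -> str:
    """Canonicalise so ' Fluffy' and 'fluffy' compare equal (unicode, case, whitespace)."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def store_answer(answer: str) -> dict:
    """Return the record to persist: a per-record salt and a slow hash, never the plaintext."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ROUNDS)
    return {"salt": salt, "digest": digest, "failures": 0}


def check_answer(record: dict, candidate: str) -> bool:
    """Verify a candidate against the stored hash, counting failures and locking out."""
    if record["failures"] >= MAX_FAILURES:
        return False  # locked: even the right answer is not evaluated any more
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(candidate).encode(),
                                 record["salt"], ROUNDS)
    if hmac.compare_digest(digest, record["digest"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    return False


def may_reset_password(record: dict, candidate: str, second_channel_ok: bool) -> bool:
    """Policy: the answer is only ever one input; an independent proof (e.g. a code sent
    to a verified channel) must also succeed. The answer alone never authorises a reset."""
    if not second_channel_ok:
        return False
    return check_answer(record, candidate)
```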