

norwegian
Premium
join:2005-02-15
Outback
reply to Snowy

Re: Secret Security Questions Are a Joke

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

Okay, I will play along with this.

You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.

You can take a horse to water but you can't make it drink.

This is the dilemma faced.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless

said by norwegian:

You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.

Ok, but the incurable weak link is the user.
Shouldn't the system be held accountable for a weak point that's 100% certain to fail?
There is a system check that would eliminate the common password weak point at a critical stage.
If site A were to ping the associated email account using the same password used for its domain it would clearly show a common password in use. Then it's just a matter of forcing a unique password.


norwegian
Premium
join:2005-02-15
Outback
reply to Name Game

said by Name Game:

Yes well if you are Mat..you did not complain about security questions.

Funny you should say that, in this case especially in regards to security questions:

quote:
When hackers broke into Mat Honan's Apple account late last week, they couldn't answer the security questions designed to verify his identity.
What could he/she answer then? I have read the full story and it seems quite relevant. I will say I've had an issue not relative to security questions, but the end result was just as scary:

Let me elaborate;
I had a new bank card lost/stolen twice, the second time it had the new pin with it, because it turned up on a Friday and I had no time to deal with changing it to something I'd remember, the end result was.
1. $800 was taken before I notified the bank to cease all transactions until Monday when I would present myself in person.
2. There was a phone call placed to reopen the funds by a third party, lift the daily limit to $2,000, which factually had to be processed on paper with your signature according to the rules they had in place, and by the end of the weekend a vast sum had disappeared.
3. I went into the bank Monday and to my surprise, there was very little left in this account. Luckily the manager was understanding and I wasn't rude, but I did get back every penny after I made that first call to close the account.

quote:
No matter, Apple issued them a temporary password anyway setting off a chain of hacks that laid waste to Honan's digital life.
The Apple support - user to keyboard interface virus has infected the Internet?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



JALevinworth

@embarqhsd.net
reply to Snowy

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

That's exactly my take on it and is at the heart of these problems. After all, the system is built by people as well. Development should always include the human factor. It's not how a product is intended to be used that's important - it's how it IS used in reality that needs to be considered in design and re-design.

After all it is the developers who are tasked with making it secure - I'm not taking a swipe at developers, btw. Used to be one myself. So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security. Motivating accountability to design secure systems is yet another hurdle.

Granted, there is a lack of security training and adherence by end-users - But, they will do what they are asked for the most part (ex: answering honestly a security question).

-Jim


norwegian
Premium
join:2005-02-15
Outback

said by JALevinworth :

So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security. Motivating accountability to design secure systems is yet another hurdle.
-Jim

And we know big corporations' priorities nowadays do not lie with security and / or an efficient accurate system, but with keeping shareholders happy.

So many times a short quick high bearing result, can turn ugly down the road because of the ramifications of the end results failing long term.

Will we see an authentication process adopted across the board that bypasses the needs of big corporations and sticks to the essence of the matter, secure authentication methodology as a standard, IE, not patented by one company and charged accordingly?

For the matter of this topic though:
Would allowing the end user to make his or her own security questions help the authentication process and help take the weight off the companies involved including liabilities, and provide us with a better system? I don't think it would but it sounds better as a band-aid fix, as long as that same Apple support person did not get involved and just bypass it altogether.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



norwegian
Premium
join:2005-02-15
Outback
reply to antdude

In regards to the Apple support person who bypassed the security questions in Mat's case. In his or her defense, I have seen it numerous times for me, so how they do it for the mass is beyond me.

When authenticating your account, whatever means required, security questions and the like, as in this case, if you cannot remember the correct login details for the phone conversation or online transaction, and remember you are not allowed to write them down and store them in your wallet, you quite often find your birth date, address etc. become the next line of clearance, similar to the credit card's last 4 numbers in Mat's case. If your wallet is stolen or somewhere on the Internet your credentials are freely visible, say for argument's sake a Google search gave you enough for the process, then you have already had your accounts hacked, cracked by social engineering (sorry Kilroy, couldn't help it).

The support person cannot be blamed for this also inherent weakness in the system's process, and sorry, I don't have a magical answer to it all either.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



JALevinworth

@embarqhsd.net
reply to norwegian

said by norwegian:

said by JALevinworth :

So I know ultimately the responsibility lies at the feet of the corporation whom they are in employ to ensure security. Motivating accountability to design secure systems is yet another hurdle.
-Jim

And we know big corporations' priorities nowadays do not lie with security and / or an efficient accurate system, but with keeping shareholders happy.

So many times a short quick high bearing result, can turn ugly down the road because of the ramifications of the end results failing long term.

Will we see an authentication process adopted across the board that bypasses the needs of big corporations and sticks to the essence of the matter, secure authentication methodology as a standard, IE, not patented by one company and charged accordingly?

For the matter of this topic though:
Would allowing the end user to make his or her own security questions help the authentication process and help take the weight off the companies involved including liabilities, and provide us with a better system? I don't think it would but it sounds better as a band-aid fix, as long as that same Apple support person did not get involved and just bypass it altogether.

To the first part; Exactly. Couldn't have said it better myself.

As to the second; allowing a free-form question is a better alternative but how many end users (now already trained with the standard type questions) would just create one that could be answered with publicly available or easily socially engineered info anyway? Probably many.


JALevinworth

@embarqhsd.net
reply to norwegian

said by norwegian:

said by Snowy:

said by norwegian:

... It does highlight the inherent weakness of the authentication system.

Hmm, OK, that I'd be willing to debate.
The weakness is not the 'system' as much as it is the users.
But then I suppose it can be argued that the system should have built in self defense mechanisms against a known weak link (users) in the chain.

Okay, I will play along with this.

You can engineer a fail safe system that is perfect; but if it is not designed around the user needs it becomes ineffective in its end resolve.

You can take a horse to water but you can't make it drink.

This is the dilemma faced.

Exactly. Not having seen this, I just finished posting the same point (sorry in advance to Snowy too for the unintended duplicity).


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to antdude

Account recovery is really the issue and that is broken.

»www.oneid.com/thoughts/epic-acco···dnt-help


MaynardKrebs
Premium
join:2009-06-17
kudos:4
reply to antdude

Apple Hires Former NSA for Security Post

»www.cultofmac.com/78455/apple-hi···ty-post/

Judging from what we've seen, I'd guess that little has been going into consumer-side security. I wonder if this hire was to bolster the NSA's view into Apple customer data in the cloud.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to antdude

My Amazon Web Services security questions are:

Security Response #1?
Security Response #2?
Security Response #3?

(this is one of the choices offered by AWS, not something I made up)

which gets round the public-records aspects of the matter, but it means now I have to remember a three-part password that I never use, just in case I forget the password that I use more frequently. So while this seemed like a good idea at the time, now I'm not so sure.


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to Snowy

said by Snowy:

If site A were to ping the associated email account using the same password used for its domain it would clearly show a common password in use. Then it's just a matter of forcing a unique password.

And of calling the email provider to reset my password because Site A was the 10th site I've been changing my password on today, and all those wrong-password probes from Sites ABCDEFGHIJ have locked out my email account.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2


reply to antdude

quote:
Bridgekeeper: Hee hee heh. Stop. What... is your name?
King Arthur: It is 'Arthur', King of the Britons.
Bridgekeeper: What... is your quest?
King Arthur: To seek the Holy Grail.
Bridgekeeper: What... is the air-speed velocity of an unladen swallow?
King Arthur: What do you mean? An African or European swallow?
Bridgekeeper: Huh? I... I don't know that.

Didn't work out so well for the Bridgekeeper.
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

You must only use sites that give you the pledge.


Spy
Premium
join:2001-09-22
NE
reply to MaynardKrebs

said by MaynardKrebs:

Apple Hires Former NSA for Security Post

»www.cultofmac.com/78455/apple-hi···ty-post/

Judging from what we've seen, I'd guess that little has been going into consumer-side security. I wonder if this hire was to bolster the NSA's view into Apple customer data in the cloud.

Shit, not the NSA again. My plastic gloves and garter belts need repairing, so I will be forced to buy more blow up dolls with puckered lips if you keep mentioning that agency.


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless
reply to dave

said by dave:

And of calling the email provider to reset my password because Site A was the 10th site I've been changing my password on today, and all those wrong-password probes from Sites ABCDEFGHIJ have locked out my email account.

We are talking about security/account hijacking.
Looks good to me.

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4
reply to Name Game

said by Name Game:

I like them too. Some others that are used at sites one can choose from include:
What is your childhood nickname?
What is your father's middle name?
What was your mother's maiden name?

If you want to get fancy just use those questions..but put in info as if it was your spouse for your own account.

Many other sites are now including a small avatar type graphic that you must confirm..that you chose when setting up the account. And then even asking if you are now at the login on your home computer or a public one.

My local bank has been requiring a graphic I chose and must confirm each time I login since about forever....well, not that long, but for a long time now. This is nothing new ....but then my local bank was the FIRST bank in the nation to have online banking. I got an invitation to join the beta many years ago. I was doing online banking when the percentage of those doing it was very tiny. This bank has won many awards (especially back in the beginning of online banking) as being the best banking site (along with being the best bank in America now for three straight years according to Forbes and others).

This same bank uses those questions you mentioned and also questions like "Where was your mother born?" "What is your father's astrological sun sign?" They have really good questions. Usually, I am asked two questions. They also request to register your personal computer and have been quite responsive the couple of times, over the years, that I have noticed something not as secure as it should be. This bank also practices proper privacy/security by asking for User ID on the first secure page and then collecting your password on the next secure page.

What throws me is when a different local bank, or the landline phone company here, asks me for the answer to my security question and I have no idea what that is. I don't know what triggers the teller/CSR asking for that as it has happened rarely. They won't tell me what the security question is and, when this happened the first time many years ago, and then years later again, at both places I didn't even remember ever setting a security phrase on the phone or bank account. It took me several days to remember because I had no clues at all to help me remember. When I finally recalled it, I was proud of myself because I had used a question (made up by me) and answer that no one but me would know the answer to.

Then about a year ago, out of nowhere, my cable company suddenly asked me for a pin number when I called them about an internet connection problem. I did not remember ever setting a pin number with them, as they had never wanted me to set one as far as I could recall, and I didn't think that was necessary anyway with the cable company, as I pay my bill in person each month and never login to my billing account at their website, which I suppose you can do if you have set it up, but I never set anything like that up. Yet, they suddenly demanded a pin number before they would help me with my internet problem. I had to hang up with no help because I had no idea what it was. I thought about it for a while and called back and gave several possible pin numbers (of course, not the same pin numbers I use for automatic teller machines) until the CSR said one of them was the correct one. I still don't understand why they need that, and I have not been asked recently when I have called them, so something triggers needing it sometimes I guess.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4
reply to hortnut

I was in grad school at the Ohio State University in 1970 and got tear gassed by the National Guard more than once. I was just trying to teach my speech communication class that happened to be in Derby Hall where all the Administration's records were housed in the basement...I wasn't trying to destroy the records. The student riots and then Kent State got OSU shut down for the rest of that spring semester.

Making up a name is good...IF you can remember it!
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



DrDrew
So that others may surf.
Premium
join:2009-01-28
SoCal
kudos:12


reply to Mele20

said by Mele20:

What throws me is when a different local bank, or the landline phone company here, asks me for the answer to my security question and I have no idea what that is.
...

Then about a year ago, out of nowhere, my cable company suddenly asked me for a pin number when I called them about an internet connection problem. I did not remember ever setting a pin number with them as they had never wanted me to set one as far as I could recall and I didn't think that was necessary anyway with the cable company as I pay my bill in person each month and never login to my billing account at their website which I suppose you can do if you have set it up but I never set anything like that up. Yet, they suddenly demanded a pin number before they would help me with my internet problem. I had to hang up with no help because I had no idea what it was. I thought about it for awhile and called back and gave several possible pin numbers (of course, not the same pin numbers I use for automatic teller machines) until the CSR said one of them was the correct one. I still don't understand why they need that and I have not been asked recently when I have called them so something triggers needing it sometimes I guess.

The "extra" security is required by companies providing phone service (including cable companies) due to a 2007 FCC regulation of CPNI. You can usually find your initial PIN code on your billing statement although it may not specifically be called a PIN code. They don't need the codes when conducting transactions in person because they should be checking ID instead when making account changes or asking for certain account info.

On your Oceanic bill the code is listed as your "Customer Code":
»www.timewarnercable.com/Hawaii/s···e-and-ho
»www.oceanic.com/help/about_your_···ead_bill

Examples from other cable companies requiring PIN codes:
Charter: »www.myaccount.charter.com/custom···eid=1955
Cox: »ww2.cox.com/residential/centralf···00000000
Comcast: »forums.comcast.com/t5/Voice-Serv···p/863267
--
If it's important, back it up... twice. Even 99.999% availability isn't enough sometimes.


workablob

join:2004-06-09
Houston, TX
kudos:2
Reviews:
·Comcast


reply to antdude

My company just gave us all access to our payroll info online and the company that provides it asks you to set a reminder phrase for your password.

Like if your password is your dog's name they say "use My Dog".

No need for stinkin' complex passwords on a payroll site.

Just...WOW! Really?

D'Ave
--
I may have been born yesterday. But it wasn't at night.


Cheese
Premium
join:2003-10-26
Naples, FL
kudos:1
reply to Name Game

such a beautiful cat!


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4


reply to DrDrew

That customer code on the bill is NOT my pin number. Plus, Oceanic has a sign now (where the line starts) when you go in to pay your bill that you need to know your pin number because the CSR will ask for it (although they don't ask me for it...but then they all know me). That is the same as with my bank and the security question. The bank asks for it when you are there IN PERSON. Photo ID is not acceptable by itself. PIN must be supplied at the bank and (according to their new sign) at the Oceanic customer service desk. Your PIN for Oceanic is 4 numbers but not what is on your bill. Your PIN wouldn't be on your bill for anyone who had access to your bill to see. Besides, your pin would be chosen by you, not assigned by Oceanic, which is how that customer code is arrived at...it is assigned by Oceanic.

That Customer code is for those who have TWC phone service which I do not have. The FCC regulation of CPNI applies to phone service not to internet service. So, I still don't know why SOMETIMES Oceanic has asked for my pin when I have called about a Road Runner problem. I don't get the point of the FCC's requirement if it also applies to something like internet service. You can change your internet service via email and no pin number is asked for. Seems to me the FCC regulation is to protect from outside parties getting access to the phone calls you have made. Another reason to keep a landline (with unpublished and unlisted number even though the monthly fee for that has more than doubled starting next month). Bundling things is never a good idea privacy wise.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Snowy

said by Snowy:

said by dave:

And of calling the email provider to reset my password because Site A was the 10th site I've been changing my password on today, and all those wrong-password probes from Sites ABCDEFGHIJ have locked out my email account.

We are talking about security/account hijacking.
Looks good to me.

Friend of mine was going to do that last week..but alas we lost him...was a good man..we all knew him well. He did give me the answers to all his security questions.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
Reviews:
·Time Warner Cable
·Clearwire Wireless

said by Name Game:

He did give me the answers to all his security questions.

He messed with your head till the end, goodhearted trooper that he was.
Here's the answers to 3 of my security questions that I can recall.
1. Alice
2. Rust
3. nowayjose


norwegian
Premium
join:2005-02-15
Outback


Post your passwords to Facebook, they should be safe there for when you forget - even list the sites they are for in categories.

/sarcasm



Burntone

@rr.com
reply to antdude

You should NEVER make the answers to security questions "real" or true.

Some sites allow you to create your own question, make sure the answer doesn't make any sense related to the question.

Hey, we still have people that use the same password for everything, enter all their personal information responding to an email from their "Bank", and give their bank information so their "winnings" can be deposited into their account.


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:4

Why not answer them truthfully? No one would know my mother's maiden name or my father's astrological sun sign, etc. Maybe for you tons of people know your mother's maiden name and your father's astrological sun sign but that doesn't mean this would necessarily be true for other folks. Common sense needs to be applied by each person answering security questions. It is not a blanket deal.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS


I feel fairly safe since I didn't grow up in this country and am not famous, so the average hacker would have a hard time finding out where I went to 'high school', or even if I ever went to anything called a high school.

The only risk is that the pool of possible questions seems a little small, so the 'high school' question is apt to show up on multiple sites; it's therefore got the same risk factor as username-and-password reuse.



AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to Kilroy

said by Kilroy:

I don't have a better solution, other than don't forget/lose your password.

Lose your password, go to a local agent (Best Buy, Apple store, Dell store) and show your state issued photo ID or passport.

Edit: actually a local bank would probably do nicely as "local id agent".
--
--Standard disclaimers apply.--
The preceding posting is null and void in Arizona and any other jurisdiction where prohibited by law.