Re: security questions
On Aug 6, 2008, at 12:17 PM, Leichter, Jerry wrote: For Web sites these days, I generate random strong passwords and keep them on a keychain on my Mac. Actually, the keychain gets synchronized automatically across all my Mac's using .mac/MobileMe (for all their flaws). When I do this, I enter random values that I don't even record for the security questions. Should something go wrong, I'm going to end up on the phone with a rep anyway, and they will have some other method for authenticating me (or, of course, a clever social-engineering attacker). An except from my recent blog post: Now, this topic is not new. Bruce Schneier wrote about it a few years ago [2]. Schneier says that he “type[s] a completely random answer,” but consider this anecdote: a colleague of mine uses the same technique. He called up customer service once, who then asked him, “what’s the answer to your security question?” He said, “some random numbers.” The response was “okay.” So picking random numbers might be less secure than picking a realistic answer? :-) [2] http://www.computerworld.com/securitytopics/security/story/0,,99628,00.html -- Apu Kapadia, Ph.D. UIUC 2005 Research Assistant Professor Department of Computer Science, Dartmouth College, USA http://www.cs.dartmouth.edu/~akapadia/ - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: security questions
Peter Saint-Andre wrote: [list of security questions snipped] *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... You might enjoy reading Ari Rabkin's recent paper at SOUPS 2008 on this issue: "Personal knowledge questions for fallback authentication: Security questions in the era of Facebook" Ariel Rabkin http://www.cs.berkeley.edu/~asrabkin/bankauth.pdf He has slides as well: http://www.eecs.berkeley.edu/~asrabkin/rabkin.pdf -David Molnar signature.asc Description: OpenPGP digital signature
Re: security questions
On Wed, Aug 6, 2008 at 9:23 AM, Peter Saint-Andre wrote: > > Wells Fargo is requiring their online banking customers to provide answers to > security questions such as these: > > *** > > What is name of the hospital in which your first child was born? ... > What was your most memorable gift as a child? > > *** > > It strikes me that the answers to many of these questions might be public > information or subject to social engineering attacks... > > Peter Of course, this problem isn't limited to Wells Fargo: I think pretty much all banks do it. I've given this some thought, and am writing a program called "maiden" (short for "mother's maiden name") for cryptographically answering these questions. The basic idea is that you take either a pass phrase or strong secret, combine it with the question, compute the SHA hash, and use this to create a word that looks semi-pronounceable as the answer to the question. Right now, I don't answer any of these questions with any guessable information -- it's all the result of a cryptographic operation on the question and a hidden secret. Cheers, -Matt -- Thanks! Matt Ball, IEEE P1619.x SISWG Chair M.V. Ball Technical Consulting, Inc. Phone: 303-469-2469, Cell: 303-717-2717 http://www.mvballtech.com http://www.linkedin.com/in/matthewvball - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: security questions
Chris Kuethe wrote: On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre <[EMAIL PROTECTED]> wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** ... *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... Lie. I don't actually give the real answers to those questions for just that reason. Make up some plausible and memorable words (maybe using a tool like "yould"), and pick your mother a new random name from the phone book. Oh, I know we're smart enough to do that, but I doubt that your typical Facebook user will realize that their high school and best friend's first name (etc.) are public information. Peter smime.p7s Description: S/MIME Cryptographic Signature
Re: security questions
On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre <[EMAIL PROTECTED]> wrote: > Wells Fargo is requiring their online banking customers to provide answers > to security questions such as these: > > *** > ... > *** > > It strikes me that the answers to many of these questions might be public > information or subject to social engineering attacks... Lie. I don't actually give the real answers to those questions for just that reason. Make up some plausible and memorable words (maybe using a tool like "yould"), and pick your mother a new random name from the phone book. -- GDB has a 'break' feature; why doesn't it have 'fix' too? - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: security questions
On Wed, 6 Aug 2008, Peter Saint-Andre wrote: | Wells Fargo is requiring their online banking customers to provide | answers to security questions such as these: | | *** | | What is name of the hospital in which your first child was born? | What is your mother's birthday? (MMDD) | What is the first name of your first roommate in college? | What is the name of the first street you lived on as a child? | What year did you start junior high/middle school? () | What is your oldest sibling's nickname? | What is your dream occupation? | What is your spouse's nickname? | In what city was your father born? | What is the name of the high school you attended? | What is your best friend's first name? | What is the name of the junior high/middle school you attended? | What is the first name of your maternal grandfather (mother's father)? | What is the name of your favorite childhood superhero? | In what city did you meet your spouse? | In what city did your parents meet? | In what city did you attend high school? | What is name of the hospital in which you were born? | What is the last name of your favorite teacher? | In what city was your maternal grandmother (mother's mother) born? | What was your most memorable gift as a child? | | *** | | It strikes me that the answers to many of these questions might be | public information or subject to social engineering attacks... These kinds of questions used to bother me. Then I realized that *I could lie*. As long as *I* remember that I answer "What is your mother's maiden name" with "xyzzy", the site and I can be happy. Well ... happier, anyway. The only way to remain sane if you take this approach is to use the same answer at every site that asks these security questions. But that's not good, especially since most of these sites appear to make the *actual value you specified* available to their call centers. This is nice if you can't remember the exact capitalization you used, but it does, of course, leak more information that you'd rather have out there readily accessible. For Web sites these days, I generate random strong passwords and keep them on a keychain on my Mac. Actually, the keychain gets synchronized automatically across all my Mac's using .mac/MobileMe (for all their flaws). When I do this, I enter random values that I don't even record for the security questions. Should something go wrong, I'm going to end up on the phone with a rep anyway, and they will have some other method for authenticating me (or, of course, a clever social-engineering attacker). The only alternative I've seen to this whole approach is sold by RSA (owned by EMC; I have nothing to do with the product, but will note my association with the companies) which authenticates based on real-world data. For example, you might be asked where you got coffee this morning if your credit card shows such a charge. This approach is apparently quite effective if used correctly - though it does feel pretty creepy. (They were watching me buy coffee?) -- Jerry - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
security questions
Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** What is name of the hospital in which your first child was born? What is your mother's birthday? (MMDD) What is the first name of your first roommate in college? What is the name of the first street you lived on as a child? What year did you start junior high/middle school? () What is your oldest sibling's nickname? What is your dream occupation? What is your spouse's nickname? In what city was your father born? What is the name of the high school you attended? What is your best friend's first name? What is the name of the junior high/middle school you attended? What is the first name of your maternal grandfather (mother's father)? What is the name of your favorite childhood superhero? In what city did you meet your spouse? In what city did your parents meet? In what city did you attend high school? What is name of the hospital in which you were born? What is the last name of your favorite teacher? In what city was your maternal grandmother (mother's mother) born? What was your most memorable gift as a child? *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... Peter smime.p7s Description: S/MIME Cryptographic Signature
Security breeches of the day
[From my daily New York Times news summary] 11 Charged in Theft of 41 Million Card Numbers By BRAD STONE Authorities said the scheme was spearheaded by a Miami man who hacked into several retailers' computer systems. http://www.nytimes.com/2008/08/06/business/06theft.html Russian Gang Hijacking PCs in Vast Scheme By JOHN MARKOFF The gang has infected thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found. http://www.nytimes.com/2008/08/06/technology/06hack.html [The depressing bit is how banal both stories have become. --Perry] -- Perry E. Metzger[EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]