Re: security questions
IIRC, it used personal data already available to DEC -- so they didn't have to ask their employees for it That works great so long as the personal data is accurate. Banks these days are supposed to verify your identity when you open an account. Online banks pull your credit report anyway, so they make up some verification questions from historical info in the report. I'm regularly asked which of four street addresses I've lived at. Unfortunately, in my case the correct answer is invariably none of them. I'm part owner of a relative's house in New Jersey, and the credit bureaus all are sure that since my name is on the deed, that must be where I live. So that's the address that shows up. Adding to the excitement, they often ask what city, to which the answer would still be none of them even if I lived in that house. It's in Lawrenceville, but I guess it gets mail delivered from the Trenton P.O. so the allegedly correct answer is Trenton. It's not too hard for me to figure these out, but given the amount of plain wrong info in credit reports, this approach must lead to some pretty frustrating failures. Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of The Internet for Dummies, Information Superhighwayman wanna-be, http://www.johnlevine.com, ex-Mayor More Wiener schnitzel, please, said Tom, revealingly. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
[EMAIL PROTECTED] wrote: John Ioannidis wrote: | Does anyone know how this security questions disease started, and why | it is spreading the way it is? If your company does this, can you find | the people responsible and ask them what they were thinking? The answer is Help Desk Call Avoidance; allow the end-user to fix their own account without having to get someone on the phone. This is simply an available mechanism in the spectrum between easy-to-use and rock-solid security. As the discussion so far indicates, and as published papers show, the security of these security questions is lower than the security of the password. | My theory is that no actual security people have ever been involved, and | that it's just another one of those stupid design practices that are | perpetuated because nobody has ever complained or that's what | everybody is doing. Your theory is incorrect. There is considerable analysis on what Can you reference it please? There has been some analysis on the entropy of passphrases as a password replacement, but it is not relevant. constitute good security questions based on the anticipated entropy of the responses. This is why, for example, no good security question has a yes/no answer (i.e., 1-bit). Aren't security questions just an automation of what happens once you get a customer service representative on the phone? In some regards they may be more secure as they're less subject to social manipulation (i.e., if I mention a few possible answers to a customer support person, I can probably get them to confirm an answer for me). The difference is that when you are interfacing with a human, you have to go through a low-speed interface, namely, voice. In that respect, a security question, coupled with a challenge about recent transactions, makes for adequate security. The on-line version of the security question is vulnerable to automated dictionary attacks. /ji - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
| | My theory is that no actual security people have ever been involved, | | that it's just another one of those stupid design practices that are | | perpetuated because nobody has ever complained or that's what | | everybody is doing. | | Your theory is incorrect. There is considerable analysis on what | | Can you reference it please? There has been some analysis on the | entropy of passphrases as a password replacement, but it is not | relevant. RSA sells a product that is based on such research. I don't have references; perhaps someone else does. I think the accurate statement here is: There's been some research on this matter, and there are some reasonable implementations out there; but there are also plenty of me-too implementations that are quite worthless. In fact, I've personally never run into an implementation that I would not consider worthless. (Oddly, the list of questions that started this discussion is one of the better ones I've seen. Unfortunately, what it demonstrates is that producing a useful implementation with a decent amount of total entropy probably involves more setup time than the average user will want to put up with.) | constitute good security questions based on the anticipated entropy | of the responses. This is why, for example, no good security | question has a yes/no answer (i.e., 1-bit). Aren't security | questions just an automation of what happens once you get a customer | service representative on the phone? In some regards they may be | more secure as they're less subject to social manipulation (i.e., if | I mention a few possible answers to a customer support person, I can | probably get them to confirm an answer for me). | The difference is that when you are interfacing with a human, you have | to go through a low-speed interface, namely, voice. In that respect, a | security question, coupled with a challenge about recent transactions, | makes for adequate security. The on-line version of the security | question is vulnerable to automated dictionary attacks. Actually, this cuts both ways. Automated interfaces generally require exact matches; at most, they will be case-blind. This is appropriate and understood for passwords. It is inappropriate for what people perceive as natural-text questions and answers. When I first started running into such systems, when asked for where I was born, I would answer New York - or maybe New York City, or maybe NY or NYC. I should have thought about the consequences of providing a natural- text answer to a natural-text question - but I didn't. Sure enough, when I actually needed to reset my password - I ended up getting locked out of the system because there was no way I could remember, 6 months later, what exact answer I'd given. A human being is more forgiving. This makes the system more vulnerable to social engineering - but it makes it actually useable. The tradeoff here is very difficult to make. By its nature, a secondary access system will be rarely used. People may, by dint of repetition, learn to parrot back exact answers, even a random bunch of characters, if they have to use them every day. There's no way anything but a fuzzy match on meaning will work for an answer people have to give once every couple of months - human memory simply doesn't work that way. I learned my lesson and never provide actual answers to these questions any more. -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: security questions
Another useful piece of research on the topic: V. Griffith and M. Jakobsson. Messin' with Texas, Deriving Mother's Maiden Names Using Public Records. ACNS '05, 2005 and CryptoBytes Winter '07 http://www.informatics.indiana.edu/markus/papers.asp Cheers, Scott - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: Does Wells Fargo really use the term security question here? Just wondering, Stefan. Symposium Wirtschaftsspionage 03.09.2008 KA/Ettlingen http://www.symposium-wirtschaftsspionage.de/ - Stefan Kelm Security Consultant Secorvo Security Consulting GmbH Ettlinger Strasse 12-14, D-76137 Karlsruhe Tel. +49 721 255171-304, Fax +49 721 255171-100 [EMAIL PROTECTED], http://www.secorvo.de/ PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
Does anyone know how this security questions disease started, and why it is spreading the way it is? If your company does this, can you find the people responsible and ask them what they were thinking? My theory is that no actual security people have ever been involved, and that it's just another one of those stupid design practices that are perpetuated because nobody has ever complained or that's what everybody is doing. /ji - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
Stefan Kelm wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: Does Wells Fargo really use the term security question here? Yes it does. I'm a Wells Fargo customer and I had to set my security questions yesterday in order to keep using their online banking system. The resulting email notification said in part: Thank you for taking the time to set up your security questions. If we ever need to confirm your identity, your ability to give the correct answers to these questions will help us verify it's you. /psa smime.p7s Description: S/MIME Cryptographic Signature
Re: security questions
On Thu, 7 Aug 2008, John Ioannidis wrote: | Does anyone know how this security questions disease started, and | why it is spreading the way it is? If your company does this, can you | find the people responsible and ask them what they were thinking? | | My theory is that no actual security people have ever been involved, | and that it's just another one of those stupid design practices that | are perpetuated because nobody has ever complained or that's what | everybody is doing. As best I can determine - based on external observation, not insider information - the evolution went something like this: - It used to be when you needed to access an account by phone, whoever you called just believed you were who you said. - Social engineering of such calls started to become a pain, so something else was needed. Call centers started to ask for some additional data - mother's maiden name, birthday, last four digits of SSN. This was data that was usually available anyway - SSN's have been used as account id's for years, birthday and mother's maiden name have been standard disambiguators among people with similar names forever. - In parallel, passwords started to infiltrate everyday life. It's hard to recall that before ATM's became widely used (mid to late '70's) there would really have been no place the average consumer ever used a password. Account numbers, sure - but they came pre-printed on your statement or credit card and no one expected to memorize them - and no one really thought of them as passwords. - Once people had to remember passwords, they started to forget them. Of course, before resetting a password, you have to validate that the person asking for the reset is who he said he is. The cheapest approach is to use the validation system you already have: Those simple security questions about birthdays and mothers. - Password resetting became a significant cost; people to talk on the phone to some idiot customer who's managed to forget his password for the 3rd time in a month is expensive. So password reset services moved on-line. But now identity validation became more of an issue: It was always assumed (with little justification) that it was hard to fool a customer service guy into believing you were someone else. But a Web page? You need to provide *something* that a machine can check. Initially, the same information that the humans check was used - but in plain text on the screen, that felt weak. So ... why not have the user provide answers to a couple of security questions that the program can then use to validate him before assigning him a new password? - Fast forward to a couple of years ago. Identity theft is becoming big business. Most of that is due to really bad security practices - laptops with tens of thousands of unencrypted account records left in coffee shops, unencrypted WiFi used to transfer credit card info at large stores - but that's too embarrassing to talk about. Various agencies, government and other get into the act, demand accountability and best practices. One best practice that gets written into actual regulation in the banking business is two-factor authentication. That spreads as a best practice - and your best defense against legal and other problems is that you show you followed the industries established best practice. So now everyone needs to do two-factor authentication. - Ah, but just what does two-factor authentication mean? We in the security biz know, but apparently none of that makes it into the regs. So, some company - I'm sure with sufficient research one could even figure out who - decides that, for them, two-factor means the password plus the answer to a security question. Cheap, easy to implement - they probably already have such a system in place for password resets. People are used to it and accept it; no training is needed. And ... somehow *they convice the regulatory agency involved that this satisfies the regs*. - The rest is history. Everyone must do
RE: security questions
John Ioannidis wrote: | Does anyone know how this security questions disease started, and why | it is spreading the way it is? If your company does this, can you find | the people responsible and ask them what they were thinking? The answer is Help Desk Call Avoidance; allow the end-user to fix their own account without having to get someone on the phone. This is simply an available mechanism in the spectrum between easy-to-use and rock-solid security. | My theory is that no actual security people have ever been involved, and | that it's just another one of those stupid design practices that are | perpetuated because nobody has ever complained or that's what | everybody is doing. Your theory is incorrect. There is considerable analysis on what constitute good security questions based on the anticipated entropy of the responses. This is why, for example, no good security question has a yes/no answer (i.e., 1-bit). Aren't security questions just an automation of what happens once you get a customer service representative on the phone? In some regards they may be more secure as they're less subject to social manipulation (i.e., if I mention a few possible answers to a customer support person, I can probably get them to confirm an answer for me). -Piers -- Piers Bowness RSA - The Security Division of EMC - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
On Wed, 6 Aug 2008, Peter Saint-Andre wrote: | Wells Fargo is requiring their online banking customers to provide | answers to security questions such as these: | | *** | | What is name of the hospital in which your first child was born? | What is your mother's birthday? (MMDD) | What is the first name of your first roommate in college? | What is the name of the first street you lived on as a child? | What year did you start junior high/middle school? () | What is your oldest sibling's nickname? | What is your dream occupation? | What is your spouse's nickname? | In what city was your father born? | What is the name of the high school you attended? | What is your best friend's first name? | What is the name of the junior high/middle school you attended? | What is the first name of your maternal grandfather (mother's father)? | What is the name of your favorite childhood superhero? | In what city did you meet your spouse? | In what city did your parents meet? | In what city did you attend high school? | What is name of the hospital in which you were born? | What is the last name of your favorite teacher? | In what city was your maternal grandmother (mother's mother) born? | What was your most memorable gift as a child? | | *** | | It strikes me that the answers to many of these questions might be | public information or subject to social engineering attacks... These kinds of questions used to bother me. Then I realized that *I could lie*. As long as *I* remember that I answer What is your mother's maiden name with xyzzy, the site and I can be happy. Well ... happier, anyway. The only way to remain sane if you take this approach is to use the same answer at every site that asks these security questions. But that's not good, especially since most of these sites appear to make the *actual value you specified* available to their call centers. This is nice if you can't remember the exact capitalization you used, but it does, of course, leak more information that you'd rather have out there readily accessible. For Web sites these days, I generate random strong passwords and keep them on a keychain on my Mac. Actually, the keychain gets synchronized automatically across all my Mac's using .mac/MobileMe (for all their flaws). When I do this, I enter random values that I don't even record for the security questions. Should something go wrong, I'm going to end up on the phone with a rep anyway, and they will have some other method for authenticating me (or, of course, a clever social-engineering attacker). The only alternative I've seen to this whole approach is sold by RSA (owned by EMC; I have nothing to do with the product, but will note my association with the companies) which authenticates based on real-world data. For example, you might be asked where you got coffee this morning if your credit card shows such a charge. This approach is apparently quite effective if used correctly - though it does feel pretty creepy. (They were watching me buy coffee?) -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre [EMAIL PROTECTED] wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** ... *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... Lie. I don't actually give the real answers to those questions for just that reason. Make up some plausible and memorable words (maybe using a tool like yould), and pick your mother a new random name from the phone book. -- GDB has a 'break' feature; why doesn't it have 'fix' too? - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
Chris Kuethe wrote: On Wed, Aug 6, 2008 at 8:23 AM, Peter Saint-Andre [EMAIL PROTECTED] wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** ... *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... Lie. I don't actually give the real answers to those questions for just that reason. Make up some plausible and memorable words (maybe using a tool like yould), and pick your mother a new random name from the phone book. Oh, I know we're smart enough to do that, but I doubt that your typical Facebook user will realize that their high school and best friend's first name (etc.) are public information. Peter smime.p7s Description: S/MIME Cryptographic Signature
Re: security questions
On Wed, Aug 6, 2008 at 9:23 AM, Peter Saint-Andre wrote: Wells Fargo is requiring their online banking customers to provide answers to security questions such as these: *** What is name of the hospital in which your first child was born? ... What was your most memorable gift as a child? *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... Peter Of course, this problem isn't limited to Wells Fargo: I think pretty much all banks do it. I've given this some thought, and am writing a program called maiden (short for mother's maiden name) for cryptographically answering these questions. The basic idea is that you take either a pass phrase or strong secret, combine it with the question, compute the SHA hash, and use this to create a word that looks semi-pronounceable as the answer to the question. Right now, I don't answer any of these questions with any guessable information -- it's all the result of a cryptographic operation on the question and a hidden secret. Cheers, -Matt -- Thanks! Matt Ball, IEEE P1619.x SISWG Chair M.V. Ball Technical Consulting, Inc. Phone: 303-469-2469, Cell: 303-717-2717 http://www.mvballtech.com http://www.linkedin.com/in/matthewvball - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: security questions
Peter Saint-Andre wrote: [list of security questions snipped] *** It strikes me that the answers to many of these questions might be public information or subject to social engineering attacks... You might enjoy reading Ari Rabkin's recent paper at SOUPS 2008 on this issue: Personal knowledge questions for fallback authentication: Security questions in the era of Facebook Ariel Rabkin http://www.cs.berkeley.edu/~asrabkin/bankauth.pdf He has slides as well: http://www.eecs.berkeley.edu/~asrabkin/rabkin.pdf -David Molnar signature.asc Description: OpenPGP digital signature
Re: security questions
On Aug 6, 2008, at 12:17 PM, Leichter, Jerry wrote: For Web sites these days, I generate random strong passwords and keep them on a keychain on my Mac. Actually, the keychain gets synchronized automatically across all my Mac's using .mac/MobileMe (for all their flaws). When I do this, I enter random values that I don't even record for the security questions. Should something go wrong, I'm going to end up on the phone with a rep anyway, and they will have some other method for authenticating me (or, of course, a clever social-engineering attacker). An except from my recent blog post: Now, this topic is not new. Bruce Schneier wrote about it a few years ago [2]. Schneier says that he “type[s] a completely random answer,” but consider this anecdote: a colleague of mine uses the same technique. He called up customer service once, who then asked him, “what’s the answer to your security question?” He said, “some random numbers.” The response was “okay.” So picking random numbers might be less secure than picking a realistic answer? :-) [2] http://www.computerworld.com/securitytopics/security/story/0,,99628,00.html -- Apu Kapadia, Ph.D. UIUC 2005 Research Assistant Professor Department of Computer Science, Dartmouth College, USA http://www.cs.dartmouth.edu/~akapadia/ - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
