Tuesday, 23 October 2007

Four ways past the guards

Digital security is important. Who is who is not a trivial issue. Just ask your bank for a refund after an ATM or wire transfer and see how hard it is to prove you are you and you didn't do it. Come to think about it, you know remembering names and faces is hard enough IRL so give the servers a 1/2 chance and they will get it wrong.

Setting up secure and reliable logins to accounts is the 101 of e-commerce. People are lazy, learning a 4 digit pins is too hard, yes but we are OK with a 9 digit phone number. If you are protecting an email/blog account, single delivery point book buying service; user selected names and password are kind of OK. But for the real money I want to be more confident that that it's only me that can get in. If you look around you can see a lot of authentication mechanisms are flawed.

(1) Users make their own user names and passwords. We know thay are lazy so I bet they use the same username and password for most of the accounts that they set up.
I set up a web based service to send ring-dings and cards and then apply the same UN/PW to Amazon, Ebay, Facebook and all those valuable E-services. <\Bad guy>
COUNTER: Pick a password that is two elements that have a varying letter element in between eg fredXblogs! for blogs or fredAblogs! for Amazon. Alternately use a mutating password system such as N letters out of a long word or Secure-ID http://www.rsa.com/node.aspx?id=1159

(2) Secure-ID is in play and widely distributed across all the entry point in our networks. This gives me a new 6 digit number every minute that has to be in the password to access the net account. <\Good guy>

I see your keys strokes in real time. I know the entry points to your net and I reuse the same unique number at another entry portal before it expires. I am in and I look like you so I can do what I like. <\Bad guy>

(3) Because you have implemented Secure-ID as an add-on to the password which is used as well as the Secure-ID code and I see your keys, I just call up the service and say my Secure-ID woggle is broken and get them to reset the account back to just a UN/PW. I have that. <\Bad guy>

I pick 3 letters using drop downs from a long password and you can't copy me.

I see your field selections I save them for later.<\Bad guy>

4) Well the password doesn't change and I see the drop downs you select. Because the chars are always asked for in order eg char 2,5,8 or chars 3,7,8 It doesn't take me many surfings to figure out the order of the letters and solve the anagram of the letters used. COUNTER: Ask for the letters out of order and insist on non-dictionay passwords elements.
<\Bad guy>

Being a pragmatist i know that level of authentication has to match the level of assets protected. No one needs 10's of random chars passwords that change every 90 days just to get through the day but you do have to watch the implementation details to get the security you think you have.


No comments: