When my father passed away my mother was in the hospital. I needed to access her bank account to pay some bills. They asked me for the account “password”. I told them I did not know, that my mother was unconscious and in the hospital. Then they asked the account security question: what was her mother’s maiden name? Fortunately I knew it, but I had no idea how to spell it! Somehow I talked the person on the phone into giving me the balance and I paid her mortgage.
Mat Honan wasn’t so lucky. Hackers really messed him up, resetting his passwords, wiping his devices and so forth. Check the link to learn the story.
I wrote recently about google’s two-step authentication. This will at least help, and it might be a good solution. But the problem is far deeper.
The real problem is “social engineering”. This is the practice of, in this case, pretending to be someone else in order to gain a particular advantage. In this case the advantage was the passwords to Honan’s accounts. We have other examples of social engineering in our Comprehensive Introduction to System and Network Security course, by the way. How can we help mitigate this threat?
It appears that one of Honan’s hackers used the phone to get a password change. The people on the other end of the phone had no way to authenticate the caller. How might you do it? Ask for some personal information? (You’d better hope it’s not available on the ‘net.) Call the person back on a mobile phone? (Hopefully the attacker did not steal it.) Send the person a text? (See the last issue.)
A while ago someone (Bruce Schneier?) pointed out the weakness of security questions on the web: if one has a security question of “What is your dog’s name?” that then becomes the “password. “It is unimportant what long string of gibberish the user supplies in the password box normally, if the attacker knows the dog’s name, he or she can compromise the system. Recently I have seen people suggest using nonsense answers to these questions. Consider:
Those are probably harder for an attacker to guess than the real answers.
What’s the answer? Well, if you’ve been reading this blog, you know getting rid of passwords is one of my favorite answers. Two factor authentication will likely help but sometimes one loses a factor and we’re back to a point where social engineering can allow a compromise. Part of the answer is to keep your email password(s) safe and secure, use a security pin or password on your mobile phone and don’t use security questions and attacker can easily guess. What else? Share your suggestions below.