Tuesday, November 15, 2011

Implementation

In addition to stupid questions there can also, as my previous post shows, be failures in the implementation rather than in the questions themselves. Having a single security question be the only thing protecting your account from a password reset is relatively high-risk. Using it too frequently makes it no better than a password that's annoying to type in and easy to guess.

In addition to the list of attributes of a good security question I am interested in compiling a list of best practices regarding the implementation of security questions. I'll be putting ideas for this out in some of the next few posts, but my first, and perhaps most important, suggestion is: Don't make security questions the only thing standing between the attacker and full account compromise.  Other bits of biographical info like date of birth should count as security questions for the purpose of this rule.

My suggestion would be to require the security question and either access to an email account (send a confirmation email with a password reset link), or some kind of physical token, e.g. a cell phone that can receive text messages. One of those things might change (new phone number, close an old email account) but both at once is much less likely.  In this case a security question actually adds security (as compared to using a confirmation email/text only), because it prevents somebody who has compromised one of your email accounts (or your phone) from also compromising this account.  That's assuming, of course, that the question is private and unpredictable and that the answer can't be found by searching through your email.

The fundamental requirement of password reset, and therefore the purpose of most security questions, is to authenticate a user in the absence of their normal authentication method (their password).  Security questions do this by essentially asking the user for a second password, one that's easier to remember but also easier to guess or research.  The confirmation email/text uses a different method: it relies on a preexisting private channel of communication with the user.  This is more secure than security questions, but it means that even if you follow the best practice of having a different password for each account (which almost nobody does), the compromise of one account can still spread to others through the reset channel.  Adding a security question to that process keeps your account safer than relying on a security question alone, which opens up your account to anybody who can figure out your mother's maiden name.
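As an added illustration (not code from this blog or from any site it discusses), here is a Python sketch of the reset flow just described: the account is unlocked only when a security-question answer and a one-time token sent over a preexisting channel are both correct, so neither a researched answer nor a compromised mailbox is enough on its own. The class and function names, the 15-minute token lifetime, the five-attempt limit, and storing the answer as a salted PBKDF2 hash are my assumptions; the outbox list stands in for a real e-mail or SMS gateway.

```python
"""Password reset requiring BOTH a security answer and a one-time token.

Added example. Names, limits and storage layout are assumptions, not
taken from any real service.
"""
import hashlib
import hmac
import secrets
import unicodedata

TOKEN_TTL_SECONDS = 15 * 60   # assumed: emailed/texted token valid for 15 minutes
MAX_ANSWER_ATTEMPTS = 5       # assumed: stop checking answers after 5 failures
PBKDF2_ROUNDS = 100_000       # assumed work factor for the stored answer hash


def normalize_answer(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Jeep  WRANGLER' == 'jeep wrangler'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # The answer is a second password: salted, slow hash, never stored in clear.
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(),
                               salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, email: str, question: str, answer: str):
        self.email = email
        self.question = question
        self.answer_salt = secrets.token_bytes(16)
        self.answer_hash = hash_answer(answer, self.answer_salt)
        self.password = "old-password"   # stand-in for the real credential store
        self.failed_answers = 0
        self.pending_token = None        # (sha256(token), expiry time) or None


class ResetService:
    """Two independent checks; neither alone changes the password."""

    def __init__(self):
        self.outbox = []   # constructed stand-in for the e-mail/SMS gateway

    def start_reset(self, account: Account, now: float) -> None:
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored; a leaked database can't replay it.
        digest = hashlib.sha256(token.encode()).digest()
        account.pending_token = (digest, now + TOKEN_TTL_SECONDS)
        self.outbox.append((account.email, token))

    def check_answer(self, account: Account, answer: str) -> bool:
        if account.failed_answers >= MAX_ANSWER_ATTEMPTS:
            return False   # locked: the question can no longer be brute-forced
        ok = hmac.compare_digest(hash_answer(answer, account.answer_salt),
                                 account.answer_hash)
        if not ok:
            account.failed_answers += 1
        return ok

    def check_token(self, account: Account, token: str, now: float) -> bool:
        if account.pending_token is None:
            return False
        digest, expiry = account.pending_token
        if now > expiry:
            account.pending_token = None   # expired tokens are discarded
            return False
        return hmac.compare_digest(hashlib.sha256(token.encode()).digest(), digest)

    def complete_reset(self, account: Account, answer: str, token: str,
                       new_password: str, now: float) -> bool:
        # Evaluate both factors before deciding, so a failure does not reveal
        # which one was wrong.
        answer_ok = self.check_answer(account, answer)
        token_ok = self.check_token(account, token, now)
        if not (answer_ok and token_ok):
            return False
        account.pending_token = None   # token is single-use
        account.failed_answers = 0
        account.password = new_password
        return True
```

Both checks run every time so that an attacker who only has one factor learns nothing about the other from the error, and the wrong-answer counter means the question cannot be guessed at leisure even while a valid token is in flight.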

Thursday, October 20, 2011

Credit History questions

One thing I've noticed while retrieving my free annual credit report is that credit bureaus will often verify your identity by asking you security questions based on your credit history.  These aren't security questions that you set yourself, they're multiple choice questions like "From which of these companies do you currently have an auto loan?"

Being multiple choice they don't exactly have all that much strength, especially since a wrong answer doesn't necessarily mean that the person is an attacker.  A question such as "What state was your Social Security card first issued in?" might not be easy to answer for somebody who moved around a lot as a child.  Even if you know what website to log into when you pay student loans you may not know exactly which company owns them or how they appear on your credit report.  And that's all assuming your credit report is even accurate, which isn't always true!  Some implementations at least take this into account and have a "not sure" option.

Privacy may be an issue as well: if you can figure out what bank your target uses, what brand of car they drive, etc. then--since the questions are multiple choice--you probably have a good chance of getting some of them right.

Are they better than nothing?  I suppose they're a sensible way of adding a little security in authenticating somebody who doesn't have an existing account on the credit bureau's website.  In previous years I was able to get a credit report just by entering my SSN and standard personal information.  Now I have to do that plus play multiple choice with what I remember of my credit history.  I'm not sure exactly how they decide whether or not you're you, and perhaps they could be more of a fraud detection tool than an access control mechanism, but they don't inspire much additional confidence on my part.

Wednesday, September 28, 2011

An Insurance Company Website

This company is a disability insurance company similar to Aflac.  I recently had the ‘pleasure’ of signing up for their online system and was presented with the following questions:

What is your father's middle name?
What is your mother's maiden name?
In what city were you born?
What is your mother's middle name?
What is the last name of your favorite grade school teacher?
What is the first name of your favorite relative when you were a child?
What is your greatest fear?
What is the first name of your best friend from childhood?
What was the make and model of your first car (Make Model: e.g. Jeep Wrangler)?
What was your first job (Company Name no abbreviations)?
What was the name of the first grade school you attended?
What was the name of your first pet?
What is the last name of your favorite author?

I usually try to avoid the easily-researchable things like parents' middle names or my place of birth, and I couldn’t really answer any of the ‘preference’ questions since I liked many of my teachers, had several best friends in childhood, etc.  So right away lots of questions fail on ambiguity and sometimes privacy as well.

I was amused by the question “What is your greatest fear?” partly because it’s not a great question for me--my answer could be phrased a lot of different ways--but also because do you really want your customers thinking about their greatest fear while they’re visiting your website?  It just seems a bit weird to me.

I kind of liked the “What was your first job (Company Name no abbreviations)?” because it made some attempt to remove ambiguity by specifying exactly what it was looking for (e.g. not ‘cashier’ or ‘paralegal’) and how it should be entered (not using abbrevs. or ACRONYMS).  I could answer that but first I go onto other questions.

The next question is no longer a bad question for me:  I’ve gotten a new car since I last posted about this, so the answer to the question is no longer sitting in the parking lot outside my apartment.  So I put that in.

I put in my first grade school and the standard, made-up name of my first pet since I don’t really have a real first pet, and hit Continue.

It says that I need to fix the answer to my first car.  It doesn’t say why.  Not helpful.  I try again with the first company I worked for.  It makes exactly the same complaint!  I try a few other things before realizing:  Spaces aren’t allowed in your answers.  For a question that gives the example “Jeep Wrangler” that’s sheer jaw-dropping idiocy.  This apparently applies to all of the answers, so my answer for first job is also not allowed (and now you know that my first job has a space in it!).

I can kind of understand not allowing special characters in some cases, but what if your mother’s maiden name was O’Leary!  It’s probably better to just ignore the special characters when comparing by stripping them out.  But a space is not a ‘special character’.  Even worse, they didn’t tell me what was wrong with my answer!  I had to figure it out through trial and error.  I’ve had that problem a few times with sites that don’t allow special characters in passwords too: Things don’t work, and they don’t tell you why, or they even give an inaccurate error message like ‘invalid password’.  I once used a website that let me change my password to one with a special character in it, but then JavaScript on the login page prevented me from entering that same password to access my account!

Best practices lessons:
1. Be wary of prohibiting special characters: there are quite a few questions whose answers will require them.  Names can have apostrophes.  Even if you ask for just a last name it can be hyphenated or even have two parts.  Company names can have numbers in them (“Cash4Gold” for example), and sometimes they can even have foreign characters.  These cases may be rare enough that the user can select a different question if you offer plenty of choices, but not allowing a space in the make and model of your car is just terrible.

2. Give the user a useful error message if their answer isn't allowed for whatever reason.  It took me forever to realize that such an obvious and essential character as space was the cause of that vague error message.
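To make both lessons concrete, here is an added Python example (mine, not code from the blog or from the insurance site) that accepts spaces, apostrophes, hyphens, digits and non-ASCII letters in an answer, refuses only control characters, an empty answer, or one that is too long or too short, and returns a message that names the actual problem. It also shows the comparison approach suggested above: strip punctuation and whitespace and case-fold before comparing, so “O’Leary”, “O'Leary” and “oleary” all match. The length limits and message wording are my assumptions.

```python
"""Permissive answer validation with specific error messages, plus a
punctuation-insensitive comparison form.

Added example; limits and messages are assumptions.
"""
import re
import unicodedata

MAX_LENGTH = 100   # assumed: generous enough for 'Make Model' or company names
MIN_ALNUM = 2      # assumed: at least two letters/digits, so 'OH' still passes

# The only characters never legitimate in an answer: control characters.
# Spaces, apostrophes, hyphens, digits and non-ASCII letters are all allowed.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_answer(answer: str):
    """Return (ok, message). On failure the message names the real cause."""
    if _CONTROL.search(answer):
        return False, "Answer contains control characters (e.g. a tab or newline)."
    stripped = answer.strip()
    if not stripped:
        return False, "Answer is empty."
    if len(stripped) > MAX_LENGTH:
        return False, f"Answer is longer than {MAX_LENGTH} characters."
    if sum(ch.isalnum() for ch in stripped) < MIN_ALNUM:
        return False, f"Answer needs at least {MIN_ALNUM} letters or digits."
    return True, "OK"


def canonical(answer: str) -> str:
    """Comparison form: NFKC-normalize, case-fold, drop everything that is not
    a letter or digit. 'Jeep Wrangler' -> 'jeepwrangler', 'O’Leary' -> 'oleary'.
    A real system would hash this form rather than the raw answer."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in text if ch.isalnum())


def answers_match(stored: str, given: str) -> bool:
    """True when the two answers agree ignoring case, spacing and punctuation."""
    return canonical(stored) == canonical(given)
```

Because the canonical form discards punctuation and spacing, the site never has to forbid them on input: the user types the answer the way they naturally would, and the comparison still succeeds.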

Monday, September 12, 2011

Contest

And NOW it's TIME for... Guess my Security Question, the only online blog-based gameshow where you get to guess (or uncover) the answer to my security question. In the future I'll be using questions submitted by users for this, but I think I'll start with one that my bank uses:

What is my High School mascot?

Answer in the comments. First person to guess correctly gets mentioned in the next post. Maybe in the future I'll put up a few bucks for a prize but for now you just get the glory.  You may submit as many guesses as you want but each guess has to be in a different comment.  Also, minor props to the first person to identify which attribute(s) this lacks.

Thursday, September 8, 2011

Working vocabulary (What makes a good security question, redux)

Helpful reader Rick Auricchio has informed me that the numbering I was using in previous posts was rather opaque, especially since the list it drew from wasn't actually numbered, and suggested instead using more descriptive adjectives. He had a good list of adjectives to match the numbers, and I made just a few changes. The list is as follows:

Applicable: It actually applies to you and has an answer. Sites should either provide security questions that apply to a large portion of their user base or have many questions to choose from. Where you met your spouse is probably not a great question for a singles dating site.
Private: It's something that few other people know, that's not in public records or all over your blog or resume. First grade teacher is a good question for a site with an adult user base, but not great for one that caters to high-schoolers who probably all have the same answer.
Unpredictable: The answer is hard to guess. 'Favorite Color' fails this hard: one third of people have Blue as their favorite color. If you're a bank with one branch in one city then birthplace is also not ideal.
Unforgettable: You will definitely know/remember the answer. Otherwise you've defeated the purpose.
Invariant: The answer won't change even if your home, job, tastes, or even spouse changes. It happens more often than you'd think.
Unambiguous: There's only one good answer AND that answer is only typed/phrased in one way. God help you if it's case sensitive.
Allowable: The user's answer is not blocked due to technical limitations (e.g. length, special characters). "What state were you born in?" doesn't work if you have a 6 character minimum (poor buckeyes!).

It's not perfect. For example, some of the adjectives describe the questions whereas other describe ideal answers. But I think it's important to try and develop a vocabulary for talking about security questions. goodsecurityquestions.com (which I hadn't come across when I first made this blog) has done something similar, and has some great tips, but I'd like to go into a bit more detail to figure out problems with security questions.

I'm going to go back a bit and clarify some of the older posts as necessary so they have more than just numbers in the discussions.

And I'm back

A post on Bruce Schneier's blog about stupid security questions reminded me that this blog exists, and so I'm thinking about trying to start updating again. One of the comments on his post also links to a great entry in The Daily WTF about multiple-choice security questions, which are beyond stupid: They fail the 'easy to guess' criterion (Assuming it's a bank in North America, what do you think's the safest bet as to where his father was born) and they don't even allow the user to actually pick their real least-favorite vegetable (mine is eggplant) but I'll bet 'beets' or 'Brussels sprouts' are good guesses for a large portion of the population, given that list of choices.

Since I hadn't updated this blog in a while I had forgotten the password to the gmail account that I created with it: stupidsecurityquestions@gmail.com. Yeah, you can guess where this is headed. I opted to use my security question to recover my account and it asked me one thing: "What was your first teacher's name". I answered, and then it let me set a new password. I didn't even have to give it a birthday or answer more than one question.

I had apparently opted for the pre-set one out of laziness because I couldn't think of a security question truly fitting an account about bad security questions. I didn't realize that the account could be completely taken over by anyone who could answer it. Anyone in my family would know that, and if I ever mentioned what school I went to you could just check their website to narrow it down to just one or two teachers (small school) since the teacher is still working there.

One thing about security questions is that you often see several of them. If you have to answer all three every time you log into your bank (no joke, I have to do this) it's a huge pain. But if you can take control of somebody's account with just a little bit of research that's a failure in a completely different direction.