Blog

Virtual Identities

By Adrian Lane

I am starting to hear stories from friends in the Phoenix area more and more about identity theft and account hijacking. Two weeks ago we got a phone call from a friend in the wee hours of the morning. She called to ask if we knew if a mutual friend, we’ll call her ‘Stacy’ for the purpose of this post, was in England. Our friend had received an email from Stacy stating she was in trouble and asking for money. We know Stacy pretty well and we assured out friend that she was not in England and was certainly not requesting $2000.00 be wired to her. Seems that everyone Stacy knew received a similar email claiming distress and requesting significant sums of money.

Later in the afternoon we called Stacy and verified that she had in fact not been to England and was not in distress. But she had found that her Yahoo! account had been hijacked and she was getting calls from friends and family all morning who had received the same request. She admittedly had a very weak password, not unlike most of the people we know, and have never even thought someone would be interested in gaining access to the account. We spoke with Stacy again today, and jokingly asked her how much money she has made. She did not find this very funny because, after a dozen or so hours on the phone with the overseas ‘technical’ support , she still has not been able to restore her account nor stop the emails. It seems that the first thing the hijackers did was change the account verification questions as well as the password, both locking Stacy out of the account and removing any way for her to restore it. The funny part of this is the phone calls Stacy has had with the support team, which go pretty much like this:

Stacy: “Hi, my email account has been taken over and they are sending out emails under my name requesting money.”
Support: “OK, just go in and reset your password. I will email you a change password request.”
Stacy: “I can’t do that. They changed the password so I cannot get email from this account. I am locked out.”
Support: “OK Stacy, we will just need to ask you a few questions to restore your account … Can you tell us where you went on your honeymoon?”
Stacy: “Yes, I honeymooned in Phoenix.”
Support: “I am sorry, that is not the answer we have.”
Stacy: “Of course not. They changed the information. That is why I am calling you.”
Support: “Would you like another guess?”
Stacy: “What?”
Support: “I asked would you like another guess on where you spent your honeymoon?”
Stacy: “I don’t need to guess, I was there. I honeymooned in Phoenix. Whatever answer you have is wrong because ….”
Support: “I am sorry, that is not correct.”

And so it goes. Like a bad game of “Who’s on First?”. How to prove you are really you, in a virtual environment, is a really hard security problem to solve. More often than not companies want to deal with our virtual images and identities rather than our real selves, and automate as much as they can to cut costs and raise profits. If you need something out of the ordinary fixed, it is often far easier to simply abandon the troubled account and start over again. At least you can do that with a Yahoo! email account. You bank account is another matter entirely. But we can do a lot better than a single (weak) password being the keys to the kingdom. This is a subject I would not normally even blog about except a) I found the dialog funny and b) it is becoming so common I think think we periodically need a reminder that if you are using a weak password on any account you care about, change it now! If you have two-factor authentication at your disposal, use it!

No Related Posts
Comments

“More often than not companies want to deal with our virtual images and identities rather than our real selves…”

Understatement of the decade.  Seriously.

Account hijacking fallout also tracks the other way, like when an account has NOT been hijacked at all, but the service provider believes it has because of some wacky criteria leading to a false, positive conclusion.  Situations such as this can reveal just how much service providers rely on poor methods to discern identity, virtual or otherwise, compared to when methods they do employ are actually overcome.  My comment (#7) to a recent NYTimes Bits ‘blogicle’ illustrates what I am talking about, especially the lack of regard for the hassles paying customers go through in our web-enabled ‘let the customer do the heavy lifting’ era of doing business.

http://bits.blogs.nytimes.com/2009/06/19/why-paypal-wants-to-know-where-everybody-lives/#comment-296973

By latrop


reppep,

Precisely.

One of the reasons I didn’t specify the email carriers for my email services, the backup/reference ones or some of the other things.

As for webmail services… lol.


But, if you use email from some of the ‘free’ services out there then you have to mitigate as much as you can while keeping it usefully convenient. Scratch that, mitigate anyway regardless of the email provider.


But to borrow some concepts from Rich’s “React Faster, And Better, With The A B Cs” blog (http://securosis.com/blog/comments/react-faster-and-better-with-the-a-b-cs/): if you don’t deal with a provider that is secure and responsive then it don’t matter if you have a strong password; if you don’t have a strong password it doesn’t matter if you have alternate/backup means of accessing and owning your email/address; [pretend I wrote something here to make it a set of 3 items to reflect the referenced blog].


PS: I wasn’t trying to answer all the issues with email and protecting your email, just trying to provide a ‘direction for thought to follow’. Also, they call it ‘low hanging fruit’ for a reason: it’s easy to pick (read accomplish) - thus everyone should learn to do it even if it is just for CMA reasons.

PPS: the primary point I tried to make (and maybe obscured) was: mitigate the risks that you can’t eliminate - something Stacy above did not accomplish

By Zac B


Zac,

I know there is much lower hanging fruit, but this all started with Stacy (remember Stacy, this song is about Alice^H^H^H^H^HStacy?). Yes, strong passwords help, but you seemed to be recommending cross-linking email accounts, which is what I’m addressing.

If Stacy had yahoo, gmail, & hotmail all linked to each other, then after they broke yahoo, they’d check her account and see the other email addresses, and probably manage to do ‘password recovery’ on all 3 accounts, setting them to different passwords and Insecurity Questions as they went. Endgame: 3 compromised and difficult/impossible to recover accounts (do you think you could convince <strong>all three</strong> companies that you’d been hacked, despite such strong evidence that you were the imposter?), very strong credibility (“Stacy told me she’s having trouble with gmail, so please use hotmail this week.”), and a lot of data, including password reminders for other services she doesn’t even remember.

Webmail services are just not very trustworthy, so you can’t make much of a security model out of them.

By reppep


reppep,

Maybe… but first the blackhat would (a) have to break a strong password with 10+ characters, (b) get the alternate email address, and (c) break another strong password with 10+ characters.

I have multiple things on my side though: First, the blackhat would have to <i>want</i> to steal my email addy from me. Second, strong passwords with 10+ characters are “expensive” in both time and resources to break - and the blackhat would have to process multiple instances of strong passwords. Third, there are a lot of easier ways to “steal” my email addy - primarily and probably easiest is to just have a ‘display name’ match my normal email’s ‘display name’ - after all, only a few of those I communicate with outside of work would even notice such a deception. (Another way would be to create a probable and likely email address with a service provider I don’t use - but that of course would be illegal!)

Lastly, you will never, never… NEVER… have a completely secure system, process, lock/encryption/what-ever. Never. All you can do is make it take as long as possible for them to break/hack/steal and thus cost more than it’s worth to them.


So is it possible for a blackhat to compromise more than one of my email addresses? Yes. Likely… probably not in the near future. Do I have other means of communicating reliably with others, you bet.

Over all, I’d say my risks are [much] lower than those that have only a single email address that they use to communicate with particularly if that single email address is only protected with a simple weak password.


Remember, it’s about <b>mitigating</b> risk since you aren’t able to eliminate risk.

By Zac B


Zac,

But that means people can cascade from a compromise of one of your email accounts to taking over others. You’ve used stronger passwords, but spread the vulnerability.

By reppep


“But we can do a lot better than a single (weak) password being the keys to the kingdom.”

Adrian hit this particular nail on the head with that statement.


I admit that not everyone can keep track of 20 or 30 passwords in their heads (or 2 or 3 even for some!)... and that even mnemonic methods can fail for helping you recall them. But even if they write things out (and I know some that store such writings with their passport and other important papers, namely in a safety deposit box), a simple password is just asking for trouble in these days.


Not to sound like I’ve got it completely covered… but personally I use 10+ alphanumeric passwords on ‘throw away’ email accounts I only intend on using once (don’t ask… but there are legit reasons for these sometimes). I also ensure that my “permanent” email services have alternate “permanent” email addresses they can use to contact me for purposes of validating that I am who I say I am.


Printing out the email initial setup response form the server, printing out the challenge/response stuff - and then storing in as physically secure a manner as possible (i.e.: safety deposit box) - while this may not provide complete assurance in case things go awry… at least you could say “I could fax you the proof I am the owner of xxxx”.

Not foolproof (yes, I too have talked to ‘customer [dis]service’ before)... but it can help.


This area like many others can benefit from so-called ‘layered security’.

By Zac B


And they don’t want to spend time on dispute resolution, or be liable for deciding who really owns accounts. What if a husband registers an account for a wife, they separate, and he (who knows password and secret question—which he never told her) starts sending nasty emails in her name.

A 10-foot pole is not enough distance from that for Yahoo…

By reppep


@Adam

No, I am not familiar with this particular paper. I just grabbed the PDF.  Thanks for the link!

-Adrian

By Adrian


Adrian, have you seen the work on social authentication by Stu Schecter, Rob Reeder and Serge Egelman?  http://research.microsoft.com/apps/pubs/default.aspx?id=79349

By Adam


If you like to leave comments, and aren’t a spammer, register for the site and email us at info@securosis.com and we’ll turn off moderation for your account.