You might have chosen a series of magnificently unguessable passwords for your online accounts with various websites – banking, social networking, shopping and so on. But their strength could be utterly irrelevant if the website in question operates a lax "password reset" scheme.
You know the scenario – you've forgotten your password, you click on the "forgot your password?" link, you're prompted to answer some security questions, and bingo, you choose a new password. But the answers to those security questions – which could be as casual as the name of your pet, or your favourite food – can be unwittingly revealed by people on blogs or social networking sites. And one security expert, who attempted to hack online banking accounts by simply doing a bit of research, was shocked by what he discovered.
The password reset on websites is known as "fallback authentication", and the vast majority of questions that are asked of us are either insecure – i.e. easy for other people to guess or get hold of – or just too hard for us to remember. A chap called Herbert Thompson set himself the task of hacking a friend's bank account (with her permission, naturally) using information he found online. And, as detailed in this piece, he managed to get access without too much trouble at all.
The problem, of course, is which questions we should be asked to verify our identity. The question about your mother's maiden name became so ubiquitous that it seems to no longer be considered a valid security question – I certainly can't remember the last time I was asked it. It does fulfil the two criteria required of such a question – difficult for a stranger to answer but easy for the user to remember – but the questions that have replaced it (first school, favourite singer, memorable date) just aren't secure enough. One plan, offered by this website, replaces the single question with a series of preference-type questions; these would be gruelling and off-putting to an impatient hacker eager to access your account, but easy for you – because you instinctively know the answers.
Until such a system gains wider acceptance, however, your best strategy is to avoid blogging about the same subjects that are asked of you by banks – i.e. family, pets, personal history and relationships. That doesn't actually leave that many things to blog about. But perhaps that's not such a bad thing.
CONFUSED ABOUT TECHNOLOGY? SUBMIT YOUR QUERIES TO CYBERCLINIC USING THE COMMENT FORM BELOW, OR EMAIL QUESTIONS HERE.

I once saw a rather nice fallback authentication scheme that showed you lots of photos and asked you to identify the ones that you recognised -- the idea being that you provide a couple of your own photos during signup, and then have to pick those out from among lots of other people's. Pretty clever and certainly gentle on the brain of the user, but probably increasingly insecure now that many people share their personal photo collection online anyway. Ho hum.
Posted by: Tom | Thursday, 28 August 2008 at 04:45 PM
Ciel!! It had never even occurred to me to give the "correct" reply in a question/answer pair when registering at a website! All you need to do to reset the password is supply the missing word, which can be anything. Proceed like this:
(1) choose a core password, something extremely easy to remember, say wawg2dnb (well, easy to remember if you think of it as 'what are we going to do now butch?')
(2) when you register on a site, add the site name onto the password core: for IndyBlogs (if a password were needed) it could be 'ib', so when prompted for your mother's maiden name, enter wawg2dnbib. You can always claim that your mother was Polish...
I use one core password on low-level sites, a second one on personal sites and a third for banking. With only three cores I am not in danger of forgetting them, and yet I never repeat a password, nor a password reminder.
Posted by: ViewFromTheBoundary | Friday, 29 August 2008 at 07:09 AM
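As an added, defender-side example (not code from the column or from either commenter), here is how a site can handle the fallback-authentication answers discussed above: flag an answer that is short or drawn from a pool of commonly blogged-about facts at enrolment, and store whatever the user supplies, including a site-specific non-answer like the one in the last comment, as a salted slow hash rather than in plaintext. The common-answer set and the iteration count are constructed stand-ins, not values from the page.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Constructed sample of answers that commonly appear on blogs and social
# profiles (pets, surnames, favourite foods, home towns). A real deployment
# would use a much larger list; this one only illustrates the check.
COMMON_ANSWERS = {"fluffy", "rex", "max", "bella", "smith", "pizza", "london"}

# Work factor for the hash; constructed value, tune for the server in use.
ITERATIONS = 100_000


def normalize(answer: str) -> str:
    """Unicode-normalize, casefold and collapse whitespace so that
    'Fluffy ' and 'fluffy' are treated as the same answer."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return " ".join(folded.split())


def is_weak_answer(answer: str) -> bool:
    """True when the answer is very short or is a commonly published fact,
    i.e. the kind of thing the column warns is easy to research."""
    norm = normalize(answer)
    return len(norm) < 6 or norm in COMMON_ANSWERS


def register_answer(answer: str) -> tuple[bytes, bytes]:
    """Store a security answer the way a password is stored: random salt,
    slow key-derivation hash. Returns (salt, digest); the plaintext is never
    kept, so a breach does not hand out a user's reused 'core' string."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(answer).encode("utf-8"), salt, ITERATIONS
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive the hash for the candidate and compare in constant time."""
    cand = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode("utf-8"), salt, ITERATIONS
    )
    return hmac.compare_digest(cand, digest)
```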