
April 2007 Archives

April 2, 2007

Problems with composing security "best practices"

My local bank has been frustrating me with its current security “improvements”. I have not chosen my bank on the basis of its technological savvy, and if I didn’t have such inertia with this bank I would probably look for another bank.

Clearly, this bank has been chasing the security improvements made by the big boys. Unfortunately, blindly applying these changes, particularly when starting from some rather weak security underpinning, does not make for an attractive result. You get the worst of both worlds: a system with weak security plus intrusive security features that annoy the end user.

On the face of it, each security improvement sounds quite reasonable, but in total it just doesn’t work. I’ve seen all these errors on other sites, but my bank seems to have more than its fair share. First is the issue of password safety. The bank site implements a three strikes and you’re out policy. If you miss the password three times, your account is disabled and you must call a person during normal business hours. The security goal is admirable. You want to protect vulnerable accounts from a brute force attack. However, with the proliferation of passwords and different requirements on passwords at different sites (alpha-numeric only, must have a non-alpha-numeric character, at most 8 characters, at least 12) you either must write down your passwords or probably miss a few times as you enter the variants of your password families. If you could call a human 24×7 to reset, as you can with most credit card companies, this wouldn’t be so bad, but for me it is invariably Sunday night as I’m trying to get the accounting done that I lock myself out. An alternative to defeat the brute force attackers is a timed backoff. After one failure pause 1 second, after two failures pause 5 seconds, etc. Somewhat annoying to the legitimate user, but fatal to the brute force attacker.
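To make the comparison concrete, here is an added example (not code from the post or the bank) of the timed-backoff policy next to the three-strikes lockout. The schedule beyond the post's 1 s and 5 s values is assumed, and the clock is passed in so the policy can be tested deterministically.

```python
from dataclasses import dataclass

# Constructed schedule: wait 1 s after the first miss, 5 s after the second,
# then keep growing. The post gives only the first two values; the rest are
# assumed for illustration.
BACKOFF_SCHEDULE = (0, 1, 5, 25, 125, 600)


@dataclass
class Account:
    failures: int = 0        # consecutive wrong passwords
    not_before: float = 0.0  # earliest accepted time of the next attempt


def backoff_for(failures: int) -> int:
    """Seconds the next attempt is deferred after `failures` consecutive misses."""
    return BACKOFF_SCHEDULE[min(failures, len(BACKOFF_SCHEDULE) - 1)]


def attempt(acct: Account, password_ok: bool, now: float):
    """One login attempt under timed backoff.

    Returns (status, wait): status is 'ok', 'bad_password' or 'too_early';
    wait is the seconds the caller must hold off. `now` is injected rather
    than read from the system clock so the behaviour is reproducible.
    """
    if now < acct.not_before:
        return "too_early", acct.not_before - now
    if password_ok:                      # stands in for a real hash check
        acct.failures, acct.not_before = 0, 0.0
        return "ok", 0
    acct.failures += 1
    wait = backoff_for(acct.failures)
    acct.not_before = now + wait
    return "bad_password", wait


def brute_force_seconds(guesses: int) -> int:
    """Wall-clock seconds an online guesser spends making `guesses` misses."""
    return sum(backoff_for(i) for i in range(1, guesses + 1))


def three_strikes_locked(misses: int, limit: int = 3) -> bool:
    """The bank's policy from the post: locked out after `limit` misses."""
    return misses >= limit
```

With the backoff policy a legitimate user who misses three times waits 25 seconds and then gets in, while an attacker's tenth guess has already cost over an hour of wall-clock time; under three strikes the same user is locked out until business hours.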

Of course, we all lose our passwords, and my bank has the recover your password option that emails a password to your previously registered email account. That is all pretty standard. As long as you reset your password immediately, your exposure is pretty low. However, most sites will reset your password and send you a new randomly generated password. This way your password can be stored in a form that can never be retrieved in plaintext by bank employees (e.g. in a cryptohash), but my bank actually sends your previous password. Not only is my password being sent through insecure email, but presumably some bank employees can retrieve my password at will. If you tend to use families of passwords this not only exposes your bank account security, but it also exposes all other accounts that have passwords in the same family.
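The storage model the post describes, as an added example that is not the bank's or the post's own code: passwords are kept only as salted PBKDF2 hashes, so a "recover" request can mint a fresh random password and replace the hash, but can never hand back the old one. The iteration count and password length are assumed values.

```python
import hashlib
import os
import secrets
import string
from typing import Dict, Optional, Tuple

ITERATIONS = 100_000                     # assumed PBKDF2 work factor
ALPHABET = string.ascii_letters + string.digits


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); the plaintext is not kept anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return secrets.compare_digest(candidate, digest)


class PasswordStore:
    """In-memory stand-in for the bank's credential table."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self.must_change: Dict[str, bool] = {}

    def register(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)
        self.must_change[user] = False

    def check(self, user: str, password: str) -> bool:
        salt, digest = self._records[user]
        return verify_password(password, salt, digest)

    def recover(self, user: str) -> str:
        """Reset as most sites do: generate a random temporary password,
        store only its hash, and return it for delivery to the registered
        e-mail. Flagging must_change forces the immediate reset the post
        relies on to keep the exposure window short."""
        temp = "".join(secrets.choice(ALPHABET) for _ in range(16))
        self._records[user] = hash_password(temp)
        self.must_change[user] = True
        return temp
```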

Recently, the bank has added a ninety day lockout. If you don’t use the bank web interface for ninety days, the interface is disabled. Again, sounds like a great idea. Closing unneeded holes can only improve security. But how is the account reactivated? You call the bank and give them the secret 4 digit number that was given to you on account creation. This magic number has a close correlation to your social security number. It isn’t too infeasible for a random person to find an account number and 4 digits of the social security number (through dumpster diving or social engineering). Then the attacker enters the information in the web, picks a new password and away he goes.

Finally, the bank web interface has added the pictures to avoid phishing links and the personal questions. I’m ok with the pictures. If I’m presented with a picture I’ll probably remember it is the one I selected (recognition vs recall), and if I’m not going to remember the picture it doesn’t deter me from getting to my account. I just don’t gain from the additional security. However, the personal questions are quite annoying. This is a growth from the “Mother’s maiden name” question that we’ve had for years. Anyone who is somewhat paranoid will put in a fake name that only they recall. But in the last year, I’ve seen a number of web sites add more personal questions. Generally, you get to pick one or two that are meaningful for you. However, my bank site had an unusually large number of personal questions. Some questions are factual and easy enough to recall, e.g. what city were you born in. Others might have answers that are hard to spell, or variations that are hard to recall, e.g. what was your first car? Did I enter “Volkswagen” “Beetle” “Bug” or some combination? But the worst are the favorites. Who was your favorite teacher? What is your favorite movie, book, sports team? My favorite 2 years ago when I registered for the site may have changed or been forgotten. This is a classic issue of security vs usability. Either the user tries to play along and answer legitimately, or he might write down the answers and post them on sticky notes on his desk, or he just answers the same word for all questions. If the security is too annoying the user will seek ways to avoid it.

Hmm… As I’m writing all of this down, I think it might be time to reconsider my bank selection inertia or no inertia.

April 19, 2007

Should jaded people be allowed to teach?

I find much self-recognition when reading Dilbert. While I enjoy technology and building things, much of the real world of engineering sadly has a very strong human element. And unfortunately not the good warm and fuzzy aspect of the human element.

There are many good and noble efforts that get co-opted by silly humans and mutated into something ridiculous. Sadly many activities that I teach about fall into this category: Software Development Process, Risk Analysis, Security Policies Development. These are all important areas, and I’m sure that many good and earnest folks have done great work in these areas. Unfortunately, I’ve run into many other folks who have made a mockery of these processes through willful ignorance or just plain stupidity. Like my experience with “Agile” programming where only the unpleasant aspects of the process were cherry-picked, e.g., daily meetings but each meeting lasting an hour rather than ten minutes. So I can really empathize with items like the Elbonian Software Process in Dilbert.

Because these are important topics, I try to keep a positive spin when teaching about, say, risk analysis or security policy development. I try to show how these processes can solve real problems, and only point out how they can be misused. Unfortunately, by the end of the lecture it becomes all too easy to tell stupid industry stories. So perhaps jaded, sarcastic people should not be allowed to pollute the minds of young people. Or maybe I should just stop reading Dilbert.

About April 2007

This page contains all entries posted to Trustworthy Thoughts in April 2007. They are listed from oldest to newest.
