Blue for Reset?

Published: 2013-01-04
Last Updated: 2013-01-04 00:24:35 UTC
by Daniel Wesemann (Version: 1)
9 comment(s)

Over the holidays, a friend of mine was busy trying to regain control of her online accounts, which had been hacked and taken over. While her experience wasn't quite as bad as Mat Honan's, it still was a mess to untangle. Initially we suspected spyware and spent some time searching her PC for a keylogger. None was found. Once the first few accounts were returned to her, including an email account, we were able to (partially) reconstruct what had happened. As in Mat Honan's case, it wasn't the password that had been breached, but rather the "I forgot my password" functionality. Duh-oh.

We took this as incentive to analyze the password reset options of some of her accounts, and what we found was not pretty. It seems that "I forgot my password" comes in (at least) three variants:

(1) New password is sent to the email address on file
(2) New password can be set after answering a couple of "Secret Questions"
(3) New password is set after "authenticating" out-of-band (via phone or fax)

Let's start with (2). We have known at least since the Sarah Palin attack that password reset functions can be dangerous. A 10-character complex password with more than 60 bits of entropy is of little use if the same password can be reset by answering what color your first car was: about 3 bits of entropy, or roughly equivalent to a one-digit password between 0 and 9. The effective strength of the account is the weakest of the two. Still, call centers are expensive, and the economic incentive is strong for companies to provide a password reset function that is trivially EASY. And since the fallout lands on the user and rarely on the company, they don't care much.

Variant (3), the "out of band" confirmation, comes in two flavors. One is competent and quite secure, and very rare: a real person asks hard, unscripted questions about your past relationship with the company or institution. The other is silly, near useless, and very common: such calls usually go to call centers overseas, where the agent answering the phone will "identify" the caller by asking for ... yes, the color of the first car again. Some web sites, for example domain registrars, also require a faxed copy of a driver's license. "Fax" is that 1980s technology of image transmission whose picture quality manages to make the most authentic passport look like a forgery. Hence, the hardest part for the attacker is probably making sure his forgery doesn't look too authentic ...

Which leaves (1), an option that works reasonably well, provided that the email doesn't get intercepted in transit and that it isn't the email account itself that was compromised. If it is, this function becomes deadly very quickly, because the attacker can readily reset all your other passwords, pick up the new credentials in the compromised inbox, and continue hacking at his leisure. In our tests, we also found two web sites where the password reset email contained the actual password that my friend had set, which means that the web site in question had committed the cardinal sin of storing user passwords in cleartext (a site that can mail your password back to you is not hashing it). But that's a story for another time.

For now, I suggest you start 2013 by taking a close look at the "chain of trust" between your important accounts: Which one can reset which others? If an attacker gets access to this one, what information does the account provide that allows him to breach which other credentials? Also, click on the "I forgot my password" or "I forgot my userid" button, just to see what happens. You might discover that in a state of naive trust and delusion, some years ago when you set up the account, you actually truthfully answered that your first car was blue.
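The "chain of trust" review above can be written down and computed rather than done in your head. The following is an added example, not code from the diary: it models each account's password strength and its reset options (a reset that lands in another account, or a secret-question/fax "challenge" an attacker can simply guess or forge), then finds the cheapest way into each account and the set of accounts that fall once a given one is compromised. The account names, the entropy estimates for passwords, and the bits assigned to each challenge (3 bits for the first-car colour, as estimated above; 4 for a call-centre question; 10 for a faxed licence) are constructed assumptions for illustration.

```python
"""Weakest-link analysis of password reset paths between accounts.

Added example, not part of the original diary. All names and all
entropy estimates below are constructed assumptions.
"""

# Each account: an estimate of its password entropy in bits, plus the
# ways its password can be reset. A recovery entry is either
#   ("account", other)          - the reset mail/code lands in 'other'
#   ("challenge", label, bits)  - the attacker must guess/forge 'bits'
ACCOUNTS = {
    "bank":      {"password_bits": 64, "recovery": [("account", "gmail")]},
    "gmail":     {"password_bits": 60, "recovery": [("account", "hotmail"),
                                                   ("account", "phone")]},
    "hotmail":   {"password_bits": 40, "recovery": [("challenge", "first car colour", 3.0)]},
    "phone":     {"password_bits": 30, "recovery": [("challenge", "call-centre question", 4.0)]},
    "registrar": {"password_bits": 70, "recovery": [("account", "gmail"),
                                                   ("challenge", "faxed driver's licence", 10.0)]},
    "twitter":   {"password_bits": 50, "recovery": [("account", "gmail")]},
}


def effective_bits(accounts):
    """Return {name: (bits, via)}: the cheapest way into each account.

    'via' is ("password",) if the password itself is the weakest link,
    otherwise the recovery entry that undercuts it. Resets that depend on
    another account inherit that account's effective strength, so the
    values are computed as a fixpoint: every value only ever decreases and
    is drawn from a finite set, so the loop terminates (cycles such as
    'mail resets via phone, phone resets via mail' are handled correctly).
    """
    eff = {n: (a["password_bits"], ("password",)) for n, a in accounts.items()}
    changed = True
    while changed:
        changed = False
        for name, acct in accounts.items():
            for method in acct["recovery"]:
                cost = eff[method[1]][0] if method[0] == "account" else method[2]
                if cost < eff[name][0]:
                    eff[name] = (cost, method)
                    changed = True
    return eff


def attack_chain(eff, name):
    """Follow the weakest link from 'name' down to what the attacker really needs."""
    chain, seen = [name], set()
    while name not in seen:
        seen.add(name)
        via = eff[name][1]
        if via[0] != "account":
            return chain + [via[1] if via[0] == "challenge" else "password"]
        name = via[1]
        chain.append(name)
    return chain  # defensive only: the fixpoint cannot produce a cycle of 'via' links


def blast_radius(accounts, compromised, guess_budget_bits=0.0):
    """Accounts an attacker owns after taking 'compromised', using resets only.

    Challenges whose bits do not exceed guess_budget_bits are treated as
    guessable (0.0 means: inbox access only, no guessing at all).
    """
    owned, frontier = {compromised}, [compromised]
    while frontier:
        frontier.pop()
        for name, acct in accounts.items():
            if name in owned:
                continue
            for m in acct["recovery"]:
                if (m[0] == "account" and m[1] in owned) or \
                   (m[0] == "challenge" and m[2] <= guess_budget_bits):
                    owned.add(name)
                    frontier.append(name)
                    break
    return owned


if __name__ == "__main__":
    eff = effective_bits(ACCOUNTS)
    for name in ACCOUNTS:
        print(f"{name:10s} password {ACCOUNTS[name]['password_bits']:>3} bits,"
              f" effective {eff[name][0]:>5.1f} bits via {' -> '.join(attack_chain(eff, name))}")
    print("owned after hotmail compromise:", sorted(blast_radius(ACCOUNTS, "hotmail")))
    print("owned after twitter + guessing 4 bits:",
          sorted(blast_radius(ACCOUNTS, "twitter", guess_budget_bits=4.0)))
```

In the constructed example every account, including the 64-bit bank password, collapses to the 3 bits of the first-car colour behind the secondary mailbox, and a compromised secondary mailbox hands over the primary mailbox, the bank, the registrar and the social account without a single guess. Swap in your own accounts and recovery settings; the account that every chain ends in is the one that deserves the strongest password and real multi-factor authentication.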

How are you handling password reset functions to reduce the risk of them becoming an easy avenue for attackers? Please let us know in the comments below!



9 comment(s)


First trick is to answer a different question than the one that was asked. For instance, if they ask the color of your first car, give them the make, or the tire size -- anything but the color. If they ask your favorite pet, give them your favorite playboy bunny or something. Always answer a different question than the one that was asked, but develop a method to your madness, so you can correctly answer later on if you need to!
Or use another password that seems random, but with something site-specific inserted.

Like dG5wisc2Wdw - the prefix dG5w and postfix 2Wdw can be written down. The middle part isc is something site-specific.

Better than dictionary words. But of course it can be broken if somebody gets access to too many of your "secrets".
Mat Honan from Wired magazine wrote an article on how his iCloud account was compromised. What I found interesting is that the attacker built a profile on Mat Honan just from gathering information on the net. Then the attacker figured out the weak holes in the processes at Amazon/Apple in order to implant false information to allow him to reset his password. Interesting read:

The question now being asked is how to authenticate a user on a telephone/email. I like the idea that a text/SMS is sent to your mobile phone. This way a user will know if the password reset mechanism has been invoked.
Of course, as in the case of Mat Honan, if an attacker could somehow implant a false piece of information (i.e. cell number) then game over.
How do you feel about an e-mail address that is used for account recovery -- and nothing else? I've seen this sort of thing in GMail but don't know if the strategy is worth using...personally I like multi-factor authentication despite its inconvenience.
For stock questions (e.g. "1st car", "fave drink"), use a pass phrase instead: misspelling or leetspeaking a real answer is a simple solution (c@mAr0, bakardi). Difficult if you have to talk to a real person, but should satisfy the web form. Face it, if you give the real answer to "best friend" as "Suzanne", it's easily hackable/searchable and your wife won't be happy either. The question I haven't resolved is whether to use the same (password or answer) for all accounts or different for each account? I have about 100 accounts (I do group passwords: 1 for bank, 1 for CC, 1 for email, etc.). Same method for the Forgot form?
December's Wired magazine with "Kill The Password" is an interesting read, and as I continue my SANS accreditation I will glean some of his data.

One thing that it did not address was refrain from scanning QR codes, you never know what you might be getting.

Currently I have an account that PWs and other sensitive data are sent to, and have a dedicated PC for it. It goes nowhere but to one of two email addys.

Additionally, consider a mirror approach to credit cards or other sensitive data. For CCs' mother's maiden name, start using complex pass phrases and use one per card or account. This way, only you and the company know it. If the account is breached, damage will not be as severe.

Creating passwords for passwords only leads to headaches for people other than security professionals. I've tried showing people to use a password or mixing it up with 733t speak for security questions and it's only helped make it difficult for them (and myself included) to recover a password to places that they rarely use. Now I mostly tend to tell them to answer using more than one word. Or if the answer was "blue" I would suggest answering in Hex "#0000ff" or RGB "0 0 255" or just something to break the norm and make it harder.

Just my 2 cents.
Why is "SMS Text Message to phone" not in section (3) from above? This seems to be a valid and good alternative option for password resets, no?

SMS text message to phone is fine for low and perhaps some medium level security accounts. Anything high level (banking, health care, etc.) should not use SMS as a determined bad guy has ways to take over your smartphone and MitM it. Even a voice call to your cell can be redirected this way (temp forward the call to another number, then unforward).

SMS doesn't protect against your local PC being hacked and intercepting/redirecting the session as soon as you enter the code into the PC:

Then there is just plain gaming the cell network: