Getting security almost right



  • I've recently started trying to consolidate my four superannuation accounts into one, as the tax office keeps pestering me to do. (Well, actually they mainly pester me to update my contact details with the old ones, but they also suggest consolidating them.) While the whole process has been replete with WTFs, I thought this one was particularly worth sharing. It's the story of a site that gets security [i]nearly[/i] right, although they do get a number of other things wrong.


    Access to your information on the website requires your employee code and a numeric Access Code. Among the WTFs: you can't register for an Access Code through the website. The website gives you an editable PDF which you have to fill out, and then either save and email or print and post to them. So I did the postal option (I had to buy stamps; normally the only things I send through the post are parcels for which I pay the required amount at the post office when I send them).


    After a week or two I got a letter in the post telling me that my Access Code would be arriving in a few days in the mail, and giving me instructions on how to use it. This letter had my employee number on it. Another week or two later I duly got the letter with my Access Code, which was one of those deals where it's printed on a transparent strip of plastic in the letter and there's a mottled backing to make it unreadable until the backing strip has been removed, along with pictures saying "if it looks like this it has been tampered with", etc. This letter did not have my employee number on it anywhere. The Access Code they send out also expires on first use, so you have to create your own once you log in.


    So, the things they did right:

    • Can't view someone's information just by knowing or guessing their employee number and personal information
    • Employee number and Access Code are not included in the same set of mailings, so interception of one does not allow access
    • Tamper-evident packaging of the Access Code
    • Automatic expiry of the mailed Access Code
    • Your own Access Code can be a much longer digit string than the one they send you

    However, when you create your new Access Code, you have to pick two of the following security questions to answer in case you forget your Access Code:

    • What is your mother's middle name?
    • What is your father's middle name?
    • What is your lucky number?
    • What was the name of your first pet?
    • What street did you grow up on?
    I facepalmed when I got to that bit.

    In the end I answered one correctly, then picked another and put the answer as something along the lines of "You need to allow a much wider variety of security questions, or preferably allow the user to create their own."

    The ultimate irony is that there's hardly anything you can actually [b]do[/b] on the website. You can view your current account balances and such but that's about it. I went through all this rigmarole because I want to see if I can transfer the accumulated superannuation in this fund into another fund, but I can't do that through the members portion of the website; I have to download a form, print it, fill it out and post it to them...

    I am down to three super accounts now though. Naturally, the one that I've managed to close was the one that had the best and most usable website. The one that I'm trying to merge everything into (because it's where my current contributions are going) has a horrible website. I have to log in with a random-looking number as my ID; this number is not on any of the correspondence I have from them and was only presented to me once during the signup process; and in the contact details my gender is correctly entered as Male but my title has been entered as Miss, and the title field is locked. I can update my name, but not my title...
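    The mailed-code lifecycle the post credits the fund with (a one-time numeric code sent by post, which expires on first use and can only be used to set a longer code of your own) as an added Python model; this is not the fund's code, and the digit lengths, the employee number format and the salted PBKDF2 storage are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed lengths: the post only says the mailed code is numeric and
# that the member's own code may be much longer.
MAILED_CODE_DIGITS = 8
MIN_OWN_CODE_DIGITS = 12


def _hash_code(code: str, salt: bytes) -> bytes:
    # Codes are stored only as a salted PBKDF2 hash, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class Member:
    employee_number: str
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    code_hash: Optional[bytes] = None
    mailed_code_pending: bool = False  # True until the mailed code is used once


class AccessCodePortal:
    def __init__(self) -> None:
        self.members: Dict[str, Member] = {}

    def issue_mailed_code(self, employee_number: str) -> str:
        """Generate the one-time numeric code that goes in the post."""
        code = "".join(secrets.choice("0123456789") for _ in range(MAILED_CODE_DIGITS))
        m = Member(employee_number)
        m.code_hash = _hash_code(code, m.salt)
        m.mailed_code_pending = True
        self.members[employee_number] = m
        return code  # returned here only so the mailing step can print it

    def _check(self, m: Member, code: str) -> bool:
        return m.code_hash is not None and hmac.compare_digest(m.code_hash, _hash_code(code, m.salt))

    def first_login(self, employee_number: str, mailed_code: str, new_code: str) -> bool:
        """The mailed code works exactly once, and only to set the member's own code."""
        m = self.members.get(employee_number)
        if m is None or not m.mailed_code_pending or not self._check(m, mailed_code):
            return False
        if not (new_code.isdigit() and len(new_code) >= MIN_OWN_CODE_DIGITS):
            return False  # mailed code is not consumed; the member may retry
        m.code_hash = _hash_code(new_code, m.salt)
        m.mailed_code_pending = False  # the mailed code has now expired
        return True

    def login(self, employee_number: str, code: str) -> bool:
        """Ordinary login; refused until the mailed code has been replaced."""
        m = self.members.get(employee_number)
        if m is None or m.mailed_code_pending:
            return False
        return self._check(m, code)
```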



  • Sure, the site not really having much with it is definitely a WTF given how much you had to go through just to get access, but at least they take their security seriously. Security questions are always a WTF, no matter how many options that they provide. I never understood how asking common questions (especially questions that every other website asks) to allow somebody to reset an account password is somehow secure. Sure, it's convenient to the user, but then again anything convenient for the user is inherently insecure to begin with. I would much rather have a more complicated process for resetting my password than asinine security questions - especially with an account that deals with my personal finances (of any kind). If it's difficult for me to reset my own password, then it would be difficult for a malicious user (at least, that's the theory).



  • @Scarlet Manuka said:

    ...and in the contact details my gender is correctly entered as Male but my title has been entered as Miss, and the title field is locked. I can update my name, but not my title...
     

    I occasionally get junk mail (not email, but real mail) addressed to Miss <my name here>. The last one I got was for makeup. The funny thing is my first name is not one that would leave you guessing about my gender.

     



  • @dohpaz42 said:

    Sure, the site not really having much with it is definitely a WTF given how much you had to go through just to get access, but at least they take their security seriously. Security questions are always a WTF, no matter how many options that they provide. I never understood how asking common questions (especially questions that every other website asks) to allow somebody to reset an account password is somehow secure. Sure, it's convenient to the user, but then again anything convenient for the user is inherently insecure to begin with. I would much rather have a more complicated process for resetting my password than asinine security questions - especially with an account that deals with my personal finances (of any kind). If it's difficult for me to reset my own password, then it would be difficult for a malicious user (at least, that's the theory).

    Imagine what it must be like being a celebrity. You get all these fanmags asking you questions like: "What's your favourite colour?" and such like. When it comes to the security questions on this website, all they have to do is buy back-issues of the magazines that have interviewed that celebrity, and bingo! You're into his account.



  • @QJo said:

    Imagine what it must be like being a celebrity. You get all these fanmags asking you questions like: "What's your favourite colour?" and such like. When it comes to the security questions on this website, all they have to do is buy back-issues of the magazines that have interviewed that celebrity, and bingo! You're into his account.

    You don't even have to be a celebrity to worry about this sort of thing. Imagine all of those asinine Facebook memes that go around asking you all sorts of similar questions, and asking you to repost it. There is a huge security WTF in and of itself. This is only a problem though if the website in question is stupid enough to let you change the password right there on the spot, instead of e-mailing the e-mail on account with a link to change the password. And we all know that websites are smart enough to do this... right? </sarcasm>.


  • :belt_onion:

    @dohpaz42 said:

    Sure, it's convenient to the user, but then again anything convenient for the user is inherently insecure to begin with.
    QFT.



  • @mott555 said:

    @Scarlet Manuka said:
    ...and in the contact details my gender is correctly entered as Male but my title has been entered as Miss, and the title field is locked. I can update my name, but not my title...
     

    I occasionally get junk mail (not email, but real mail) addressed to Miss <my name here>. The last one I got was for makeup. The funny thing is my first name is not one that would leave you guessing about my gender.

     

    When I was 17 I got some physical junk mail from a sofa company addressed to Mr and Mrs <my name here>. As no other spammer has attributed me with a non-existent spouse, I still haven't worked out where they got my address.



  • @heterodox said:

    @dohpaz42 said:

    Sure, it's convenient to the user, but then again anything convenient for the user is inherently insecure to begin with.
    QFT.

    I would argue a token like a SecureID (or software equivalent in a smartphone) is simultaneously more secure, and more convenient, than having to answer a random security question.


  • 🚽 Regular

    @QJo said:

    Imagine what it must be like being a celebrity. You get all these fanmags asking you questions like: "What's your favourite colour?" and such like. When it comes to the security questions on this website, all they have to do is buy back-issues of the magazines that have interviewed that celebrity, and bingo! You're into his account.
     

    I do recall a news item about Paris Hilton's cellular account or something getting "hacked" because her security question was "What is the name of your dog?"

    I, personally, use a very specific pattern to answer my security questions to thwart any possible attack. I won't divulge you with details, but I will tell you that my answers are never one-liners and require good mind-reading (or I suppose a keylogger) to successfully get into my account. There's simply no way to figure them out simply by knowing me personally or reading my Facebook page.


  • Considered Harmful

    Miss Scarlet, I would say my lucky number is 936,072,100,782,816,020,114,232,553,841,404,974,572,543,186,010,387,380,788,419,232,674,239,976,828,452,659,077,146,955,642,299,915,398,977,036,632,870,716,084,731,463,541,156,966,679,936,842,785,169,458,211,943,427,429,359,249,971,883,179,506,218,736,892.



  • @blakeyrat said:

    I would argue a token like a SecureID (or software equivalent in a smartphone) is simultaneously more secure, and more convenient, than having to answer a random security question.

    TFA is generally more secure, at least in the sense that it's more difficult for a hacker since the token is generated every N seconds/minutes/whatever. But, as with all other security, it's still vulnerable to attack(s).


  • ♿ (Parody)

    @blakeyrat said:

    @dohpaz42 said:
    Sure, it's convenient to the user, but then again anything convenient for the user is inherently insecure to begin with.

    I would argue a token like a SecureID (or software equivalent in a smartphone) is simultaneously more secure, and more convenient, than having to answer a random security question.

    It's generally less convenient to "reset" a lost SecurID than something that can be done only with "something you know," since you have to wait for another physical device to be sent in addition to getting it set up. Obviously, this is more expensive than a password reset, too. In my experience, you still have to have some sort of PIN to go along with it, and you have to associate that with the device and your user, though this sort of thing probably varies by organization and how they want to do things.



  • @pjt33 said:

    When I was 17 I got some physical junk mail from a sofa company addressed to Mr and Mrs <my name here>. As no other spammer has attributed me with a non-existent spouse, I still haven't worked out where they got my address.
    I don't care if it's true or not: I've decided to believe that you were still living with your parents (and that you use their name) and TRWTF was that you thought the mail was addressed to you...



  • @Scarlet Manuka said:

    The one that I'm trying to merge everything into (because it's where my current contributions are going) has a horrible website.

     

    Have them go down to the local street corner and hire a prostitute.  They'll do a good job with security, or so I've read.

     


  • :belt_onion:

    @blakeyrat said:

    I would argue a token like a SecureID (or software equivalent in a smartphone) is simultaneously more secure, and more convenient, than having to answer a random security question.
    Agreed. I'm a big fan of SecureIDs but don't see them taking off anytime soon for Web applications due to cost and difficulty of maintaining one for each site. I've only used one, and it got bollixed up pretty quickly. A smartphone application would be all right, but two-factor authentication by text message makes my head explode (incurring the cost and difficulty of cleanup of grey matter).

     



  • @pjt33 said:

    @mott555 said:

    @Scarlet Manuka said:
    ...and in the contact details my gender is correctly entered as Male but my title has been entered as Miss, and the title field is locked. I can update my name, but not my title...
     

    I occasionally get junk mail (not email, but real mail) addressed to Miss <my name here>. The last one I got was for makeup. The funny thing is my first name is not one that would leave you guessing about my gender.

     

    When I was 17 I got some physical junk mail from a sofa company addressed to Mr and Mrs <my name here>. As no other spammer has attributed me with a non-existent spouse, I still haven't worked out where they got my address.

    I used to run a website for which I was the administrative contact in the whois database. The technical contact was some random woman who worked at my ISP, and whom I had never met or spoken with. One day I got a credit card offer addressed to her and me. It took me a while to figure out who she was. Eventually, I realized that she had the same last name as her husband, which was the only person I had ever spoken to at the ISP. Very odd.



  • @mott555 said:

    I occasionally get junk mail (not email, but real mail) addressed to Miss <my name here>. The last one I got was for makeup. The funny thing is my first name is not one that would leave you guessing about my gender.
    I was once mis-enrolled in a health insurance plan as a female. I found this out when I started getting postcards reminding me that I was overdue for a pap smear.

     



  • @Scarlet Manuka said:

    Well, actually they mainly pester me to update my contact details with the old ones

    Fhtagn!




  • @cconroy said:

    I was once mis-enrolled in a health insurance plan as a female. I found this out when I started getting postcards reminding me that I was overdue for a pap smear.

     

     

    Always read those health insurance benefit statements.  After my late mother spent a couple of weeks in the hospital once, she got a statement saying that the charge had been denied for her prostate exam.

     



  • @mott555 said:

    @Scarlet Manuka said:

    ...and in the contact details my gender is correctly entered as Male but my title has been entered as Miss, and the title field is locked. I can update my name, but not my title...
     

    I occasionally get junk mail (not email, but real mail) addressed to Miss <my name here>. The last one I got was for makeup. The funny thing is my first name is not one that would leave you guessing about my gender.

     

    As my first initials are "M. D.", I quite frequently get junk mail, email, and even a few legitimate communiques addressed to "Dr. North Bus"

    ...



  • @da Doctah said:

    @cconroy said:
    I was once mis-enrolled in a health insurance plan as a female. I found this out when I started getting postcards reminding me that I was overdue for a pap smear.
     

    Always read those health insurance benefit statements.  After my late mother spent a couple of weeks in the hospital once, she got a statement saying that the charge had been denied for her prostate exam.

    It's very important to take your prostate health seriously, whether you're a dead woman or a middle-aged man!


     



  • @Scarlet Manuka said:

    …but my title has been entered as Miss, and the title field is locked. I can update my name, but not my title...
     

    That is because "miss" has nothing to do with you - it is the result of the site's attempt to achieve good security.

     



  • @RHuckster said:

    I, personally, use a very specific pattern to answer my security questions to thwart any possible attack. I won't divulge you with details, but I will tell you that my answers are never one-liners and require good mind-reading (or I suppose a keylogger) to successfully get into my account. There's simply no way to figure them out simply by knowing me personally or reading my Facebook page.

     

    What, initial few numbers from some juicy selections from [url="http://www.oeis.org"]The On-Line Encyclopedia of Integer Sequences[/url]? ;)

     

    mod: fixed yo link -dh



  • @Kuba said:

    @RHuckster said:
    I, personally, use a very specific pattern to answer my security questions to thwart any possible attack. I won't divulge you with details, but I will tell you that my answers are never one-liners and require good mind-reading (or I suppose a keylogger) to successfully get into my account. There's simply no way to figure them out simply by knowing me personally or reading my Facebook page.

     

    What, initial few numbers from some juicy selections from The On-Line Encyclopedia of Integer Sequences? ;)

     

    mod: fixed yo link -dh

    Hey, cool link. I met the guy behind that website (over a video link, but that counts, dunnit?)

    Check this one out - it's a riot: http://oeis.org/A002487



  • @Matt Westwood said:

    Check this one out - it's a riot: http://oeis.org/A002487
     

    I don't really get why it's a riot, but I've run across the site before.  I'm the original author of the list at http://oeis.org/A133377 though it shows someone else as the author; they rejected it when I submitted it earlier because it wasn't an infinite series.



  • @da Doctah said:

    @Matt Westwood said:

    Check this one out - it's a riot: http://oeis.org/A002487
     

    I don't really get why it's a riot, but I've run across the site before.  I'm the original author of the list at http://oeis.org/A133377 though it shows someone else as the author; they rejected it when I submitted it earlier because it wasn't an infinite series.

    Email him about it - he's a reasonable enough guy. As for its index, is that a lleeet number or what?



  • @Matt Westwood said:

    @da Doctah said:
    133377

    leeett?

    FTFY



  • @MascarponeRun said:

    @Matt Westwood said:
    @da Doctah said:
    133377

    leeett?

    FTFY

    wotEVVer



  • @Matt Westwood said:

    Check this one out - it's a riot: [url]http://oeis.org/A002487[/url]

    Wow, look at that scatterplot!! It's beautiful! I approve!



  • @Xyro said:

    Wow, look at that scatterplot!! It's beautiful! I approve!

    Remind me of this sequence if I ever need a procedural approach to creating a particle based fire animation.*

