Social Engineering in the Facebook Era
August 26, 2008 11:34 AM

‘Forgot your password?’ may be weakest link. Herbert Thompson, chief security strategist of People Security, "asked some of his acquaintances for permission to break into their online banking accounts. The goal was simple: get into their online accounts using the information about them, their families and acquaintances that is freely available online."
"Questions about hacking through password resets have been raised before. When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dogs' names.

It also prompted researchers to study the issue, which is also known as 'fallback authentication.' Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF) titled in part, 'Security Questions in the Era of Facebook.' It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember."
posted by ericb (72 comments total) 8 users marked this as a favorite
 
I think I may be forced to invent a fictional identity (my favorite pet is Sammy the Finch; my mother's maiden name is Tomorrowful; I grew up in Metafiltrania, New Jersey...) just to avoid this kind of (mandatory!) absurdity.
posted by Tomorrowful at 11:37 AM on August 26, 2008 [1 favorite]


Alternate idea: Use a universal answer to all "secret questions" as a kind of backup password and hope nobody ever finds it.
posted by Tomorrowful at 11:40 AM on August 26, 2008


Or just use a garble of letters and don't forget your password.
posted by Citizen Premier at 11:43 AM on August 26, 2008


Yeah I always enter a random string at least as strong as my password for those things, then forget about it. What's my mother's maiden name? ZIcmVMAJu3rTlawc7OMuoR. We're from France.
posted by fleetmouse at 11:43 AM on August 26, 2008 [11 favorites]


Don't just invent a new identity, just treat those questions as passwords.

"What was your first pet's name?"

hy^k9(Hn7l0

As long as you keep a secure log of the questions and answers, you'll be fine. It may be a bit extreme, but until all banks start issuing key fobs for all account holders, it may be the best you can do.
posted by PhillC at 11:44 AM on August 26, 2008


God damn it. I've been using Paris Hilton's dog's name as my Password.
posted by Astro Zombie at 11:46 AM on August 26, 2008 [3 favorites]


Living in Puerto Rico, your mother's maiden name is part of your name.
posted by dances_with_sneetches at 11:47 AM on August 26, 2008


I use "Paris Hilton's dog's name" as my password. It's secure because it's so long and contains nonalphanumerics.
posted by ardgedee at 11:50 AM on August 26, 2008 [2 favorites]


I once had a boss who wanted to implement an account reset system, but then insisted that mother's maiden names be at least 8 characters long. Because he knew 8 characters was the magic security length for passwords. (No, LANMAN was not involved.)

But yes, this needs to be risk-assessed along with anything else account related. I'm glad it's getting the media attention.
posted by These Premises Are Alarmed at 11:52 AM on August 26, 2008


What's my mother's maiden name? ZIcmVMAJu3rTlawc7OMuoR. We're from France.

I do hope that you are saying that in a conehead voice.
posted by Meatbomb at 11:54 AM on August 26, 2008 [3 favorites]


I always use my pet's maiden name. No one knows that but me.
posted by Knappster at 11:55 AM on August 26, 2008 [8 favorites]


We should all use the same password. No, wait...
posted by Alexandra Kitty at 12:03 PM on August 26, 2008


The way I guard against someone stealing my money is by not making much of it. It's pretty foolproof.
posted by Camofrog at 12:04 PM on August 26, 2008 [13 favorites]


I always use my pet's maiden name. No one knows that but me.
I actually do that, in a sense. I use her old registered name.
posted by Wolfdog at 12:06 PM on August 26, 2008


Or just use a garble of letters and don't forget your password.

I used to do this, but now a lot of banks use the security questions for situations other than forgetting your password. The main use I've seen now is that whenever you use a different computer it forces you to answer a random security question in addition to entering your password.

Back when I did use a garbled answer for a website, I ended up talking to someone on the phone at one point. They asked me "What was the make and model of your first car?" and I said something along the lines of "Uh, it's a bunch of crazy letters. Probably a few semicolons in there too". They accepted that.
posted by burnmp3s at 12:11 PM on August 26, 2008 [3 favorites]


I've only ever seen this 'password security through semi-obscurity' in the US. Not just online, but in dealing with banks over the phone, etc. It's bizarre, right up there with the "3 pieces of local, easy to forge ID instead of 1 national, hard to forge ID".
posted by signal at 12:15 PM on August 26, 2008


People, you are all missing the point. Why is this guy's headshot so friggan huge in this article? How am I supposed to learn about computer security with his pasty, eyebrowless smile staring at me?
posted by Mach5 at 12:16 PM on August 26, 2008 [1 favorite]


How am I supposed to learn about computer security with his pasty, eyebrowless smile staring at me?

Because smiles that have eyebrows make you gibber and cry and wail for the loss of your sanity.
posted by Tomorrowful at 12:18 PM on August 26, 2008


My passwords are pretty secure, since they are answers to obscure questions that only I would know, like the title of my favorite 1960s game show or my favorite song by a former Broken Social Scene member.

What?
posted by Someone has just shot your horse! at 12:19 PM on August 26, 2008


My bank has just started this weird scheme where you pick from one of hundreds of pictures, and you also submit a phrase of some kind, so, say, you choose a picture of horses and then you enter a phrase like "Neigh Weigh Joseigh" and then every time you log in it shows the picture and the phrase together and if you don't see the right picture and phrase you've been phished, or something.

Kind of off topic, but how does that work?
posted by Rumple at 12:24 PM on August 26, 2008


Also, doesn't Paris Hilton have a buttload of pooches?
posted by Rumple at 12:24 PM on August 26, 2008


A mustache is a smile's eyebrow.
posted by Astro Zombie at 12:29 PM on August 26, 2008 [28 favorites]


That's the stupidest thing I have ever said.
posted by Astro Zombie at 12:30 PM on August 26, 2008 [30 favorites]


An eyebrow is an eye's brow.
posted by Rumple at 12:31 PM on August 26, 2008


What if your dog's name is "Password"? Or better yet, "Empty String"?
posted by rocketpup at 12:35 PM on August 26, 2008 [1 favorite]


Wow, and PayPal isn't even a bank!
posted by mrzer0 at 12:36 PM on August 26, 2008


What if your dog's name is "Password"? Or better yet, "Empty String"?

My dog is named ********.
posted by Lentrohamsanin at 12:37 PM on August 26, 2008


*starts poking around Rumple's *** account*

Someone can set up a fake site that looks like your bank's site. If you blithely login with your account number, they get that, no question. But if your pictures and pass phrase don't show up on the same page that asks for your password -- and the phishing site won't know the specific combo you've chosen -- you should clue in before you mindlessly enter your password.

However, if your password is weak and easily guessed, the phishers have your account number and will probably hit on your password pretty soon, too. So you still should avoid crap passwords.
posted by maudlin at 12:40 PM on August 26, 2008


I named my dog after myself and added to Is. That way the hackers don't get us confused.
posted by Dumsnill at 12:40 PM on August 26, 2008


Even if you think up a really cool unpronounceable fictional pet name, the government can still declare you an enemy of the state and seize your Lycos account. So what's the point?
posted by RobotVoodooPower at 12:42 PM on August 26, 2008


I change my dog's name every 3 months just to be on the safe side; yet ironically, that just seems to make my dog increasingly insecure.
posted by It's Raining Florence Henderson at 12:46 PM on August 26, 2008 [52 favorites]


Yeah, the questions and 'answers' go in the same encrypted file as passwords. It was fun over the phone "and what's your mother's maiden name?" "alphA to the -1 equals 137.035999 That second a is capitalized, and all the punctuation except the period and minus sign is written out." "... What was the name of your elementary school?" "FlubatasticScallions No space." "..."
posted by a robot made out of meat at 12:52 PM on August 26, 2008


Uh... no. I will not be creating a dozen new passwords to serve as security question answers. I already have a head full of passwords, and with policies now that old ones can't be re-used (a good policy of course) I'm constantly calling tech support to reset new passwords I've forgotten.

Unless you'd like me to write them all down, and then we can have a nice discussion about stolen wallets.
posted by Durn Bronzefist at 1:03 PM on August 26, 2008 [1 favorite]


Thanks maudlin. The picture + pass phrase comes up *after* I enter my password, so I guess at that point I am meant to call the bank or something if it doesn't show. Seems a little post-hoc, but better than nothing.
posted by Rumple at 1:14 PM on August 26, 2008


That's why I use this nifty password pad.
posted by Dragonness at 1:20 PM on August 26, 2008


Welcome, Astro Zombie!

Since you've forgotten your password, please answer the following security question in the space below. A new password will be sent to your email address.

Q: What is the stupidest thing that you've ever said?

A: A mustache is a smile's oh jesus god that's dumb
|

posted by koeselitz at 1:25 PM on August 26, 2008


Thanks maudlin. The picture + pass phrase comes up *after* I enter my password, so I guess at that point I am meant to call the bank or something if it doesn't show. Seems a little post-hoc, but better than nothing.

With one of my accounts, you do user/pass to log in, with the Security Questions thing if you can't remember that info, and then, yeah, there's your antiphishing mark. But! After that you can't actually do anything with your account until you put in another PIN, so that's another speedbump even on a compromised account, which is something.
posted by cortex at 1:33 PM on August 26, 2008


That's why the answers should have fuck-all to do with the questions.

which is also why I can't get back my allan@hotmail.com account
posted by bonaldi at 1:34 PM on August 26, 2008


My mother's maiden name is always ZANGIEF.
posted by Eideteker at 1:38 PM on August 26, 2008


It's obvious that the vast, vast majority of people use poor password security - and that there isn't any way to avoid that. Good password security requires lots of different things:

1) Don't use the same password everywhere and don't re-use old passwords.
2) Don't use easy to guess passwords. Use random mixes of numbers and letters.
3) Don't write down your passwords and carry them around with you.

It is completely impossible for most people to meet all three of these guidelines. If you need passwords at 25 different websites how the hell are you supposed to remember 25 different random strings of letters and numbers and which websites they are for without writing them down? Answer: Most people can't, and so either use the same password everywhere, use easy to remember passwords, or write their passwords down. And telling them not to do so won't help; there isn't any other way to do it for most people.

Now, if you're tech savvy you could keep an encrypted master list on your computer. Then you only have to remember one password: The password to the encrypted file. But that's simply unrealistic to expect of most people. You can also come up with an algorithm to generate a pseudo-random looking password for a website involving the website's name and a key you select yourself which will be the same for all websites. That, again, is unrealistic to expect of most people.

The truth? Most people need to either use the same (or one of a few) passwords everywhere, or they need to write down a list of passwords which they store on their computer and/or in their wallet.

And telling them that's bad is ridiculous; in this day and age of needing dozens of passwords it's the only reasonable way most people can get by.
posted by Justinian at 1:39 PM on August 26, 2008 [2 favorites]


I love my picture passkey online bank thingy. So much. It brings joy to my heart every time I see it. Too bad I can't tell anyone what it is.

Also, every time I fill out one of those security question things, I'm just thankful that my mom's not a thief. Because I don't think I've seen a single question my mom couldn't answer.
posted by lampoil at 1:39 PM on August 26, 2008


Wait; are you saying '42' was just some kind of authentication for a meaningless question?
posted by kaibutsu at 1:42 PM on August 26, 2008 [1 favorite]


I've read somewhere that having one very strong password and writing it down and keeping it in your wallet is actually not a bad idea, on the principle that you look after your wallet and most people don't have access to it without your knowledge and thus if someone does have access to it, or you lose it, or whatever, then likely you *know* your password has been compromised and you can then change it. Which makes some sense, really -- knowing it has been compromised is a luxury you might not have with other schemes, and knowing soon is certainly an advantage.
posted by Rumple at 1:46 PM on August 26, 2008


Lentrohamsanin: "What if your dog's name is "Password"? Or better yet, "Empty String"?

My dog is named ********."

Seems about time to roll out Little Bobby Tables...
posted by benzo8 at 2:05 PM on August 26, 2008


Now, if you're tech savvy you could keep an encrypted master list on your computer. Then you only have to remember one password: The password to the encrypted file. But that's simply unrealistic to expect of most people

Not really - there are plenty of user-friendly apps knocking about now that will keep an encrypted list for you, and generate strong passwords. (E.g. 1Password - I know a fair few people who use it or similar apps that wouldn't have a clue how to encrypt a text file themselves.)
posted by jack_mo at 2:46 PM on August 26, 2008


The truth? Most people need to either use the same (or one of a few) passwords everywhere, or they need to write down a list of passwords which they store on their computer and/or in their wallet.

Here's what I do: don't remember a given password, so much, across those 25 accounts/programs, but remember my current system of devising a password. I can guess 90% of the time given the program's content what my current password is if I remember my system. Note that this is not some huge string of random characters, but as you pointed out, I can't keep track of that if I'm not writing it down.
posted by Durn Bronzefist at 3:03 PM on August 26, 2008


After working in internet security for an abuse department and seeing the kinds of passwords employed by people who should know better, I've come to realize that if I ever need to gain access to a random account on someone's network, it will probably only take me a couple of days of concentrated work.

This makes me feel both really good and really bad, all at the same time.
posted by quin at 3:05 PM on August 26, 2008


you look after your wallet and most people don't have access to it without your knowledge and thus if someone does have access to it, or you lose it, or whatever, then likely you *know* your password has been compromised and you can then change it.

Well that's true, so long as you use a different password or passwords for anything related to the other contents of your wallet. I still don't like writing down passwords, though. I lose things far too often.
posted by Durn Bronzefist at 3:05 PM on August 26, 2008


I keep a list of passwords, except my list describes the password, instead of listing the actual password. That is, I might have an entry: "lotus notes password: Angie's postal code +xx." I know Angie's postal code, or can look it up if I forget it, but a wallet thief (or in my case, desk-side scratchpad thief) would have to go to a lot of trouble to reconstruct who Angie is in order to look up her postal code (especially since Angie is my mother's great-aunt and therefore doesn't have a facebook account). Or the thief would have to be my Mom.

Plus I have a system for how I replace certain letters with numbers or punctuation.
posted by joannemerriam at 3:33 PM on August 26, 2008 [1 favorite]



Alternate idea: Use a universal answer to all "secret questions" as a kind of backup password and hope nobody ever finds it.


I do this on some sites, when they allow you to set your own question and answer pair. My "question" is a hint to jog my memory, and the answer is a long, random string of uselessness because I never intend to go beyond reading the question.

Like so:

Question: When did it?
Answer: 3lkj8we7f923h@$$khf3p8c&*F&( d98fdf(F*& khfds

I just wish more sites would allow you to set your own question.
posted by davejay at 3:53 PM on August 26, 2008


Oh, and that's how I write down my passwords, too; I have an unencrypted text file that looks something like this:

Site: metafilter.com
username: davejay
password: [when did it?]
posted by davejay at 3:54 PM on August 26, 2008


Alternate idea: Use a universal answer to all "secret questions" as a kind of backup password and hope nobody ever finds it.
...
Here's what I do: don't remember a given password, so much, across those 25 accounts/programs, but remember my current system of devising a password

Using a universal password (or a trivially discernible scheme) is a very bad idea, because at least a few of the places you have accounts with probably store your password (and answers to secret questions) in cleartext. And they typically store them alongside your name and email address. So, when their server gets compromised (which they might never tell you about, if they even find out themselves), somebody has found your universal password. Sorry to crush your hope.

Someone can set up a fake site that looks like your bank's site. If you blithely login with your account number, they get that, no question. But if your pictures and pass phrase don't show up on the same page that asks for your password -- and the phishing site won't know the specific combo you've chosen -- you should clue in before you mindlessly enter your password.

But, what prevents a MITM attack on this type of system? (Why can't the phishing site interact with the bank on the victim's behalf to get the pictures and display them?)
posted by finite at 3:57 PM on August 26, 2008
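The cleartext-storage point finite raises is what a site operator gets wrong on their side of this: a reset answer is a second password and should be stored like one. The following is an added example, not code from the thread or from any site named in it; the function names, the iteration count and the constructed sample answers are my own assumptions.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Added example (not from the thread): store reset answers salted and slowly
# hashed, never in cleartext next to the user's name and e-mail address.
# Names, work factor and sample values are constructed for illustration.
ITERATIONS = 200_000          # PBKDF2-HMAC-SHA256 work factor, assumed
MIN_ANSWER_LEN = 8


def normalize_answer(answer: str) -> str:
    """Fold case and whitespace so 'Sammy the Finch' and ' sammy  THE finch '
    verify as the same answer; a random-string answer is unaffected."""
    text = unicodedata.normalize("NFKC", answer)
    return " ".join(text.casefold().split())


def answer_is_weak(answer: str, username: str = "") -> bool:
    """Reject answers that defeat the point of the question: too short, or
    recoverable from the username the other side already knows."""
    norm = normalize_answer(answer)
    if len(norm) < MIN_ANSWER_LEN:
        return True
    user = normalize_answer(username)
    return bool(user) and (user in norm or norm in user)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> dict:
    """Return the record a server would store: a per-answer random salt, the
    PBKDF2 digest and the iteration count (kept so it can be raised later)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, ITERATIONS
    )
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_answer(answer: str, record: dict) -> bool:
    """Recompute with the stored salt and iterations and compare in constant
    time, so timing does not leak how much of the hash matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        normalize_answer(answer).encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed user with a PhillC-style random answer to "first pet's name"
    record = hash_answer("hy^k9(Hn7l0")
    print("stored record (no answer text):", record)
    print("correct answer verifies:", verify_answer("hy^k9(Hn7l0", record))
    print("wrong answer verifies:  ", verify_answer("fluffy", record))
    print("'Rex' flagged as weak:  ", answer_is_weak("Rex"))
```

A server that stores answers this way can still be phoned and talked through a reset, as burnmp3s describes above; hashing protects the stored answer, not the help desk.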


But all they'd have is categories, finite. They would likely know what they are (famous physicists, root vegetables, countries spelled backward, etc.) but that's still a lot of permutations. The only thing they'd have a lock on are the numbers in between.
posted by Durn Bronzefist at 4:17 PM on August 26, 2008


Ok, I haven't actually used a system like this yet and I'm clearly missing something about how it works.
posted by finite at 4:21 PM on August 26, 2008


Hmm, Bank of America says "We know it's really you - we display your SiteKey when we recognize you as the true owner of your account. If you don't sign in from the computer you told us to recognize, we'll ask a challenge question" which begins to answer my question. (But, how do they know? By the IP address? Using a client cert?)

But they don't say anything about any categories, so perhaps we're not talking about the same thing?
posted by finite at 4:31 PM on August 26, 2008


Sorry to confuse. No, this is just for my own pw's. I can remember associations between things more easily than a dozen garbled character strings. So I remember how the categories fit together, and some vague association with the software or site. All the pw's are different. If someone got ahold of one, I have no doubt they could figure out what makes it up, even with some character shuffling as part of the pattern. But it's the best I can do with as many passwords as I use, writing nothing down.
posted by Durn Bronzefist at 5:58 PM on August 26, 2008


I was disturbed when I found out that you could use the same answer for the entire set of secret questions. What are the odds that my pet's name, the street I grew up on, and my favorite sports team would be 3lkj8we7f923h@$$khf3p8c&*F&( d98fdf(F*& khfds?

Have a system, too. Which turned out to be useless for a lot of stuff when Dodgeit switched to dogit, dagnabit.
posted by Lesser Shrew at 6:29 PM on August 26, 2008


I have written a simple Javascript page that generates different passwords for each site you visit from one master password. (And there's an easy bookmarklet version that fills in login forms automatically.)
posted by nicwolff at 6:43 PM on August 26, 2008
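The per-site derivation Justinian describes earlier and nicwolff's page implements, as an added example: my own code, not nicwolff's script or any shipping tool. It stretches the master secret with PBKDF2 and expands it per site with HMAC; the function names, iteration count and salt string are assumptions.

```python
import base64
import hashlib
import hmac

# Added example (not nicwolff's page or any real product): one master secret,
# one password per site, nothing written down. Constants are assumed values.
KDF_ITERATIONS = 200_000                 # slows offline guessing of the master
KDF_SALT = b"metafilter-thread-example"  # fixed application identifier


def normalize_site(site: str) -> str:
    """Reduce a URL or host to a bare domain so 'https://www.Example.com/login'
    and 'example.com' derive the same password."""
    host = site.strip().lower()
    for scheme in ("https://", "http://"):
        if host.startswith(scheme):
            host = host[len(scheme):]
    host = host.split("/", 1)[0]
    if host.startswith("www."):
        host = host[4:]
    return host


def master_key(master: str) -> bytes:
    """Stretch the master password once. Someone holding one leaked site
    password and knowing this scheme must still pay this cost per guess,
    which is the answer to finite's 'trivially discernible scheme' worry."""
    return hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), KDF_SALT, KDF_ITERATIONS
    )


def derive_site_password(master: str, site: str, username: str = "",
                         version: int = 1, length: int = 20) -> str:
    """HMAC the site, account and a version counter under the stretched key.
    HMAC output does not reveal its key, so a leaked derived password exposes
    neither the master nor the other sites' passwords; bump `version` to
    rotate one site's password without changing the rest."""
    label = f"{normalize_site(site)}\x00{username}\x00{version}".encode("utf-8")
    tag = hmac.new(master_key(master), label, hashlib.sha256).digest()
    # urlsafe base64 avoids '+' and '/', which some sites reject; add any
    # composition rule a site insists on (digit, symbol) before submitting.
    return base64.urlsafe_b64encode(tag).decode("ascii")[:length]


if __name__ == "__main__":
    # Constructed master passphrase and accounts for the demonstration
    master = "correct horse battery staple"
    for site in ("https://www.metafilter.com/", "example.com"):
        print(site, "->", derive_site_password(master, site, "davejay"))
```

The weak spot Justinian names remains: everything hangs on the master, so it has to be a strong passphrase and the scheme offers no way to change a site's password except by changing its version number.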


Don't forget about little Bobby Tables!
posted by blue_beetle at 6:55 PM on August 26, 2008


I change my dog's name every 3 months just to be on the safe side; yet ironically, that just seems to make my dog increasingly insecure.

Thank you, this made me laugh so hard I cried. Repeatedly. This is why I read metafilter.
posted by marble at 8:57 PM on August 26, 2008


I don't think I ever answer one of these with less than a dozen characters. Using real information is (obviously) kind of stupid.

If I forget the password, I either have to deal with talking to site admins/proving who I am, or I just make a new account. Odds are the site will have either real live admins who handle these things, or an 800 number I can call.
posted by paisley henosis at 9:59 PM on August 26, 2008


My cat peed on my one-time pad. Now what?
posted by dhartung at 1:08 AM on August 27, 2008


(Why can't the phishing site interact with the bank on the victim's behalf to get the pictures and display them?)

Your instincts are right, finite, phishing sites can and do this sort of thing. The pictures are basically security theater. Bruce Schneier has two hot buttered punches to the face of the concept.
posted by breath at 2:31 AM on August 27, 2008


The worst thing about passwords not being accessible to others is when someone is incapacitated or dies - others cannot get into the accounts to manage/monitor bill payments.

There should be some method for allowing others to gain access to account log-ins and passwords - how else can this be managed except for writing it down?
posted by mightshould at 5:29 AM on August 27, 2008


Pffft! My voice is my passport.
posted by ssmug at 8:06 AM on August 27, 2008


finite writes "Bank of America says 'We know it's really you - we display your SiteKey when we recognize you as the true owner of your account. If you don't sign in from the computer you told us to recognize, we'll ask a challenge question' which begins to answer my question. (But, how do they know? By the IP address? Using a client cert?)"

Probably using a cookie. Seriously. Even though it's not that secure to keep session cookies on your machine. Chase does this. Makes me get an access code (through email or text messaging) every time, because I clear my cookies after using bank sites.
posted by krinklyfig at 9:21 AM on August 27, 2008


mightshould writes "The worst thing about passwords not being accessible to others is when someone is incapacitated or dies - others cannot get into the accounts to manage/monitor bill payments.

"There should be some method for allowing others to gain access to account log-ins and passwords - how else can this be managed except for writing it down?"


I work for an ISP in a small town. When we get a call regarding a death, we usually take their word. We will handle all the billing right then, but if there are other things they need, like passwords or email on our server, we need them to come in the office. But it's a small town, and it's possible to track down these things pretty quickly.
posted by krinklyfig at 9:59 AM on August 27, 2008


Why are 47-in-1 card readers now standard equipment on desktops and laptops but not fingerprint scanners?

If a thief is going to be able to know my passwords scheme AND be able to replicate my fingerprint, then he probably deserves the money.

But he'll also likely be going after something more substantial than my Sears card.

Also, I don't think there are any perfect solutions to phishing. Phishing is directly related to the intelligence and diligence of the target.

If I am carrying money to my bank, and a guy on the street corner in a refrigerator box labeled BANK in magic marker says "Hey, I can take that, I'm your bank." and I give it to him, well, that's not really a security problem.
posted by Ynoxas at 11:53 AM on August 27, 2008


Why are 47-in-1 card readers now standard equipment on desktops and laptops but not fingerprint scanners?

When I think of fingerprint scan vulnerability, I don't think of some guy with a resin mold he took off my drinking glass, having taken the night shift particularly to catch my midnight-coffee-drinking ass, as he fools the print scanner. I think of the print file in the system, which the thief acquires and then feeds into whatever program he desires. How is that more secure than a crackable db of passwords?
posted by Durn Bronzefist at 7:23 PM on August 27, 2008


When I think of fingerprint scan vulnerability... I think of severed fingers.
posted by finite at 7:48 PM on August 27, 2008


One of our IT consultants told me this week that he won't do online banking because it's not secure. Be that as it may, we had an interesting discussion about passphrases (linked from one of the Schneier articles). One of the interesting things in this discussion is how relatively easy it is to break short passwords.
posted by sneebler at 7:09 AM on August 30, 2008


The Register: Conservative commentator Bill O'Reilly's website hacked
While the information exposed on Wikileaks may seem minimal, it has the potential to imperil the BillOreilly.com subscribers listed in ways they may not have anticipated. A case in point is Carolyn Carpenter, 68, of Henderson, Nevada. The list showed she used a six-letter word from the English language to access her account. Early Friday evening, when told she should change all accounts that used the password, she replied: "Oh damn, I use it all over the place."
posted by finite at 12:59 AM on September 20, 2008

