02 September 2014

Prevent Protect Pursue

Robin Adams - The Logic Group


Reset your password or the cat gets it

27 April 2011

Today we gained further confirmation of details around the Sony PlayStation Network breach: millions of account names and personal details have been lost, and potentially payment card details too, including the card number and expiry date but excluding the security code.

The types of data rumoured to be lost include: names, addresses, email addresses, account names, account passwords, relevant date of birth and answers to security questions. By security questions one presumes the questions would be of a similar type to the old password reset classic: What is the name of your pet?

So should we be concerned?

If I were one of the potential victims of this theft I certainly would be. Why? Because the amount of personal data which has supposedly been taken is more than enough to allow a fraudster to begin the process of taking over my identity. Much of the rumoured stolen data can, for example, be used to authenticate and validate a user, particularly when that user claims to have forgotten the usual authentication tokens such as passwords and passphrases.

These problems arise because we humans are quite forgetful of our authentication details such as passwords. This means we tend to use the same passwords for multiple systems, or at the very least similar passwords for similar systems; when we use random passwords we tend to forget them. The systems we interact with are aware of this and see this forgetfulness as a real inhibitor to their ability to validate and interact with us. They are also aware that an authentication failure could lead to a lost sale or a service not being provided. However, they know that we remember personal details more successfully, so questions related to address, dates and favourite or personal facts become a fallback authentication process for the service provider. Unfortunately this also means this personal information becomes far more valuable to a hacker as well.

Only recently I was with a family member who was paying for some items on an ecommerce website. As often occurs these days, part of the card authentication process included being taken to a 3D Secure card authentication screen, where she suddenly found she couldn't remember her secure password.

Helpfully, the bank in question gave her the option to select "Forgotten password?" and she was then validated by being asked for her date of birth. Once validated by this information, permission to reset the password was granted.

Similarly, most online applications provide the capability to retrieve forgotten or lost passwords by asking for personal information such as date of birth, address or some well-known security questions, such as name of pet, birthplace etc., which just happens to sound familiar. The problem is that much of this data can't be changed: it's easy to change a compromised password, but how do you change a compromised date of birth?
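The reset flow described above, built the other way round, as an added example that is not part of the original post and not code from The Logic Group or any bank: the weak pattern (grant a reset to anyone who knows the date of birth) sits beside a replacement that issues a random, short-lived, single-use token delivered out of band and keeps only its hash, so a copy of the database cannot be replayed against the reset endpoint. It also shows how an answer to a security question, if one must be kept at all, can be stored like a password rather than in clear, which is how a breach of the kind described ends up leaking "answers to security questions". All names here (RecoveryStore, issue_reset_token, check_security_answer, the sample account "alice") are assumptions.

```python
"""
Account recovery that does not depend on a date of birth or a pet's name.

Added example for this article; not code from Finextra, The Logic Group or
any bank mentioned. Class, method and account names are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60      # a reset link is only valid briefly
KDF_ITERATIONS = 200_000         # PBKDF2 work factor for low-entropy answers


def _normalise(answer: str) -> str:
    """Fold case and surrounding whitespace so 'Tiddles' and ' tiddles '
    hash identically; the user is asked to remember a fact, not a string."""
    return " ".join(answer.casefold().split())


@dataclass
class PendingReset:
    token_hash: bytes       # SHA-256 of the token; the token itself is never stored
    expires_at: float       # Unix time after which the token is refused
    used: bool = False      # set on first successful redemption


@dataclass
class RecoveryStore:
    # Constructed sample data standing in for the service's customer records.
    dob_by_account: Dict[str, str] = field(default_factory=dict)
    answer_by_account: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    pending: Dict[str, PendingReset] = field(default_factory=dict)

    # --- The pattern the article describes: validate by a fact you cannot rotate ---
    def weak_reset_allowed(self, account: str, claimed_dob: str) -> bool:
        """Anyone holding a copy of the customer table passes this check,
        and the victim cannot change their date of birth afterwards."""
        return self.dob_by_account.get(account) == claimed_dob

    # --- Replacement: a random, short-lived, single-use token sent out of band ---
    def issue_reset_token(self, account: str, now: Optional[float] = None) -> str:
        """Return the token to deliver to the account's verified contact
        channel. Only its SHA-256 is kept, so a database dump does not yield
        usable tokens (no slow KDF is needed: the token already has 256 bits
        of entropy, unlike a password or a security answer)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.pending[account] = PendingReset(
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=now + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem_reset_token(self, account: str, presented: str,
                           now: Optional[float] = None) -> bool:
        """True exactly once, within the TTL, for the token that was issued."""
        now = time.time() if now is None else now
        entry = self.pending.get(account)
        if entry is None or entry.used or now > entry.expires_at:
            return False
        presented_hash = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(presented_hash, entry.token_hash):
            return False
        entry.used = True
        return True

    # --- If a security question must be kept, store the answer like a password ---
    def store_security_answer(self, account: str, answer: str) -> None:
        """Salted PBKDF2 so a breach leaks digests, not the answers themselves.
        This limits what a dump exposes; it does not make a guessable answer secret."""
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(),
                                     salt, KDF_ITERATIONS)
        self.answer_by_account[account] = (salt, digest)

    def check_security_answer(self, account: str, answer: str) -> bool:
        record = self.answer_by_account.get(account)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", _normalise(answer).encode(),
                                        salt, KDF_ITERATIONS)
        return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    store = RecoveryStore(dob_by_account={"alice": "1980-01-01"})
    token = store.issue_reset_token("alice")
    print("first redemption:", store.redeem_reset_token("alice", token))   # True
    print("replay:", store.redeem_reset_token("alice", token))             # False
```

The token path is what makes a stolen customer record useless for resetting a password: the secret is generated fresh, expires, works once, and is never stored in recoverable form. Hashing a security answer only narrows what a dump exposes; as the article points out, the answer itself is a fact that is often public and can never be rotated, so it should not be the sole gate on a reset.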


So if I were one of the potentially compromised users on the Sony PlayStation Network, I'd be working very hard today to change any account details which share similar account names and passwords, change my email address and give serious thought to killing the cat, or at the very least renaming her!

Tags: Security, Risk & regulation

Comments: (1)

Keith Appleyard - available for hire - Bromley | 02 May, 2011, 15:08

Date of Birth & Mother's Maiden Name are so readily available that many years ago I stopped using them; when I realised that no-one was going to go elsewhere to actually validate them, it didn't matter what values I gave.

So now I use a selection of Dates of Birth that are not really mine, and Mother's Maiden Names of my maiden aunts; this gives me a few values of each to select from, but doesn't enable anyone to actually impersonate me with serious financial services such as Banking.

Robin Adams | Director of Security Fraud Risk Mgmt | The Logic Group | member since 2010 | Fleet

Robin Adams, Director of Security, Fraud and Risk Management is a Qualified Security Assessor (QS...
