Retired Member

Reset your password or the cat gets it

27 April 2011  |  4774 views  |  1

Today we gained further confirmation of details around the Sony PlayStation Network breach: millions of account names and personal details have been lost, and potentially payment card details too, including the card number and expiry date but excluding the security code.

The types of data rumoured to be lost include names, addresses, email addresses, account names, account passwords, dates of birth and answers to security questions. By security questions one presumes the questions would be of a similar type to the old password-reset classic: what is the name of your pet?

 

So should we be concerned?

If I were one of the potential victims of this theft I certainly would be. Why? Because the amount of personal data supposedly taken is more than enough to allow a fraudster to begin taking over my identity. Much of the rumoured stolen data can be used to authenticate and validate a user, particularly when that user claims to have forgotten the usual authentication tokens such as passwords and passphrases.

 

These problems arise because we humans are quite forgetful of authentication details such as passwords. This means we tend to reuse the same password across multiple systems, or at the very least similar passwords for similar systems, and when we do use random passwords we tend to forget them. The systems we interact with are aware of this and see our forgetfulness as a real inhibitor to their ability to validate us; they also know that an authentication failure can mean a lost sale or an unprovided service. Because we remember personal details more reliably, questions about address, dates and favourite or personal facts become the service provider's fallback authentication process. Unfortunately, that also makes this personal information far more valuable to a hacker.

Only recently I was with a family member who was paying for some items on an ecommerce website. As often occurs these days, part of the card authentication process involved being taken to a 3D Secure card authentication screen, where she suddenly found she couldn't remember her secure password.

Helpfully, the bank in question gave her the option to select "Forgotten password?", and she was then validated by being asked for her date of birth. Once validated by this information, permission to reset the password was granted.

 

Similarly, most on-line applications will let you retrieve a forgotten or lost password by asking for personal information such as date of birth, address or some well-known security questions (name of pet, birth place and so on) – which just happens to sound familiar. The problem is that much of this data can't be changed: it's easy to change a compromised password, but how do you change a compromised date of birth?

So if I were one of the potentially compromised users on the Sony PlayStation Network I'd be working very hard today to change any account details which share similar account names and passwords, change my email address and give serious thought to killing the cat, or at the very least renaming her!
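The two reset flows discussed above, side by side, as an added example that is not part of the original post: a knowledge-based check against static facts (date of birth, pet name) that a fraudster holding breached data will pass indefinitely, and an alternative that issues a random, single-use, time-limited reset token delivered out of band, stores only its hash, and limits guesses. The account record, user names and values are constructed for the illustration; nothing here is Sony's or any bank's code.

```python
"""Password reset: static knowledge-based answers versus single-use tokens.

Added example. The account data below is constructed for the illustration
and represents exactly the kind of facts the post describes as lost in a
breach: once leaked, they cannot be rotated, so a KBA reset stays open.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # token is worthless after 15 minutes
MAX_ATTEMPTS = 5              # stop online guessing of the token

# Constructed record: the "security answers" a provider might keep on file.
ACCOUNTS = {
    "alice": {"dob": "1985-04-02", "pet": "Tiddles"},
}


def kba_reset_weak(user, dob, pet):
    """The fallback described in the post: personal facts act as the credential.

    Anyone who obtained these facts from a breach can pass this check at any
    time in the future, because the 'secret' cannot be changed by the victim.
    """
    rec = ACCOUNTS.get(user)
    if rec is None:
        return False
    return rec["dob"] == dob and rec["pet"].lower() == pet.strip().lower()


class ResetService:
    """Reset via a random token sent out of band (e.g. to the registered
    e-mail address). Only the token's hash is stored, so a database leak does
    not expose usable tokens; each token is single use and expires."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing expiry
        self._pending = {}             # user -> {"hash", "expires", "attempts"}

    def request_reset(self, user):
        token = secrets.token_urlsafe(32)
        self._pending[user] = {
            "hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return token   # hand to the out-of-band channel; never log or echo it

    def redeem(self, user, token):
        rec = self._pending.get(user)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            del self._pending[user]    # expired: force a fresh request
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            del self._pending[user]    # too many guesses: invalidate token
            return False
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if hmac.compare_digest(supplied, rec["hash"]):
            del self._pending[user]    # single use: consume on success
            return True
        return False


if __name__ == "__main__":
    # Breached facts keep working against the KBA flow.
    print("KBA with leaked facts:", kba_reset_weak("alice", "1985-04-02", "tiddles"))
    svc = ResetService()
    tok = svc.request_reset("alice")
    print("token redeemed once:", svc.redeem("alice", tok))
    print("same token again:", svc.redeem("alice", tok))
```

The contrast is the point: the weak path can only be closed by changing a fact the victim cannot change, whereas the token path is closed automatically by time, by use, or by a handful of wrong guesses, and the stored hash is useless on its own if the reset table itself leaks.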

Tags: Security, Risk & regulation

Comments: (1)

Keith Appleyard - available for hire - Bromley | 02 May, 2011, 15:08

Date of Birth & Mother's Maiden Name are so readily available that many years ago I stopped using them, when I realised that no-one was going to be going elsewhere to actually validate them; it didn't matter what values I gave.

So now I use a selection of Dates of Birth that are not really mine, and Mother's Maiden Names of my maiden Aunts; this gives me a few values of each to select from, but doesn't enable anyone to actually impersonate me with serious financial services such as Banking.
