Wednesday, 4 March 2015

The problems of account recovery

We now use enough online services, each holding enough personal information, that it is possible to assemble a very comprehensive profile of a person from what each company chooses to reveal, and to fill in the rest with social engineering (tricking customer service into giving out personal details over the phone).

So what can we do about that? Well, until we have better standards for information privacy online, there's not a lot we can do. If each company is free to decide for itself what should remain secret and what information is required to verify identity, we, the public, will remain vulnerable to these cross-service attacks: the detail one company treats as public is the detail another company treats as proof of identity.

Getting that kind of legislation into effect is a big, difficult step, though. We still need to be able to identify people worldwide with information that is unique to the person rather than to a given company, and that is exactly what makes these cross-service vulnerabilities possible in the first place. If my mother's maiden name is the backup "password" for account recovery on every service I use, then that one piece of information can be used to hijack all of those accounts: just call customer service and say I've lost my password since I moved house. As far as the company knows, that invalidates just about everything else they hold on me - phone number, email and postal address - leaving only name, account number and mother's maiden name. You can't simply allow someone with that information to cancel the account instead, either, because that is a different kind of attack: locking the real customer out. You can't use a social security number, either, because it is unique to Americans, and any identifier that is known in more than one place is a vulnerability, not an account recovery strength.

Unfortunately, there may be no complete solution to this problem. What we need for account recovery is a shared secret known only to the customer and that particular company, and one that can't be lost or forgotten. The closest we can get is to register these details with a trusted third party such as an attorney: generate a truly random key for each company account, register it in person with the attorney, and go back to them if account recovery is needed. We give up convenience, but we gain security.
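To make the difference between the two models concrete, here is a small simulation written for this post (it is an added example, not code from the original post or from any real service). It assumes a per-service recovery key of 20 random bytes written out in base32, that each service stores only a salted PBKDF2 digest of whatever secret it uses for recovery, and a constructed "mother's maiden name" of Smith. The function names and the PBKDF2 work factor are my own choices for the demo.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not from the original post: a per-service random recovery key
# versus one shared fact reused as the backup "password" everywhere.

PBKDF2_ITERATIONS = 100_000  # assumption: a modest work factor for the demo


def generate_recovery_key(nbytes: int = 20) -> str:
    """Return a fresh random key with nbytes*8 bits of entropy, encoded in
    base32 and grouped in fours so it can be written on paper and read back."""
    raw = secrets.token_bytes(nbytes)
    text = base64.b32encode(raw).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 4] for i in range(0, len(text), 4))


def normalize(presented: str) -> bytes:
    """Canonicalise what a caller reads out: drop separators and case so that
    'abcd-efgh' and 'ABCD EFGH' are the same secret."""
    return "".join(ch for ch in presented.upper() if ch.isalnum()).encode("ascii")


def enroll(service: str, secret: str) -> dict:
    """What the service stores: a per-record salt and a PBKDF2 digest.
    The secret itself is never kept, so a breach leaks only the digest."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(secret), salt, PBKDF2_ITERATIONS)
    return {"service": service, "salt": salt, "digest": digest}


def verify(record: dict, presented: str) -> bool:
    """The recovery check at one service, with a constant-time comparison."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(presented), record["salt"], PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, record["digest"])


def services_unlocked_by(secret: str, records: list) -> list:
    """The attacker's view: which accounts does one learned secret recover?"""
    return [r["service"] for r in records if verify(r, secret)]


def demo() -> dict:
    """Enrol three constructed services under both models and report how far
    a single compromised secret reaches in each."""
    services = ["bank", "email", "phone"]

    # Shared-secret model: the same personal fact is the backup password everywhere.
    maiden_name = "Smith"  # constructed sample, not real data
    shared_records = [enroll(s, maiden_name) for s in services]

    # Per-service model: a distinct random key for each account.
    keys = {s: generate_recovery_key() for s in services}
    key_records = [enroll(s, keys[s]) for s in services]

    return {
        "shared_secret_unlocks": services_unlocked_by(maiden_name, shared_records),
        "bank_key_unlocks": services_unlocked_by(keys["bank"], key_records),
        "bank_key": keys["bank"],
    }


if __name__ == "__main__":
    result = demo()
    print("one maiden name recovers:", result["shared_secret_unlocks"])
    print("the bank's key recovers:  ", result["bank_key_unlocks"])
    print("example key to register:  ", result["bank_key"])
```

Running it shows the leaked maiden name recovering all three accounts while the bank's key recovers only the bank. The point of hashing on the service side is the same one the post makes about social security numbers: a secret that is stored in the clear somewhere is known in more than one place, and an attacker who obtains it from one company can present it to another.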

Mokalus of Borg

PS - At this point, any gain in security might be worth it.
PPS - Worth it for customers, that is. The companies won't like it.
