Burton Group Identity Blog

Blogger: Mark Diodati

The number of Twitter data breaches seems to be increasing. I’d like to focus on several of them, described here and here. Both breaches were exploits based upon social engineering.

In both cases, a hacker compromised the Yahoo mail accounts associated with Twitter employees (a product manager and an administrator) by guessing the answer to each employee’s secret question. The secret question is an example of static knowledge-based authentication (KBA), the insufficiency of which Burton Group has discussed (Can We Finally Commit to the End of Knowledge-Based Authentication? and Static KBA: Lipstick on the Weak-Authentication Pig). The latter blog entry discusses the same exploit on Sarah Palin’s Yahoo mail account. Both Google and Yahoo support a better identity proofing mechanism – Short Message Service (SMS) delivery via mobile phone. Burton Group calls this mechanism out-of-band identity proofing, and it is a big step up from static KBA. I recommend that register your mobile phones for these services ASAP.

The hacker associated with the first breach claims to have located the product manager’s Twitter password in the Yahoo emails. This seems unlikely. However, Twitter enables a password reset by other means. First the user must provide Twitter with the pre-registered phone number in the “forgotten password” web form. Twitter asks for the phone number solely as an answer to static KBA question, and does not use the phone in the identity proofing process. The hacker does not need physical access of the phone, only knowledge of the correct phone number. After providing the correct phone number, Twitter sends an email with a link to the password reset screen. If the hacker has compromised the email account and knows the phone number, he now has access to the Twitter account.

If Twitter’s password reset process applies to its administrative applications, Twitter’s risk exposure is “sky high”. Burton Group believes that stronger authentication mechanisms are a requirement for administrators who access confidential user data via the Internet. There are plenty of cost-effective, portable stronger authentication solutions. Examples include delivery of a one-time password (OTP) via SMS (as described above) and software OTP on a mobile device. These solutions would eliminate these exploits because the compromise of the email account does not give the hacker access to the authenticator.

In the first breach, the hacker claims that once he had access to the Twitter administrative application, he was able to access confidential information about Twitter users. If this is the case, it presents one final question: why does a product manager have access to a production system with confidential user data? If this is the case, it seems like an issue of excessive privileges.

Blogger: Mark Diodati

Since 2005, Burton Group has discussed the dangers of static knowledge-based authentication (KBA) for identity proofing. Identity proofing steps are the organizational processes to authenticate the user when their primary authenticator is not available. Identity proofing is used throughout the authentication lifecycle, including onboarding/account origination, emergency access, and authenticator re-enablement (e.g., password reset and one-time password unlock)  You can check out our posts on P2P identity proofing, EMC’s acquisition of Verid, and another post on KBA

Static KBA systems utilize a non-changing set of easily-guessed or self-selected questions to prove a user’s identity at these authentication lifecycle milestones. The problem with KBA is that the answers are generally easily guessed by a fraudster. We now have some scientific data on the feebleness of static KBA. Robert Lemos at Technology Review has written an excellent article on the work of researchers from Microsoft and Carnegie Mellon University:

Amen.

Let’s hold our financial services organizations to a reasonable standard. Static KBA should never be used to authenticate the holder of an account which has material access to confidential data or financial transactions (language similar to the FFIEC guidance on multi-factor authentication has been used here on purpose). Let’s put an end to static KBA for these use cases (preferably for all use cases), and move to stronger technologies for customers who have an existing relationship with financial services organizations.  A variety of technologies are available; out-of-band (OOB) identity proofing is much stronger than KBA and should be the strategic future direction of identity proofing for these use cases. Dynamic KBA is stronger than static KBA, but it’s probably not strong enough in the long term; any technology which depends on public information for authentication will eventually fail in the age of Google.

While we’re at it, let’s look beyond password-based authentication for important updates to accounts.  If I want to change the phone number from which I perform banking transactions, the bank should do some background investigation to make sure the new phone number isn’t associated with known fraud.  The risk analytic engines from the consumer authentication suites exist to perform this function; they ought to be used.