Transport for London

Having recently returned from a trip to London, I thought it might be nice to register my “Oyster” card (the contactless card one can use on the London Tube, buses, etc.). That way I could potentially look at my balance and perhaps top up my card before my next trip.

The process for registering an Oyster card is complex. After asking for your card number, they want to confirm a recent trip you made with the card (presumably to prevent someone from registering a card they find somewhere). Fortunately, I was able to remember what station I started my last trip at, and passed that step.

Next they ask you to create a card security question and answer:

[Screenshot, 2018-04-06: card security question and answer form]

As has been frequently discussed, one’s mother’s maiden name is often readily obtainable, so this is a poor choice. That leaves a memorable date or place. These hardly seem specific enough — would I pick my birth date/place, wedding date/place, child’s birth date/place, or something else? This is not likely to be helpful in some later telephone conversation. It might as well just ask me to pick a password.

So having picked a nonsensical “memorable place”, they now ask for “Your details”, which includes name, address, telephone number, etc. It also has you choose a password (weak requirements here, only 6 characters with composition rules) and a six-digit security passcode for when you call their customer service (wasn’t that what the security question was for?). And then — another security question!

[Screenshot, 2018-04-06: second security question in the “Your details” form]

Again, poor choices — either readily discoverable answers if truthful (childhood nickname, location of first birthday, town of first job, name of first pet) or few likely choices (type of TV show: comedy, drama, action, …?)

It’s not at all clear what the relationship of this security question is to the one asked earlier. Presumably if I called their customer service I’d just have to answer whatever question they ask.

So again having made a creative answer to one of the questions, I tried to create an account. It turns out that you have to have a UK postal code to register your card; my California ZIP code won’t do. It would have saved me a lot of time if I knew that up front.


United Mileage Plus

Yesterday, Yan Zhu (@bcrypt) pointed out on Twitter that United Airlines’ Mileage Plus program has started collecting answers to security questions. They have a new twist: you must select one of a menu of answers.

United wants the answers to five questions, chosen from a list:


These are somewhat creative questions, which is good because they’re less likely to be shared with other sites that could be compromised. But what’s also interesting is that one of the questions Yan tweeted about, “What is your favorite pizza topping?” does not appear here. Perhaps United is presenting different question choices to different people, or perhaps they agreed that mashed potato was too strange a choice to have.

What really stands out about what United is doing here is that the answers, rather than being typed by the user, must be chosen from a list. As I pointed out in an earlier post analyzing the security answers in the Ashley Madison database, there is a lot of variation in the way these questions are answered, and it’s not possible to store the answers as a salted hash (as one should for passwords, which is what these really are) and allow a fuzzy match. For example, someone who went to Central High School might enter “central”, “Central”, “Central HS”, etc., or they might spell the answer wrong entirely. Choosing an answer from a list instead removes that problem.

But what other problems are introduced? The most obvious is that the number of choices (and therefore the amount of entropy, or randomness, in the answer) is limited. Here is the number of choices offered for each of the questions:

  • Favorite vacation type: 17
  • Best friend’s birthday month: 12
  • Favorite sport: 54
  • Favorite ice cream flavor: 44
  • Month met spouse/SO: 12
  • What you wanted to be: 91
  • First car: 116
  • Favorite sea creature: 38

and so forth. In the best case (if the answers are equally likely), the probability of guessing the right answer is 1/N. But these answers are far from equally likely: there are going to be many more people whose first car was a Chevrolet than a Tesla. And, as with many security questions, that assumes that the answers aren’t obtainable elsewhere, such as social media. It’s far more likely that someone who has posted a picture of their pet greyhound on Facebook is going to cite that as their favorite dog breed than, say, a Treeing Walker Coonhound.

Many of these questions don’t evoke obvious answers for me. Favorite artist? I like many. Favorite flavor of ice cream? Depends on what mood I’m in.

The use of specified answers also keeps users from supplying nonsense answers to the questions, which can be considerably more secure than direct answers to the questions.

In conclusion, United seems to have traded one problem (imprecise answers to security questions) for some others (low entropy, low memorability of the correct answer). United is giving us 30 days to complete the security questions (and change our password, by the way) before this becomes mandatory. Let’s hope there is enough of an outcry to convince them that this is an ineffective technique that potentially degrades, rather than improves, security.



Cisco Online Benefits Management

Cisco Systems, my former employer, has an external-facing website* to allow employees, and others like me that still receive benefits (e.g., insurance) from them, to manage their benefits online. I recently discovered that I didn’t have a username/password for their site, so I requested and received a temporary password via postal mail to establish my online account.

After finding out, by calling their telephone support line, that the temporary username to go with that password is my social security number, I logged in and, as expected, was told that I needed to change my username and password on the site.

I chose and entered a new username and password (twice each) and entered my temporary username and password to authenticate the change. Uncharacteristically, I hadn’t read the fine print, which included:

[Screenshot, 2015-12-03: fine print on username rules]

Apparently they are treating the user ID as somewhat secret, rather than just as an identifier. On the third try, my username change was accepted. But all this time, I was entering my old and new passwords, and as soon as the username was accepted, I got the following message:

[Screenshot, 2015-12-03: password must be six to nine characters]

Six to nine characters, in this day and age? Eight is a more acceptable minimum, and it’s not clear why there should be a maximum at all. So I shortened my password to nine characters:

[Screenshot, 2015-12-03: no special characters allowed in the password]

Only six to nine characters, AND no special characters allowed? Why didn’t they tell me that before? Maybe I should have chosen a more random username!

At this point I can’t remember how many times I have had to enter my temporary password, but eventually I got a password that was acceptable.

By now you may be wondering whether I had forgotten that this blog is about [In]Security Questions. But that’s of course what came next:

[Screenshot, 2015-12-03: challenge question form]

All three challenge questions used the same list of seven prompts, and I would be hard pressed to find three of the above that can be easily discovered unless I just make something up. But there’s a bright spot: The first question asks whether you want this form of recovery at all. I said “No” and didn’t have to do the rest. Hurray! It’s much better to do this than to fill in, and then have to manage and perhaps lose made-up answers to the questions.

So while I would give this site very poor grades for their username/password rules, if they have to have recovery questions at all, making them optional is wonderful.


* To be fair, Cisco contracts out their benefits management, so while it’s a Cisco-branded website, it’s really run by a contractor (Xerox Services, apparently).



Security Question Humor

McSweeney’s Internet Tendency, a daily humor website, has published several articles poking fun at password rules and security questions. The latest, which I highly recommend, is a list of nihilistic password security questions.

Along a similar vein, about a year ago McSweeney’s published security questions for single, childless people.

Like articles from The Onion that leak over into the mainstream press, I’m anxiously waiting for some of these questions to appear on actual websites. Be on the lookout for them!


Delta Air Lines

I recently got a mailing implying (but not actually saying) that some of my frequent flight miles on Delta were about to expire, so I thought I should check my status online. Very surprisingly, I didn’t have an online account associated with my frequent flight account, so I got exposure to another registration process.

I eventually got to a page where I could reset my password (I guess there aren’t enough people in my situation to have a separate “set your password” page):


These days, a 6-character password is far too short, and it’s uncommon not to permit special characters at all. The minimum should be at least 8-10 characters. The bright spot is in the fourth bullet where they imply that they are checking submitted passwords against a corpus of common passwords. This is an excellent practice if, in fact, this is what they are doing. I didn’t try any common passwords to check.

Naturally, this was followed by a requirement to answer a couple of security questions:


The best I can say is that there weren’t any particularly ridiculous questions (besides the perennial “first pet”), and about half the questions were a little unusual and travel themed. They shared many of the problems of more usual questions (you might be able to figure out the coolest landmark I have visited from my travel blog, so I didn’t use that one), but at least they are less likely to be shared by many other sites one registers with.

By the way, my miles weren’t expiring; the mail I received just wanted to have me use some of them to buy magazines.


Quest Diagnostics

A recent healthcare experience pointed out issues with both security questions and knowledge-based authentication used to associate my account with my in-person activities.

I recently had some lab work done in connection with my annual physical examination, and as I have many times in the past, went to a nearby Quest Diagnostics center to have my blood drawn. What was new this time was that in the usual email asking me to answer a survey on my experience, Quest now offers the opportunity to view my test results. I get this information from my doctor, but thought I’d check it out.

The email had a link to their website, but the personalization of the link appears to only be used for tracking responses; it redirected me to a generic registration site. This means that they missed the opportunity to use the email link to get some additional assurance about who I am.

The registration page was minimal, with standard password rules and only two “security” questions:


What was disappointing was the availability of only 5 fairly standard prompts, with question 2 using the same ones (with the chosen prompt eliminated). The questions had the usual problems, ranging from ability to make an educated guess to low entropy (particularly in the case of father’s date of birth).

Following the account setup there was an attempt at identity proofing using dynamic knowledge-based authentication (dynamic KBA). I was asked the last 4 digits of my social security number (apparently to confirm who I claimed to be in the event of a name collision), which I declined to provide. I was then presented with three multiple choice questions, with 5 choices per question:

The answer to the first question, of course, is on LinkedIn. The former address in the second would have been easy to obtain from the Internet Archive. The third answer could have been determined by someone who knew where I grew up, since they’re assigned geographically. Or they could just guess.

Once I completed this, my account was set up. I was particularly unimpressed with the weak dynamic KBA. The best I can say is that I’m glad I created my account so nobody else could do so.

Insights into Security Questions from Ashley Madison

The Ashley Madison breach has gotten a great deal of attention because of the circumstances and nature of the data breached. For a number of the users, the database also contains the choice of security question and the associated answer, from which we might get some insight into user behavior.

At the outset, we must note that the Ashley Madison dataset is far from a scientific sample: there were a number of test accounts, and other accounts were created by other than the purported owner. The results reported below should be viewed as uncorroborated, at best.

Here is the distribution of security questions in the approximately 32 million record database:

Selection   Question               Number        Frequency
-1          Unknown                9,002
 0          No selection           27,945,313    87.41%
 1          Mother’s maiden name   1,614,785      5.05%
 2          High school name       1,054,227      3.30%
 3          Favorite team          1,034,651      3.24%
 4          Last 4 digits SSN      313,597        0.98%

As pointed out previously, the questions varied in some other countries. For example, in Norway the school prompt was for “middle school”, and the prompt for social security number was instead for national ID number.

Unlike many sites employing security questions, they were apparently not mandatory at Ashley Madison, and not very popular given that only about 13% of accounts used them. There were only 4 different prompts, far fewer than the 10 or more provided at most other sites.

One might ask how often users enter false data, either out of frustration or to deliberately obscure their answers. The easiest category to observe is the Social Security Number (SSN) category. While in the US the last 4 digits of SSN are uniformly distributed or nearly so, this isn’t the case everywhere, but we’ll ignore that effect for now.

The SSN category breaks down as follows:

                      Number of values   Number of answers
Other than 4 digits   10850              24496
4 digits              10000              289101

Obviously those whose answer wasn’t 4 digits weren’t answering truthfully. In some cases this was clearly intentional, but others were mischosen categories (such as team names). But what about the 4 digit answers? One would expect an average of about 29 instances of each 4-digit answer. But not surprisingly, the distribution of answers was not unlike that of user chosen PINs: The most frequent answer was “1234” (7667 instances), followed by “1111” (1801), “0000” (1461), and “6969” (1157). Years in the latter half of the 20th century were also substantially over-represented, as many members probably used their years of birth or other significant years. The most popular answer in this range was 1969 (134 instances). 58 of those accounts also listed a birth date in 1969.
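The point made here and in the United post above can be put in numbers. This is an added example (not code from the blog): it computes the best-case bits for each United menu size quoted earlier on the page, and the min-entropy and guess-success rate implied by the four-digit SSN counts just given, where a single guess of “1234” beats a uniform 1/10000.

```python
"""Guessing difficulty of menu-based security answers: an added example,
not code from the post. For N equally likely menu choices the best case is
log2(N) bits; real answers are skewed, so the defender's figure is the
min-entropy, -log2(p_max), which is exactly what one optimal guess achieves.
The menu sizes and four-digit SSN counts are the ones quoted on this page."""
import math

# United menu sizes quoted in the post.
UNITED_MENU_SIZES = {
    "Favorite vacation type": 17,
    "Best friend's birthday month": 12,
    "Favorite sport": 54,
    "Favorite ice cream flavor": 44,
    "Month met spouse/SO": 12,
    "What you wanted to be": 91,
    "First car": 116,
    "Favorite sea creature": 38,
}

# Ashley Madison four-digit SSN answers quoted in the post: the four most
# frequent values out of 289,101 four-digit answers in total.
AM_SSN_TOTAL = 289101
AM_SSN_TOP = {"1234": 7667, "1111": 1801, "0000": 1461, "6969": 1157}


def uniform_bits(n_choices: int) -> float:
    """Entropy if every one of n_choices answers is equally likely."""
    return math.log2(n_choices)


def min_entropy_bits(top_count: int, total: int) -> float:
    """-log2(p_max): the bits a single best guess actually has to beat."""
    return -math.log2(top_count / total)


def guess_success(top_counts: dict, total: int, guesses: int) -> float:
    """Probability that the `guesses` most common answers include the truth."""
    best = sorted(top_counts.values(), reverse=True)[:guesses]
    return sum(best) / total


def uniform_success(n_choices: int, guesses: int) -> float:
    """Same probability for a uniform menu of n_choices: k/N, capped at 1."""
    return min(guesses / n_choices, 1.0)


if __name__ == "__main__":
    for q, n in UNITED_MENU_SIZES.items():
        print(f"{q:30s} {n:4d} choices -> at most {uniform_bits(n):5.2f} bits")
    print(f"last 4 SSN, uniform:  {uniform_bits(10000):.2f} bits")
    print(f"last 4 SSN, observed: {min_entropy_bits(7667, AM_SSN_TOTAL):.2f} bits")
    print(f"top four PIN guesses succeed {guess_success(AM_SSN_TOP, AM_SSN_TOTAL, 4):.2%}")
    print(f"four guesses at a birthday month succeed {uniform_success(12, 4):.2%}")
```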

The other three questions are harder to analyze, but scanning through the answers gives some insight into user behavior. The distribution of mothers’ maiden names provided indicated that many users did answer truthfully (the most common being Smith, Jones, Brown, and Johnson), but some users seemed to answer with women’s names that are not common last names, such as Mary, Maria, and Mom(!). There were also variations in capitalization that would require normalization (converting to a consistent capitalization) if the answers were to be salted and hashed as passwords should be.

School names presented additional challenges. Common school names such as Central (7024 instances), Lincoln (2581), East (2445), West (2381), North (2336), and South (1980) were predominant, but so were initials such as BHS (2012 instances) and CHS (1597). It’s not clear how useful this question/answer would be, given that a user who forgot their password might think they answered “Central” while they actually answered CHS, Central High (432), Central Tech (417), or Central High School (185).

Favorite teams were similar in many respects to schools. There was considerably less diversity in the team name responses, making them easier to guess, particularly considering regional favorites. Yankees (28605 responses), Cowboys (26672), Steelers (20320), and Leafs (20206) were the most popular. Variations on team names were again prevalent, such as Maple Leafs (5558), Toronto Maple Leafs (4354), Mapleleafs (692), and The Leafs (301). There were also many spelling errors.
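The normalization the last three paragraphs (and the United post above) call for can be done before hashing, so that answers are still stored as a salted slow hash. This is an added example, not code from the blog or from Ashley Madison: the school-suffix list is a constructed assumption, and it shows which of the variations quoted above collapse together (Central / Central HS / Central High School, Maple Leafs / Mapleleafs) and which do not (CHS, The Leafs).

```python
"""Normalize-then-hash for security answers: an added example, not code from
the post. Answers are effectively passwords and belong in a salted slow hash,
but the page shows "Central", "Central HS" and "Central High School" (or
"Maple Leafs" and "Mapleleafs") meant as the same answer. Normalizing before
hashing lets such variants verify; an abbreviation like "CHS" still fails,
which is the limit the post describes. The suffix list is a constructed
assumption for the school-name question only."""
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed: trailing words to drop for the school-name question only.
SCHOOL_SUFFIXES = ("high school", "high", "hs", "tech", "school")
PBKDF2_ROUNDS = 100_000  # slow hash, as for passwords


def normalize(answer: str, suffixes: tuple = ()) -> str:
    """Lower-case, strip accents and punctuation, drop suffix words, join."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch)).lower()
    words = re.sub(r"[^a-z0-9]+", " ", text).split()
    stripped = True
    while stripped and len(words) > 1:  # never strip the last word
        stripped = False
        for suffix in suffixes:
            n = len(suffix.split())
            if len(words) > n and " ".join(words[-n:]) == suffix:
                words, stripped = words[:-n], True
    return "".join(words)  # "Maple Leafs" and "Mapleleafs" now agree


def hash_answer(answer: str, salt: bytes, suffixes: tuple = ()) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 over the normalized answer."""
    material = normalize(answer, suffixes).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS)


def enroll(answer: str, suffixes: tuple = ()):
    """Return (salt, hash) for storage; the raw answer is never kept."""
    salt = os.urandom(16)
    return salt, hash_answer(answer, salt, suffixes)


def verify(answer: str, salt: bytes, stored: bytes, suffixes: tuple = ()) -> bool:
    """Recompute the hash and compare in constant time."""
    return hmac.compare_digest(hash_answer(answer, salt, suffixes), stored)


if __name__ == "__main__":
    salt, stored = enroll("Central High School", SCHOOL_SUFFIXES)
    for attempt in ("central", "Central HS", "Central Tech", "CHS", "Lincoln"):
        print(f"{attempt:14s} -> {verify(attempt, salt, stored, SCHOOL_SUFFIXES)}")
```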


It’s hard to imagine how the “security” answers could be used for anything. Some of the questions, such as favorite team, were easily guessable, but there were enough possible variations that it was far from assured that the account owner could enter the correct answer. The last 4 digits of the Social Security Number or National ID number was easier to get right, but contained information widely used for account verification at other sites: effectively a shared password. While Ashley Madison used a robust password hashing algorithm, it is easy to see why hashing wouldn’t work for security answers: there are lots of variations to be considered, and that probably requires a human customer service agent. Unfortunately, that customer service agent is likely to be vulnerable to social engineering attacks as well.