Cisco Registered Envelope Service

Today, while trying to retrieve an invoice for a medical test, I was subjected to the Cisco Registered Envelope Service (CRES). The message I got from the testing company contained an HTML file that, when I opened it in my browser, provided a button to register with CRES. I groaned when it asked me to enter my name and to choose a new password, but I had heard about CRES before and I expected that. I didn’t expect what followed:

[Image: Screen Shot 2019-05-16 at 2.16.22 PM]

The Personal Security Phrase is apparently something that can be displayed when you’re asked to log in; as you can see I have already filled mine in. I guess this gives users some confidence that they’re not connecting to an impostor site, but it provides little actual assurance because users won’t remember to check this, and the site has TLS certificates anyway.

But then: three [in]Security Questions!! The suggested questions are fairly standard, and common to all three question instances:

[Image: Screen Shot 2019-05-16 at 2.17.09 PM]

At least the questions aren’t obviously things (like your high school mascot) that can commonly be found on Facebook. But many of these questions have imprecise answers (e.g., TWA vs. Trans World Airlines), so I wonder how well they can actually be used to authenticate anyone.

But the other choice is to supply your own question, and people make bad choices when given this option because they don’t consider how easy it is for an attacker to find out the answer. So they might ask what town they live in, or their mother-in-law’s name. This is very poor practice (as if the use of security questions isn’t already).

Then we get to the Kafka-esque part. The answers that you type are replaced by dots (like passwords), so it’s easy to make a typing mistake and not have them match. If you make this mistake and press Register, it tells you that the answers didn’t match and clears the form. So you have to start all over and hope you typed all the answers correctly. But in my case, I forgot to re-enter one of the self-supplied security questions and — you guessed it — the form got cleared again. So I had to go through this a third time.

When I finally made it through this form, it emailed me a link to activate my account, and then finally I could log in (username and password, no 2-factor options available) to retrieve my email message. And I finally got my invoice.

I vaguely remember CRES being introduced while I was still at Cisco (2011 or before). As I remember the vision was that we’d get a lot of consumers signing up to get their “secure” email and then we’d have a huge user base that could be leveraged by other collaboration products. But the whole premise behind CRES is flawed — sending someone an email to get them to register to receive another email doesn’t do anything to prevent an impostor from registering. While there are other features like message recall, the main selling point for CRES is message confidentiality, and that isn’t achieved here, at least for the first message.

I’m amazed that this product has lived this long at Cisco.


John Muir Health

I visited the doctor yesterday, and was told that they have a new online portal to use to interact with them, including retrieving test results and the like. I was encouraged by the enrollment process: they gave me a form with a 15-character activation code to establish my account. This was significantly better than similar systems I have been asked to enroll at in the past.

After entering my enrollment code, birth date, and postal code, I was able to create an account. But imagine my disappointment when I reached the requirement to provide the answer to a “security” question. Here were the choices:

[Image: Screen Shot 2019-04-11 at 5.25.15 PM]

The answer to many of these questions is readily available (high school graduation date and mascot and undergraduate college, for example). For many people, whose wedding pictures are on Facebook, the location of their wedding reception is not a very well kept secret. And how much entropy would many of these questions (such as musical genre) have?

As is often the case, I don’t have a clue about how these questions/answers will be used: to reset a password, or will additional evidence be required for that? So, as usual, I gave a non-answer to one of the questions and continued.

The final disappointment was that there seems to be no option for two-factor authentication. Health data is often among the most sensitive data about a person, and there’s no excuse for a standard health portal not to have two-factor authentication at least as an option.

By the way, since I will never be using this as a security answer, my high school “mascot” is the Mountaineer.

Transport for London

Having recently returned from a trip to London, I thought it might be nice to register my “Oyster” card (the contactless card one can use on the London Tube, buses, etc.). That way I could potentially look at my balance and perhaps top up my card before my next trip.

The process for registering an Oyster card is complex. After asking for your card number, they want to confirm a recent trip you made with the card (presumably to prevent someone from registering a card they find somewhere). Fortunately, I was able to remember what station I started my last trip at, and passed that step.

Next they ask you to create a card security question and answer:

[Image: Screen Shot 2018-04-06 at 10.27.43 AM]

As has been frequently discussed, one’s mother’s maiden name is often readily obtainable, so this is a poor choice. That leaves a memorable date or place. These hardly seem specific enough — would I pick my birth date/place, wedding date/place, child’s birth date/place, or something else? This is not likely to be helpful in some later telephone conversation. It might as well just ask me to pick a password.

So having picked a nonsensical “memorable place”, they now ask for “Your details”, which includes name, address, telephone number, etc. It also has you choose a password (weak requirements here, only 6 characters with composition rules) and a six-digit security passcode for when you call their customer service (wasn’t that what the security question was for?). And then — another security question!

[Image: Screen Shot 2018-04-06 at 10.31.56 AM]

Again, poor choices — either readily discoverable answers if truthful (childhood nickname, location of first birthday, town of first job, name of first pet) or few likely choices (type of TV show: comedy, drama, action, …?)

It’s not at all clear what the relationship of this security question is to the one asked earlier. Presumably if I called their customer service I’d just have to answer whatever question they ask.

So again having made a creative answer to one of the questions, I tried to create an account. It turns out that you have to have a UK postal code to register your card; my California ZIP code won’t do. It would have saved me a lot of time if I had known that up front.

United Mileage Plus

Yesterday, Yan Zhu (@bcrypt) pointed out on Twitter that the United Airlines Mileage Plus program has started collecting answers to security questions. They have a new twist: you must select one of a menu of answers.

United wants the answers to five questions, chosen from a list:

[Image: UALqlist]

These are somewhat creative questions, which is good because they’re less likely to be shared with other sites that could be compromised. But what’s also interesting is that one of the questions Yan tweeted about, “What is your favorite pizza topping?” does not appear here. Perhaps United is presenting different question choices to different people, or perhaps they agreed that mashed potato was too strange a choice to have.

What really stands out about what United is doing here is that the answers, rather than being typed by the user, must be chosen from a list. As I pointed out in an earlier post analyzing the security answers in the Ashley Madison database, there is a lot of variation in the way these questions are answered, and it’s not possible to store the answers as a salted hash (as one should for passwords, which is what these really are) and allow a fuzzy match. For example, someone who went to Central High School might enter “central”, “Central”, “Central HS”, etc., or they might spell the answer wrong entirely. Choosing an answer from a list instead removes that problem.
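The usual compromise for typed answers is to canonicalize the answer before hashing it, so that the stored value is still a plain salted hash and only predictable variations (case, punctuation, “HS” vs. “High School”) are folded away. Here is an added Python example of that approach; it is not code from the post, from United, or from any of the sites discussed here, and the NOISE_TOKENS list is a constructed assumption that a real deployment would tune per question. Note what it does and does not buy: the variants the post lists all verify, but a misspelling still fails, and every token you fold away shrinks the answer space.

```python
import hashlib
import hmac
import os
import re
import unicodedata
from typing import Optional, Tuple

# Tokens dropped before hashing.  Constructed for this example; in practice
# the list would be chosen per question ("high school" for a school question,
# "dr"/"mr" for a name question, and so on).
NOISE_TOKENS = {"high", "school", "hs", "the", "st", "saint", "jr", "sr"}


def normalize_answer(answer: str) -> str:
    """Canonicalize a free-text answer so that 'Central', 'central HS' and
    'Central High School' all become the same string.  Only this canonical
    form is ever hashed, so the stored digest stays an ordinary salted hash."""
    # Strip accents (NFKD splits 'è' into 'e' + combining grave; drop the latter).
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    # Case-fold, keep only alphanumeric runs, drop filler tokens.
    tokens = [t for t in re.findall(r"[a-z0-9]+", text.casefold())
              if t not in NOISE_TOKENS]
    if not tokens:
        # An answer made only of filler ("High School") must not hash to "".
        raise ValueError("answer has no content after normalization")
    return " ".join(tokens)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for the canonical form of `answer`, using a
    slow password hash exactly as one would for a password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize_answer(answer).encode("utf-8"), salt, 200_000
    )
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    try:
        _, cand_digest = hash_answer(candidate, salt)
    except ValueError:
        return False
    return hmac.compare_digest(cand_digest, digest)


if __name__ == "__main__":
    salt, digest = hash_answer("Central High School")
    for attempt in ["central", "Central HS", "CENTRAL high school", "Centrall"]:
        print(f"{attempt!r:24} -> {verify_answer(attempt, salt, digest)}")
```

The misspelled “Centrall” still fails, which is the residual problem the post is pointing at: normalization handles formatting variation, not memory or typing errors, and no amount of it lets you do a true fuzzy match against a salted hash.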

But what other problems are introduced? The most obvious is that the number of choices (and therefore the amount of entropy, or randomness, in the answer) is limited. Here is the number of choices offered for each of the questions:

  • Favorite vacation type: 17
  • Best friend’s birthday month: 12
  • Favorite sport: 54
  • Favorite ice cream flavor: 44
  • Month met spouse/SO: 12
  • What you wanted to be: 91
  • First car: 116
  • Favorite sea creature: 38

and so forth. In the best case (if the answers are equally likely), the probability of guessing the right answer is 1/N. But these answers are far from equally likely: there are going to be many more people whose first car was a Chevrolet than a Tesla. And, as with many security questions, that assumes that the answers aren’t obtainable elsewhere, such as social media. It’s far more likely that someone who has posted a picture of their pet greyhound on Facebook is going to cite that as their favorite dog breed than, say, a Treeing Walker Coonhound.
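To put numbers on the 1/N argument, here is an added Python example (not from the post or from United) that takes the menu sizes counted above and compares the best case, where every answer is equally likely, with a skewed case. The skewed distribution is a constructed Zipf-style assumption standing in for real answer popularity, which the post does not have; what it shows is that the figure an attacker cares about is not the average entropy but the probability of the single most popular answer, and how quickly a handful of guesses eats into even a 116-item menu.

```python
import math
from typing import Dict, List, Sequence

# Menu sizes per question, as counted in the post.
UNITED_CHOICES: Dict[str, int] = {
    "Favorite vacation type": 17,
    "Best friend's birthday month": 12,
    "Favorite sport": 54,
    "Favorite ice cream flavor": 44,
    "Month met spouse/SO": 12,
    "What you wanted to be": 91,
    "First car": 116,
    "Favorite sea creature": 38,
}


def uniform_distribution(n: int) -> List[float]:
    """The best case the post describes: every one of n answers equally likely."""
    return [1.0 / n] * n


def zipf_distribution(n: int, s: float = 1.0) -> List[float]:
    """Constructed skewed case: the k-th most popular answer is chosen with
    probability proportional to 1/k**s.  This is an assumption standing in
    for real answer statistics (many more Chevrolets than Teslas), not data."""
    weights = [1.0 / k ** s for k in range(1, n + 1)]
    total = sum(weights)
    return [w / total for w in weights]


def shannon_entropy(probs: Sequence[float]) -> float:
    """Average surprise in bits; the number usually quoted as 'entropy'."""
    return -sum(p * math.log2(p) for p in probs if p > 0)


def min_entropy(probs: Sequence[float]) -> float:
    """-log2 of the single most likely answer: what the attacker's best
    first guess actually faces.  Never exceeds the Shannon entropy."""
    return -math.log2(max(probs))


def guess_success(probs: Sequence[float], guesses: int) -> float:
    """Probability that an attacker who knows the popularity ranking hits the
    right answer within `guesses` attempts (e.g. before a lockout kicks in)."""
    return sum(sorted(probs, reverse=True)[:guesses])


def combined_min_entropy(distributions: Sequence[Sequence[float]]) -> float:
    """Min-entropy of several independent questions answered together:
    the attacker's best single guess for the whole set."""
    return sum(min_entropy(d) for d in distributions)


if __name__ == "__main__":
    print(f"{'question':30} {'N':>4} {'uniform':>8} {'skewed':>8} {'3 guesses':>10}")
    for question, n in UNITED_CHOICES.items():
        skewed = zipf_distribution(n)
        print(f"{question:30} {n:>4} {min_entropy(uniform_distribution(n)):>8.2f} "
              f"{min_entropy(skewed):>8.2f} {guess_success(skewed, 3):>10.1%}")
    five = [zipf_distribution(n) for n in list(UNITED_CHOICES.values())[:5]]
    print(f"five skewed questions together: "
          f"{combined_min_entropy(five):.1f} bits of min-entropy")
```

Under the uniform assumption “First car” is worth about 6.9 bits; under the constructed skew its min-entropy drops to about 2.4 bits and three guesses succeed roughly a third of the time, before any help from social media. The 12-item month questions are at most 3.6 bits even in the best case.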

Many of these questions don’t evoke obvious answers for me. Favorite artist? I like many. Favorite flavor of ice cream? Depends on what mood I’m in.

The use of specified answers also keeps users from supplying nonsense answers to the questions, which can be considerably more secure than direct answers to the questions.

In conclusion, United seems to have traded one problem (imprecise answers to security questions) for some others (low entropy, low memorability of the correct answer). United is giving us 30 days to complete the security questions (and change our password, by the way) before this becomes mandatory. Let’s hope there is enough of an outcry to convince them that this is an ineffective technique that potentially degrades, rather than improves, security.

[Image: UnitedSecQ]


Cisco Online Benefits Management

Cisco Systems, my former employer, has an external-facing website* to allow employees, and others like me that still receive benefits (e.g., insurance) from them, to manage their benefits online. I recently discovered that I didn’t have a username/password for their site, so I requested and received a temporary password via postal mail to establish my online account.

After finding out, by calling their telephone support line, that the temporary username to go with that password is my social security number, I logged in and, as expected, was told that I needed to change my username and password on the site.

I chose and entered a new username and password (twice each) and entered my temporary username and password to authenticate the change. Uncharacteristically, I hadn’t read the fine print, which included:

[Image: Screen Shot 2015-12-03 at 4.38.15 PM]

Apparently they are treating the user ID as somewhat secret, rather than just as an identifier. On the third try, my username change was accepted. But all this time, I was entering my old and new passwords, and as soon as the username was accepted, I got the following message:

[Image: Screen Shot 2015-12-03 at 4.40.11 PM]

Six to nine characters, in this day and age? Eight is a more acceptable minimum, and it’s not clear why there should be a maximum at all. So I shortened my password to nine characters:

[Image: Screen Shot 2015-12-03 at 4.42.24 PM]

Only six to nine characters, AND no special characters allowed? Why didn’t they tell me that before? Maybe I should have chosen a more random username!

At this point I can’t remember how many times I have had to enter my temporary password, but eventually I got a password that was acceptable.

You probably thought I’d forgotten that this blog is about [In]Security Questions. But that’s of course what came next:

[Image: Screen Shot 2015-12-03 at 4.44.38 PM]

All three challenge questions used the same list of seven prompts, and I would be hard pressed to find three of the above that can be easily discovered unless I just make something up. But there’s a bright spot: The first question asks whether you want this form of recovery at all. I said “No” and didn’t have to do the rest. Hurray! It’s much better to do this than to fill in, and then have to manage and perhaps lose made-up answers to the questions.

So while I would give this site very poor grades for their username/password rules, if they have to have recovery questions at all, making them optional is wonderful.

—–

* To be fair, Cisco contracts out their benefits management, so while it’s a Cisco-branded website, it’s really run by a contractor (Xerox Services, apparently).


Security Question Humor

McSweeney’s Internet Tendency, a daily humor website, has published several articles poking fun at password rules and security questions. The latest, which I highly recommend, is a list of nihilistic password security questions.

Along a similar vein, about a year ago McSweeney’s published security questions for single, childless people.

Like articles from The Onion that leak over into the mainstream press, I’m anxiously waiting for some of these questions to appear on actual websites. Be on the lookout for them!


Delta Air Lines

I recently got a mailing implying (but not actually saying) that some of my frequent flight miles on Delta were about to expire, so I thought I should check my status online. Very surprisingly, I didn’t have an online account associated with my frequent flight account, so I got exposure to another registration process.

I eventually got to a page where I could reset my password (I guess there aren’t enough people in my situation to have a separate “set your password” page):

[Image: deltapw]

These days, a 6-character password is far too short, and it’s uncommon not to permit special characters at all. The minimum should be at least 8-10 characters. The bright spot is in the fourth bullet where they imply that they are checking submitted passwords against a corpus of common passwords. This is an excellent practice if, in fact, this is what they are doing. I didn’t try any common passwords to check.
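The contrast between the rules described here and in the Cisco benefits post above (short minimums, a hard maximum, no special characters) and a policy that rejects common passwords is easy to make concrete. The following is an added Python example, not code from Delta, Cisco, or their contractor, and the two policies are constructed approximations of what the posts describe rather than the sites’ real rules; the COMMON_PASSWORDS set is a tiny stand-in for a corpus of millions. The interesting part is that a useful blocklist check has to canonicalize the candidate first, or “P@ssw0rd2019!” sails past it.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

# Constructed stand-in for a corpus of common/breached passwords.  A real
# deployment would load millions of entries (or query a k-anonymity API).
COMMON_PASSWORDS: FrozenSet[str] = frozenset({
    "password", "123456", "qwerty", "letmein", "welcome", "iloveyou",
    "skymiles", "football", "baseball", "monkey", "dragon", "sunshine",
})

# Leetspeak substitutions folded away before the blocklist lookup.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def canonical_forms(password: str) -> Set[str]:
    """Forms under which a password is compared against the blocklist, so that
    'P@ssw0rd2019!' is recognised as 'password' plus decoration."""
    folded = password.casefold()
    # Drop a trailing run of digits/punctuation ("2019!"); keep the original
    # if that would leave nothing, so "123456" is still matched as itself.
    stripped = re.sub(r"[^a-z]+$", "", folded) or folded
    return {folded, stripped, stripped.translate(LEET_MAP)}


@dataclass(frozen=True)
class Policy:
    name: str
    min_length: int
    max_length: Optional[int] = None
    allow_special: bool = True
    required_classes: int = 1           # of lower / upper / digit / special
    blocklist: FrozenSet[str] = frozenset()

    def check(self, password: str) -> List[str]:
        """Return the list of violated rules; an empty list means accepted."""
        problems: List[str] = []
        n = len(password)
        if n < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.max_length is not None and n > self.max_length:
            problems.append(f"longer than {self.max_length} characters")
        if not self.allow_special and re.search(r"[^A-Za-z0-9]", password):
            problems.append("special characters not allowed")
        classes = sum(bool(re.search(p, password))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < self.required_classes:
            problems.append(f"fewer than {self.required_classes} character classes")
        if canonical_forms(password) & self.blocklist:
            problems.append("matches a common password")
        return problems


# Constructed approximation of the rules the Delta and Cisco benefits posts
# describe: 6 to 9 alphanumeric characters with a composition rule and no
# blocklist.  The exact rules on those sites are not reproduced here.
LEGACY = Policy("legacy", min_length=6, max_length=9, allow_special=False,
                required_classes=2)

# Length-first policy in the spirit of NIST SP 800-63B: long passwords allowed,
# no composition rules, common passwords rejected.  The 12-character minimum
# is this example's choice.
MODERN = Policy("modern", min_length=12, max_length=128,
                blocklist=COMMON_PASSWORDS)


if __name__ == "__main__":
    for candidate in ["Passw0rd", "P@ssw0rd2019!", "correct horse battery staple"]:
        for policy in (LEGACY, MODERN):
            verdict = policy.check(candidate) or ["accepted"]
            print(f"{policy.name:7} {candidate!r:32} {', '.join(verdict)}")
```

Run it and the legacy policy accepts “Passw0rd” while rejecting a four-word passphrase for being too long and containing spaces; the length-first policy does the reverse. That is the sense in which a blocklist check is the bright spot: it catches the passwords attackers actually try first, which composition rules and a nine-character cap do not.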

Naturally, this was followed by a requirement to answer a couple of security questions:

[Image: deltasecq]

The best I can say is that there weren’t any particularly ridiculous questions (besides the perennial “first pet”), and about half the questions were a little unusual and travel themed. They shared many of the problems of more usual questions (you might be able to figure out the coolest landmark I have visited from my travel blog, so I didn’t use that one), but at least they are less likely to be shared by many other sites one registers with.

By the way, my miles weren’t expiring; the mail I received just wanted to have me use some of them to buy magazines.