Cisco Registered Envelope Service

Today, while trying to retrieve an invoice for a medical test, I was subjected to the Cisco Registered Envelope Service (CRES). The message I got from the testing company contained an HTML file that, when I opened it in my browser, provided a button to register with CRES. I groaned when it asked me to enter my name and to choose a new password, but I had heard about CRES before and I expected that. I didn’t expect what followed:

[Screenshot: Screen Shot 2019-05-16 at 2.16.22 PM]

The Personal Security Phrase is apparently something that can be displayed when you’re asked to log in; as you can see I have already filled mine in. I guess this gives users some confidence that they’re not connecting to an impostor site, but it provides little actual assurance because users won’t remember to check this, and the site has TLS certificates anyway.

But then: three [in]Security Questions!! The suggested questions are fairly standard, and the same list is offered for all three:

[Screenshot: Screen Shot 2019-05-16 at 2.17.09 PM]

At least the questions aren’t obviously things (like your high school mascot) that can commonly be found on Facebook. But many of these questions have imprecise answers (e.g., TWA vs. Trans World Airlines), so I wonder how well they can actually be used to authenticate anyone.

But the other choice is to supply your own question, and people make bad choices when given this option because they don’t consider how easy it is for an attacker to find out the answer. So they might ask what town they live in, or their mother-in-law’s name. This is very poor practice (as if the use of security questions isn’t already).

Then we get to the Kafka-esque part. The answers that you type are replaced by dots (like passwords), so it’s easy to make a typing mistake and not have them match. If you make this mistake and press Register, it tells you that the answers didn’t match and clears the form. So you have to start all over and hope you typed all the answers correctly. But in my case, I forgot to re-enter one of the self-supplied security questions and — you guessed it — the form got cleared again. So I had to go through this a third time.

When I finally made it through this form, it emailed me a link to activate my account, and then finally I could log in (username and password, no 2-factor options available) to retrieve my email message. And I finally got my invoice.

I vaguely remember CRES being introduced while I was still at Cisco (2011 or before). As I remember the vision was that we’d get a lot of consumers signing up to get their “secure” email and then we’d have a huge user base that could be leveraged by other collaboration products. But the whole premise behind CRES is flawed — sending someone an email to get them to register to receive another email doesn’t do anything to prevent an impostor from registering. While there are other features like message recall, the main selling point for CRES is message confidentiality, and that isn’t achieved here, at least for the first message.

I’m amazed that this product has lived this long at Cisco.

John Muir Health

I visited the doctor yesterday, and was told that they have a new online portal to use to interact with them, including retrieving test results and the like. I was encouraged by the enrollment process: they gave me a form with a 15-character activation code to establish my account. This was significantly better than similar systems I have been asked to enroll in in the past.

After entering my enrollment code, birth date, and postal code, I was able to create an account. But imagine my disappointment when I reached the requirement to provide the answer to a “security” question. Here were the choices:

[Screenshot: Screen Shot 2019-04-11 at 5.25.15 PM]

The answer to many of these questions is readily available (high school graduation date and mascot and undergraduate college, for example). For many people, whose wedding pictures are on Facebook, the location of their wedding reception is not a very well kept secret. And how much entropy would many of these questions (such as musical genre) have?

As is often the case, I don’t have a clue about how these questions/answers will be used: to reset a password, or will additional evidence be required for that? So, as usual, I gave a non-answer to one of the questions and continued.

The final disappointment was that there seems to be no option for two-factor authentication. Health data is often among the most sensitive data about a person, and there’s no excuse for a standard health portal not to have two-factor authentication at least as an option.

By the way, since I will never be using this as a security answer, my high school “mascot” is the Mountaineer.

Transport for London

Having recently returned from a trip to London, I thought it might be nice to register my “Oyster” card (the contactless card one can use on the London Tube, buses, etc.). That way I could potentially look at my balance and perhaps top up my card before my next trip.

The process for registering an Oyster card is complex. After asking for your card number, they want to confirm a recent trip you made with the card (presumably to prevent someone from registering a card they find somewhere). Fortunately, I was able to remember what station I started my last trip at, and passed that step.

Next they ask you to create a card security question and answer:

[Screenshot: Screen Shot 2018-04-06 at 10.27.43 AM]

As has been frequently discussed, one’s mother’s maiden name is often readily obtainable, so this is a poor choice. That leaves a memorable date or place. These hardly seem specific enough — would I pick my birth date/place, wedding date/place, child’s birth date/place, or something else? This is not likely to be helpful in some later telephone conversation. It might as well just ask me to pick a password.

So having picked a nonsensical “memorable place”, they now ask for “Your details”, which includes name, address, telephone number, etc. It also has you choose a password (weak requirements here: only 6 characters, with composition rules) and a six-digit security passcode for when you call their customer service (wasn’t that what the security question was for?). And then — another security question!

[Screenshot: Screen Shot 2018-04-06 at 10.31.56 AM]

Again, poor choices — either readily discoverable answers if truthful (childhood nickname, location of first birthday, town of first job, name of first pet) or few likely choices (type of TV show: comedy, drama, action, …?)

It’s not at all clear what the relationship of this security question is to the one asked earlier. Presumably if I called their customer service I’d just have to answer whatever question they ask.

So again having made a creative answer to one of the questions, I tried to create an account. It turns out that you have to have a UK postal code to register your card; my California ZIP code won’t do. It would have saved me a lot of time if I knew that up front.

United Mileage Plus

Yesterday, Yan Zhu (@bcrypt) pointed out on Twitter that the United Airlines Mileage Plus program has started collecting answers to security questions. They have a new twist: you must select one of a menu of answers.

United wants the answers to five questions, chosen from a list:

[Screenshot: UALqlist]

These are somewhat creative questions, which is good because they’re less likely to be shared with other sites that could be compromised. But what’s also interesting is that one of the questions Yan tweeted about, “What is your favorite pizza topping?” does not appear here. Perhaps United is presenting different question choices to different people, or perhaps they agreed that mashed potato was too strange a choice to have.

What really stands out about what United is doing here is that the answers, rather than being typed by the user, must be chosen from a list. As I pointed out in an earlier post analyzing the security answers in the Ashley Madison database, there is a lot of variation in the way these questions are answered, and it’s not possible to store the answers as a salted hash (as one should for passwords, which is what these really are) and allow a fuzzy match. For example, someone who went to Central High School might enter “central”, “Central”, “Central HS”, etc., or they might spell the answer wrong entirely. Choosing an answer from a list instead removes that problem.

But what other problems are introduced? The most obvious is that the number of choices (and therefore the amount of entropy, or randomness, in the answer) is limited. Here is the number of choices offered for each of the questions:

  • Favorite vacation type: 17
  • Best friend’s birthday month: 12
  • Favorite sport: 54
  • Favorite ice cream flavor: 44
  • Month met spouse/SO: 12
  • What you wanted to be: 91
  • First car: 116
  • Favorite sea creature: 38

and so forth. In the best case (if the answers are equally likely), the probability of guessing the right answer is 1/N. But these answers are far from equally likely: there are going to be many more people whose first car was a Chevrolet than a Tesla. And, as with many security questions, that assumes that the answers aren’t obtainable elsewhere, such as social media. It’s far more likely that someone who has posted a picture of their pet greyhound on Facebook is going to cite that as their favorite dog breed than, say, a Treeing Walker Coonhound.

Many of these questions don’t evoke obvious answers for me. Favorite artist? I like many. Favorite flavor of ice cream? Depends on what mood I’m in.

The use of specified answers also keeps users from supplying nonsense answers to the questions, which can be considerably more secure than direct answers to the questions.

In conclusion, United seems to have traded one problem (imprecise answers to security questions) for some others (low entropy, low memorability of the correct answer). United is giving us 30 days to complete the security questions (and change our password, by the way) before this becomes mandatory. Let’s hope there is enough of an outcry to convince them that this is an ineffective technique that potentially degrades, rather than improves, security.

Cisco Online Benefits Management

Cisco Systems, my former employer, has an external-facing website* to allow employees, and others like me that still receive benefits (e.g., insurance) from them, to manage their benefits online. I recently discovered that I didn’t have a username/password for their site, so I requested and received a temporary password via postal mail to establish my online account.

After finding out, by calling their telephone support line, that the temporary username to go with that password is my social security number, I logged in and, as expected, was told that I needed to change my username and password on the site.

I chose and entered a new username and password (twice each) and entered my temporary username and password to authenticate the change. Uncharacteristically, I hadn’t read the fine print, which included:

[Screenshot: Screen Shot 2015-12-03 at 4.38.15 PM]

Apparently they are treating the user ID as somewhat secret, rather than just as an identifier. On the third try, my username change was accepted. But all this time, I was entering my old and new passwords, and as soon as the username was accepted, I got the following message:

[Screenshot: Screen Shot 2015-12-03 at 4.40.11 PM]

Six to nine characters, in this day and age? Eight is a more acceptable minimum, and it’s not clear why there should be a maximum at all. So I shortened my password to nine characters:

[Screenshot: Screen Shot 2015-12-03 at 4.42.24 PM]

Only six to nine characters, AND no special characters allowed? Why didn’t they tell me that before? Maybe I should have chosen a more random username!

At this point I can’t remember how many times I have had to enter my temporary password, but eventually I got a password that was acceptable.

You probably think I’ve forgotten that this blog is about [In]Security Questions. But that’s of course what came next:

[Screenshot: Screen Shot 2015-12-03 at 4.44.38 PM]

All three challenge questions used the same list of seven prompts, and I would be hard pressed to find three of the above that can’t be easily discovered unless I just make something up. But there’s a bright spot: the first question asks whether you want this form of recovery at all. I said “No” and didn’t have to do the rest. Hurray! It’s much better to do this than to fill in, and then have to manage and perhaps lose, made-up answers to the questions.

So while I would give this site very poor grades for their username/password rules, if they have to have recovery questions at all, making them optional is wonderful.

—–

* To be fair, Cisco contracts out their benefits management, so while it’s a Cisco-branded website, it’s really run by a contractor (Xerox Services, apparently).

Security Question Humor

McSweeney’s Internet Tendency, a daily humor website, has published several articles poking fun at password rules and security questions. The latest, which I highly recommend, is a list of nihilistic password security questions.

Along a similar vein, about a year ago McSweeney’s published security questions for single, childless people.

Like articles from The Onion that leak over into the mainstream press, I’m anxiously waiting for some of these questions to appear on actual websites. Be on the lookout for them!

Delta Air Lines

I recently got a mailing implying (but not actually saying) that some of my frequent flight miles on Delta were about to expire, so I thought I should check my status online. Very surprisingly, I didn’t have an online account associated with my frequent flight account, so I got exposure to another registration process.

I eventually got to a page where I could reset my password (I guess there aren’t enough people in my situation to have a separate “set your password” page):

[Screenshot: deltapw]

These days, a 6-character password is far too short, and it’s uncommon not to permit special characters at all. The minimum should be at least 8-10 characters. The bright spot is in the fourth bullet where they imply that they are checking submitted passwords against a corpus of common passwords. This is an excellent practice if, in fact, this is what they are doing. I didn’t try any common passwords to check.
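The two rule sets discussed on this page, the six-to-nine-character, no-special-characters rule from the Cisco benefits site and the common-password check Delta appears to do, written out as policy objects so the difference is visible in code. This is an added example, not either site’s code: the deny list is a constructed stand-in for a real breach-derived corpus, and the 12-character minimum and 128-character cap in the recommended policy are my assumptions, not values from either site.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a breach-derived common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}


@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    allow_special: bool   # False reproduces the "no special characters" rule
    deny_common: bool     # True reproduces a check against a common-password list


# The rule set the Cisco benefits site enforced: six to nine characters, letters and digits only.
WEAK = Policy(min_len=6, max_len=9, allow_special=False, deny_common=False)

# A policy a reviewer would accept (minimum and cap are assumptions): long minimum,
# a cap only to bound hashing cost, any character, and the deny list Delta hints at.
RECOMMENDED = Policy(min_len=12, max_len=128, allow_special=True, deny_common=True)


def check_password(pw: str, policy: Policy) -> list:
    """Return the rule violations for pw under policy (an empty list means accepted)."""
    problems = []
    if len(pw) < policy.min_len:
        problems.append(f"shorter than {policy.min_len} characters")
    if len(pw) > policy.max_len:
        problems.append(f"longer than {policy.max_len} characters")
    if not policy.allow_special and re.search(r"[^A-Za-z0-9]", pw):
        problems.append("special characters not allowed")
    if policy.deny_common and pw.casefold() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("welcome1", "correct horse battery staple"):
        print(candidate, "| weak:", check_password(candidate, WEAK) or "accepted",
              "| recommended:", check_password(candidate, RECOMMENDED) or "accepted")
```

The two sample candidates show the inversion the posts describe: the weak policy accepts a password that appears in every common-password list and rejects a long passphrase for being too long and containing spaces, while the recommended policy does the opposite.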

Naturally, this was followed by a requirement to answer a couple of security questions:

[Screenshot: deltasecq]

The best I can say is that there weren’t any particularly ridiculous questions (besides the perennial “first pet”), and about half the questions were a little unusual and travel themed. They shared many of the problems of more usual questions (you might be able to figure out the coolest landmark I have visited from my travel blog, so I didn’t use that one), but at least they are less likely to be shared by many other sites one registers with.

By the way, my miles weren’t expiring; the mail I received just wanted to have me use some of them to buy magazines.

Quest Diagnostics

A recent healthcare experience pointed out issues with both security questions and knowledge-based authentication used to associate my account with my in-person activities.

I recently had some lab work done in connection with my annual physical examination, and as I have many times in the past, went to a nearby Quest Diagnostics center to have my blood drawn. What was new this time was that in the usual email asking me to answer a survey on my experience, Quest now offers the opportunity to view my test results. I get this information from my doctor, but thought I’d check it out.

The email had a link to their website, but the personalization of the link appears to only be used for tracking responses; it redirected me to a generic registration site. This means that they missed the opportunity to use the email link to get some additional assurance about who I am.

The registration page was minimal, with standard password rules and only two “security” questions:

[Screenshot: quest]

What was disappointing was the availability of only 5 fairly standard prompts, with question 2 using the same ones (with the chosen prompt eliminated). The questions had the usual problems, ranging from ability to make an educated guess to low entropy (particularly in the case of father’s date of birth).

Following the account setup there was an attempt at identity proofing using dynamic knowledge-based authentication (dynamic KBA). I was asked the last 4 digits of my social security number (apparently to confirm who I claimed to be in the event of a name collision), which I declined to provide. I was then presented with three multiple choice questions, with 5 choices per question:

[Screenshot: questkba]

The answer to the first question, of course, is on LinkedIn. The former address in the second would have been easy to obtain from the Internet Archive. The third answer could have been determined by someone who knew where I grew up, since they’re assigned geographically. Or they could just guess.

Once I completed this, my account was set up. I was particularly unimpressed with the weak dynamic KBA. The best I can say is that I’m glad I created my account so nobody else could do so.

Insights into Security Questions from Ashley Madison

The Ashley Madison breach has gotten a great deal of attention because of the circumstances and nature of the data breached. For some of the records, the database also contains the user’s choice of security question and the associated answer, from which we might get some insight into user behavior.

At the outset, we must note that the Ashley Madison dataset is far from a scientific sample: there were a number of test accounts, and other accounts were created by other than the purported owner. The results reported below should be viewed as uncorroborated, at best.

Here is the distribution of security questions in the approximately 32 million record database:

Selection  Question              Number       Frequency
   -1      Unknown                    9,002
    0      No selection          27,945,313    87.41%
    1      Mother’s maiden name   1,614,785     5.05%
    2      High school name       1,054,227     3.30%
    3      Favorite team          1,034,651     3.24%
    4      Last 4 digits SSN        313,597     0.98%

As pointed out previously, the questions varied in some other countries. For example, in Norway the school prompt was for “middle school”, and the prompt for social security number was instead for national ID number.

Unlike many sites employing security questions, they were not apparently mandatory at Ashley Madison, and not very popular given that only about 13% of accounts used them. There were only 4 different prompts, much fewer than the 10 or more provided at most other sites.

One might ask how often users enter false data, either out of frustration or to deliberately obscure their answers. The easiest category to observe is the Social Security Number (SSN) category. While in the US the last 4 digits of SSN are uniformly distributed or nearly so, this isn’t the case everywhere, but we’ll ignore that effect for now.

The SSN category breaks down as follows:

                     Number of values   Number of answers
Other than 4 digits            10,850              24,496
4 digits                       10,000             289,101

Obviously those whose answer wasn’t 4 digits weren’t answering truthfully. In some cases this was clearly intentional, but others were mischosen categories (such as team names). But what about the 4 digit answers? One would expect an average of about 29 instances of each 4-digit answer. But not surprisingly, the distribution of answers was not unlike that of user chosen PINs: The most frequent answer was “1234” (7667 instances), followed by “1111” (1801), “0000” (1461), and “6969” (1157). Years in the latter half of the 20th century were also substantially over-represented, as many members probably used their years of birth or other significant years. The most popular answer in this range was 1969 (134 instances). 58 of those accounts also listed a birth date in 1969.
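The arithmetic in the paragraph above (expected instances per 4-digit value, the most common answers) and the 1/N argument in the United Mileage Plus post earlier on this page are the same calculation: how far a real answer pool is from the uniform best case. The script below, an added example that is not part of either post, runs that calculation over two constructed answer lists (a made-up set of "last 4 digits" answers and a made-up set of "first car" menu picks, not the breach data), reporting the best-case log2(N) bits beside the Shannon entropy and, what matters to a guesser, the min-entropy set by the single most popular answer. The lockout figure is the share of accounts whose answer sits among the k most common ones, which is what a site exposes if it allows k recovery attempts.

```python
import math
import re
from collections import Counter

# Constructed sample answers to "last 4 digits of SSN" (NOT the breach data).
SSN_ANSWERS = (["1234"] * 40 + ["1111"] * 10 + ["0000"] * 8 + ["6969"] * 6
               + ["1969"] * 5 + ["1972"] * 4
               + [f"{n:04d}" for n in range(5000, 5100)]      # 100 distinct, plausible values
               + ["Yankees", "smith", "12-34", "none"])       # not 4 digits: clearly not true answers

# Constructed sample picks from a 116-entry "first car" menu like United's.
CAR_ANSWERS = (["Chevrolet"] * 30 + ["Ford"] * 25 + ["Toyota"] * 20
               + ["Honda"] * 15 + ["Tesla"] * 2 + ["Yugo"])

FOUR_DIGITS = re.compile(r"\d{4}").fullmatch   # predicate: could this be a true SSN answer?


def answer_stats(answers, space, well_formed=lambda a: True):
    """Summarise how far an answer pool is from the ideal 1/N guessing odds.

    space       -- number of possible answers (10,000 for 4 digits, menu size for a list)
    well_formed -- predicate separating answers that could be true from obvious non-answers
    """
    valid = [a for a in answers if well_formed(a)]
    counts = Counter(valid)
    n = len(valid)
    probs = [c / n for c in counts.values()]
    return {
        "malformed": len(answers) - n,              # answers that cannot be truthful
        "expected_per_value": n / space,            # mean instances per value if uniform
        "top": counts.most_common(4),
        "uniform_bits": math.log2(space),           # best case: log2(N)
        "shannon_bits": -sum(p * math.log2(p) for p in probs),
        "min_entropy_bits": -math.log2(max(probs)), # what a guesser actually faces
    }


def fraction_within_k_attempts(answers, k, well_formed=lambda a: True):
    """Share of accounts whose answer is one of the k most common, i.e. the share
    exposed if the recovery flow allows k tries before locking."""
    valid = [a for a in answers if well_formed(a)]
    counts = Counter(valid)
    return sum(c for _, c in counts.most_common(k)) / len(valid)


if __name__ == "__main__":
    for label, pool, space, pred in (("last-4 SSN", SSN_ANSWERS, 10_000, FOUR_DIGITS),
                                     ("first car", CAR_ANSWERS, 116, lambda a: True)):
        s = answer_stats(pool, space, pred)
        print(f"{label}: uniform {s['uniform_bits']:.2f} bits, shannon {s['shannon_bits']:.2f}, "
              f"min-entropy {s['min_entropy_bits']:.2f}; top {s['top'][0]}; "
              f"{fraction_within_k_attempts(pool, 3, pred):.0%} of accounts fall to 3 guesses")
```

On the constructed SSN list the best case is about 13.3 bits but the min-entropy is about 2.1 bits, because "1234" alone covers nearly a quarter of the well-formed answers; on the car list a 116-entry menu (6.9 bits) collapses to about 1.6 bits once Chevrolet dominates. The same two numbers, computed on a real answer table, are the evidence a reviewer would ask for before accepting a security question as an authentication factor.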

The other three questions are harder to analyze, but scanning through the answers gives some insight into user behavior. The distribution of mothers’ maiden names provided indicated that many users did answer truthfully (the most common being Smith, Jones, Brown, and Johnson), but some users seemed to answer with women’s names that are not common last names, such as Mary, Maria, and Mom(!). There were also variations in capitalization that would require normalization (converting to a consistent capitalization) if the answers were to be salted and hashed as passwords should be.

School names presented additional challenges. Common school names such as Central (7024 instances), Lincoln (2581), East (2445), West (2381), North (2336), and South (1980) were predominant, but so were initials such as BHS (2012 instances) and CHS (1597). It’s not clear how useful this question/answer would be, given that a user who forgot their password might think they answered “Central” while they actually answered CHS, Central High (432), Central Tech (417), or Central High School (185).

Favorite teams were similar in many respects to schools. There was considerably less diversity in the team name responses, making them easier to guess, particularly considering regional favorites. Yankees (28605 responses), Cowboys (26672), Steelers (20320), and Leafs (20206) were the most popular. Variations on team names were again prevalent, such as Maple Leafs (5558), Toronto Maple Leafs (4354), Mapleleafs (692), and The Leafs (301). There were also many spelling errors.
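What the normalization mentioned above would have to do before an answer could be salted and hashed like a password, shown on the school and team variants listed in the last three paragraphs. This is an added example, not Ashley Madison’s code: the canonicalization rules (case folding, stripping accents and punctuation, dropping a leading "the" and trailing words such as "high school", "hs" and "tech", then joining the remaining words) are my assumptions chosen to cover the variants the post quotes, and they also show the limit of the approach, since nothing short of a per-school lookup can map "CHS" onto "Central".

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Assumed rules: trailing words that add no identity to a school or team name,
# and leading articles. Real deployments would tune these per prompt.
SUFFIX_WORDS = {"school", "high", "hs", "tech"}
LEADING_WORDS = {"the"}
ITERATIONS = 100_000   # PBKDF2 work factor for the example; tune for production


def canonicalize(answer: str) -> str:
    """Collapse spelling variants of one answer onto a single form."""
    text = unicodedata.normalize("NFKD", answer).casefold()   # fold case, split accents off letters
    text = re.sub(r"[^a-z0-9 ]+", " ", text)                  # drop punctuation and accent marks
    words = text.split()
    while len(words) > 1 and words[0] in LEADING_WORDS:       # "The Leafs" -> "Leafs"
        words.pop(0)
    while len(words) > 1 and words[-1] in SUFFIX_WORDS:       # "Central High School" -> "Central"
        words.pop()
    return "".join(words)                                     # "Maple Leafs" and "Mapleleafs" collapse


def enroll(answer: str, salt=None):
    """Store only a salted PBKDF2 hash of the canonical answer, as for a password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", canonicalize(answer).encode(), salt, ITERATIONS)
    return salt, digest


def verify(answer: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the candidate answer against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", canonicalize(answer).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enroll("Central High School")
    for attempt in ("central", "Central HS", "Central Tech", "CHS"):
        print(f"{attempt!r:22} -> {canonicalize(attempt)!r:12} verifies: {verify(attempt, salt, digest)}")
```

With the hash in place the server never sees the enrolled answer again, so every variant it wants to accept must be folded onto the canonical form before the answer is stored; "CHS", "Central High" and "Central Tech" only match because the rules above happen to cover them, which is exactly why the post concludes that fuzzy matching ends up needing a human.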

Conclusion

It’s hard to imagine how the “security” answers could be used for anything. Some of the questions, such as favorite team, were easily guessable, but there were enough possible variations that it was far from assured that the account owner could enter the correct answer. The last 4 digits of the Social Security Number or National ID number was easier to get right, but contained information widely used for account verification at other sites: effectively a shared password. While Ashley Madison used a robust password hashing algorithm, it is easy to see why hashing wouldn’t work for security answers: there are lots of variations to be considered, and that probably requires a human customer service agent. Unfortunately, that customer service agent is likely to be vulnerable to social engineering attacks as well.

Ashley Madison (Norway)

Ashley Madison, a website that facilitates affairs for married people, has gotten considerable publicity recently because of a breach of its user database. Per Thorsheim (@thorsheim on Twitter), the organizer of the PasswordsCon conferences, checked out the Norwegian version of Ashley Madison and found an interesting “security” question:

[Screenshot: AM1]

There is a single security question with a choice of (only) four prompts, which in English are:

  • What is your mother’s maiden name?
  • What is the name of the middle school you went to?
  • What is your favorite team?
  • What are the 4 last digits of your social security number?

The last question, fairly common in the US, works differently in Norway. Their ID numbers have the following characteristics:

  • 11 digits
  • First 6 digits are date of birth
  • Next 3 are selected individually, with a limited range of 500 depending on century of birth
  • Last two are check digits (calculated from the rest)
  • Gender is encoded somewhere

So if you know the target’s date of birth (often easy to find on Facebook, genealogy databases, etc.), there are immediately only 500 choices. There are also services that can tell whether a given number is in use, which cuts the number of choices down even further, especially for older members of the population that don’t share a birth date with as many other living people.
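To put a number on the "only 500 choices" argument above, the script below counts how many syntactically valid Norwegian national ID numbers share one date of birth and how many distinct "last 4 digits" answers that leaves. This is an added example, not code from the post: the Mod-11 check-digit weights are the published scheme for the fødselsnummer, the 500-value individual-number block is the one the post mentions and is passed in by the caller because its position depends on the century of birth, and the date of birth used in the demonstration is constructed. Only the check digits and the odd/even sex convention of the ninth digit are checked; whether a number is actually assigned to anyone is not something this code can know.

```python
# Published Mod-11 weights for the Norwegian fødselsnummer check digits.
K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)          # applied to digits 1-9
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)       # applied to digits 1-9 plus k1


def _mod11(digits, weights):
    """Mod-11 check digit; a remainder of 11 maps to 0, 10 means no valid digit exists."""
    r = 11 - (sum(d * w for d, w in zip(digits, weights)) % 11)
    return 0 if r == 11 else r


def check_digits(first_nine: str):
    """Return the two check digits for a 9-digit prefix, or None when the prefix
    cannot be completed to a valid number (roughly 1 in 11 fail at each step)."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        return None
    digits = [int(c) for c in first_nine]
    k1 = _mod11(digits, K1_WEIGHTS)
    if k1 == 10:
        return None
    k2 = _mod11(digits + [k1], K2_WEIGHTS)
    if k2 == 10:
        return None
    return f"{k1}{k2}"


def is_valid_id(number: str) -> bool:
    """Syntactic validity only: 11 digits whose check digits are consistent."""
    return (len(number) == 11 and number.isdigit()
            and check_digits(number[:9]) == number[9:])


def candidates_for_birthdate(ddmmyy: str, individual_range=range(0, 500), sex=None):
    """All syntactically valid numbers for a date of birth given as DDMMYY.
    The ninth digit is odd for men and even for women, so a known sex halves the set."""
    found = []
    for i in individual_range:
        ind = f"{i:03d}"
        if sex == "M" and int(ind[2]) % 2 == 0:
            continue
        if sex == "F" and int(ind[2]) % 2 == 1:
            continue
        cd = check_digits(ddmmyy + ind)
        if cd is not None:
            found.append(ddmmyy + ind + cd)
    return found


def last4_search_space(ddmmyy: str, **kwargs) -> int:
    """Number of distinct 'last 4 digits' answers consistent with the date of birth."""
    return len({c[-4:] for c in candidates_for_birthdate(ddmmyy, **kwargs)})


if __name__ == "__main__":
    dob = "010175"   # constructed example: 1 January 1975, individual numbers 000-499
    print(len(candidates_for_birthdate(dob)), "valid numbers share this birth date;",
          last4_search_space(dob), "distinct last-4 answers;",
          len(candidates_for_birthdate(dob, sex="F")), "if the sex is known")
```

Since two of the four "last 4 digits" are check digits computed from the rest, the answer carries far less than the 13.3 bits of a random 4-digit value: for any date of birth the space is a few hundred values, halved again by sex, which is the point the post makes before even considering the lookup services it mentions.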

This shows that in designing “security” questions, it isn’t good enough just to translate the text of the question. In some other countries, the mother’s maiden name wouldn’t be a good choice if it’s part of a child’s name.