Ashley Madison (Norway)

Ashley Madison, a website that facilitates affairs for married people, has gotten considerable publicity recently because of a breach of its user database. Per Thorsheim (@thorsheim on Twitter), the organizer of the PasswordsCon conferences, checked out the Norwegian version of Ashley Madison and found an interesting “security” question:

There is a single security question with a choice of (only) four prompts, which in English are:

  • What is your mother’s maiden name?
  • What is the name of the middle school you went to?
  • What is your favorite team?
  • What are the 4 last digits of your social security number?

The last question, fairly common in the US, works differently in Norway. Their ID numbers have the following characteristics:

  • 11 digits
  • First 6 digits are date of birth
  • Next 3 are selected individually, with a limited range of 500 depending on century of birth
  • Last two are check digits (calculated from the rest)
  • Gender is encoded somewhere

So if you know the target’s date of birth (often easy to find on Facebook, genealogy databases, etc.), there are immediately only 500 choices. There are also services that can tell whether a given number is in use, which cuts the number of choices down even further, especially for older members of the population who don’t share a birth date with as many other living people.
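To quantify the argument above, here is an added example (not code from the post) that models the ID layout as the post describes it and bounds how many distinct answers the “last N digits” question can have once an attacker knows the birth date; the left-to-right field order and the rough count of 36,600 possible birth dates are assumptions of the example, not facts from the post.

```python
import math

# Layout of the Norwegian ID number as the post describes it: 6 digits of
# birth date, 3 individually assigned digits, 2 check digits derived from
# the other nine.  Field order left-to-right is an assumption of this example.
FIELDS = [
    # (name, width, distinct values an attacker must still guess)
    ("birth_date", 6, 36600),   # assumed: ~366 dates x 100 years
    ("individual", 3, 500),     # the range quoted in the post
    ("check", 2, None),         # derived: adds no choices of its own
]

def answer_space(last_n, known=frozenset()):
    """Upper bound on the number of distinct answers to
    'what are the last N digits of your ID number?' when the
    attacker already knows the fields named in `known`."""
    # How many whole ID numbers remain consistent with what is known.
    candidates = 1
    for name, _, choices in FIELDS:
        if choices is not None and name not in known:
            candidates *= choices
    # How many digits inside the N-digit window can still vary at all.
    varying = 0
    remaining = last_n
    for name, width, _ in reversed(FIELDS):
        in_window = min(width, remaining)
        remaining -= in_window
        if name not in known:
            varying += in_window
    # The answer can take no more values than either bound allows.
    return min(candidates, 10 ** varying)

def effective_bits(last_n, known=frozenset()):
    """(entropy of the real answer space, entropy a naive reading of
    N uniform digits would suggest), both in bits."""
    return math.log2(answer_space(last_n, known)), math.log2(10 ** last_n)

if __name__ == "__main__":
    for n in (2, 4, 5):
        for known in (frozenset(), frozenset({"birth_date"})):
            space = answer_space(n, known)
            print(f"last {n} digits, known={sorted(known) or 'nothing'}: "
                  f"{space} answers, {math.log2(space):.1f} bits")
```

Asking for more trailing digits does not help once the birth date is known: the window only picks up more derived or individually assigned digits, and the bound stays at the 500 individual numbers.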

This shows that in designing “security” questions, it isn’t good enough just to translate the text of the question. In some other countries, the mother’s maiden name wouldn’t be a good choice if it’s part of a child’s name.


Published by

Jim Fenton

I'm a networking technologist who likes to travel, bicycle, run, and various other things.
