DB Bahn

Anders B (@abjoerne on Twitter) contributed the following example from DB Bahn:

DB

Scattered among the typical security question options is passport/ID number. While it’s not something you’re likely to post on Facebook (unlike favorite animal or holiday destination, perhaps), it isn’t something that is a secret: very often people are asked for their passport numbers when registering for hotels, for example. In addition, I have always been given a new passport number when I renew my passport. Will I always know which passport number I used? Will I still have access to it?

System for Award Management – then and now

About three years ago, the startup I was working for was bidding on a US Government contract, and that required us to register with what at the time was called Central Contractor Registration (CCR). The “security” questions were notable enough that I kept a record of them at the time, which I ran across recently.

Then

The old registration required that I supply the answers to five security questions. This is more than I have seen anywhere else:

CCR question prompts

Fortunately, although the prompts were the same for each of the questions, there was a long list of prompts from which to choose:

CCRq1

The list was long enough that I had to scroll down to see the whole thing:

CCRq2

While having a longer list of questions is helpful (and probably essential, if five questions are involved), there isn’t really anything new here, and some questions have little entropy, even for those for which you can’t get the answers from social networking sites.

I also captured some of the password requirements:

BPNpasswordFairly standard, but unfortunately I didn’t capture the “additional password rules” (despite a search through Internet Archive).

Now

CCR has been incorporated into GSA’s System for Award Management (SAM) [sound like someone’s uncle?]. The process is somewhat different, and more conventional now, with three “security” questions. I suppose the answer to a “Security Question” is a “Security Answer”:

SAMfieldsAll three questions draw from the same, shorter, list of prompts. Nothing unique here:

SAMquestionsOne thing they do that I haven’t seen elsewhere is display a popup that explains why they’re asking for this. A nice gesture for the 0.01% of people who don’t already know:

SAMexplanation

Note the “one or more”. Your account could be taken over by someone knowing only one of these answers. Scary.

The username/password rules are interesting too. SAMpwrulesWhy the 15 character upper limit? As a rule, longer passwords are better, so why not let users use longer ones?  Longer hashed passwords don’t any more storage space than short ones, and they are hashing the passwords aren’t they?

Update 29 August 2015: I ran across a podcast talking about “the worst government websites on the internet” that cited SAM as their poster child of bad government websites. Their issues apparently aren’t limited to their use of security questions.

Palo Alto Networks

Networking company Palo Alto Networks has an example of a website that allows users to pick their own “security” questions:

Empty security question form

As you can see, the questions and answers can range from the unhelpful (given that you’ve forgotten your password) to the obvious:

Tongue-in-cheek questions

I’d be careful about this; it’s never obvious how many correct answers are needed for account recovery, so a single weak answer might be the Achilles’ Heel for the security of your account. Some users might also choose questions that aren’t secrets, like “Who shot J.R.?”, “What is 2+2?”, or “What is the airspeed velocity of an unladen swallow?”

And it’s never obvious how this information is stored. Is it salted and hashed like passwords should be? Or is it available to customer service people in plaintext?

Wondering how the answers are stored

So now to test out the recovery process. An identifier and CAPTCHA to start:

4

And presumably the user still doesn’t know their password. But they also got the capitalization and punctuation on “No!” wrong:

5

Didn’t work. Let’s try again. But look, the user has another option to get a password reset email:

6

So why do we need the security questions at all? They’re just an additional way into your account:

7

Sure enough, the email was sufficient:

8The “security” questions were not needed to recover the account, but just provided an additional way in. So why have them?

 

Contributed by Per Thorsheim.

Account Recovery at Wells Fargo

A long time ago, I had to answer a set of three “security” questions for Wells Fargo Bank, and at the time I blogged about it internally at a previous employer, a blog post I no longer have access to. I have contemplated repeating and documenting the process, and asked them once how to do it, and it required that I phone and ask them to clear the answers so it would prompt me again — there was no other way I could change the question/answer choices.  I never followed through with that.

Today I got an email message I was initially suspicious of, telling me that my account had been disabled (this is a common variety of phishing message). I manually scrutinized the message headers and noticed that the message had a good DKIM signature from wellsfargo.com, and used the special email address that only they use. So it looked legit, and it was: my account had apparently been locked out, probably by multiple tries by someone who thought they had my username.

As instructed, I went to their Username/Password Help page, which displayed the following instructions for this:

Screen Shot 2015-03-24 at 10.23.06 PMWhat’s interesting is that none of this has to do with the questions I had answered several years ago. I’m wondering if they abandoned using them (I hope so).

I entered my username (which is fairly easy to guess, but I’m not going to publish it), my credit card number (barely a secret especially considering that the $50 liability limit wouldn’t apply here), and my ATM PIN (only 4 digits), and that was enough to allow me to set up a new password. Wells Fargo did send me an email message telling my password had been changed, which is good. But the process here is still weaker than a good password would have been. The process they’re using isn’t terrible, but once again, account recovery seems to be the weak spot in the security chain. There may be other factors that aren’t visible to me: for example, I did the reset from an IP address I normally use for banking, and that may have made the process easier for me.

I did also get a reminder of their password rules:

Must be 6-14 characters and contain at least one letter and one number. It cannot contain nine or more numbers.

I suppose that by limiting how many numbers may be in the password, they’re avoiding Social Security Numbers, phone numbers, and the like. But given that the most reliable way to generate a more secure password is to make it longer, why limit it to only 14 characters?

Your mother’s maiden name has been a ‘security question’ since 1882

Here’s an article with some history about “security” questions. But I would say that these companies (and government agencies) are more casual about your security, rather than about your privacy. So many of the answers to these questions are already out there, so the privacy issue is already moot.

Fusion

It’s well-established that passwords are a flawed security system. Attackers can guess them, steal them from a database, or watch you type them in. But until we can get our smartphones to take our DNA to confirm our identities, we’re stuck with them.

The processes that let you recover your password if you forget it, though, can be much worse than passwords themselves.

Companies that take security seriously will ask you to authenticate your identity with a “second factor,” such as a code they send to a device they know you own. Companies that don’t care are more casual about your privacy will ask you to answer “security questions” — which are typically questions that anyone could guess after a thorough stalking of your Facebook account: Oh, there’s a photo of you with your high school best friend. Oh, there’s a status update with your “porn star name,” combining your first pet’s name with the…

View original post 275 more words

eDisclosure

As a member of my small city’s Bicycle and Pedestrian Advisory Commission, I am required by California Law once a year to disclose any conflicts of interest I may have. The City has recently adopted eDisclosure, a system to allow us to file those disclosures online.

I was sent a temporary password with which to create an eDisclosure account. It required that I change my password immediately, and had a moderately aggressive set of password rules:

eDisclosureRules

But it also required me to answer a single “security” question, and none of the prompts inspire confidence in the security of this system:

eDisclosureQ“What is your favorite season?” has to be one of the lowest entropy questions I have seen yet. Of course, there are four seasons, so if they are equally popular that is a whopping 2 bits of entropy. Of course, there are other answers, like “ski”, “strawberry”, and “football”, but I only thought of those once I realized how few choices there seemed to be. Many will just answer, “spring”.

My favorite season, of course, is unpronouncable.

 Contributed by myself (Jim Fenton)

 

California Department of Motor Vehicles

I recently got to renew my driver’s license online rather than go to the Department of Motor Vehicles office. Naturally, this required that I create an account at the DMV, and of course they had security questions for me to supply answers to. Two sets this time, but both with the same list of prompts:

DMV question promptsHaving only one list of questions of course is more limiting: you need to pick 2 out of 10 questions to answer (truthfully or not). There is a little creativity here: the question about the prom is not one I have seen elsewhere. But the question about who you voted for is terrible, since a 50 year-old person may have voted in only 7 presidential elections, and most likely voted for one of two people (immigrants have the possible advantage of unusual answers here). This narrows down further if you can estimate the person’s age, since they likely first voted close to the time they became eligible. So no more than 4 bits of entropy here, and perhaps less.

The context of the security questions here is more troubling. The registration form places these questions in between email address (which you need to enter twice) and driver’s license/ID number, date of birth, last 4 digits of Social Security Number, and driver’s license/ID issue date, all of which need to be answered truthfully in order for the registration to succeed. The placement of these questions discourages users from doing the secure thing, which is to make answers up.

Contributed by myself (Jim Fenton)