Security is hard, and 2FA is not the answer
I’ve become a one-note-Cassandra about identity authentication, especially insecurity questions and their subset, out-of-wallet questions. I even tried to create an insecurity-questions tag on StackOverflow, adding the tag to several related questions in the hope of getting some outside-the-box thinking done. It failed, probably justifiably so—I’ve been on StackExchange for several years now, but really don’t understand how the system works.
Often, when this topic comes up, someone in the comments—or even the blog author—suggests two-factor authentication as the answer—even in this article at KrebsOnSecurity detailing the dangers of phone authentication. I have never done so. For one, it doesn’t even make sense. Taken literally, it’s a non-sequitur. Two-factor authentication means that the person needs to know both their password and have some other identifying factor, and insecurity questions are technically meant for when someone does not know their password.
The suggestion makes more sense, however, when you realize that the real problem is trust, and that 2FA inevitably devolves to ½FA at the drop of an appropriate sob story.
In many ways, despite the claims of incredible divides today, we trust far too much. Banks still hand out checks, meant to be given to third parties, that contain all of the information needed to drain checking accounts. Every time we write a check, we are implicitly trusting that the person we give the check to, as well as everyone in the chain of handling the check, on down to the people who trash it or shred it, can be trusted with full access to our money. And don’t think you’re above the problem because you don’t write checks; the information that matters is the information you give to every system that offers to put money into your checking account. The same information that puts money into your account can take money out of your account.
When you enter that information into PayPal, or Amazon, or whatever other service gives you money, you’re adding not just everyone in the chain of handling the information, as with a check, but also everyone who programmed their database systems.[1]
We trust that only the account owner will attempt to bypass not knowing the password to their account, despite mountains of evidence otherwise.
We trust that fingerprints aren’t 3-D printed, that eyeballs aren’t photographs from the Internet.
We trust the return addresses on the letters we receive. We trust that if we get an email from an email address, it was sent by the owner of that address. And we trust that if we get a phone call from a phone number, it is coming from that phone number. We trust that if we get a request for proof of identity after sending a verification code, that it’s a valid request.
This is why social engineering attacks are so often successful. And the problem with 2FA is that it pretty much always devolves to the two things being (a) the password and (b) your cell phone; so when someone calls a service using “your” cell phone and says they’ve forgotten their password, this only reinforces that “you” should be trusted.
This despite cell phones themselves being hardly secure, and phone numbers even less so. Phone numbers are so insecure that some companies make legitimate businesses out of hacking them. Google Voice, for example. If you have a Google Voice number, and someone calls you using that number, they’re not calling you. They’re calling Google. Google passes it on to you, from a Google call center. But you still see the original caller’s number on your phone, because Google is pretending to be that number. This is not some special trick that Google invented. It’s how the phone system works.
This goes way further than just someone pretending to be your phone while talking to your service provider. The hacker can also pretend to be your service provider’s phone while talking to you. Two-factor authentication trains us to trust incoming messages, something that in the email domain we are warned against all the time, for the simple reason that email addresses are easily faked. But so are phone numbers.
This is not easily solvable, because pretty much any multi-factor authentication we can think of will handle the multiple factors on the portable computers that we carry with us at all times—that is, our cell phones.
The promise of two-factor authentication was that it would improve security by requiring two factors for accessing services: a thing that we know (a password) and a thing that we have (a phone[2]). But if it’s going to devolve, as it seems it will, into a thing that we know or a thing that we have, and that thing we have is easily stolen or easily faked, 2FA isn’t an improvement. It becomes part of the problem.
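As an added example, not code from the original post: a small Python model of the argument above, in which an account is only as strong as the weakest of all its access paths, password-reset and support-desk flows included, and in which phone-bound “something you are” factors collapse onto the phone, as footnote 2 argues. The factor names and the factor-to-asset mapping are assumptions for illustration, not anything the post specifies.

```python
# Added example (not from the original post). Each factor is backed by the
# underlying asset(s) an impostor must control to present it; the mapping
# below is an assumption chosen to mirror the post's argument.
FACTOR_ASSETS = {
    "password": {"password"},
    "totp_app": {"phone"},             # authenticator app lives on the phone
    "fingerprint": {"phone"},          # "something you are", relayed by the phone
    "sms_code": {"phone_number"},      # the number is verified, not the handset
    "support_call": {"phone_number"},  # caller ID from "your" number persuades support
    "hardware_key": {"hardware_key"},
}


def path_assets(path):
    """Distinct assets needed to satisfy every factor on one access path."""
    assets = set()
    for factor in path:
        assets |= FACTOR_ASSETS[factor]
    return assets


def effective_factors(paths):
    """Fewest distinct assets an impostor needs over ALL ways into the account.

    paths: collections of factor names; each collection alone grants access
    (the normal login, each recovery flow, the support desk, ...).
    """
    return min(len(path_assets(p)) for p in paths)


def weakest_paths(paths):
    """The paths that set the effective count: the ones a defender must fix."""
    floor = effective_factors(paths)
    return sorted(sorted(p) for p in paths if len(path_assets(p)) == floor)


# Constructed policies for one account.
LOGIN = {"password", "totp_app"}                 # the 2FA promise: 2 assets
WITH_SMS_RESET = [LOGIN, {"sms_code"}]           # "forgot password" -> 1 asset
WITH_SUPPORT = [LOGIN, {"sms_code"}, {"support_call"}]
PHONE_ONLY_2FA = [{"fingerprint", "totp_app"}]   # two "factors", one phone
HARDENED = [{"password", "hardware_key"}, {"password", "sms_code"}]

if __name__ == "__main__":
    for name, policy in [("login only", [LOGIN]), ("sms reset", WITH_SMS_RESET),
                         ("support desk", WITH_SUPPORT),
                         ("phone-only 2FA", PHONE_ONLY_2FA), ("hardened", HARDENED)]:
        print(f"{name:15} effective factors = {effective_factors(policy)}; "
              f"weakest paths: {weakest_paths(policy)}")
```

The HARDENED policy is the “you need your password and you need your phone” shape the post says could work: every path, recovery included, still costs the impostor two independent assets.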
More and more, I think that in our current environment a good password is still the best of several bad answers. At least with a password, I am in control of what the authentication is.
I think one of the biggest problems, if not the biggest problem, with how we look at security today is that we blame it on the end user. So often, our understanding of social engineering is that it’s the user’s fault. But social engineering works best when applied against the service. The service, after all, does not know who you are, and so is open to being fooled.
The top-rated answer on this StackExchange question gets so many things wrong that it’s hard to know where to start.[3] The more complicated a system is, the easier it becomes for attackers. Why? Because the people using the system and the people managing the system are more likely to make a mistake. The more mistakes, the more potential attack vectors for attackers to bypass or break security. Further, complicated systems train the service’s support employees—who are already probably trained to make the caller happy—to accept that the system will need to be bypassed regularly. This helps those attackers who use social engineering rather than or in addition to programming to break in.
Multi-factor authentication seems to me to be part of a trend toward more complicated systems. If it were truly “you need your password and you need your phone”, it could improve security (at the expense of a whole lot of people locked out of their accounts). But there seems no way to ensure that 2FA/MFA doesn’t end up becoming “you need one or the other”. Despite the good intentions of those who created it, its effect is to make good security harder for the end-user to maintain and easier for the attacker to bypass.
In response to Security questions will always be insecure: Insecurity questions are insecure because their purpose is to allow access to someone who does not know the access credentials. This trait is shared by zero or one person who has forgotten their password, and an infinitude of people who never knew it in the first place—because they shouldn’t have access.
[1] Anecdotally, I just tried to do a search on whether payment services hash checking account numbers; do a search on whether services hash passwords and you’ll find all sorts of discussion about it. Checking account numbers? Bank account numbers? I can’t see anything.
[2] Technically, “something you have” is often replaced with “something you are”, such as fingerprints, retinal scans, and so forth. But because “something you are” has to be translated remotely, it is also going to be “something you have”. And that something you have that takes your fingerprint or your retinal scan is likely to be your phone.
I’m going to repeat this because it’s so important: in the modern world of mobile computing, “something you are” is exactly the same as “something you have”. Treating the two differently will enable successful attacks.
[3] In their defense, this was written nearly eight years ago, when 2FA was still a shiny new object.
insecurity questions
- Insecurity Questions tag at Stack Overflow
- Insecurity questions (often called security questions or secret questions) are questions nominally about some public aspect of an account owner’s life—such as their first date, favorite teacher, admired actors, and so on—that while public information are obscure enough to identify a valid user. They are meant to help users who do not know the password to a resource access the resource, usually by resetting the password. Insecurity questions require awkward security tradeoffs and involve difficult design issues, because they: (a) are designed to bypass not knowing a password—a trait shared both with the user who has forgotten their password and the hijacker that never knew it; (b) use information known both by the valid user and by those potential abusers most likely to try to hijack their accounts; and (c) are questions whose answers can be ephemeral, as users’ favorites and even knowledge about their past change over time.
- Why don’t the answers to “security questions” need to be stored securely? at Stack Overflow
- “Given that security questions and answers often allow a user access to an account in a workaround way, without requiring the password, why are they allowed to be stored in plain text?”
phone authentication
- Does two factor authentication prevent social engineering attacks at StackExchange
- “With just password authentication, social engineering attacks seems to be the weak link. Will using any of the two-factor methods described above make social engineering so hard that hackers will not even bother trying?”
- How Hackers Reportedly Side-Stepped Google's Two-Factor Authentication: Kelsey Campbell-Dollaghan
- “Two-factor authentication is generally seen as the safest bet for protecting your Gmail account. But a harrowing tale from indie developer Grant Blakeman, whose Instagram was hacked through Gmail, reveals how not even two-factor authentication can beat every security threat.”
- Privacy on iPhone—Private Side at Apple Computer
- This is the best Apple ad I’ve seen in a long time. It rivals their rip-mix-burn ad from the music encryption wars. (For extra credit, count the number of walls in this video.)
- Verification Code or Cyber Attack?
- “Others explained that they often check their email from public computers in libraries or labs, so requests to verify their identity are common.”
- Why Phone Numbers Stink As Identity Proof: Brian Krebs at Krebs on Security
- “Phone numbers stink for security and authentication. They stink because most of us have so much invested in these digits that they’ve become de facto identities. At the same time, when you lose control over a phone number—maybe it’s hijacked by fraudsters, you got separated or divorced, or you were way late on your phone bill payments—whoever inherits that number can then be you in a lot of places online.”