Account Recovery May be the Weakest Link

About a year ago, I read an article in Wired by Mat Honan called “How Apple and Amazon Security Flaws Led to My Epic Hacking.” At the time I was working as one of Gartner’s two main anti-malware analysts. I was affected by the article and actually beefed up my own security afterwards/

If you didn’t read the piece, check it out and also Wired’s follow up articles. There’s much to be learned there, particularly if you haven’t thought a lot about personal protection online. Although specific Apple and Amazon process flaws described may have since been fixed, the basic pattern of vulnerable account recovery processes hasn’t changed one bit.

Here’s a brief summary of Mat’s epic hacking article.

“In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

In many ways, this was all my fault. My accounts were daisy-chained together. Getting into Amazon let my hackers get into my Apple ID account, which helped them get into Gmail, which gave them access to Twitter. Had I used two-factor authentication for my Google account, it’s possible that none of this would have happened, because their ultimate goal was always to take over my Twitter account and wreak havoc. Lulz.

Had I been regularly backing up the data on my MacBook, I wouldn’t have had to worry about losing more than a year’s worth of photos, covering the entire lifespan of my daughter, or documents and e-mails that I had stored in no other location.”

Though Mat made some mistakes, the online house of cards he was living in wasn’t too different than the average person’s today. Unlike some, according to the article, Mat didn’t make the mistake of using weak passwords, or the same password, on all his accounts. He actually used a password generator tool to randomize his passwords.

Some people’s online lives are so chaotic that half the time they’re actually logging on to different services through their email account! That is, constantly going through the account recovery process to get a password reset link by email. This anti-pattern has multiple debilitating effects on security: not only can the email account can be used by hackers to compromise other accounts, but denial of service or phishing attacks can exploit the account recovery process itself. Still, online services like to reset passwords by email because its an automated process that doesn’t cost them much.

The other way we typically recover our online accounts, including the all-important email account itself, is using questions and answers. Q&A, or shared secret techniques, are also called knowledge based authentication (KBA). The challenge for KBA is that hackers can potentially obtain secrets and users frequently forget them – especially if the system is automated and the answers must be typed in exactly correct. When too many legitimate users fail to answer the questions online services have a problem. They can’t afford to lock their customers out and have limited help desk and security budgets for proper verification. Account recovery security processes may get watered down to the lowest common denominator and there’s plenty of ways for hackers to game the system using social engineering techniques..

Weak account recovery processes were Mat Honan’s bane in the epic hacking story. At the time of the article Mat indicated that “Since [the hacker] already had the e-mail [address] all he needed was my billing address and the last four digits of my credit card number to have Apple’s tech support issue him the keys to my account.” Matt then described how the hacker got the last-four credit card digits by gaming Amazon’s account recovery system using an easily replicable trick. Mat also noted that lots of people have access to credit card numbers.

One additional line of defense users should have is to watch their email account for notifications of account recovery or other anomalous activities. For example, Facebook will tell you if someone accesses your account from a previously-unseen computer. When you reset your password – even with Q&A – you’ll usually get an emailed notification. Those alerts should have warned Mat. However, in his case hackers had also compromised Mat’s email account and sent the notifications to the trash. Later, they locked him out of the email account entirely.

Here are a few very basic recommendations for users on account recovery:

  • Use a password management tool to generate different, strongly randomized passwords on all your online accounts. Keep the most important passwords (such as the ones to your password generator tool, computer, email account and bank account) in your head. 
  • Make your really important, manually-generated passwords hard to guess. If you write them down, store them in a locked room where you keep your will and other important papers.
  • Fortify your email account, bank account and other important accounts by using a two factor authentication option, such as Google’s two step verification. Important: Read A Two Factor Authentication Makeover for Your Protection, it describes exactly what to do.
  • Check your email account regularly and pay attention to notifications about account recovery or other security issues on sites you use.
  • Periodically review your practices for protecting your computer from malware and physical compromise. Be careful to avoid opening email attachments or clicking links from unknown sources, or if something seems unusual about them. 

Meanwhile, online services should audit their account recovery practices to ensure good practices are followed, such as:

  • Don’t use extremely weak “secrets”, such as birthdays or mother’s maiden name, in KBA. Consider using administrative secrets, such as the user’s prior hard-to-guess but easy-to-remember activity on your site last week.
  • Don’t automatically reset passwords until the user has confirmed the request by email.
  • Properly train all staff involved in account recovery and develop a formal, well-thought out escalation process for situations where a customer is locked out. 
  • Protect all account management flows with the user via TLS.
  • Monitor logs for anomalous activity and follow up on incidents and anomalies.
These are just very preliminary lists to get service providers started within the framework of the status quo for account recovery. More analysis is needed, so if you’re working on this issue or just concerned about it, please take these recommendations as just your starting point and perhaps add to them in the comments to this blog.
In another post I’d like to write sometime, I’ll ask the question: “How could we develop a higher assurance account recovery process to cover a broad set of use cases?” and put forth some ideas about that.
Subscribe to Blog Notifications...  HERE