Last Updated: 2013-01-04 00:24:35 UTC
by Daniel Wesemann (Version: 1)
Over the holidays, a friend of mine was busy trying to recover her online accounts, which had been hacked and taken over. While her experience wasn't quite as bad as Mat Honan's, it was still a mess to untangle. Initially, we suspected spyware and spent some time searching her PC for a keylogger. None was found. Once the first few accounts were returned to her, including an email account, we were able to (partially) reconstruct what had happened. As in Mat Honan's case, it wasn't the password that had been breached, but rather the "I forgot my password" functionality. Duh-oh.
We took this as incentive to analyze the password reset options of some of her accounts, and what we found was not pretty. It seems that "I forgot my password" comes in (at least) three variants:
(1) New password is sent to the email address on file
(2) New password can be set after answering a couple of "Secret Questions"
(3) New password is set after "authenticating" out-of-band (via phone or fax)
Let's start with (2). We have known at least since the Sarah Palin attack that password reset functions can be dangerous. Having a 10-character complex password with >60 bits of entropy is of little use if the same password can be reset by answering what the color of your first car was - about 3 bits of entropy, or roughly equivalent to having a one-digit password between 0 and 9! Still, call centers are expensive, and the economic incentive is strong for companies to provide a password reset function that is trivially EASY. And since the corresponding fallout lands on the user and rarely on them, they don't care much.
Variant (3), the "out of band" confirmation, comes in two flavors. One is really competent and quite secure, and very very rare, because a real person asks really hard and unscripted questions about your past relationship with the company or institution. The other is silly and near useless, and very very common: unfortunately, such calls usually go to call centers overseas, where the agent answering the phone will "identify" the caller by asking for ... yes, the color of the first car again. Some web sites, for example domain registrars, also require a faxed copy of a driver's license. "Fax" is that 1980s technology of image transmission with a picture quality that manages to make the most authentic passport look like a forgery. Hence, the hardest part for the attacker is probably to make sure his forgery doesn't look too authentic ...
Which leaves (1) ... an option that works reasonably well, provided that the email doesn't get intercepted in transit, and that it isn't the email account itself that was compromised. If it is, then this function becomes deadly real quick, because the attacker can readily reset all your other passwords, pick up the new credentials in the compromised inbox, and continue hacking at his leisure. In our tests, we also found two web sites where the password reset email contained the actual password that my friend had set, which means that the web site in question had committed the cardinal sin of storing user passwords in cleartext. But that's a story for another time.
For now ... I suggest you start 2013 by taking a close look at the "chain of trust" between your important accounts: Which one can reset which others? If an attacker gets access to this one, what information does the account provide that allows him to breach which other credentials? Also, click on the "I forgot my password" or "I forgot my userid" button, just to see what happens. You might discover that in a state of naive trust and delusion, some years ago, when you set up your account, you actually truthfully answered that your first car was blue.
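To make that "chain of trust" review concrete, here is a small added example (mine, not part of the original diary) that models an account inventory as a reset graph: an edge means "whoever controls this mailbox can reset that account" (variant 1), and accounts whose reset path is a secret question, call center or fax (variants 2 and 3) are flagged as weak. The account names and reset options are constructed sample data, not anyone's real accounts.

```python
from collections import deque

# Constructed sample inventory: each account lists the reset mechanisms it
# offers and, for the email mechanism, which mailbox receives the reset link.
ACCOUNTS = {
    "webmail":   {"reset_via": [("email", "isp-mail")]},
    "isp-mail":  {"reset_via": [("secret_questions", None)]},
    "bank":      {"reset_via": [("email", "webmail"), ("phone", None)]},
    "registrar": {"reset_via": [("email", "webmail"), ("fax", None)]},
    "shop":      {"reset_via": [("secret_questions", None)]},
}

# Reset paths that rest on low-entropy or scripted "identification".
WEAK = {"secret_questions", "phone", "fax"}

def reset_graph(accounts):
    """Edge a -> b means: controlling account a lets you reset account b."""
    edges = {name: set() for name in accounts}
    for target, info in accounts.items():
        for method, source in info["reset_via"]:
            if method == "email" and source in accounts:
                edges[source].add(target)
    return edges

def blast_radius(accounts, compromised):
    """All accounts reachable via email resets once `compromised` is lost."""
    edges = reset_graph(accounts)
    seen, queue = {compromised}, deque([compromised])
    while queue:
        for nxt in edges[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {compromised}

def weak_reset_paths(accounts):
    """Accounts that can be reset through a secret-question, phone or fax path."""
    return {name for name, info in accounts.items()
            if any(m in WEAK for m, _ in info["reset_via"])}

def audit(accounts):
    """Weakly protected accounts, ranked by how many others fall with them."""
    return sorted(((len(blast_radius(accounts, a)), a)
                   for a in weak_reset_paths(accounts)), reverse=True)

if __name__ == "__main__":
    for count, name in audit(ACCOUNTS):
        print(f"{name}: weak reset path, takes down {count} other account(s)")
```

In the sample data the ISP mailbox is the root of the chain: it is protected only by a secret question, yet losing it hands over the webmail account, and through it the bank and registrar logins.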
How are you handling password reset functions to reduce the risk of them becoming an easy avenue for attackers? Please let us know in the comments below!