> She explains to me how she got an email from Apple about her account and there was a phone number in it. I tug my collar several meters into the next room, knocking over several carefully-potted indoor plants.
"I reach under my desk, unwrap a parcel addressed to “DIRECTOR OF CYBER, NSA”, slide out a yellow and black canister labelled “CHINA”, break open the safety seal, and use safety tongs to extract the following red-hot phish."
I have personally experienced a CS rep accepting “it’s just a bunch of random characters” as an answer. Combined with the fact that you just went on the record as using that scheme, your opsec just took a dramatic hit.
The first time I had a CS rep require me to recite my 64-character alphanumeric answer was what prompted me to switch my strategy. Now I generate a list of four arbitrary words for every answer to security questions... so much easier to answer.
It just goes to show that these questions are useless as a security barrier. Any institution still using them is doomed to have a social-engineering vulnerability.
I think I would refine that like this: among companies that train workers against social engineering, ones that pay workers peanuts are going to still be more susceptible than the others simply because of the don't-care factor.
Other than that, anyone is susceptible to social engineering, regardless of pay. Social engineering is crafted to suit demographics.
What's the absolute worst that could happen if you crack my free account on some cooking website?
Maybe you favorite a bunch of recipes with lima beans (which I hate). Instead, you discover that I was really into lentil dishes for a while, but have been more interested in dumplings this fall. Maybe this could be used in some sort of elaborate social engineering scheme that nets you more valuable information, but I'm not seeing how....
> What's the absolute worst that could happen if you crack my free account on some cooking website?
The worst that could happen is that you used the same password there as for your online banking, or important e-mail account and such.
If you didn't do that, then the impact is approximately zero.
Of course, that cooking site still wants you to use a sufficiently long password with at least one digit, capital and lower case letter, and special character ...
Okay, I set myself up for this by saying "absolute worst", but this strikes me as so unlikely that it's not really worth worrying about. After all, someone could make a new account using your name (+ some numbers) /right now/!
I disagree. I do the same for certain sites. I have a gmail that I use for weird sites that I most likely won't visit again or any time soon and answer the security questions much the same. If this account gets compromised I literally lose nothing other than having to make a new gmail and do it again. This shows nothing about my bank or Facebook or actual gmail account security as those I do take steps to protect.
Hopefully they're using unique usernames and not using the same username all over the Internet. Or, worse, a variation of their real name as a username.
In this case a password like “to be repeated exactly: <random string>” has the same properties and can be divulged without affecting opsec particularly.
(Un)fortunately, normal people don't think like programmers. That's why security questions exist, in the first place. Do you think they won't accept "It's to be repeated exactly, and then gschgschgsch. Ahh, youth. Those were the days."
If you think that's bad: I always enter a fake phone nr. Once, a company turned out to use them as verification for phone support. I didn't know, and had forgotten, so gave my actual number. "Oh, it says something else here. Shall I just go ahead and remove that, then?". I wanted to cry.
Not that I condone this strategy, but what is the threat model where an impersonator knows to say, "It's to be repeated exactly, and then adso&#fjsou..."?
Well yeah, in this case that's the weakness. But before parent announced their strategy on this forum, what was the threat model? Hell, let's assume OP obfuscated the introductory part in their comment to avoid that leak.
If they're willing to brag about their passwords on the internet, I'd be willing to bet that family and friends have the same information.
Assuming that wasn't true, a customer service rep for the phone company could call the customer's bank and try to impersonate the customer, assuming it's used often (like the poster stated).
I'm always shocked by how small the fields for some of those inputs are though. How much space for entropy do you have left after including the notice about needing an exact match?
Well, hell, I got off with just saying "I don't remember it" and then following up with details of _recent_transactions_ not one time. This whole "personal question" scheme is useless.
I just reset my password for American Airlines. They ask me 3 (what I would consider public) questions about myself, then let me reset the pw in browser. No emails or any other authentication. I'm still blown away.
Got bitten by this when I had to give a 32-character alphanumeric answer over the phone. I groaned and asked, "Can I just give you the beginning and the end?" The rep laughed and accepted my compromise. Since then, I use a collection of random words (in the style of correct-horse-battery-staple) for security questions.
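The "random words for security answers" approach described in this comment, as an added example that is not part of the thread: it draws answers from a word list with a CSPRNG, reports the resulting entropy, and shows the server-side half a service should do, namely hashing stored answers like passwords and comparing them after whitespace and case normalisation so an answer read over the phone still matches. The word list is constructed for the example; the function names are assumptions.

```python
import hashlib
import math
import secrets

# Constructed sample word list. A real Diceware-style list has about 7776
# words, which is what gives each word roughly 12.9 bits of entropy.
WORDS = [
    "apple", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "anchor", "bridge", "copper",
    "drizzle", "engine", "fossil", "glacier",
]  # 32 words, so 5 bits per word


def generate_answer(n_words=4, words=WORDS):
    """Return n_words uniformly random words joined by spaces (CSPRNG, not random.choice)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, list_size=len(WORDS)):
    """Entropy of an answer drawn uniformly from list_size ** n_words possibilities."""
    return n_words * math.log2(list_size)


def normalize(answer):
    """Case-fold and collapse whitespace so a spoken or retyped answer still matches."""
    return " ".join(answer.casefold().split())


def store_answer(answer, iterations=200_000):
    """Store the answer the way a password should be stored: salted, slow hash."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify_answer(record, candidate):
    """Constant-time comparison of the candidate against the stored hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalize(candidate).encode(), record["salt"], record["iterations"]
    )
    return secrets.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    answer = generate_answer()
    print("answer:", answer)
    print("entropy with this 32-word list:", entropy_bits(4), "bits")
    print("entropy with a 7776-word list: %.1f bits" % entropy_bits(4, 7776))
    record = store_answer(answer)
    print("verifies after sloppy re-entry:", verify_answer(record, "  " + answer.upper() + " "))
```

The normalisation step is the part a service most often gets wrong: if the stored answer is compared byte-for-byte, a rep typing what the caller said will fail on capitalisation or a double space, which is exactly what pushes reps towards accepting "it's just a bunch of random characters" instead.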
What are some of the ways this blows back? Having to answer them over the phone when they're not passwords, but more like customer service gatekeepers?
I do this as well and it has yet to blow up in my face, though it does seem like an inevitability.
I got pretty good at memorising alpha bravo charlie[1] so I just jump straight into that, and for characters like #, * and ! I try and use the word I know is most common, e.g. in English "pound", "star" and "exclamation mark". "hash" and "bang" get me what I suppose are the equivalent of blank looks.
So I have nicely complex passwords generated by Keepass and the staff usually don't think anything of it once I mention I work in "computers".
I used to do a slightly different system where I'd have ridiculous answers, sort of a word game play on the question itself, and forgetting your secret answers with a company like Verizon can take days to figure out.
My bank (HDFC India) specifically states while setting up the security question that the bank will never ask for these (over phone or elsewhere), so I'm happily using random UUIDs.
HDFC appears to have truly terrible security, someone managed to sign up with my email address and a really weird mailing address - like an airport warehouse or something, then proceeded to fill up the card and never paid it back. I emailed HDFC about it but they never responded.
Apparently they don't even do e-mail verification.
I treat them as less secure passwords -- passwords that often a representative at the company has access to. (I've experienced instances of people on the phone (upon my calling the organization at a known number) soliciting their answers and checking them against what they have on their screen.) Usually these days, with actual passwords, they undergo a computerized check and members of the organization have no access to their values -- or at least to their unencrypted values. (Although, don't blindly depend upon that assumption.)
Security questions introduce insecurity. I remember being mightily puzzled when they were considered a "best practice" and the organization I was at was all "het up" to implement them.
The real reason? They save head count / expense -- at least, in the short run. One less "I can't remember my password" interaction -- one that, from an optimistic perspective, at least doesn't just blindly depend upon emailing the email address of record... Only, many sites seem to implement that alongside their security questions flow, so...
> At this point Diana has been completely gaslighted as to what her hotmail password is, because my phishing site said the wrong password was right, and then said the right password was wrong, and she thinks it’s the real Hotmail.
The content of the article is good - but the writing style does not sit well with me. It's an odd sense of humour and a writing style more suited to instant messages perhaps rather than a blog.
Going off on quirky tangents can be an effective tool for keeping a reader interested. It reminds me a little of Douglas Adams. He punctuates the hard science fiction with goofy anecdotes to get the reader thinking about the subject from another perspective and to keep them entertained.
It is not a tutorial on how to phish or a vulnerability report, but rather a story about how motivation is potentially more important to phishing than technical skill. Without the casual writing style, the main character (and author) might have seemed more sophisticated, which would have diminished the point of the story.
I guess the threshold isn't the same for all of us. I didn't get irked by the jokes at all... however around halfway through I started wishing for it to be over soon(tm).
Eh, I liked it. Many writers in the tech space are trying to be as concise and clear as possible. If this article had been more 'academic' in that sense I think I would have lost interest after a few paragraphs because, well, nothing in this article is really new. It's just a fun anecdote about the reality of cyber security.
That's pretty funny. I didn't like the writing style at first either, but it got funnier as I carried on (or maybe the writing got better too). By the end I was questioning why I was so resistant to light-heartedness in the first place.
Overall, a really great breakdown of a textbook phishing attack.
> Please don't insinuate that someone hasn't read an article. "Did you even read the article? It mentions that" can be shortened to "The article mentions that."
That line was fucking gold.