Every week it seems, we’re reading stories of companies and websites being compromised and consumer data being stolen. For many of us, the worst break-ins are when passwords are stolen. The LastPass Hack being one of the more recent attacks. In may ways, it’s a form of digital terrorism which is only growing. Two-factor authentication and biometrics are nice patches to the problem, but they ignore the fundamental issues related to login management. We have the tools to solve the problem, but they haven’t been applied properly.
Why We Take Off Our Shoes in the United States but not in Israel
Anyone who’s flown in the United States knows about TSA security. We take off our coats, avoid liquids, and take off our shoes before going through security. We have a no-fly list based on names. These are reactions to specific threats. That’s not the way a country like Israel does security. I haven’t flown El-Al (Israel’s national airlines), but friends tell me about the interviews they go through in security. The security officers code threats based on personal characteristics and behaviors.
We’re taking the TSA approach to online accounts and that’s why we have all the security problems. Two-factor authentication is a start. Yet when we add a second-factor to our accounts, we’re lulled into a false sense of security. That second factor protects against someone stealing my password-a specific threat. Could my second factor be compromised? Sure. My phone could be stolen or malware could compromise my second factor.
The Human Factor: Social Engineering
Even with two-factor approaches, humans still have the ability to override security settings. A few years back, an industrious hacker convinced Apple to reset a writer’s Apple ID. GoDaddy was tricked into turning over a domain name that enabled a Twitter account takeover. My identity was accidently merged with another Dave Greenbaum due to a human mistake at MetLife. This mistake almost resulted in me canceling the home and auto insurance of the other Dave Greenbaum.
Even if a human doesn’t override a two-factor setting, that second token is just another hurdle for the attacker. It’s a game for a hacker. If I know when you log into your Dropbox that I need an authorization code for, then all I need to do is get that code from you. If I don’t get your text messages directed to me (SIM-hack anyone?), I just need to convince you to release that code to me. This isn’t rocket science. Could I convince you to give that code back? Possibly. We trust our phones more than our computers. That’s why people fall for things like a fake iCloud login message.
Another true story that happened to me twice. My credit card company noticed suspicious activity and called me. Great! That’s a behavioral-based approach I’ll talk about later. However, they asked me to give my full credit card number over the phone with a call I didn’t make. They were shocked I refused to give them the number. A manager told me they rarely get complaints from customers. Most callers just hand over the credit card number. Ouch. That could of been any nefarious person on the other end trying to get my personal data.
Passwords Don’t Protect Us
We have too many passwords in our life in too many places. Medium has already gotten rid of passwords. Most of us know we should have a unique password for every site. That approach is way too much to ask of our puny earthling brains living a full and rich digital live. Password managers (analog or digital) help prevent casual hackers, but not a sophisticated attack. Heck, the hackers don’t even need passwords to access our individual accounts. They just break into the databases that store the information (Sony, Target, Federal Government).
Take a Lesson From the Credit Card Companies
Even though the algorithms might be a little off, credit companies have the right idea. They look at our buying patterns and location to know if it’s you using your card. If you buy gas in Kansas and then buy a suit in London, that’s a problem.
Why can’t we apply this to our online accounts? Some companies offer alerts from foreign IPs (kudos to LastPass for letting users set preferred countries for access). If my phone, computer, tablet and wrist device are all in Kansas, then I should be notified if my account is accessed somewhere else. At the very least, these companies should ask me a few additional questions before they assume I’m who I say I am. This gatekeeping is especially needed for Google, Apple, and Facebook accounts which authenticate to other accounts by OAuth. Google and Facebook give warnings for unusual activity, but they are usually just a warning, and warnings are not protection. My credit card company says no to the transaction until they verify who I am. They just don’t say “Hey…thought you should know”. My online accounts shouldn’t warn, they should block for unusual activity. The newest twist to credit card security, is facial recognition. Sure, someone can take the time to try to duplicate your face, but credit card companies seem to be working harder to protect us.
Our Smart Assistants (and Devices) Are A Better Defense
Siri, Alexa, Cortana and Google know a ton of stuff about us. They intelligently predict where we’re going, where we’ve been and what we like. These assistants comb our photos to organize our vacations, remember who our friends are, and even the music we like. It’s creepy on one level, but very useful in our daily lives. If your Fitbit data can be used in a court of law, it can also be used to identify you.
When you’re setting up an online account, companies ask you dumb challenge questions like the name of your high school sweetheart or your third grade teacher. Our memories aren’t as rock-solid as a computer. These questions can’t be relied on to verify our identity. I’ve been locked out of accounts before because my favorite restaurant in 2011 isn’t my favorite restaurant today for example.
Google has taken the first step in this behavioral approach with Smart Lock for Tablets and Chromebooks. If you’re who you say you are, then you probably have your phone near you. Apple really dropped the ball with the iCloud hack, allowing thousands of attempts from the same IP address.
Instead of figuring out which song we want to listen to next, I want these devices to protect my identity in a few ways.
- You know where I am: With my mobile phone’s GPS, it knows my location. It should be able to tell my other devices “Hey, it’s cool, let him in.” If I’m in Timbuktu roaming, you shouldn’t really trust my password and possibly even my second factor.
- You know what I do: You know when I log in and with what, so it’s time to ask me a few more questions. “I’m sorry Dave, I can’t do that” should be the answer when I don’t normally ask you to open the pod bay doors.
- You know how to verify me: “My voice is my passport, verify me.” No, anyone can copy that. Instead, ask me questions that are easy for me to answer and remember, but hard to find on the Internet. My mother’s maiden name may be easy to find, but where I ate lunch last week with Mom isn’t (look at my calendar). Where I met my highschool sweetheart is easy to guess, but which movie I saw last week isn’t easy to find (just check my email receipts).
- You know what I look like: Facebook can recognize me by the back of my head and Mastercard can detect my face. These are better ways of verifying who I am.
I know very few companies are implementing solutions like this, but that doesn’t mean I can’t lust for them. Before you complain-yes these can be hacked. The problem for the hackers will be knowing which set of secondary measures an online service is using. It might ask a question one day, but take a selfie the next.
Apple is making a big push to protect my privacy and I appreciate that. However, once my Apple ID is logged in, it’s time Siri proactively protects me. Google Now and Cortana can do that as well. Maybe someone is already developing this, and Google is making some strides in this area, but we need this now! Until such time, we need to be a bit more vigilant in protecting our stuff. Look for some ideas on that next week.