Over the holidays, a friend of mine was busy trying to repossess her online accounts that had been hacked and taken over. While her experience wasn't quite as bad as Mat Honan's, it still was a mess to untangle. Initially, we had suspected spyware, and spent some time looking through her PC for the presence of a keylogger. None was found. Once the first few accounts were returned to her, including an email account, we were able to (partially) reconstruct what had happened. As in Mat Honan's case, it wasn't the password, but rather the "I forgot my password" functionality that had been breached. Duh-oh.
We took this as incentive to analyze the password reset options of some of her accounts, and what we found was not pretty. It seems that "I forgot my password" comes in (at least) three variants:
(1) New password is sent to the email address on file
(2) New password can be set after answering a couple of Secret Questions
(3) New password is set after authenticating out-of-band (via phone or fax)
Let's start with (2). We have known at least since the Sarah Palin attack (her Yahoo mailbox was taken over in 2008 by answering the "secret questions" from publicly available information) that password reset functions can be dangerous. Having a 10-character complex password with 60 bits of entropy is of little use if the same password can be reset by answering what the color of your first car was - about 3 bits of entropy, or roughly equivalent to having a one-digit password between 0 and 9! The account is exactly as strong as the weakest way of getting into it, and the reset function is part of that. Still, call centers are expensive, and the economic incentive is strong for companies to provide a password reset function that is trivially EASY. And since the corresponding fallout is on the user and rarely on them, they don't care much.
Variant (3), the out-of-band confirmation, comes in two flavors. One is really competent and quite secure, and very, very rare: a real person asks hard, unscripted questions about your past relationship with the company or institution. The other is silly and near useless, and very, very common: usually such calls go to call centers overseas, where the agent answering the phone will identify the caller by asking for ... yes, the color of the first car again. Some web sites, for example domain registrars, also require a faxed copy of a driver's license. Fax is that 1980s image transmission technology whose picture quality manages to make the most authentic passport look like a forgery. Hence, the hardest part for the attacker is probably to make sure his forgery doesn't look too authentic ...
Which leaves (1), an option that works reasonably well, provided that the email doesn't get intercepted in transit, and that it isn't the email account itself that has been compromised. If it is, then this function turns deadly real quick, because the attacker can readily reset all your other passwords, pick up the new credentials in the compromised inbox, and continue hacking at his leisure. In our tests, we actually also found two web sites where the password reset email contained the correct password that my friend had set, which means that the web site in question had committed the cardinal sin of storing user passwords in cleartext (or, at best, in reversibly encrypted form, which is no better once the server is breached). But that's a story for another time.
For now, I suggest you start 2013 by taking a close look at the chain of trust between your important accounts: Which one can reset which others? If an attacker gets access to this one, what information does the account provide that allows them to breach which other credentials? Also, click on the "I forgot my password" or "I forgot my user ID" button, just to see what happens. You might discover that in a state of naive trust and delusion, some years ago when you set up your account, you actually truthfully answered that your first car was blue.
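The "which account can reset which others" question is a graph problem, and it is worth writing down. The following is an added example, not part of the diary: the account names and reset relationships are constructed for illustration. An edge A -> B means "whoever controls A can reset B", for instance because B's recovery address or SMS number lives at A, or because A controls B's DNS and therefore its mail. Walking the edges gives the blast radius of each account, the accounts nothing else can reset (the ones whose own login and second factor carry all the weight), and reset loops where two accounts are each other's recovery path and so are only as strong as the weaker reset function.

```python
from collections import deque

# Constructed example of a personal "chain of trust" (not from the post):
# A -> B means "control of A lets you reset B's password".
RESET_GRAPH = {
    "yahoo": ["gmail"],                  # gmail's recovery address is an old Yahoo account
    "gmail": ["yahoo", "bank", "amazon", "twitter", "domain_registrar"],
    "mobile_phone": ["gmail", "bank"],   # both send SMS one-time codes to this number
    "domain_registrar": ["work_mail"],   # control of DNS/MX means receiving work mail
    "work_mail": [],
    "bank": [],
    "amazon": [],
    "twitter": [],
}


def blast_radius(graph, start):
    """Every account an attacker can take over after compromising `start`,
    following reset edges transitively; `start` itself is not included."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def reset_path(graph, start, target):
    """Shortest chain of resets leading from `start` to `target`, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def roots(graph):
    """Accounts that nothing else can reset. Getting in requires beating their own
    login, so this is where a strong password and a second factor matter most."""
    targets = {b for edges in graph.values() for b in edges}
    return {a for a in graph if a not in targets}


def mutual_reset_pairs(graph):
    """Pairs of accounts that can each reset the other: a loop means both are only
    as secure as the weaker of the two reset functions."""
    names = sorted(graph)
    reach = {n: blast_radius(graph, n) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if b in reach[a] and a in reach[b]]


def rank_by_blast_radius(graph):
    """Accounts ordered by how much an attacker gains from owning them."""
    return sorted(graph, key=lambda n: (-len(blast_radius(graph, n)), n))


if __name__ == "__main__":
    for name in rank_by_blast_radius(RESET_GRAPH):
        print(f"{name:17s} -> {sorted(blast_radius(RESET_GRAPH, name))}")
    print("roots:", sorted(roots(RESET_GRAPH)))
    print("mutual reset loops:", mutual_reset_pairs(RESET_GRAPH))
    print("yahoo -> work_mail:", reset_path(RESET_GRAPH, "yahoo", "work_mail"))
```

In this constructed graph the phone number, not the primary mailbox, is the single most valuable target, and the forgotten Yahoo account forms a loop with gmail, so its car-colour question is effectively the reset question for everything gmail can reset. Filling in your own accounts tends to produce similar surprises.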
How are you handling password reset functions to reduce the risk of them becoming an easy avenue for attackers? Please let us know in the comments below!
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.