As I was reading the article detailing Mat Honan’s multiple account compromise (read the Wired article about it), I was surprised at how easy it was to completely subvert standard security processes around user verification. The entire hack was possible because the attackers were able to gather easily attainable information about Mr. Honan (his name, address, and email) and then use that information against Amazon and Apple to gain access to his accounts. The worst part is that the two companies undermined each other: Amazon would expose the last four digits of a credit card to a caller who only knew the name, address, and email, and Apple would accept those same four digits plus the billing address as proof of identity for a password reset.
So I asked myself, “What could have been done differently? How could these processes have been changed to prevent this attack?” The trick is to find something that is easy to use, hard to forge, and relies on information that is hard to discover or intercept. Here are a few of the ideas that I and others have offered.
The first idea is photo verification over video chat. Here’s how it works. Customers submit a photo of themselves to the company at enrollment. If a major account change is requested (like, I don’t know, a forgotten password or adding a credit card), the CSR starts a video chat session with the customer and compares the person on the video chat with the photo the company has on record. This would be simple for a company like Apple, whose products all feature cameras and video chat capabilities.
Some people have raised concerns that privacy advocates might make a fuss about companies keeping pictures on file. But your pictures are already out there (Flickr, Picasa, Facebook, Instagram, et al.). Honestly, I think the CSRs have more to worry about. What exactly are they going to see in the video chat?
But, despite the concerns, I like this because it would be very hard to get around. If they have a valid photo on file, how are you going to fake the video chat? The two things that have to hold are that the photo was enrolled before anyone had a reason to attack the account (otherwise the attacker enrolls their own), and that the CSR actually makes the comparison rather than waving the caller through. Of course, the best part about this system is that we can call it Face Auth (not to be confused with terrible John Travolta movies).
The second idea is 2-factor authentication, which was highlighted in the Wired article. If Mat Honan had Google’s 2-step verification turned on, this entire hack probably wouldn’t have been possible. 2-factor auth is good, but not a lot of companies are going to implement it. It costs the company too much up front, and there are a lot of support and maintenance costs that go along with 2-factor auth (lost tokens, enrollment, recovery). I love 2-factor auth as much as the next (security) guy, but I just don’t think it’s realistic to expect companies like Apple, Amazon, and the like to adopt it.
Plus, you have the problem of token sprawl. As a user, how many tokens would you acquire before you said, “Enough!”? If Amazon and Flickr and Google and Barnes & Noble and Reddit and Twitter and Facebook and more all required their own token, users would revolt. They would opt out and go back to plain passwords.
The third idea is out-of-band verification by text message, and it might be a good fit for a lot of organizations. Before any major change is made, a text message containing a verification code is sent to the mobile phone number the company keeps on file. The user then reads the code back to the CSR, who types it in, to verify that the user is who they say they are. A few details matter for this to actually work: the code has to be random and short-lived, it has to be good for a single use, the number of wrong guesses has to be limited, and the CSR should only ever receive the code from the customer and never see it themselves. Most importantly, the phone number on file must not be changeable through the same weakly verified phone call, because otherwise the attacker simply changes the number first, exactly the way the attackers added a new email address to Mr. Honan’s Amazon account.
The nice thing about this method is that it is simple and could be used by almost all users, since it needs nothing more than a mobile phone that receives text messages.
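To make the text-message idea concrete, here is the server-side half of that CSR workflow as an added example in Python. It is not code from the original post or from any of the companies mentioned; the SMS gateway is a hypothetical callable passed in by the caller, and the phone number, account id, and outbox are constructed sample data. It shows the checks the paragraph asks for: a random six-digit code, a five-minute lifetime, a single use, a cap on wrong guesses, and a comparison the CSR can only make with what the customer reads back.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6          # digits; short enough to read over the phone
CODE_TTL_SECONDS = 300   # a code is only good for five minutes
MAX_ATTEMPTS = 3         # wrong guesses before the code is burned
DIGITS = "0123456789"


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class OutOfBandVerifier:
    """Issues one-time codes to the phone number on file and checks what the
    customer reads back to the CSR. The CSR never sees the code itself."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical gateway: callable(phone_number, text)
        self._clock = clock         # injectable so expiry can be exercised in tests
        self._pending = {}          # account_id -> PendingCode

    def issue(self, account_id, phone_on_file):
        """Generate a fresh code and send it to the number already on record."""
        code = "".join(secrets.choice(DIGITS) for _ in range(CODE_LENGTH))
        # Re-issuing replaces any earlier code, so only one code is live per account.
        self._pending[account_id] = PendingCode(code=code, issued_at=self._clock())
        self._send_sms(
            phone_on_file,
            f"Your verification code is {code}. Read it to the support agent on the "
            f"line with you. It expires in {CODE_TTL_SECONDS // 60} minutes.",
        )

    def verify(self, account_id, spoken_code):
        """Check the digits the CSR typed from what the customer read back.
        Returns one of: ok, no_code, expired, mismatch, locked."""
        pending = self._pending.get(account_id)
        if pending is None:
            return "no_code"
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return "expired"
        pending.attempts += 1
        # Customers say "one two three four"; keep only ASCII digits before comparing.
        candidate = "".join(ch for ch in spoken_code if ch in DIGITS)
        if hmac.compare_digest(candidate, pending.code):
            del self._pending[account_id]   # single use: a replayed code is refused
            return "ok"
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[account_id]   # burn the code; the CSR must issue a new one
            return "locked"
        return "mismatch"


class FakeClock:
    """Constructed clock so the demo can fast-forward past the code's lifetime."""

    def __init__(self, now=1_000_000.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def code_from_sms(text):
    """Pull the digits out of the constructed message, as the customer would."""
    return text.split()[4].rstrip(".")


def run_demo():
    """Constructed walkthrough: happy path, replay, wrong guesses, and an expired code."""
    outbox = []  # constructed stand-in for the SMS gateway's outbound queue
    clock = FakeClock()
    v = OutOfBandVerifier(send_sms=lambda phone, text: outbox.append((phone, text)),
                          clock=clock)
    account, phone = "acct-42", "+15555550100"   # constructed sample account
    results = {}

    v.issue(account, phone)
    code = code_from_sms(outbox[-1][1])
    results["ok"] = v.verify(account, " ".join(code))   # customer reads it digit by digit
    results["replay"] = v.verify(account, code)         # same code again is refused

    v.issue(account, phone)
    code = code_from_sms(outbox[-1][1])
    wrong = str((int(code[0]) + 1) % 10) + code[1:]     # guaranteed not to match
    results["wrong1"] = v.verify(account, wrong)
    results["wrong2"] = v.verify(account, wrong)
    results["locked"] = v.verify(account, wrong)

    v.issue(account, phone)
    code = code_from_sms(outbox[-1][1])
    clock.advance(CODE_TTL_SECONDS + 1)
    results["expired"] = v.verify(account, code)
    return results


if __name__ == "__main__":
    for step, outcome in run_demo().items():
        print(f"{step:8s} -> {outcome}")
```

The design point is that `issue` takes the phone number from the account record rather than from the CSR, and `verify` only ever receives what the customer reads back, so a convincing caller cannot talk the agent into reading the code to them. Whether the number on file can be changed during the same call is a policy question this code cannot answer; it has to be answered in the CSR process around it.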
Whatever is done, I think Mat Honan’s experience clearly shows that processes around user verification need to be re-examined and better processes need to be put in place, and that those processes need to be checked against what the other companies a customer uses are willing to give away.