Tuesday, May 22, 2012

Password Security: When the Problem Exists Between Keyboard and Chair

Tl;dr When a third party asks for information that allows them to reset your passwords for other services, you should be very wary.

Technology Review has an interesting story about a potential security hole in gmail. Basically, it works like this:

1. A hacker's site offers the user a discount, teaser or similar and asks them to enter their gmail address.
2. The hacker's site sends a request to gmail to have an account verification code sent to the user's cellphone.
3. The hacker's site asks the user to enter the verification code they received from gmail into the hacker's site.
4. The hacker uses the verification code to hijack the gmail account.

As the comments on that article point out, this is not actually a technical loophole. It is a prime example of PEBKAC: Problem Exists Between Keyboard And Chair. The verification code is effectively a one-time password reset credential, and one would hope that your average user would be smart enough not to hand such a code to a third party they had only just encountered.

Unfortunately, there is no foolproof way to protect gullible users from themselves, and it is far more important that the millions of gmail users who do use the SMS password reset process properly keep access to it than it is to simply disable it for everyone. In other words, this is not really a security flaw so much as an unfortunate externality of a very useful password reset system. In the same way that a bank safe cannot be secure if the bank manager writes the combination on the front door, no password security protocol can stand up to a user divulging sensitive information.

Moral of the story: any time a third party requests secure information from another service you use, whether that is login info, password info, security questions, verification codes, etc., alarm bells should go off. Before you supply any such information, try your hardest to determine the provenance of the requesting party.
