Problems with Multifactor Authentication

Roger Grimes on why multifactor authentication isn’t a panacea:

The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in. It turns out that the VP had approved over 10 different push-based messages for logins that he was not involved in. When the VP was asked why he approved logins for logins he was not actually doing, his response was, “They (IT) told me that I needed to click on Approve when the message appeared!”

And there you have it in a nutshell. The VP did not understand the importance (“the WHY”) of why it was so important to ONLY approve logins that they were participating in. Perhaps they were told this. But there is a good chance that IT, when implementing the new push-based MFA, instructed them as to what they needed to do to successfully log in, but failed to mention what they needed to do when they were not logging in if the same message arrived. Most likely, IT assumed that anyone would naturally understand that it also meant not approving unexpected, unexplained logins. Did the end user get trained as to what to do when an unexpected login arrived? Were they told to click on “Deny” and to contact IT Help Desk to report the active intrusion?

Or was the person told the correct instructions for both approving and denying and it just did not take? We all have busy lives. We all have too much to do. Perhaps the importance of the last part of the instructions just did not sink in. We can think we hear and not really hear. We can hear and still not care.

Posted on October 21, 2021 at 6:25 AM

Comments

Peter October 21, 2021 6:49 AM

I kind of understand the VP position.

Many systems, not necessarily this one, are many times too complicated and flawed.

You can question them. Sometimes you get more insight into them. But far too many times the lesson learned is that you can’t change the flawed design.

So when a new system comes in and you don’t fully understand it, why bother questioning it.

Charlie Todd October 21, 2021 6:54 AM

The one variation I’ve seen work is to give the user multiple choice and they have to select information currently on the screen. Like a dynamic two-digit code. An improvement to the design would be for the Deny/Approve buttons to be “I didn’t request this code” and “Confirm.” Then the deny button results in a notification to the security team.

Ted October 21, 2021 7:19 AM

At my work the IT group sends ‘test’ phishing emails. If you suspect it is a nefarious email, you click a button in Outlook that says ‘Report Phishing.’

You get an immediate pop up box that says “Good job…” if you caught on to their test. Otherwise, they say something to the effect of… thank you and they are looking into it. Then they follow up shortly telling you if the email is actually legit or if it was spam.

The only one I ever got tricked on was a work ‘pet costume contest’ email. When I clicked on a link, I got a popup box that said phishers often use emotional content like this.

Well I didn’t click on that email this year. But I still like cute pet costumes.

flasker October 21, 2021 7:34 AM

At my organization we use Azure Active Directory for our IDP/MFA solution. We spent months trying to develop clear descriptions of when users should receive MFA prompts. The various configurations for token lifetimes did not seem to behave consistently. We could force MFA every time at every sign in, but this was deemed unacceptable from a user experience perspective. With token refresh cycle, if you keep your browser open you might go days without a fresh MFA prompt. This story shows the importance of getting these descriptions into language the users can understand. Maybe it would be easier if we described when they should NOT expect MFA prompts.

edith October 21, 2021 9:00 AM

At my work the IT group sends ‘test’ phishing emails. If you suspect it is a nefarious email, you click a button in Outlook that says ‘Report Phishing.’

Have the IT group ever tried putting a “Report Phishing” button inside the email? That’s how I’d phish a company after hearing about this policy. “Congratulations, you passed the test! Please enter your login to record your success.”

I used to have ssh-agent/gpg-agent set up to prompt for confirmation, but that turns to be a pain in the ass for various reasons. The prompt never said what program was requesting access or why; often I’d started and mostly forgotten about some background task a minute ago. The default button was “yes”, so often I’d press Enter from some unrelated typing and accidentally allow it anyway. The “confirmation” setting was completely ignored for ed25519 keys. And if I were ssh’d into the machine, the prompt would sometimes appear on a different ssh session; I’d be sitting there like an idiot wondering why my command was hanging.

My bank does an automated phone call for web-banking 2FA. Apart from sucking in general (insecure, and problematic while traveling), it reads the code before saying what it’s for. “Your access code is… 1..2..3..4..5..6… for your… login”—and I’m always glad it didn’t say “giant wire transfer” at the end, because by then I’ve already typed the code. Dammit, Unnamed Bank, use TOTP or better yet my debit (smart)card as the second factor. (Even the old-school method of a printed and mailed set of codes is better than a phone call or text.) Worse, when I need to phone the bank for whatever reason, the second factor is my birthdate or account balance or some shit like that. (“I’m logged into your site right now; can’t you just send me a random code via that site?”—”No.”)

Peter A. October 21, 2021 9:08 AM

One part of a problem is reliance on customer- or employee-owned devices. Big organizations have to implement the least common denominator technique (such as plaintext SMS) or issue their own devices, which induces extra costs and annoys customers, who expect to have their whole life being dependent on one shiny rectangle in their pocket. Carrying an extra gizmo is out of question for them.

Many years ago a company I worked at issued physical tokens as 2FA for remote access authentication. Then, after a blunder at the well-known token company, for an inexplicable reason they refused to issue a replacement physical token when the current one expired, but told me to go with software token from the same company instead. However, I did not have any device the software would run on. Well, what goes out, must come back in, so I hacked up my own remote access channel (arguably, even more secure than the original one). I left the company some time after that.

Banks used to issue hardware tokens in the past; now they don’t, even if you agree to pay extra. Very few issue OTPs still, which I consider safer than SMS – you can’t remotely hack (think SIM-swap) a piece of paper or plastic. Now the choice is between SMS (sometimes) and an app with push notifications.

I still refuse to own and carry a “smart” phone, but accept the tradeoffs connected to carrying a “dumb” phone – which I can switch off and on as needed.

Fred October 21, 2021 9:11 AM

So I read the referenced LinkedIn post, and watched Kevin’s video (I wondered what became of him).
WHERE DOES THAT SSH SESSION COME FROM?

He just presents it as a fait accompli

Well, duh. If you can monitor traffic or have some other sniffer running, of course it can compromise a session.

While I agree with the point that all MFA is hackable, this demo is uncomfortably close to snake oil.

Chelloveck October 21, 2021 9:39 AM

@Fred: My employer has inflicted KnowBe4’s training videos on us in the past. They’re not the worst I’ve ever seen, but they’re far from good. One year the annual training told us that the only safe email attachment type was .TXT, which was always safe to click on. Thankfully the next year’s version had that particular bit of foolishness removed. I don’t think there’s been a year yet where I didn’t say at some point, “I know which answer they want me to select. And I know which answer is correct.” Would not recommend. Though they do provide an afternoon’s worth of bemusement around the water cooler / slack channel as people compare wtfs.

echo October 21, 2021 11:10 AM

Or was the person told the correct instructions for both approving and denying and it just did not take? We all have busy lives. We all have too much to do. Perhaps the importance of the last part of the instructions just did not sink in. We can think we hear and not really hear. We can hear and still not care.

This is a generic/strategic problem across the board. Only this past year there is some information I needed to propagate through the UK state administrative system. For one reason or another I have run into protocols and policies and implementation including individual interpretations of what should be done or how people believe the system does or should work and little focus on the “why”. Add in multiple departments and individual interpretations of law etcetera… It all gets a bit messy and circular.

This week I decided to activate a protocol with security and national security policy relevance. (It’s not a fraction as dramatic as it sounds.) The information I passed on, on reflection, lacked one component which normally should be implied so I thought I would get ahead of this. Thankfully the staff I dealt with were helpful which saved resubmitting information.

The annoying thing was I couldn’t get things done on the phone because… national security. On the plus side if anyone wants to cause a mischief… national security.

echo October 21, 2021 11:22 AM

As a follow up: I forgot to add the protocol I invoked involves roots of trust and multi-factor security of various forms.

Coincidentally, on a not directly related issue I also gained lawful access to another system today. There are security checks in place within this system. Getting that sorted out involved passing security checks elsewhere which I organised some months ago so when system X talked to system Y it didn’t throw a hissy fit. Other similar systems have additional gold plating for political reasons with no supporting law and no published risk analysis even when their gold plating contradicts authoritative published opinion by a relevant regulator.

I’m not even going to bother writing up the red faced bulging eyes empire building hissy fits if you have the temerity to fill in a complaint form.

Impossibly Stupid October 21, 2021 11:26 AM

Panacea? MFA isn’t even a good idea, and I wish security professionals would stop pretending it is. Certainly the VP isn’t without blame, but the biggest error is trying to externalize the cost of security on to someone who has no expertise in that field. If your authentication process requires users to do absolutely everything right at all times, you’ve done a poor job of architecting your system.

I mean, take those 10 mistaken MFA approvals. I’m 100% certain that there were many signs that the activity was suspicious (e.g., access via foreign IPs), but that information was probably completely ignored. Likewise, no single person should be trusted to the extent that apparently this VP was over the operation of their entire IT infrastructure. If that was a management decision, the CEO bears a significant portion of the blame, too.

Ted October 21, 2021 1:08 PM

@Chelloveck

One year the annual training told us that the only safe email attachment type was .TXT

The most used business file 😉

Rombobjörn October 21, 2021 2:20 PM

The paragraphs that Bruce quotes talk about “push-based MFA”. That method has a huge fundamental flaw in that the second factor is sent over a side channel. The authentication is decoupled from the session. I can’t understand how anyone can think that’s a good idea. Obviously authentication must be done in the session that is to be authorized.

The Swedish proprietary BankID protocol has this flaw, and it enabled an outbreak of fraud a few years ago. The attacker would call the victim and say something confidence-inspiring. They might for example claim to be calling from the bank or the police. Then they’d ask the victim to prove their identity, while at the same time attempting to log in to the victim’s bank account. The bank would then send an authentication request to the victim’s BankID app. The victim, who had just been told to expect this, would approve the authentication, and the attacker was then logged into the victim’s bank account.

The banks eventually worked around the design flaw by displaying a QR code in the web interface to be read by the BankID app, which links the side channel to the session, but using the QR code is optional on the server side. The BankID cartel has been pushing rather successfully for their proprietary protocol to be used for authentication everywhere, and various other places still use it in fraud-inviting mode.

Clive Robinson October 21, 2021 4:08 PM

@ Fred, ALL

… watched Kevin’s video (I wondered what became of him)

Kevin Mitnick is still around but he’s getting on for 60, so he’s probably slowing down a bit, like many a body around here 😉 I hear however he’s still handing out “lock pick business cards”.

His tie up with KnowBe4 back in 2012 did provide some fun reading[1] in the trade press and even MSM,

“The biggest risks to information security are the people. Studies have shown that most security incidents start from within, and are usually accidental,” explained Mitnick, citing the use of social engineering tactics by cybercriminals. “All it takes is one person making a bad decision to compromise the entire business.

So not much has changed in the past decade, if not way longer…

It’s that “one person…bad decision” aspect, that makes one of the first questions I ask,

“What is the business case for having that system connected to the Internet”.

As I’ve mentioned before, when you clear away the MBA Mantras, there often is no real business case at all other than in some limited cases “cost reductions”.

Which brings up another major issue, “short term risk” the “It ain’t going to happen next quarter, but bonuses are” thinking that pervades much senior management means in reality there is little or no buy-in to any real security no matter how many C-suite Execs “mouth the mantras”

The attitude is “Money not spent on costs is there to make profit” or the old “Money left on the table” reasoning. Which actually pervades the US almost everywhere you go, you can see it in all the infrastructure with “bodge job repairs” and “lowest bid maintenance”.

I suspect that some living in South / West states who have had utility crisis after utility crisis year after year, will be stunned to hear that in London and the South East of England utility outages are so rare they come as a major shock. The same with many other places in Europe.

Near where I was born, back in the early 1950’s they put up electricity pylons. I know that for at least the last 50 years they have not given any problems and needed very little maintenance. Similarly major underground cables in SW London. The usual cause of problems is “JCB Jimbo” digging a trench where he should not be and going through armoured cables “eventually” (Yup it’s rare for them to do it without lots of warning signs they just ignore).

It would be unfair of me to say “The US is falling apart” because there are worse places in the world. I just happen not to reside in them and the poverty that results from such short term thinking.

I’ll let others say what they think is good or bad, but seriously an outage once a decade for a utility where I live is considered to be unacceptable.

[1] Took me a while to find the quote,

https://www.prnewswire.com/news-releases/kevin-mitnick-partners-with-knowbe4-159403195.html

I remember thinking at the time “tell me something I don’t know” as I’d got tired telling it to others knowing full well it would go in one ear, followed by a knee jerk tick in the checkbox, then straight out the other ear…

stevej October 21, 2021 9:44 PM

@Fred • October 21, 2021 9:11 AM

  1. Mitnick is hacking himself for the demo. He’s created the phishing email, which implies registering a mail domain, and created the Man-in-the-Middle attack (Proxy Website for LinkedIn login).
  2. The SSH session connects to the Proxy Website he’s set up and displays credentials.
  3. In answer to your question, “Where did the SSH session come from?”

     A: Kevin created that beforehand, connecting to the Proxy Website he was running for the demo.

He left a blank terminal screen to avoid leaking any information,
just as that password would’ve been valid only for the duration of the demo,
and possibly a one-off username for the demo.

wiredog October 22, 2021 6:18 AM

First, MFA works well if it’s a hardware token of some sort. “Something you have”. YubiKeys, for example, or the “RSA SecurID(TM)” token. Here at work we use the latter, and elsewhere I use the former.

One problem that is getting more and more common is that more and more commercial software insists on being connected to the internet so that it can “Phone Home” to validate licensing and, presumably, aggregate data on what you’re doing to sell to third parties. Our customers, in the IC and DoD do NOT like this, and a lot of work is moving from the commercial world to open source as a result.

Biotronic October 22, 2021 7:20 AM

At a previous job I suddenly received an email claiming to be ‘mandatory computer security training’, with a link to some external site where said training was purported to occur. Having received no notification that such training would occur, I deleted the email. The next day, I received a part 2.

This happened for about a week before my manager showed up at my office and asked why I hadn’t completed the mandatory training. I replied I don’t click on links in unsolicited emails.

Ted October 22, 2021 8:18 AM

@Biotronic

This happened for about a week before my manager showed up at my office and asked why I hadn’t completed the mandatory training. I replied I don’t click on links in unsolicited emails.

Lol! I respect that! Those emails would be more appropriate if they notified you there was new training material and then allowed you to navigate there by going through the company intranet site or the like – not clicking an email link. I would have loved to see the look on your manager’s face 🙂

AlanS October 22, 2021 6:09 PM

Bank of America used to issue RSA SecurID cards (SafePass) but they weren’t used for login; I think they just required them for large transfers. For logins they sent OTPs by SMS. A few months ago they did away with SafePass and switched to FIDO security keys such as YubiKey. These can be used for logins instead of SMS OTPs.

echo October 22, 2021 11:11 PM

Google has just proved that 2FA can be repurposed to keep you attached via a lead and obsolete your key any time they like. Is 2FA about security or just another way to squeeze money and data out of us? We already know the answer to that….

Clive Robinson October 23, 2021 7:11 AM

@ echo,

Google has just proved that 2FA can be repurposed to keep you attached via a lead…

At the end of the day 2FA, like encryption, is just a “building brick” for producing systems.

Like all bricks it can be used in many ways to do many things. It’s why[1] I say,

Technology is agnostic to use

And that it is,

It is the Directing mind that decides the use.

The observer decides if the use is good or bad.

Which is why I also say, technology should not be used to try to force societal issues, as like so much bad legislation and regulation it will fail in that purpose and almost certainly become weaponised against members of society.

Which means that in what you are saying,

1, Google is the Directing mind.

It owns the systems and services it provides to its,

2, users
3, customers

Who are both observers and it is their point of view that decides good or bad.

Google has claimed “To do no Evil” but many observers in the more general case of,

4, Society

Disagree, some vehemently so and with good reason. Because Googles view is they exist to provide value to,

5, Owners and Share Holders.

And that the “value” is obtained by misappropriation of information obtained under duress of Google Alphabet’s monopolistic position.

Whilst Google Alphabet can be seen as a “flag ship” enterprise in this behaviour the real issue is that of users interacting with other members of society who have not chosen to use Google Alphabet’s services.

It’s the reason I do not use Email any longer. It is likewise one of the reasons I do not use any consumer level “secure” service or devices that have “connectivity” beyond my desired use[2]. The other being I can show they have all been fundamentally designed so that they will be insecure in use.

One major problem is society supposedly has expectations of how its members will communicate. Currently the view point being pushed by corporations and governments –undesirably in my view– is into “total electronic communications” that is all subject to “Collect it all” policy not just of corporations but governments as well. My view point is not just that this is unhealthy for society but it will destroy society as the majority of citizens currently believe and want it to be.

But the question arises as to how to still be part of society without participating in “a pact with the Devil”?

That is how to avoid not just “collect it all” but the “loss of control”. Whilst there are ways to avoid the effects of “collect it all” these are beyond most people. However there are ways many can “take back control”.

For a select few using devices and services where you do have the level of control you want is available but market forces are closing this down.

In some cases this is by using older devices where you still had control, but as they are no longer made this has a limited future. In others by building your own devices and services, but at some point legislation or regulation will stop this approach.

Which leaves an area I’m looking into which is by introducing new layers. For several millennia mankind has known that there are two parts to a communication, the actual message and the message carrier. They also knew that the carrier could not be trusted, so they introduced a third layer to go between the message and the messenger and that is what we call cryptography etc, that is,

“The art and science of codes, ciphers, and hiding information in plain sight”

All methods were used until towards the end of the Victorian era, when ciphers gained predominance and slightly later machine ciphers beyond simple mechanical devices were invented.

The problem with ciphers is that they “Turn the ordered into the disordered” and “disordered” is way way too obvious in use at oh so many levels.

More importantly ciphers have become an intellect sink hole at the expense of other methods of securing information in transit. I feel it is time that this should be changed as the product of this like the OTP did for ciphers is possible for plain text. Which if introduced as a layer between the message and the carrier of that message, would secure the actual message from the apparent message that could be given to anyone even broadcast far and wide.

But as importantly there are layers that can be introduced that make even make “collect it all” effectively impotent. There have been small steps in this direction with “mix nets” but we can go a lot lot further with them.

But at the end of the day the question still remains of

“What do we the citizens want society to be?”

And that is a question only society can answer, not technology or even legislation.

[1] Some object to my use of “agnostic” saying it is only about “gods”. Well though I did not start the use of agnostic in computing as a domain specific term it is used as such and has been for quite some time. See,

https://dictionary.cambridge.org/dictionary/english/agnostic

Under “agnostic adjective (COMPUTING)”. Arguably my use is half way between the two because I am saying that any technology can be used for what are considered “traits of gods” that is good, bad, evil etc.

[2] Put basically any user of a communicating device or service provides information that can be collected by others that is unavoidable if you use them. The question then is “Who has control, the user or the provider of the device?”. The answer these days for by far the majority of devices and services is “Not the user”. So much so that the only way to have any control is by avoiding the “Hobson’s Choice” and “Not participating” in Hobson’s business. That is by,

1, Not traveling,
2, If available use another livery services whose terms you prefer,
3, Have your own horse etc.

I tend towards 3 as 2 suffers from the unregulated market spiral problem where they all sink to the lowest common denominator where Hobson already is…

JonKnowsNothing October 23, 2021 5:02 PM

@Clive

re: One major problem is society supposedly has expectations of how it’s members will communicate.

But the question arises as to how to still be part of society without [tech devices]

Sadly I have come to the personal conclusion that there is no means for my own future participation as such, given the demands that “you MUST have XYZ device” and “ABC App on it”.

While this will be no great loss in the grande schemes of governments and corporations it will have a serious impact for me.

Recently I was able to get a refinance on my house. It’s a service very much in demand after our initial rounds of SARS-CoV-2 when governments recognized that housing and food was paramount for society to continue (in the same direction). Now that these supports have been withdrawn, refinancing is a must-do.

Of course, nothing during this process went as planned or at least planned by the web-devs because my system is ancient and it cannot display all the whizzbangs and emojis flashing on the screen and they omitted a few important checks in the on-line application that caused the whole thing to collapse into the Great Bit Bucket In The Sky.

Fortunately I had a contact at the bank with a real phone and a real person answering it and doing Voice Over Phone, the bank was able to get the thing moving and 4+ months later and a good number of chasms traversed, the thing is done.

I’m sure it will be the last time this process will/can be done this way. There are no backup methods or options for those without plugged-in devices to access such functions across an entire spectrum of services, Civil and Regulatory.

The upshot of the whole sorry collapse is that the entire population of under served members of society become even more unnoticed and have less and less interactions as those systems become more distant.

The Collect It All falters because as people are no longer able to Connect the numbers skew dramatically. The 3Ls and $$COs have to fill in their reports with the results of “negative space” – where there should be a connection and there isn’t. The AI-Bias becomes more tilted because it can only count what’s there and extrapolate what isn’t there (the negative space).

Samuel R. Delany in one of his stories, (We, in Some Strange Power’s Employ, Move on a Rigorous Line) detailed the interaction between those without connection and a mandatory requirement to have a connection and what changes the connection by its presence alone created.

It will be a different experience no doubt, but what’s expected is not what’s possible. There isn’t enough bandwidth in the society for it to be anything else.

I have one positive fall back, I grew up without such devices. I can read a paper map. I have skills that newer generations never learned.

===

@Clive
re: Have your own horse

Sad to report that my horse developed an inoperable cancer and was put to sleep. Horses that have “pink skin” are susceptible to aggressive skin cancers. Oddly, the cancer rarely appears on the pink skin areas but appears on the belly, external organs and under the tail. The vet was able to keep the cancer under control for a number of years (removal of external tumors) but a cancer tumor grew very aggressively internally. It was not operable.

A farm story for another day: Properly disposing of a 1200 pound animal carcass. You might consider how that applies to all the animal culls involved in the supply chain wobbles and factory farm disease outbreaks.

Clive Robinson October 23, 2021 6:51 PM

@ JonKnowsNothing,

Sad to report that my horse developed an inoperable cancer and was put to sleep.

I’m sorry to hear that. Whilst I am not keen on horses myself and give them more of a wide berth than I do bulls, I have seen the relationship people develop with their horses over the years. In some ways the bond can be stronger than with family members.

I understand the difficulty of arranging for the safe removal etc of a large animal having been on the periphery of mass culls of cattle in the UK some years back. It is I suspect not something that most could stomach watching.

I don’t know what the US regs are but in the UK even burial of farm and similar animals requires one heck of a lot of planning and paperwork. Surprisingly rather more than is required to bury a relative in your back garden.

David Leppik October 24, 2021 12:29 PM

One thing that keeps bugging me about that story is how the person just hit “Approve.” Almost none of the 2FA systems I use work with that. Nearly all of them have you type a number into a login screen.

If your 2FA just says “Approve” or “Don’t Approve” then you have no idea what you are approving, or if you are approving the right thing. If this company’s 2FA system worked that way, the attackers would have had to get someone to tell them a string of digits—which isn’t just an immediate red flag for even the security-naive, but requires them to be able to contact that person.

The one case I work with that has “Approve” or “Don’t Approve” is when an Apple Watch connects to a computer. This isn’t so bad when it specifies “Jordan’s iMac Pro” but not so helpful when it just says “MacBook Pro” in an office with several of those.
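The session-bound prompt that Charlie Todd, Rombobjörn and David Leppik describe (a code shown on the login screen that the app must echo back, a push prompt that says where the login is coming from, and a Deny that alerts the security team), as an added example that is not code from the blog post or any commenter; class names, messages and the sample IPs are hypothetical:

```python
"""Push-based MFA with number matching: binding the approval to the session.

Added example (not code from the blog post or any commenter). The login
screen shows a short code generated for this session, the push prompt
shows the login context but not the code, and the app must send the code
back. A bare "Approve" authorizes nothing; "Deny" raises an alert.
Class and function names are hypothetical; sample IPs are constructed.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL = 60  # seconds a pending prompt stays valid (assumed policy)


@dataclass
class Challenge:
    session_id: str
    user: str
    code: str        # displayed on the login screen only
    context: dict    # displayed in the push prompt only
    created: float
    state: str = "pending"   # pending / approved / denied / expired


class PushMFAServer:
    def __init__(self, now=time.time):
        self.now = now           # injectable clock so expiry can be tested
        self.pending = {}        # session_id -> Challenge
        self.alerts = []         # what the security team would see

    def start_login(self, user, session_id, source_ip, client):
        """Create a session-bound challenge; return both channel payloads."""
        code = f"{secrets.randbelow(100):02d}"   # two-digit number match
        ch = Challenge(session_id, user, code,
                       {"ip": source_ip, "client": client}, self.now())
        self.pending[session_id] = ch
        login_screen = {"session_id": session_id, "code": code}
        push_prompt = {"session_id": session_id, "context": ch.context}
        return login_screen, push_prompt

    def respond(self, session_id, user, decision, typed_code=None):
        """Handle the app's answer. Only a matching code can approve."""
        ch = self.pending.get(session_id)
        if ch is None or ch.user != user or ch.state != "pending":
            return "rejected"
        if self.now() - ch.created > CHALLENGE_TTL:
            ch.state = "expired"
            return "expired"
        if decision == "deny":
            ch.state = "denied"
            self.alerts.append({"user": user, "context": ch.context,
                                "reason": "user denied an unexpected prompt"})
            return "denied"
        if typed_code is None or not hmac.compare_digest(typed_code, ch.code):
            ch.state = "denied"          # a failed match burns the challenge
            self.alerts.append({"user": user, "context": ch.context,
                                "reason": "approve without matching code"})
            return "rejected"
        ch.state = "approved"
        return "approved"


def scenario_legitimate():
    # The user reads the code off their own login screen and types it in.
    srv = PushMFAServer()
    screen, _push = srv.start_login("vp", "s1", "203.0.113.7", "Outlook Web")
    return srv.respond("s1", "vp", "approve", typed_code=screen["code"])


def scenario_blind_approve():
    # Someone else started this login; the user just taps Approve.
    srv = PushMFAServer()
    screen, _push = srv.start_login("vp", "s2", "198.51.100.9", "unknown browser")
    first = srv.respond("s2", "vp", "approve")            # no code to match
    second = srv.respond("s2", "vp", "approve", typed_code=screen["code"])
    return first, second, len(srv.alerts)                  # challenge is burnt


def scenario_deny():
    # The user was not logging in and presses Deny: the security team hears.
    srv = PushMFAServer()
    srv.start_login("vp", "s3", "198.51.100.9", "unknown browser")
    return srv.respond("s3", "vp", "deny"), len(srv.alerts)


def scenario_expired():
    # A stale prompt cannot be approved even with the right code.
    clock = [1_000_000.0]
    srv = PushMFAServer(now=lambda: clock[0])
    screen, _push = srv.start_login("vp", "s4", "203.0.113.7", "Outlook Web")
    clock[0] += CHALLENGE_TTL + 1
    return srv.respond("s4", "vp", "approve", typed_code=screen["code"])


if __name__ == "__main__":
    print(scenario_legitimate(), scenario_blind_approve(),
          scenario_deny(), scenario_expired())
```

The push prompt never carries the code, so a user who is not looking at a login screen has nothing to type and a reflexive tap cannot let anyone in.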

echo October 24, 2021 1:39 PM

@JonKnowsNothing

The upshot of the whole sorry collapse is that the entire population of under served members of society become even more unnoticed and have less and less interactions as those systems become more distant.

In the UK there are regulatory and legal obligations including but not limited to the Public Sector Equality Duty among others. Unfortunately the reckless far right government we have in charge at the moment hasn’t just carried on with “light touch regulation” but has filled the majority of public bodies with their own placemen and placewomen and has complete disdain for human rights. You won’t find much coverage of this in the media which is a shadow of its former self and the majority of which are gushing at one end and nod along at the other.

We’ve gone from discussing practical measures to fix the “digital divide” to a narcissistic sociopath and cosplaying Walter Mitty at the top gushing about “levelling up” and the “high quality, high wage economy”. The cognitive dissonance is really quite embarrassing.

David Sturt October 25, 2021 6:12 AM

Reminds me of when they introduced ATMs and some bank manager handed passwords and access codes to the machines to junior staff, which resulted in thefts. The same bank managers wouldn’t hand over access to the bank’s vaults but felt comfortable handing over access to the ATM because typing in codes was the work of junior staff.

Education is important, though even when the bank managers knew the passwords gave access to the money, they handed them out. In the same way I imagine there will be some always hit approve, for example – if they share the credentials with someone else.

Clive Robinson October 25, 2021 12:53 PM

@ David Sturt, ALL,

Education is important, though even when the bank managers knew the passwords gave access to the money, they handed them out.

Because in most cases that is what someone on a higher paygrade laid down rules to follow…

A true story about a UK Building Society,

As you may be aware bank staff have to take holidays with at least one being for two weeks as a minimum. This rule has been in place for what feels like forever, and some have forgotten why it is there. Basically it’s to help prevent fraud or theft by bank staff; the theory was that if they were doing something they should not, it would be discovered by their stand in.

Whilst that works with books and ledgers, where access control is physical, it does not work as well where the access control is information. Because whilst you can fairly easily stop physical access, it’s quite hard to make someone forget information like a PIN etc. The only resort is to change the information and sometimes that can be extremely problematical.

As many know the data traffic between an “Auto-Teller Machine” (ATM) and the backend systems in the banks is by a “leased line” that you could access simply by lifting the right “man-hole” cover, or opening the right “frame cabinet” and connecting to the wire pairs with croc-clips. So they encrypted (DES at the time) the traffic. Unfortunately the same key was used across their entire ATM network because of the way the back-end systems had been set up…

But the “key” was only held in RAM in the ATM and was easily deleted by tamper sensors etc. Some of which were sensitive enough to be tripped when a heavy vehicle went by, which happened frequently enough that “sending some one from head office” was a pain…

So it was decided that “Branch Staff” should type in the key…

So to stop people knowing what the key was they split it in half giving 1234 to Managers and 5678 to Assistant Managers… Those were the rules that came down from head office…

Well when Managers went on holiday their job would be given to an Assistant Manager from another branch who was likely to be promoted to test them out and give them experience.

Likewise Assistant Managers got promoted to new branches or when a branch Manager was promoted or retired. The rule however was it was always to a different branch “for security”; you could not be a Manager in a branch you had been an Assistant Manager in.

As part of the “step up” or “Promotion” most Managers and quite a few Assistant Managers got to know both halves of the “key”…

If all the branches used different “keys”, stepping up or promotion to a branch they had not worked in would have meant they never got to know the key, which was the intention of the split-the-key-in-half rules. But because the “key” was the same across all the branches, the security rule about moving branch failed…

Worse they did not change the key for years and as I’ve mentioned in the past, eventually the 1234-5678 halves became public knowledge…

Nick Levinson October 30, 2021 11:05 AM

Especially in big organizations, people are not hired to understand most other people’s jobs in depth, and computer security being understood in depth by unauthorized people is a security risk. (One boss told one of my coworkers in a non-security low-pay context, “[y]ou’re not paid to think.”) People are expected to be loyal and therefore to believe that other departments are doing what they’re supposed to do. Therefore, they shouldn’t ask too many questions. Therefore, IT doesn’t explain much to non-IT people. Also, most people don’t want competition for their jobs and so they limit their explanations about how they do their work.

In a campaign lasting maybe two months, in a small office with the server sitting on a central table everyone could see and having no monitor which made it distinct among computers, at the campaign’s end people were told to save their on-server files because I’ll be thoroughly erasing the server. One staffer, whose job was in fundraising and not in IT, saw all her files on her screen and had no idea what the server was and didn’t ask and didn’t save anything. Fortunately, I did, and put a Windows shortcut to them by itself on a right-hand corner of the screen. She didn’t see it. She told her boss her files were missing. Her boss asked me, the same boss who gave me the prior instructions, maybe 8-12 hours after her complaint. I told him about the shortcut and then he remembered seeing that and all was okay.

IT, of course, could explain more thoroughly, but thoroughness takes time and costs money, eyes may glaze over leading to misunderstanding and accidental misapplication, and info may be misused. I have no easy solution.

Nick Levinson October 30, 2021 11:21 AM

Amazon got me to set up 2FA without telling me that’s what they’re doing or how to reverse it. I don’t have Wi-Fi and cell service in the same place at the same time all the time. I figured out how to reverse the 2FA. They’ve tried again but now I see what’s coming and I don’t set it up.

A server manager should be explicit about 2FA and the reversal procedure. It can be mandatory where product use needing authentication is restricted to places and times where both factors can be used, like in one building.

JonKnowsNothing October 30, 2021 3:53 PM

@All

A number of on-line video games use or want to use 2FA. Stealing gamer accounts is very lucrative. Not only can the thief gain access to account level information but also to any CC on-file for in-game purchases. A good number of games have blocks to exchanging “gold for cash” or “high rank toons for cash” but the penal-leveling crowd (1) is often present and visible. If nothing else there’s the thrill of deleting everything on the account (2).

2FA is a good idea but … (there’s always a but…)

When the required item, software, connection is not available there is No 2FA possible.

tl;dr

A major game used a KeyFob (3) for 2FA. For about $40 USD you got the fob and it would transmit a code that you had to enter to login. The theory being only a person with the fob could access the account.

After a good many years, the fob batteries began to die and the fob maker company was out of business and there was a huge pile up of inaccessible accounts.

There were suggestions for alternatives, but none of them worked for me. I still have the dead keyfob as a souvenir.

===
1. Folks who are in prison and required by their legal jailers to run a scripted routine to rank up toons as fast as possible for sale to people who don’t want to play the entire game – the buyers only want to play the most recent release of the end game (meta). Getting a toon with max rank, armour, gear can be worth a multiple-number-of-zeros.

2. Most major games have a recovery mode. Nothing is deleted. Loads of toons get deleted during a Gamer-Raid-Rage and for a nominal amount of money you can recover the toon, change the name to avoid embarrassment, and switch out your cosmetic overlay for new patterns and colors.

3. There’s lots already written up on the 2FA key fob shortcomings. I’ve had them for games and also for corporate logins. Games are more fun to login to so getting locked out is not fun. No one cares much if you cannot access a corporate system: File A Ticket and go for an early long lunch and maybe an early beat-the-commute drive home.

Incorrectly November 14, 2021 6:23 PM

@Ted

Our IT department regularly sends out phishing and similar messages, often with something like, “You’ve won a Fandango $25 gift card. Click here…”. Initially, this got about 25% of users, but it’s improving.

We are a large clinic, so we send the physicians different messages, like, “You’ve received patient records from Cedars-Sinai Hospital on your patient. Please log in to the secure portal here.” Just about the same 25% hit rate there as well.

Our best(worst) hit rate was when we sent out a message confirming “Your registration and newsletter preferences for the Justin Bieber Fan Club.”

People could not smash that (phished) unsubscribe button fast enough. I think we got a 78% hit rate on that one!

Ted November 14, 2021 6:49 PM

@Incorrectly

Our best(worst) hit rate was when we sent out a message confirming “Your registration and newsletter preferences for the Justin Bieber Fan Club.”

Haha! Doctors don’t take this seriously?

🎶 I know you know that I made those mistakes maybe once or twice
🎶 By once or twice I mean maybe a couple a hundred times

I hope anyone that was phished by this was very, very early in their clinical career! It might be time for that talk. So awesome 😆

Clive Robinson November 14, 2021 7:58 PM

@ Incorrectly,

People could not smash that (phished) unsubscribe button fast enough. I think we got a 78% hit rate on that one!

Did you try with “Rick Astley”? I hear he’s popular with Russians.

Then there is the “Rupert the bear” fan club, I hear they are banned in China and in News International / Sky offices.
