Recently, I was on a call with the CISO of a customer whose CEO’s account had been hacked. The CISO and his team were trying to understand how this had occurred, and, following a short investigation, we discovered that the hacker had been able to compromise the CEO’s password via the company’s software solution that enables end users to reset forgotten passwords.
After reviewing logs and other audit mechanisms, we determined that the hacker had used the solution’s self-service password reset (SSPR) capability to reset the CEO’s password. Once the password was reset, the hacker had free rein over the CEO’s account.
During an ensuing discussion about security policies for self-service password reset, the customer revealed they had implemented a Q&A-based SSPR, allowing a reset based on correctly answering any one of three questions. During the call, it was mentioned that the CEO was somewhat of a celebrity and fairly well-known, so, with that information in hand, it seemed apparent that this was a classic example of a social engineering attack. The hacker guessed ‒ or knew ‒ the CEO’s email address and used that to access his SSPR Q&A profile. They then trawled Facebook, LinkedIn and other sources to find answers to his SSPR questions.
Physician, heal thyself!
A few days later, I had the opportunity to create an account on a third-party system that used SSPR for password reset, and, based on my earlier conversation with the customer, saw the questions I was asked to answer in a completely different light. They included:
- What was the name of your first pet?
- What was the name of the first school you attended?
- In what city was your father born?
- In what city was your mother born?
- In what city did your parents meet?
- What was your childhood nickname?
When I thought about how easy it would be for someone to hack my own SSPR Q&A via social engineering, I realized that, over the years, the answers to every one of these questions have appeared in a Facebook post or comment. If someone had access to my Facebook feed, they could easily figure out the answers and use them to gain access to my personal accounts. You can judge for yourself how easy or hard it would be for someone to find the answers to these questions via your own public Facebook or LinkedIn information.
These types of attacks are certainly on the rise. According to the recent 2016 Verizon Data Breach Digest, social tactics are being used in around 20 percent of confirmed data breaches, and when looking at the previous three years, the frequency increases to almost 30 percent of data breaches.
So, what was the outcome of my call with my customer’s CEO? Based on the fact that the company operates a worldwide business with thousands of employees and partners who access their systems, I offered the following advice:
- Require more than one correct answer to the SSPR Q&A profile to reset a password.
- Require more than three questions to be registered in the SSPR Q&A profile.
- Pick a number of the out-of-the-box choices, but also require an end-user to register at least three “custom” questions and answers to which only they know the answer.
- Employ multi-factor authentication (MFA) as one means to reset a password – especially for high-value or executive accounts.
- Consider using step-up authentication to increase security in situations that include an end-user trying to reset a password outside of normal working hours, or perhaps trying to reset a password from an unknown location or device.
- Utilize an out-of-band mechanism to deliver the password or reset code. For example, send the password or reset code to the end-user’s registered mobile phone.
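The six recommendations above can be expressed as an enforceable reset policy rather than guidance the help desk has to remember. The following Python module is an added example written for this article, not code from the author or from any SSPR product: it stores answers as salted hashes, refuses to register a profile with fewer than five questions or fewer than three custom ones, requires two correct answers before anything else happens, escalates to MFA when the request is risky (executive account, unknown device, or outside working hours), and otherwise issues a one-time code for out-of-band delivery to the registered phone. The thresholds follow the list above; the five-failure lockout, the 08:00 to 18:00 working window, the sample questions and all answers are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Policy constants. The first three follow the recommendations in the article;
# the lockout limit and working hours are assumptions made for this example.
MIN_REGISTERED = 5   # more than three questions on file
MIN_CUSTOM = 3       # at least three user-written questions
MIN_CORRECT = 2      # more than one correct answer needed to reset
MAX_FAILURES = 5     # consecutive failed attempts before the profile locks
WORK_HOURS = range(8, 18)


def normalize(answer: str) -> str:
    """Case- and whitespace-insensitive form, so 'Rex ' and 'rex' compare equal."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Answers are stored salted and hashed, never in clear text."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


@dataclass
class Question:
    text: str
    custom: bool
    salt: bytes
    digest: bytes


@dataclass
class Profile:
    questions: list
    phone_registered: bool   # out-of-band channel for the reset code
    failures: int = 0


@dataclass
class ResetContext:
    hour: int            # local hour of the reset request
    known_device: bool   # device or location previously seen for this user
    high_value: bool     # executive or otherwise privileged account


def register_profile(qa_pairs, phone_registered):
    """qa_pairs: list of (question_text, answer, is_custom). Enforces the registration policy."""
    questions = []
    for text, answer, custom in qa_pairs:
        salt = os.urandom(16)
        questions.append(Question(text, custom, salt, hash_answer(answer, salt)))
    if len(questions) < MIN_REGISTERED:
        raise ValueError(f"at least {MIN_REGISTERED} questions must be registered")
    if sum(q.custom for q in questions) < MIN_CUSTOM:
        raise ValueError(f"at least {MIN_CUSTOM} custom questions must be registered")
    return Profile(questions, phone_registered)


def evaluate_reset(profile, answers, ctx):
    """answers: {question_text: supplied_answer}. Returns the decision the reset flow must take."""
    if profile.failures >= MAX_FAILURES:
        return {"decision": "locked"}
    correct = 0
    for q in profile.questions:
        supplied = answers.get(q.text)
        # Constant-time comparison of the hashes, so a partial match leaks nothing via timing.
        if supplied is not None and hmac.compare_digest(hash_answer(supplied, q.salt), q.digest):
            correct += 1
    if correct < MIN_CORRECT:
        profile.failures += 1
        return {"decision": "deny", "correct": correct}
    profile.failures = 0
    # Q&A passed; risk signals decide whether a second factor (step-up) is still required.
    risky = ctx.high_value or not ctx.known_device or ctx.hour not in WORK_HOURS
    if risky:
        return {"decision": "step_up_mfa", "correct": correct}
    if not profile.phone_registered:
        return {"decision": "deny", "reason": "no out-of-band channel registered"}
    # The code is handed to an SMS/push gateway for the registered phone; it is never
    # returned to the requester's session.
    code = f"{secrets.randbelow(10**6):06d}"
    return {"decision": "send_oob_code", "correct": correct, "code": code}


def sample_profile():
    """Constructed sample profile: five questions, three of them custom. All answers are made up."""
    return register_profile([
        ("What was the name of your first pet?", "Rex", False),
        ("In what city was your mother born?", "Springfield", False),
        ("Street where I broke my arm as a child", "Elm", True),
        ("Nickname my first manager used for me", "Sprocket", True),
        ("Title of the first book I returned unread", "Moby Dick", True),
    ], phone_registered=True)


if __name__ == "__main__":
    p = sample_profile()
    ctx = ResetContext(hour=10, known_device=True, high_value=False)
    print(evaluate_reset(p, {"What was the name of your first pet?": "Rex"}, ctx))
    print(evaluate_reset(p, {"What was the name of your first pet?": "rex ",
                             "Street where I broke my arm as a child": "Elm"}, ctx))
```

Two design points are worth noting. A single correct answer is denied and counted as a failure, so an attacker who has harvested one fact from a social profile cannot use it alone, and the profile locks after repeated misses. The one-time code is produced only after both the Q&A check and the risk check pass, and the calling code is responsible for sending it to the registered phone, which is what makes the channel out-of-band.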
How did I handle my own SSPR Q&A profile that I was asked to fill out a few days later? I answered some of the questions in an opposite fashion. For example, my first pet’s name became the name of my current pet, and I switched the birthplaces for my parents. I registered my mobile phone for password reset codes, something I thought particularly important after our recent customer call.
Lastly, let me offer a final piece of advice: If you already have an SSPR profile set, check it. In my own case, I realized that my corporate Q&A profile was set in 2005, nearly 11 years ago. The answers to all those questions very easily could be guessed if someone had access to my Facebook profile. I’ve since changed a number of them, including my custom questions and answers, to make it harder for any hacker to use social engineering techniques to compromise my account.
Can anyone be 100 percent safe? Of course not. But the lesson here is that end users – at all levels – should carefully evaluate their SSPR Q&A profiles in light of a social engineering attack. At the end of the day, SSPR Q&A profiles should not be the only mechanism for resetting a password.