The weakest link

As always, a company’s security is only as good as its weakest link. Often, social engineering is the easiest way in for someone who wants to steal passwords or account information. Password reset procedures are pretty bad, too (“What is the name of the street where you grew up?” Give me a break).

Here is a sad combination example. I doubt the companies discussed are outliers in terms of their security standards.


Contact scraping

Any site that asks for a username and password pertaining to another site should raise red flags for you, but apparently contact scraping is getting results:

Once you enter your credentials, like your [email] user name or password, the company sweeps through your contact list and sends everyone an invitation to join the site.

Nothing new here, but the tactic can be tough to spot. Facebook has nearly tricked me into giving up all of my email contacts a couple of times.


What’s your secret question (Part III)

If your secret question is easier to guess than your password, your password is effectively useless. From the abstract of a recent Microsoft research paper:

All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers.

Since you often need to provide answers to secret questions when signing up for online accounts, I suggest using strings like “lJOcK6gS”. You can employ something like Password Safe to generate those strings and store them.


Four-digit PINs – are they safe?


Strong passwords are important, and I recommend using eight or nine digits whenever you can. Sometimes, however, you can’t avoid using a short password. For example, many ATMs outside North America will not accept long passwords, so you have to use a short ATM password if you live or travel outside of North America. In such an instance, is using a four-digit password unsafe?

The answer, as far as I can tell, is no. A longer password would be better, but a four-digit password for your ATM card is good enough.

Why is a four-digit password okay for your ATM card, but not for other accounts? Many ATMs limit the number of failed entries for a given card, eating the card if a user enters an incorrect password four times in a row. This limit on guesses, not the password itself, is what keeps the chance of a successful guess low.

What are the chances, exactly?

Suppose an ATM limits the number of failed password entries to four, after which it will eat the card. Let’s calculate the probability of guessing a four-digit password in four tries.

First, we need to know the number of four-digit passwords that can be created from a keypad with the digits 0 through 9. There are ten usable digits, each of which can be used as the first, second, third, or fourth digit. That means there are ten ways to choose the first digit of your password, ten ways to choose the second, ten ways to choose the third, and ten ways to choose the fourth.

These ways multiply to give us 10*10*10*10 = 10,000 different four-digit passwords that can be made from ten digits. Your password is one of those 10,000 passwords. The probability, then, that someone could guess your password in one try is 1/10,000 = 0.0001. Since each of the four tries is a different guess, the four events cannot overlap, so the probabilities simply add: 0.0001+0.0001+0.0001+0.0001 = 0.0004.

Some perspective

If you’re like me, you need some way to interpret this risk. We know 0.0004 is a small number, but can we do better than that? To put that figure into perspective, we can calculate the expected loss (a term that describes the probability of an event multiplied by its cost). Consider the following events: you lose your ATM card, your card is found by someone who tries to extract cash from your savings account, and you don’t notice that your card is missing for a week. What is your expected loss in this case?

We start by calculating your maximum possible loss. Someone who correctly guesses your ATM card password would be able to withdraw or spend up to your daily limit on each of the seven days you are unaware of your missing card. Let’s say this limit is $3,000 and the person who has your ATM card knows it (perhaps he learned it by starting with an attempt to withdraw $5,000, then trying smaller and smaller amounts until the machine capitulated). Your maximum loss in this instance is 7*3,000 = $21,000.

Now all we have to do is multiply the maximum loss by the probability of experiencing that loss. We get 21,000*0.0004 = $8.40. You will probably agree with me that this is no big deal compared to the other threats you face. It’s too bad that you are sometimes forced to use shorter passwords than you would like, but at least in this instance, it’s not worth worrying about.
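The two calculations above, written out as an added example that is not part of the original post. It generalizes the post’s figures to any PIN length, lockout threshold, daily limit and number of unnoticed days, and also shows the case where the guesser might repeat a guess; the $3,000 limit and seven days are the post’s own assumed numbers.

```python
from fractions import Fraction


def pin_space(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct PINs: alphabet_size ** length (10**4 = 10,000 for four digits)."""
    return alphabet_size ** length


def p_guess_distinct(length: int, tries: int, alphabet_size: int = 10) -> Fraction:
    """Probability that `tries` distinct guesses find the PIN before the ATM eats the card.

    Each guess is a disjoint event of probability 1/N, so the probabilities add up to
    tries/N. This is the additive calculation in the post: 4/10,000 = 0.0004.
    """
    n = pin_space(length, alphabet_size)
    return Fraction(min(tries, n), n)


def p_guess_with_repeats(length: int, tries: int, alphabet_size: int = 10) -> float:
    """Same question if the guesser may repeat a guess (independent draws): 1 - (1 - 1/N)^tries.

    This is slightly below the additive figure, so the additive figure is a safe upper bound
    for the defender's estimate.
    """
    n = pin_space(length, alphabet_size)
    return 1 - (1 - 1 / n) ** tries


def expected_loss(p_compromise: float, daily_limit: float, days_unnoticed: int) -> float:
    """Expected loss = probability of compromise * maximum loss.

    Maximum loss is the daily withdrawal limit times the days before the card is reported.
    """
    return float(p_compromise) * daily_limit * days_unnoticed


if __name__ == "__main__":
    # Assumed figures from the post: 4-digit PIN, 4 tries, $3,000/day, 7 days unnoticed.
    p4 = p_guess_distinct(length=4, tries=4)
    print(f"4-digit PIN, 4 tries: p = {p4} = {float(p4)}")
    print(f"  if guesses may repeat: p = {p_guess_with_repeats(4, 4):.8f}")
    print(f"  expected loss: ${expected_loss(p4, 3000, 7):.2f}")
    # Same lockout, but the 8-digit PIN the post recommends where it is allowed.
    p8 = p_guess_distinct(length=8, tries=4)
    print(f"8-digit PIN, 4 tries: p = {float(p8)}, expected loss: ${expected_loss(p8, 3000, 7):.6f}")
```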

What prices tell us about risk


The Economist, reporting research by Symantec, has an interesting chart of the most common goods and services offered by cybercriminals.

You can use the prices on the right of the chart as a sort of risk indicator: if a criminal steals your bank account details, you can expect to lose the amount another criminal is willing to pay (plus the value of the second criminal’s time) to get those details. Keep in mind that these values represent the average (mean) amounts victims will lose and criminals will gain – in reality, some victims will lose a lot more and some a lot less.

Most interesting feature of the chart: email passwords sell for more than full identities. If you think your email password isn’t very valuable, you should know that cybercriminals think otherwise!
