
Recently, I was buying a bottle of wine at the grocery store and was asked to show my ID.  My license picture was taken about 4 years ago, when I was 20-30 lbs lighter and before I started shaving my head, so it doesn’t look all that much like me anymore.  The clerk was skeptical, and he asked me to show another form of ID, which I provided by showing him a few credit cards.  Apparently, that was enough to convince him that I was who the license said I was.

What if I had just stolen someone’s wallet, though?  I would have easily been able to produce credit cards that accompanied the license in the wallet.  Showing that extra piece of ID really didn’t add any authentication to the transaction at all, but it allowed me to complete my age-restricted purchase.

Most IT people have heard of the concept of two-factor authentication;  pick two of the three classic categories (“something you have”, “something you know”, “something you are”) for a high level of authentication.  I’ve heard it argued, however, that multiple items from the same category (specifically, the “something you know” group), can be considered stronger than one.  I disagree with this sentiment.

If you can get “something you know” from someone, such as a network password or other shared secret, it is generally trivial to get another “something you know” from them. Two pieces of information are almost exactly as strong as one piece of information. However, if an application designer, much like the store clerk who sold me the wine, is willing to accept two of the same authentication factor as a strong assurance of identity, then that application is a greater security risk than one that accepts only a single credential, because of the nature of the information an application that believes it has strong authentication is likely to provide.

It’s a common mantra of security theory that I’ve repeated ad nauseam: security controls must be appropriate for what is being protected. Two pieces of knowledge are not better than one, and if an application treats them as if they were, then it is not secure when it must protect information that requires something more than just a password.
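To make the argument concrete, here is an added example (not code from the original post) of a policy check that counts distinct authentication categories rather than raw credentials, so two “something you know” items collapse to one factor. The credential-to-category mapping and the `authorize` policy are hypothetical, constructed for illustration; the SiteKey entry reflects the comments below, which note that such an image authenticates the server, not the user.

```python
from enum import Enum


class Factor(Enum):
    """The three classic categories, plus a bucket for things that
    authenticate the server to the user rather than the user to the server."""
    KNOWS = "something you know"
    HAS = "something you have"
    IS = "something you are"
    SERVER = "server-to-client only"


# Hypothetical mapping of credential types to categories (constructed here).
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWS,
    "security_question": Factor.KNOWS,
    "pin": Factor.KNOWS,
    "totp": Factor.HAS,
    "hardware_token": Factor.HAS,
    "fingerprint": Factor.IS,
    "sitekey_image": Factor.SERVER,
}


def distinct_factors(presented):
    """Count the user-authenticating categories actually covered.
    Repeats of one category (two secrets, three secrets) still count once,
    and server-authentication artifacts contribute nothing."""
    categories = set()
    for credential in presented:
        if credential not in CREDENTIAL_CATEGORY:
            raise ValueError(f"unknown credential type: {credential}")
        categories.add(CREDENTIAL_CATEGORY[credential])
    categories.discard(Factor.SERVER)
    return len(categories)


def authorize(required_factors, presented):
    """Return (allowed, reason). required_factors expresses the control
    appropriate to what is being protected: 1 for low-value data,
    2 for anything that needs more than just a password."""
    have = distinct_factors(presented)
    if have >= required_factors:
        return True, f"{have} distinct factor(s) presented"
    return False, f"only {have} distinct factor(s); {required_factors} required"


if __name__ == "__main__":
    # Two "somethings you know" do not satisfy a two-factor requirement.
    print(authorize(2, ["password", "security_question"]))
    # A password plus a code from a device the user holds does.
    print(authorize(2, ["password", "totp"]))
```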

2 thoughts on “False-Positive Trust”

  1. Peter Hesse says:

    Reminds me of the article we had written some time ago, “Wish it was two factor” (http://securitymusings.com/article/182/wish-it-was-two-factor), based on a DailyWTF article. For example, your bank’s SiteKey. Is that really helping? No, it’s the opposite. If I break into your account, I also now learn your secret picture, which I can share with you next time you think you’re logging in to the bank.

  2. Walt says:

    A proxy-style phishing site could go to the real site and grab the picture as it was fooling the user. You would only need to know a few similar “something you know” factors, like the account number, and the answers to the flimsy security questions the user had set up. A phishing site could easily ask the user for this info, and then relay it to the real site to obtain the picture, which it would then display to the user, Alice-Eve-Bob “man in the middle”-style.

    I don’t think the SiteKey was really touted as an extra authentication factor (although it may have been). It’s a server authentication mechanism, not client.
