Proper iCloud security is not a pie-in-the-sky

Cloud Authentication Best Practices

by Oren Kedem, VP Product Management, BioCatch

The iCloud account hack has brought back to the surface the fact that secret questions, as a means
to authenticate people, can easily be broken. While we don't know yet whether this was the case for
each celebrity account that was compromised, it is one of the likely options. It has been widely
discussed that the personal information behind these answers can be obtained through the web
(e.g. Facebook), researched via credit reports, bought in the underground market, or simply guessed.

Less discussed is the fact that many genuine users fail the secret question challenge.
Why would a genuine user fail a secret question challenge? Well, there are many reasons.
For example, let's examine a very frequently used question: "In which city did your parents
meet?" There are many ways to get it wrong:

1. Spelling issues (very common with foreign names).
2. Format issues: LA or Los Angeles? New York or New York City? Saint Petersburg or St.
Petersburg?
3. Some people might use the quarter or borough, such as Manhattan rather than New York.
Or sometimes there is no right answer, such as when the parents met on a cruise.
4. Answers that change over time: Saint Petersburg was called Leningrad.

BioCatch US banking customers report that 12%-20% of GENUINE users fail to answer their
secret questions and get completely locked out of their account.
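Each failure mode in the list above is a canonicalization problem on the verifier's side. The following is an added example (not BioCatch's code or any product's) of comparing a submitted answer against the enrolled one after stripping accents, case and punctuation and resolving a constructed alias table that covers the cases in the list; the spelling tolerance and the alias entries are assumptions chosen for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed alias table (assumption): maps common variants of a city answer
# to one canonical spelling. A real deployment would maintain this per locale.
ALIASES = {
    "la": "los angeles",
    "nyc": "new york city",
    "new york": "new york city",
    "manhattan": "new york city",       # borough answered instead of city
    "st petersburg": "saint petersburg",
    "leningrad": "saint petersburg",    # name that changed over time
}


def canonicalize(answer: str) -> str:
    """Reduce an answer to a comparison form: drop accents, case, punctuation
    and extra whitespace, then resolve known aliases."""
    text = unicodedata.normalize("NFKD", answer)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = re.sub(r"[^a-z0-9 ]+", " ", text.lower())
    text = " ".join(text.split())
    return ALIASES.get(text, text)


def answers_match(given: str, enrolled: str, threshold: float = 0.85) -> bool:
    """Exact match on the canonical form, otherwise tolerate a small spelling
    slip. Every bit of tolerance enlarges the guess space, so the threshold
    stays high and short answers get no tolerance at all."""
    a, b = canonicalize(given), canonicalize(enrolled)
    if a == b:
        return True
    if len(b) < 6:
        return False
    return SequenceMatcher(None, a, b).ratio() >= threshold
```

Fuzzy matching requires the enrolled canonical form to be available at comparison time, so it cannot be combined with a one-way hash of the answer; that is part of the trade-off a site makes when it loosens the check.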


Many online solutions have added a one-time password sent to the user's mobile phone as a
means to improve security. Unfortunately, SMS has not proven to be the panacea for the
maladies of secret question authentication. Banks that use SMS in high-risk scenarios report
a 20%-25% authentication failure rate, and the result is again a user locked out of their account.

First, operational issues can prevent the text message from reaching the genuine user's mobile
device on time. A report by UCLA shows that 1%-2% of domestic SMS messages fail
[http://www.txt4ever.com/smsFAQ.php]. The number of failures rises significantly for
international text message delivery: a 28% failure rate according to another study by Mob4hire
Labs [http://mob4hire.blogspot.co.il/2013/02/72-percent-international-sms-delivery.html]. And of
course there are other mundane reasons: a wrong phone number on file, a weak battery and bad
reception (like my basement den in which I am sitting now, writing this article).

Second, cybercriminals are able to circumvent these controls using a combination of research,
malware and social engineering. Man-in-the-Mobile malware like Zitmo simply redirects SMS
messages from the victim to the criminal. Other forms of attack use Man-in-the-Browser or vishing
(phone fraud) to convince the user into surrendering their "secret", typically under the pretense of
increasing security.



BioCatch has been working with customers on alternative means of authentication that have a
better success at stopping the bad guys while letting the good folks in.




Cyber Warnings E-Magazine – CTIA Special Edition, September 2014
Copyright © Cyber Defense Magazine, All rights reserved worldwide