Account Recovery: Insecure And Uncertain


Account recovery procedures (e.g., when someone says they lost your password and/or phone) are often the easiest way for attackers to gain access to your account, and unfortunately there is very little advice on how to deal with them, other than "turn your username, email, and security answers into unique, hard-to-guess things", in other words: make everything a password.  But account recovery procedures often make that tactic useless.

Also, I am doubtful that adding extra account recovery options (recovery phone numbers, alternate emails) is a good idea for people who are using a password manager to create and store strong, unique passwords, and have taken steps to make sure they won't lose access to their password database.  Extra account recovery options are extra ways for bad guys to get into your account and are often easier than guessing your password.

Motivation And Background

The computer security field has some things about account security pretty well settled, such as using a password manager to generate and store strong, unique passwords for your accounts.  I think one of the big remaining questions is: how should users manage the risk from account recovery procedures (when someone claims to have lost your phone and/or password)?

To illustrate how bad account recovery procedures from popular account providers can be, Betfair only required a username and date of birth to change someone's password, and here's the tragic story of Mat Honan from 2012:
“At 4:33 p.m., according to Apple’s tech support records, someone called AppleCare claiming to be me. Apple says the caller reported that he couldn't get into his Me.com e-mail – which, of course was my Me.com e-mail.

“In response, Apple issued a temporary password. It did this despite the caller’s inability to answer security questions I had set up. And it did this after the hacker supplied only two pieces of information that anyone with an internet connection and a phone can discover....It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account.”
It also used to be that to take over an Amazon account, all you had to know was a person's name and their shipping address, and to make three calls to customer service.  You could use the name and address to find out the registered email address, then use those three things to add a phony credit card number, then use those four things to change the associated email and then trigger a password reset using the new email address.

This is extremely scary.  To continue the old Amazon example, for a long time your Amazon password (and probably 2FA if they even offered it at the time) offered no protection against someone who knew your name and physical address.  I don't really know what someone could do to guard against that.

A big part of why account recovery is insecure and will probably continue to be so for a long time is the incentives faced by the account providers.  Legitimate customers who have lost their phones and passwords outnumber bad guys on any given day.  Businesses want to please their customers, and the convenience-security trade-offs being made are probably close to what most customers want.  The average Amazon/Apple customer does NOT want to be locked out of their account just because they forgot their password.

When Account Recovery Depends On Things You Choose

There are other account recovery procedures that are better, but still scarily insecure.  For instance, imagine a fictional BankX and its procedure to reset a password:
  • User/attacker clicks "forgot password" link and enters the user's email.
  • User/attacker receives confirmation on the website that an account exists for that email.
  • User/attacker clicks "I lost my phone" when prompted to authenticate via 2FA.
  • User/attacker has to correctly answer the following three questions:
    • Last four digits of Social Security Number?
    • What is your mother's maiden name?
    • What city did you grow up in?
  • If user/attacker can correctly answer those three questions, they are logged in to the account and are allowed to change the password, disable 2FA, and change the email address.
  • No alert is sent to the old email address at any point during this process.  There is no rate limiting on attempts to reset the password and guessing answers to security questions.

All of the info needed to reset the password is often public knowledge, especially for bad guys making a career of this.  Knowing/guessing these things is far easier than guessing a strong, unique password.
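The last bullet names two gaps in BankX's flow: no alert to the old address and no rate limiting. As an added illustration (not part of the original post), here is a sketch of a provider-side guard that closes both; the class name, the limits and the 72-hour hold before a reset takes effect are assumptions, not anything a real provider is known to use.

```python
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 3          # assumed policy: failed attempts allowed per window
WINDOW_SECONDS = 3600     # assumed policy: sliding window length
HOLD_SECONDS = 72 * 3600  # assumed policy: delay before a reset takes effect


class RecoveryGuard:
    """Hypothetical wrapper around BankX's security-question check."""

    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email        # callable(address, message)
        self.clock = clock                  # injectable so the policy can be tested
        self.failures = defaultdict(deque)  # account -> times of failed attempts
        self.pending = {}                   # account -> earliest completion time

    def attempt(self, account, registered_email, answers_ok):
        now = self.clock()
        recent = self.failures[account]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= MAX_ATTEMPTS:
            return "locked"                 # rate limit: no more guesses for now
        # Alert the *currently registered* address before anything changes.
        self.send_email(registered_email,
                        "Someone started account recovery. Not you? Cancel it.")
        if not answers_ok:
            recent.append(now)
            return "denied"
        # Correct answers do not log the caller in; they start a waiting period
        # during which the real owner can see the alert and cancel.
        self.pending[account] = now + HOLD_SECONDS
        return "pending"

    def cancel(self, account):
        return self.pending.pop(account, None) is not None

    def complete(self, account):
        due = self.pending.get(account)
        if due is None or self.clock() < due:
            return False
        del self.pending[account]
        return True
```

With this in place, guessing public answers is capped at three tries an hour, and even a correct guess gives the account owner three days of notice at the old address.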

What can a user do?  Basically, turn everything you can into a unique, hard-to-guess, password-like thing, and you'll be relying on your password manager to remember these things:
  • Make your user id unique to the account and hard to guess, like a password.  Instead of "joesmith", use something more like "hnr93n42qmz".
  • If your login is an email (or it's used in the account recovery process), you could make a new email address just for that account with a unique, hard-to-guess name (and forward email to your primary email account so you don't have to check it individually).  This is very painful though.  The next bullet point is much more convenient.
  • If you use Gmail, you can take advantage of the fact that Gmail ignores everything after a plus sign, so joesmith@gmail.com could become joesmith+234098293048@gmail.com and you'll get emails from BankX just fine.  I've never heard of an account provider requiring an email to be sent from the registered address, just proof that you can receive emails sent to that address.
  • If you're allowed to set up your security questions, you can give password-like answers unrelated to the truth.  You could say your mother's maiden name is Ynmpoqmqnfhe and your birth date is 1921-04-24.
  • If your credit card provider allows you to make virtual credit card numbers (often they are long-lasting and only a single merchant can put charges on them), make a unique virtual credit card number every time an account needs a credit card number.
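The tactics in this list as a small generator, added here as an example and not code from the original post. Function names, lengths and the date range are assumptions; the plus-tag handling mirrors the Gmail behaviour described above, and every generated value is meant to be saved in the password manager entry for the account.

```python
import math
import secrets
import string
from datetime import date, timedelta


def random_id(length=11):
    """Password-like user id, e.g. 'hnr93n42qmz' instead of 'joesmith'."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def plus_alias(mailbox, digits=12):
    """Per-account alias: joesmith@gmail.com -> joesmith+<random digits>@gmail.com."""
    local, domain = mailbox.rsplit("@", 1)
    tag = "".join(secrets.choice(string.digits) for _ in range(digits))
    return f"{local}+{tag}@{domain}"


def delivers_to(alias):
    """Mailbox the alias lands in: the '+tag' part of the local name is ignored."""
    local, domain = alias.rsplit("@", 1)
    return f"{local.split('+', 1)[0]}@{domain}"


def fake_answer(length=12):
    """Security answer unrelated to the truth, shaped like a name."""
    letters = (secrets.choice(string.ascii_lowercase) for _ in range(length))
    return "".join(letters).capitalize()


def fake_birth_date():
    """Random date between 1920-01-01 and 2000-12-31 (assumed plausible range)."""
    start = date(1920, 1, 1)
    span = (date(2000, 12, 31) - start).days
    return (start + timedelta(days=secrets.randbelow(span + 1))).isoformat()


def entropy_bits(alphabet_size, length):
    """Guessing cost of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)


def recovery_profile(mailbox, questions):
    """Everything to store in the password manager for one account."""
    return {
        "user_id": random_id(),
        "email": plus_alias(mailbox),
        "birth_date": fake_birth_date(),
        "answers": {q: fake_answer() for q in questions},
    }
```

A 12-letter random answer carries about 56 bits (`entropy_bits(26, 12)`), whereas a real maiden name or home town is often a matter of public record.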
The downside of these tactics is...
  • Losing access to your password manager's database makes recovering your accounts harder.  Hopefully important accounts will let you do something like go to their office (bank, electric company, etc) and prove your identity in person.
  • Harder to make use of services like haveibeenpwned to see if your accounts were affected by a breach.
  • They're more work.
  • MOST IMPORTANT: Lots of times they won't work.
    • Often you won't be allowed to use them, or the account recovery process makes them irrelevant.
    • It's also hard to tell ahead of time if they'll work.  How often have you figured out an account provider's full account recovery process?  It takes quite a bit of time to try every route of attack.
I'm also pessimistic about telling customer service something along the lines of "make a note that for my account, the caller must also provide the following 8-digit PIN before you'll help them with my account". Customer service people are fallible and imperfectly follow official security policy, and in my experience are horrible at following customer-specific security instructions.  In Mat Honan's story, Apple customer service issued a temporary password to the attacker "despite the caller’s inability to answer security questions I had set up".

Accessible Is Often The Opposite Of Secure

This Auth0 blog post agrees with pretty much everything I've said, but I take issue with the following: "connect multiple ways of identifying yourself to your account, including a recovery email and phone".  A recovery phone is an extra way to access your account if you lose your password, and it is an extra avenue of attack for bad guys to gain access to your account.

In the Mat Honan story, Mat chose to have an alternate email for his Google account.  Google recommends that you provide an alternate email to help you not get locked out of your account.  Unfortunately, this alternate email was how bad guys got access to his Google account.

Security advice seems especially contradictory when it comes to using your phone number.  Security experts like to complain that SMS 2FA is really insecure (but better than no 2FA at all) but we're still encouraged to register recovery phones, which are just as insecure as SMS 2FA.  What's the point of setting up TOTP 2FA or better if we then sabotage ourselves by allowing bad guys to say "I lost my 2FA stuff, please let me use a recovery phone"?  I am not the only person to make this point.  Section "You’re Only As Secure As the Weakest Link" from this How To Geek article says about Google accounts:
“Here’s another unfortunate truth that everyone seems to gloss over: Even if you avoid SMS-based two-factor authentication for an account, SMS is probably available as a fallback method. For example, even if you generate codes with an app to sign into your Google account, you can recover your account using your phone number. This is to protect you if you ever lose access to your two-factor phone or token.

“In other words, many—probably even most—services let you get into your account with your phone number, even if you use an app-generated code or a physical security key most of the time. You’re only as secure as the weakest link in the system. Try checking the other ways you can sign in if you don’t have your normal method.

“That’s why, to really lock down a Google account, you don’t just need to avoid SMS-based two-step authentication. You also need to enroll in Google’s Advanced Protection Program, which Google advertises for ‘journalists, activists, business leaders, and political campaign teams.’ This free program requires you use a physical security key to sign in, but it also demands much more information to recover your account.”
For my Google account, should I remove my phone number entirely so that they can't offer to call my phone?  What all do I have to do to close that off?  Should I have a recovery email?

[this post is still very much a work in progress]
