BreachExchange mailing list archives

Look, pal, it’s YOUR password so it’s YOUR fault that it's gone AWOL


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 28 May 2014 19:24:15 -0600

http://www.theregister.co.uk/2014/05/23/look_pal_its_your_password_so_its_your_fault_we_lost_it/

This doesn’t bode well: I am not the sort of person who is able to make
private purchases on account. As much as I’d love to swan into a shop,
point at various things and drawl “Send them over, will you, darlings?” as
I saunter off into a waiting limo, retailers don’t seem to like me doing it.

Rather, they eye me warily as soon as I enter their premises. Their fingers
move instinctively to the panic button under the counter and the store
detective trails me everywhere with the enthusiasm of an Apache scout and
the subtlety of a nightclub bouncer. If I fail to bring anything to the
counter within two minutes, a whispered phone call is made, other customers
move silently to the exits and I find myself stranded on the shop floor as
the noise of barking dogs and an approaching helicopter grows ever louder.

I do not enjoy shopping. Going shopping is shit.

So it is with a little surprise that I am reading a letter containing a
bill for half a dozen iPhones. Apparently I walked into a high street
mobile phone shop a few weeks ago, bought the handsets on account and
walked off with the lot under my arm. And now the invoice has turned up.

One call to customer services sorts it out without argument, as it always
does. I have to put up with one of these scams every 18 months or so, and
I’m getting used to the routine. The first time it happened, however, I was
baffled how the scammer managed to associate his naughtiness with my name
and address. According to customer services, he must have been in
possession of hacked identity documents.

Showing ID, as anyone working in retail security will tell you, is
irrelevant. Proof of identity and proof of payment are not the same thing
at all. It is not possible to stride into a mobile phone shop, demand half
a dozen iPhones and shuffle off without paying, even if I show a driving
licence with a photo of the Queen on it.

No, all that has happened is that a disgruntled or dodgy employee at the
mobile phone shop or one of his mates has walked away with armfuls of
handsets, leaving a misleading trail of customer names randomly nabbed from
the database to throw the scent before scarpering. It could be the shop
assistant, the work experience kid, the delivery man, anyone.

Basically, it’s all too tempting. The goods and the customer database are
just sitting there, pleading to be raided. Just borrow the key to each – or
easier still, nick them – and you’re away.

The scam may not even be that smart. Every time I take out a phone contract
with a new provider, I am handed a cheap ballpoint pen and ordered to
complete a complicated paper form while the shop assistant toddles off to
photocopy my passport and electricity bill. Who needs to hack into a
database of customer addresses when the original paper versions are already
kicking about the shop in various unmonitored filing cabinets and in-trays?
Forget name and password, these sheets of triplicate contain my bank and
credit card details, inside leg measurement and DNA samples.

Which brings me to eBay.

I am not suggesting that an eBay employee is responsible for the recent
hack, although the generic concept of insider data theft is more than a
scare fantasy invented by security consultants, as Bank of America found to
its ($10m) cost a few years ago.

On that note, I’m tempted to say also that businesses that routinely
outsource their customer relations operations to flaky foreign call centres
deserve all they get, but that’s unfortunately not the case because these
businesses don’t “get” anything. It’s the customer who ends up in a world
of shit. The kind of business that allows its customers’ data to be ripped
off as the indirect result of yet another round of vicious cost-cutting
isn’t run by people who serve customers but by cost-cutting accountants,
and cost-cutting accountants couldn’t give a flying fuck.

Back to eBay, though. The consensus appears to be that a hack into a
relatively small number of eBay employees’ login credentials was enough to
lay open 145 million user account passwords. These passwords may or may not
have been adequately hashed or encrypted; no-one outside eBay knows because
eBay isn’t saying.

This is worrisome but not my immediate focus. Surely the key problem at
eBay isn’t what it did or didn’t do to disguise customer records, so much
as how feeble the protection must have been to prevent anyone from entering
in the first place. Nick a few eBay employees’ logins and you see
everything? Surely not. That would be like fitting Fort Knox with leaded
windows.

Compare this to what you and I have to put up with on a daily basis. Most
of the IT departments at places where I work deliberately inflict
multi-login hell on their users, apparently for no practical purpose other
than the sheer fun of it, like a smirking school bully. Every stupid little
app and utility requires a unique username and password, and those
automatic password security evaluators are getting so demanding they have
become positively highly strung.

Yesterday, I was working on a database of utterly non-sensitive material
that demanded I change my password... and rejected every attempt to do so
for half an hour. Sure, silly alphanumeric sequences such as abcd,
qwerty, 1234 and 0000 are automatically disallowed but I soon discovered
that so were any combinations that included what it recognised as names of
streets, places, English regions and nearby restaurants. The inclusion of
any proper noun, even with substituted numbers for letters, rendered an
entire password invalid.

Eventually, having tried to create an adequately long password based on a
line from a Shakespeare sonnet interspersed with numbers, dashes and
underscores only to be informed by the system that this would be too easy
to guess, I called the IT desk for assistance.

“Yeah, Shakespeare,” came the unfazed reply. “It won’t let you do him
either.”

But what really, really bugs me is being told to change my password again
and again, not for sound security reasons but – as eBay, Adobe, SSL
developers and countless others have ably demonstrated over the years – bad
security reasons. Sure, I should change all my passwords regularly anyway
in case someone hacks my live connection or steals my hardware. The
argument that regularly changing my passwords held by a third party will
keep my details more secure at that third party, however, is one that has
been carefully constructed from a veritable mountain of smelly arses.

What’s the point of changing my login credentials if the third party simply
keeps giving them away? No end of Shakespearean sonnets will protect me
from eBay’s lead windows or a Ministry of Defence civil servant leaving his
laptop in a taxi. Accidents happen just like hacks happen, but surely it
would make more sense to beef up security where the passwords are stored,
not whether the person thinking up a password chooses to compare thee to a
rose or a summer’s day. Where’s the logic?

The logic is this: they want to put the blame on YOU.

Hackers stole 145 million passwords on our servers but actually they’re
YOUR passwords so it’s YOUR fault and YOU have to sort it out. Read our
T&Cs, pal. It’s up to YOU to change YOUR passwords (did we mention they’re
YOURS?) and make damn sure YOU do it more frequently than WE can give them
away.

Remember, your security is our top priority (snigger).
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss