The Perils of Password Reset

The story of Naoki Hiroshima and how he lost his $50,000 Twitter username has been making the rounds of technology blogs in the last week. While there is still some confusion about the initial vector of the attack, with PayPal denying that it handed over the last four digits of Mr Hiroshima's credit card, there is no doubt about GoDaddy's contribution. In response, GoDaddy has updated its user protection policies to mitigate similar social-engineering attacks in the future.

While the specific details of how this attack proceeded are still slightly unclear, the overall story has a depressingly familiar ring to it. In execution it is very similar to the highly publicised attack on Wired editor Mat Honan in 2012, whose target was again a Twitter username, @mat. In both cases the attacks succeeded thanks to flaws inherent in the password reset policies of the technology giants on whose services we grow increasingly reliant.

In Mr Hiroshima's case, armed with the last four digits of his credit card, the attacker used some simple social engineering tricks to convince GoDaddy's support engineer that he was the real Naoki Hiroshima, and to reset the password on his customer account. And herein lies the problem. Password reset processes generally rely on secret questions, or "what you know" checks, such as your mother's maiden name or the last four digits of your credit card. Unfortunately, none of these facts is really secret: the last four digits of a card appear on every receipt and are routinely read back by other companies' support desks, and a maiden name is a matter of public record. "What you know" is becoming ever less of a challenge to a determined attacker with basic Google search skills and a willingness to be polite and bluff their way through a conversation with a support agent.

There has recently been a move towards 2-factor "what you have" checks, such as Google Authenticator, which requires you to enter a time-based code generated by a smartphone app in addition to your password. However, Mr Hiroshima had 2-factor authentication enabled on many of the affected accounts, to no avail. The second factor is only consulted on the login path; the attacker never logged in. He had a support agent reset the credential out of band, and that path asked for nothing but "what you know".

So what can be done? In this case, as in Mat Honan's in 2012, the attack could have been stopped in its tracks by biometric verification in the password reset process. The user creates a biometric voiceprint at sign-up: they receive a phone call and repeat a short phrase. Whenever the user wishes to make a significant change to the account, such as a password reset, they receive another call to the number enrolled at sign-up (not to one supplied during the reset request, or the attacker simply supplies their own) and repeat the phrase again. The change is applied only if the voiceprints match, and that holds for the support-agent path as much as for the self-service one. The process no longer relies on "what you know" or "what you have"; it is now "what you ARE".

The VoxLoc voice-verification system can be used in a number of scenarios, from securing password resets to confirming the identity of a user attempting to transfer funds from a bank account.

Try the VoxLoc voice-verification demo for yourself and see how easy it can be to protect your customers.
