If you haven’t read How Apple and Amazon Security Flaws Led to My Epic Hacking from Wired author Mat Honan, you must. It’s a frightening tale of just how easily a hacker can orchestrate an account takeover across multiple accounts.
I took a few days to blog about this topic because, quite frankly, I needed, as a consumer, to double-check that some of my personal accounts were better protected.
Nishant Kaushik over at the Talking Identity blog has a great visual mapping out the attack (see below) and provides really good insight in his thorough post on the hack and the problems related to shared secrets aka “static knowledge based authentication.”
First, the Simple Stuff
Here’s the basic stuff everyone needs to do.
- Make sure you’re backing up your data, and not just on your laptop or desktop. Back up your devices as well. You can even do that over the air now without having to plug them into a computer.
- Turn on two-factor authentication for Gmail and Yahoo Mail. One can only hope that Hotmail and other email-based identity providers follow suit.
- Review those little-used email addresses that you’ve registered as the backup email accounts for your systems. Chances are, you have a pretty poor password on those. Fix that.
Now that I’ve followed Nishant’s advice and made sure I’ve fixed the simple stuff he suggests we all do, I’m ready to weigh in on how businesses can begin to solve this identity dilemma.
First off, I need to point out that the “verification” techniques Apple used were not what IDology would consider true “identity verification.” The practice Apple used is called address and credit card verification, one of the four levels of verification that businesses use. It’s a lesser form of verification and really is only used to see if a credit card is active and if the name on the account matches the card. It doesn’t take into account that credit card numbers can be stolen, and it doesn’t tie the person to the credit card – much less prove that anyone is who they say they are. It is not a form of verification that we provide.
I also want to set aside the great password security debate and instead focus on what can be done from an identity verification standpoint within the current structure of these businesses today. The easiest and, quite frankly, simplest solution is for Apple and Amazon to deploy dynamic knowledge-based authentication (aka out-of-wallet questions) for high-risk transactions, both online and in their call centers.
What’s a high-risk transaction? Most certainly a password reset. But also anything else related to account-takeover activity, such as adding a new email address to an account, changing an address, and any other things hackers try to do to gain control. Stepping up at these points allows them to continue to service legitimate customers while strengthening their security and authentication methods. And it can be done immediately with a little bit of training and implementation work.
However, the costs associated with a traditional out-of-wallet solution might be rather large – especially when we are talking about two of the largest platforms in the market – since these types of security questions are generated in real time from information held by third-party data sources.
What would have worked really well to prevent this situation is if Apple or Amazon had a custom out-of-wallet solution in place. Just imagine how much information Apple and Amazon have at their disposal. Why should they pay for questions from third-party data sources when they could create relevant, dynamic authentication questions using their own data? Would a hacker have known the last song Mat Honan purchased on iTunes? Or what apps he’s downloaded to his phone?
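The step-up flow described in the two paragraphs above (a high-risk action such as a password reset or address change triggers a dynamic question generated from the company’s own customer data), as an added Python example that is not IDology, Apple or Amazon code; the Account model, the purchase catalogue, the list of high-risk actions and every sample value are assumptions constructed for illustration:

```python
"""Step-up auth gated by a dynamic question built from first-party data. Added
example, not IDology or Apple/Amazon code; all data below is constructed."""
import hmac
import random
from dataclasses import dataclass

# The post names password resets and contact-detail changes as account-takeover
# activity; every action in this set must clear a step-up challenge first.
HIGH_RISK_ACTIONS = {"password_reset", "add_email", "change_address", "change_phone"}

@dataclass
class Account:
    purchases: list  # item titles, oldest first (constructed sample data)

def requires_step_up(action: str) -> bool:
    """Route high-risk actions to the challenge; ordinary use stays frictionless."""
    return action in HIGH_RISK_ACTIONS

def build_question(account: Account, catalogue: list, rng: random.Random) -> dict:
    """One-time question whose answer is the most recent purchase. Distractors are
    catalogue items the customer never bought, so a partly informed attacker cannot
    hit a second 'correct' item, and the choices are shuffled so position leaks nothing."""
    if not account.purchases:
        raise ValueError("no first-party data; use a different factor")
    answer = account.purchases[-1]
    pool = [item for item in catalogue if item not in account.purchases]
    if len(pool) < 3:
        raise ValueError("not enough distractors in catalogue")
    choices = rng.sample(pool, 3) + [answer]
    rng.shuffle(choices)
    return {"prompt": "Which of these did you buy most recently?",
            "choices": choices, "answer": answer}

def verify_answer(question: dict, response: str) -> bool:
    """Constant-time compare; the answer is consumed so a question cannot be replayed."""
    expected = question.pop("answer", None)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), response.encode())

def authorize(account: Account, action: str, catalogue: list,
              rng: random.Random, respond) -> bool:
    """Allow low-risk actions outright; high-risk ones only after the challenge.
    `respond` is the caller's hook that shows the question and returns the choice."""
    if not requires_step_up(action):
        return True
    question = build_question(account, catalogue, rng)
    # Only the prompt and choices leave the server; the answer never does.
    return verify_answer(question, respond({"prompt": question["prompt"],
                                            "choices": question["choices"]}))
```

The same pattern applies in a call center: the agent reads the prompt and choices from the screen and enters the caller’s pick, never seeing the expected answer.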
This type of scenario is the reason we expanded on our traditional out-of-wallet solution and launched ExpectID Customer Based Authentication, a custom out-of-wallet solution. It allows companies to stop using faulty, insecure authentication methods such as shared secret questions while taking advantage of their own customer data in a way that is meaningful and safe. They never share any of that data with us. And they still get the benefits of presenting dynamic questions without having to become knowledge-based authentication experts or maintain a complete in-house identity verification system.
I like to think of ExpectID Customer Based Authentication as the hybrid Prius of identity security. Why? Well, it’s the first of its kind. And with a Prius you still get all the great benefits of driving a Toyota, but at a lower operating cost and with a greater benefit to the environment than a Camry. It’s this kind of innovation that contributed to ExpectID Customer Based Authentication being selected as a showcase demo solution at the Finovate show on September 12.
Banking regulators said last summer, in the updated FFIEC guidance for online banking authentication, that shared secret questions were not effective. If they aren’t safe for banks, they shouldn’t be considered safe for anyone – including Apple and Amazon.