One of the big topics this past week has been the severe compromise of Wired columnist Mat Honan’s accounts. The impact on Mat was severe, including the loss of personal data due to the remote wiping of his MacBook Air, and there has been an enormous amount written on the subject. One particularly useful analysis I have found is here.
It’s clear that the exploitation of weaknesses in account recovery processes was the key factor in the attack. Information was available online that allowed the attackers to reset Mat’s Apple password, from which they were able to do the most damage. In this particular case, the attackers were able to obtain a critical piece of information from Amazon (the last 4 digits of his credit card number), but in other situations it could just as easily have been the answers to “security questions” used to recover accounts. Amazon has since closed that particular loophole.
I’m puzzled, however, by the reaction of so many, prompted in large part by Matt Cutts’s blog post “Please turn on two-factor authentication”, that two-factor authentication would somehow have prevented the problem. I’m a big fan of two-factor authentication in general; it can be a bit of an inconvenience but it’s a big step up in security. I’m quite well convinced that it wouldn’t have prevented the attack on Mat Honan, though. Account recovery typically trumps all forms of authentication, including two-factor. Recovery may actually be required more frequently because users will sometimes lose whatever access token (what they have) that they are using to access the account.
If a burglar was targeting an area and breaking windows to enter homes, would you suggest homeowners install deadbolt locks? Even though deadbolts are a good idea, I wouldn’t characterize them as a solution to the broken-window attack. But that’s basically what’s happening here.
The problem is that account recovery procedures vary widely and are often very non-transparent. Companies don’t like to publicize the criteria they use to verify users prior to account resets, because that might be tipping off the attackers about what they need to do to take control of the account. This amounts to the poor practice of security by obscurity. This lack of transparency also makes it very hard for users, even professionals like Mat, to know what information they need to protect in order to make sure their accounts are secure. And all of this assumes that the procedures for account recovery are followed rigorously, which also seems not to have been the case here.
Best practices for account recovery are not well understood. Driven by cost minimization, there has been a strong trend toward the use of “security” questions to enable account recovery. This practice has serious security concerns that I have written about before. We need better and more consistent mechanisms for account recovery, and adherence to those processes, in order to give users the tools they need to have control over their online identity.
Image “New Doorknob” by Flickr user karindalziel used under Creative Commons license.
Update 10 Aug 2012:
Nishant Kaushik and Identigral point out that Google’s account recovery procedures don’t bypass two-factor authentication, and therefore would have helped. As it happens, Google’s account recovery (password reset) procedures are vastly different, and more secure, for accounts that have two-factor authentication enabled as compared with those that don’t. My perspective on this is that it is the improved recovery procedures that came as a side effect of two-factor authentication, and not two-factor per se, that actually helped here.
Update 13 Aug 2012:
As Alex, one of our commenters (see below), has done, I also set up a test account with two-factor authentication to see what the recovery process is like. I was asked several questions like how long I had had the account and the last time I successfully authenticated, which I answered erroneously, because an attacker would not have that information. I was told that it would take 3-5 days to recover the account.
Google sent a warning message to my recovery address giving me an opportunity to abort the recovery process. This was a great improvement over the instant recovery process usually available, but still would have been defeatable by an attacker with control over the recovery address.
Over the weekend, 48 hours after my original request, I received the following message:
Subject: Re: [#1091137852] I cannot access my account
Date: Sun, 12 Aug 2012 05:20:30 -0000
Good news — you’re just steps away from regaining access to your account! It looks like you are having trouble with 2-step verification, so we’ve removed it from your account. Click this link to reset your password and sign in to your account: https://www.google.com/accounts/RP?c=[removed]&hl=en_US
If you have any feedback on 2-step verification, we’d love to hear it! Fill out our contact form at: http://support.google.com/accounts/bin/request.py?hl=en&contact_type=2step_feedback.
If you want to reenable 2-step verification, please visit our help center: http://support.google.com/accounts/bin/static.py?hl=en&guide=1056283&page=guide.cs&answer=185839&rd=3.
We’re glad to have you back as a Google Accounts user again.
The Google Account Recovery Team
It’s possible that my account recovery was that easy only because it was a new account that had barely been used. We don’t know, because the procedures aren’t transparent. But in my case, the account recovery procedure used for two-factor authentication would only slow down, not stop, an attacker.
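To make the point concrete, here is a small model of the recovery flow observed in the update above: a hold period, a warning sent to the recovery address with a chance to abort, and then the reset link (with 2-step verification removed) delivered to that same address. This is an added illustration written for this post, not Google’s code; the 48-hour hold, the `RecoveryService` class and the sample recovery address are assumptions.

```python
from dataclasses import dataclass

HOLD_SECONDS = 48 * 3600   # the reset link in the post arrived 48 hours after the request
RECOVERY_ADDRESS = "owner-recovery@example.invalid"   # constructed sample address

@dataclass
class Account:
    recovery_address: str
    two_step: bool = True          # 2-step verification enabled at the start

@dataclass
class RecoveryRequest:
    account: Account
    opened_at: int                 # simulated clock, in seconds
    state: str = "pending"         # pending -> aborted | completed

class RecoveryService:
    """Hypothetical service modelling the observed two-factor recovery flow."""
    def __init__(self):
        self.outbox = {}           # recovery address -> kinds of message sent there

    def _mail(self, address, kind):
        self.outbox.setdefault(address, []).append(kind)

    def open_request(self, account, now):
        req = RecoveryRequest(account, now)
        self._mail(account.recovery_address, "warning")   # abort opportunity goes to recovery address
        return req

    def abort(self, req):
        if req.state == "pending":  # an abort only has effect while the hold period is running
            req.state = "aborted"
        return req.state

    def advance(self, req, now):
        # Hold period elapsed with no abort: 2-step is removed, reset link goes to recovery address.
        if req.state == "pending" and now - req.opened_at >= HOLD_SECONDS:
            req.account.two_step = False
            req.state = "completed"
            self._mail(req.account.recovery_address, "reset_link")
        return req.state

def simulate(abort_at=None):
    """One recovery attempt; returns (final state, 2-step still on, messages at recovery address)."""
    svc = RecoveryService()
    acct = Account(recovery_address=RECOVERY_ADDRESS)
    req = svc.open_request(acct, now=0)
    if abort_at is not None:       # the owner reads the warning and aborts at time abort_at
        svc.advance(req, abort_at)
        svc.abort(req)
    svc.advance(req, HOLD_SECONDS)
    return req.state, acct.two_step, svc.outbox[acct.recovery_address]
```

Every message the flow relies on, the warning and the reset link alike, lands in the recovery mailbox, so possession of that mailbox is the only thing the procedure actually checks; an abort that arrives after the hold period has elapsed changes nothing.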