
Data Breaches with Troy Hunt


Has your information ever been compromised in a data breach? There are security measures you can implement to lessen the effects. Troy Hunt shares about the frequency and increasing size of data breaches of personal information. Don’t miss the end where we share lots of strategies you can put in place today to better protect your information.

Troy Hunt is an Australian Microsoft Regional Director and Microsoft Most Valuable Professional for Developer Security. He doesn’t work for Microsoft, but they're kind enough to recognize his community contributions by way of their award programs which he’s been a part of since 2011. You'll regularly find him in the press talking about security and even testifying before the US Congress on the impact of data breaches.

Troy is a Pluralsight author of many top-rating courses on web security and other technologies with more than 30 courses published to date. There's no better way to get up to speed on a topic quickly than through professional training that you can take at your own pace. As both an author and a student, Troy has nothing but positive things to say about the breadth and quality of Pluralsight courses.

One of the key projects Troy is involved in today is Have I Been Pwned (HIBP), a free service that aggregates data breaches and helps people establish if they've been impacted by malicious activity on the web. As well as being a useful service for the community, HIBP has given him an avenue to ship code that runs at scale on Microsoft's Azure cloud platform, one of the best ways we have of standing up services on the web today.

Troy regularly speaks around the world and runs developer-focused security workshops. You'll regularly find him at major technology events.

“Be selective about who you give data to and how much data you give them.” -Troy Hunt

“Work with the assumption that there is going to be a data breach.” -Troy Hunt

“I need to do these things proactively because if something happens then it is too late.” -Troy Hunt

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Transcript:

Troy, thank you for coming on. I really appreciate your coming on the podcast, talking about all the service that you have, and all the experience that you have that has gone into that. Where did you get the idea for Have I Been Pwned, and how did that come to fruition?

Kind of accidentally. I’d really like to sit here and go, “I had this grand vision and I knew exactly what to do, it was all a masterplan.” But it was very accidental and organic. I remember in late 2013 I’d been doing a lot of writing about data breaches. I remember writing about things like there was the […] data breach, and then there was a lot of Twitter spam trying to sell Asahi berries because people are reusing the same passwords. I was looking at things like, “Let’s go with the […] data breach, and the Sanyo data breach, and join together on the email addresses and see how many people have the same password.” What do you know, a lot of people use the same password. Isn’t this interesting?

Then, the [Davey] data breach happened, there were 150 million something people in there including me, twice, so my personal address and my work address. I kind of thought, “I wonder how many people actually know?” They’ll be seeing the notification emails and things like this but how many people actually get the email and don't get junk and then they still remember in a year from now, whatever it may be.

I thought I’d create a service. Motivation number one, give people the facility that does pretty much what it still does today. Then motivation number two was, “Hey, I can build something cool on the cloud.” A lot of this was me wanting to scratch an itch to build something because of what happens in technology, I was not doing as much coding as I used to because apparently that’s what you got to do. If not, you stop doing the things that you like, and tell other people. I was like, “Screw this, man. I’m going to write some code.” It was really that those two motivations which actually got me going with Have I Been Pwned. There was no sort of great epiphany or anything like that.

That’s very similar to how I started with whatismyipaddress.com initially, this is back in 2000 when Google didn’t answer the queries like that, I don’t know if Google was even around then. When you’re inside your corporate network and you need to know your IP address it’s like, “I don’t know, what is it?”

I didn’t know that was you, I use it all the time, seriously.

That’s a blast.

It’s sturdy. I use it all the time where I’ll show people how VPNs work and it’s like, “Now, I’m in Sweden.” Or “Here’s the Tor browser and look at this, I’m in Turkey.” It’s cool, sweet.

I probably ultimately figured out that at least at this point, that’s actually a lot of the reason why people are using my site. It’s not so much that they’re using it because they want to know their home IP address, it’s the confirmation that their VPN is working, which is really neat. Is it really saying Turkey instead of Southern California, or Eastern or Western Australia. Information can get a little bit fuzzy. At least as long as it’s showing an IP address different from your own, you’re usually a pretty happy camper.

Right, that’s awesome, well done.

You launched the site and it looked like you didn’t realize that like, “Oh my gosh, this is actually getting a lot of traction.” Either with data breaches coming in or when people started to use the site.

It wasn’t too long, it was sort of a few weeks, and that kind of surprised me. The reason it surprised me is that it suddenly hit the press. I’m really curious now because one of the things I did which actually worked out really well on multiple fronts is I wrote about pretty much everything that happened. As I was going through having this sort of massive growth, I’d write about certain things like scaling problems and how I solved them. Maybe part of that maturity is over time you’re happier to say, “Oh look, I screwed something up.” I was taking all of these events as lessons and writing about them, and people were like, “Wow, this is really interesting, thank you for sharing this.”

I think it was only a few weeks in and I think I wrote something about, was it too big for Google? Because the thing that suddenly struck me is that I was having problems with Google Analytics because Google Analytics were going, “You’ve actually got too many requests, we’re going to have to down-sample you.” This was the 10th of December. I launched the thing I think only like a week before. The blog post was “Too big for Google and analytics fails you.”

It wasn’t crazy amounts of traffic, it was 90,000 in an hour, that might have been it. Once you hit over 200,000 visits per day, Google Analytics starts to down-sample them, which is interesting. I think I hit 243,000 in a day. The interesting thing is now I think the biggest I’ve had since then was like 10 million in a day, I was like, “Wow, I thought that was big.” It was actually that it must have been only within a week.

I think people will be very jealous of that success.

No one’s more surprised by the success than me, trust me. It’s not like I was sitting there going, “I knew all along this will be amazing.” It was not that at all.

Since you’ve started to do this, how many data breaches have you actually loaded into your platform now?

Good question. It’s 400 something, 430 as of the time of recording, just under 9.5 billion in breached accounts. There’s one in particular I’m dealing with at the moment that will push that well beyond 10 if I let it, there’s always a bit of a caveat here. I was talking to my 10-year-old son about this over the weekend and he’s like, “You should have a party when you hit 10 billion accounts.” I don’t know if you really celebrate that, mate. It’s a milestone, don’t get me wrong, to hit how many figures that would be, that’ll be 11 figures. It’s not a good thing either, there would be no better outcome for Have I Been Pwned than if nothing more was to go into Have I Been Pwned, but of course, that will never happen.

Wow. What’s the biggest data breach that you’ve loaded today?

All the biggest ones at the moment tend to be data aggregators or credential stuffing lists. Looking at my list here, the biggest one is Collection #1 which went in January last year, 773 million accounts. Then things like Verifications, a data aggregator, 763 million accounts, there’s an online spam bot service here, 711 million accounts. It’s always really, really big things which are just siphoning up all that data.

The actual largest, I guess, “organic” data breach is probably the way that we’d phrase it, literal user accounts on a service that had a breach, was MySpace. MySpace was 359 million accounts.

Still a crazy number of records they exposed.

It is. A lot of people have completely forgotten about MySpace and then they get an email from me and they’re like, “Oh crap.”

They’re coming back to haunt people.

Exactly.

Is there a particular data breach that kind of scared you more than any other data breach? Reflecting the quality of the information, as in the depth of what was exposed, like this is a lot of personally identifiable information?

A number of candidates, many of which I don’t think we should talk about on a public podcast, because I expect there’ll be people listening to this which would learn things that they don’t want to know, because I certainly learned things I didn’t want to know when I had to look into some of these. I’ll just let your imagination run wild with it.

I think the one which was probably the most mainstream, which was massively impactful, was Ashley Madison, this was back in 2015. It was impactful because not only was it one of the 30 million accounts, but people literally killed themselves over this. If you put the emotion aside for a moment, the emotion and the moral judgment and everything else, it is just really a fascinating breach in terms of the sensitivity of the data, the personal circumstances under which it was collected. Not everyone was there to have an affair, there are a bunch of people who are single and looking for a bit of fun or whatever, and then this data breach happens. They might have been in there years ago and now they’re happily married and they have children, and then suddenly they’re implicated as being adulterous.

Then, of course, the way all of this internal data leaked. It wasn’t just data itself, it was emails and web code, and the internal practice of the organization then exposed as well. Really interestingly also is that to the best of my knowledge, the perpetrator or perpetrators have never been caught either, which is fascinating. Because there was a half a million Canadian dollar reward from memory for that particular breach.

Wow, that’s crazy. I think that actually leads us into a good segue to what are the types of scams that people can be targeted with as a result of data breach?

There are a few actually. Ashley Madison was certainly a big one in terms of people getting blackmail scams. What would happen is attackers would just get the list and they’ll literally do a mail merge. They’re like, “Hey, you’re in the Ashley Madison data breach. Send me a bitcoin or I’m going to email all your contacts about it.” Of course, you’re only going to get a very, very small percentage of people falling for that but that’s all you need.

The one which I’ve seen a lot over the last couple of years, and this one’s sort of fascinating from a social engineer’s perspective as well, is people will get things like credential stuffing lists. I mentioned collection one, 773 million records, that’s 773 unique email addresses, each one with at least one password that they’ve used before in cleartext. What people are doing while they’re mail merging this, sending an email, and I’ll try and pick a family-friendly wording here, saying, “I have infected your computer with malware. I know your password is blah.”

Then immediately there’s a social engineering bit because people look at them and they go, “Oh man, that is my password, I actually use that.” Then they start to configure their computer without the webcam, “I have observed you browsing pornography and enjoying the experience,” shall we say? There’s only going to be a small portion of people who are like, “Well actually, this could be feasible.” Then again, the social engineering bit kicks in, like that is my password, they actually know something secret about me, and I remember I used the word password in the singular sense here which is what it is for most people.

People do fall for the scam, and they pay their bitcoin, and this just runs over and over again. Because think about it from the attacker’s perspective as well, it’s a really low cost to implement, they can do it with high degrees of anonymity if they’re smart about it. They only need a very, very small hit rate to be successful, and it preys on their social engineering susceptibility that we all have.

Yeah, there’s the emotional hook and the fear hook, their, “Oh gosh, this is something that I don’t want anybody to know.”

Precisely.

Therefore someone has leverage.

Even if it’s not legit, there’s still the fear of being implicated participating in an activity and that alone is fearful as well. If the attacker manages to price it just right, just cheap enough that people actually pay for it but expensive enough that they’re actually going to get an ROI on it, it’s super, super nasty stuff but that is pretty rampant.

I’ve gotten several of them. Interestingly, one was an extremely old password, from back in the day when we’d recycle passwords here and there.

We’ve all been there.

Was a password manager password, that’s obviously something very. I can tell if it’s something like that, like, “Oh, okay. This is a pretty convincing type of email.” Because it’s like, “As proof that I compromised your computer, here’s your password.”

Precisely.

Running the website that I do, I get people who are victims of these sorts of things contact me saying, “Oh my gosh, what should I do?” I had one woman contact me and she’s like, “I’ve never gone on one of these sites. Oh my gosh, people are out to ruin me and they’re going after me personally.” Her perspective was not that this was an email that was sent out to 95 million or 350 million email password combinations; she viewed it as specifically targeting her and someone was trying to ruin her life.

Yeah. People don’t realize that they’re just a number in all of this.

Yeah, and that was like the hardest thing to communicate with this poor woman. It was like, “No, it’s not intentional.” She’s like, “Well but they know my password.” It just ultimately ended up being too technical for her to understand, I was like, “You haven’t done anything like that so don’t pay it.”

The sad part of this as well, I’m going to get in trouble now because people will say it’s victim-blaming but they’ll do it anyway. A lot of this only works due to the prevalence of password reuse as well. I don’t think you’d ever ask anyone and go, “Hey look, what are password management practices meant to be? Are you meant to have a password which is your dog’s name and use it everywhere?” They’ll be like no, but you do it anyway because I don’t really know how to do it otherwise.

People are consciously doing something which they know is risky and there is a portion of the blame that does lie there if you didn’t have credential reuse. You know what’s really amazing if you take it back and you go what if every single person everywhere used randomly generated passwords? How much stuff would be different? We’re part dreaming here but a huge amount of online attacks would be completely different, including this one just here.

Yeah, exactly. We’re talking about reducing the threat of blackmail, or watching porn and whatnot. Do you find that there are answers to secondary security questions in these data breaches also that would reveal your dog’s name, the street that you grew up on, your first elementary school, all those quizzes on Facebook?

The Adobe data breach had that. The very first data that went into Have I Been Pwned had security questions and answers. Now not only do data breaches have security questions and answers, but your public profiles have security answers, at least. What’s the university you went to? It’s on my LinkedIn profile. What’s your birthday? Well, I got all of my mates saying happy birthday. I literally looked up someone today, I couldn’t remember their birthday, went to Twitter because I know they’ve got a bunch of birthday congratulations, I was like, bang, there you go. Solved that problem, didn’t have to ask them.

I actually testified in Congress a couple of years ago and it was all about the impact of data breaches on knowledge-based authentication. This is what happens when someone is in a data breach and things like the mother’s maiden name is in it. The trick with mother’s maiden name is that it’s a static KBA, you can’t go back and change that, you can’t change your birthdate. If it was a dynamic KBA, something such as what’s your favorite food today, well you could change it, but then of course you’ve got another problem which is my favorite food changes. What’s your favorite movie? How many times have you seen that? Well, I don’t know, I haven’t seen them all yet, I have a long life to live. This is going to change at some point in time. That makes things difficult.

That has been one of the ones that is most frustrating to me as a consumer is when you’re forced to choose a question, answer a question that has something that will change. What was your favorite movie? Well, five years ago it was this, last week it’s this, three years from now it’s going to be that, now I have to remember three different movies.

This is really a remnant of a bygone era where this worked really well 20 years ago. 20 years ago we didn’t have anywhere near the attacks or the risks that we have today. The other thing is that 20 years ago, we didn’t have access to a lot of other identity verification methods that we do today. For example, SMS is absolutely ubiquitous today, not so much 20 years ago. The soft token authenticators like we all have in our phones just simply weren’t there 20 years ago but are now. U2F keys weren’t there but are now.

We have lots of other ways of doing identity verification, but the reason things like knowledge-based authentication questions prevail is that the one thing they have going for them over and above every single one of those mechanisms is everyone knows how to use them. I’ve had this discussion so many times before where people are like, “Look, there’s just nothing good about either passwords themselves or things like KBA.” Actually, there is, and no matter how good your technical solution is to replace one of these things, the one thing that you cannot argue about is that you can get any single person on the street and say, “What’s your date of birth?” Or “What was your mother’s maiden name or the first school you went to?” And they know. That’s a weak form of identity verification but it’s one that every single person gets and that actually has a lot of value.

That’s always been the challenge, that security professionals are more likely to be able to handle best practices like a key fob token or a software authenticator. Whereas my grandmother, you ask her what a security token is and she’s like, “I don’t know, is that what you buy for an arcade game?” Knowledge gap.

Use a password manager, not a piece of paper.

Spot on. This is where we’ve got to get the commensurate security controls to work with the different demographics as well. I think about my parents, they’re in their early 70s. My father uses a password manager, I’ve got him on 1Password. For the most part, it works pretty well. My mother, not so keen, she has a password book, she writes passwords down.

Some people lose their minds over it. Even today someone tweeted me a photo of one of these books you can get, password books, and they’re like, “Hahaha look at this stupid password manager, it’s not even encrypted.” I wrote back to the person and I linked to a blog post I wrote that was titled something like Password Managers Don’t Have To Be Perfect, They Just Have To Be Better Than Not Having One. I said, “Look, this password book is better than what 90% of people are doing right now.” Because if you get the book, and let’s say you create passphrases, unique passphrases for every single website. Well now, no more credential stuffing. Now, no more guessing the password.

Your problem is someone who can break into your house, and the person who breaks into your house doesn’t want the book in your desk drawer, they want your freaking TV, or your computer. You’re going to have a different problem. The person’s not going to be the problem.

You’re talking about password books, I know someone that would carry an 8 ½ by 11 piece of paper that was folded up, six years old, that had all of her passwords on it that she kept in her purse all the time. Every time I saw her pull that out, I cringed over it. Again, like you say, they have passwords on it. It’s not what people are looking for when they steal purses necessarily.

Maybe because I’m just being a bit anarchist, but I really like the premise of changing people’s assumptions about how authentication should work. The other one that’s fundamentally changing at the moment is this ridiculous premise that you should have password composition requirements because if you have an uppercase, and a lowercase, and a symbol, and a number, then you will be better than if you don’t have those.

I do this really fun talk where it’s amazing no matter where I go in the world and do this, I always get the same result. Imagine you’ve got an audience, there are a thousand people there. Imagine you want to use an all-lowercase password, you go to the website and the website says, you’ve got to have at least one uppercase character, what do you do? Simultaneously across all cultures, everyone goes, “We capitalize the first letter.” Everyone starts laughing because I’m looking around and going, “Oh my God, everyone’s worked this out.”

Then you have to have a number, what do you do? They say they just put one at the end. Everyone’s still laughing and I start to get nervous laughter because I say to them, “If you have worked this out and all of you are doing the same thing, do you think maybe the hackers have worked it out as well?” That’s really an interesting one.

Then we get to the point of going, “Let’s say you use the word P@ssw0rd. If you go and set that at your place of work tomorrow, what’s going to happen in 90 days?” They go, “Okay, well then I’m going to be asked to change my password.” What do you do in 90 days? I just increment the number at the end, and everyone starts to say the same thing. We sort of have this discussion and go, “Do you reckon maybe the hackers have worked that out as well?” It’s just amazing that when you put it in that context, people are like, “Yeah, this is what security theater is.”

Kind of talking about strong passwords and whatnot, what’s the best that people can do to protect themselves from data breaches or the effects of data breaches?

The problem is when people sort of say to me, “How do I decide which websites I should sign up to, which ones I can trust?” I have absolutely no idea. I’ve got absolutely no idea. Should you be able to trust Adobe? Yes. Should you be able to trust LinkedIn, Dropbox? Yes. They’re all here, I can see them here on the list. Clearly there is no degree of measurement of brand, value, or recognised trustworthiness in the organization, none of that means anything. All you can really do is two main things.

Number one is work with the assumption that there’s going to be a breach. Use unique passwords, make sure that you’re not using the dog’s name everywhere. You have to use a password manager in order to do that, whether it’s a digital password manager or the book, you've got to record them somewhere. The other thing is, and this to me is just a really practical approach, is practice data minimization. Be selective about who you give data to and how much data you give them.

I'll give you a really good example of this. There is a website called catforum.com. I just use this example because it’s the internet and it's cats. It is literally just to talk about cats. One of the questions the cat forum asks you is your date of birth. After you register it's like, “Hey, why don't you put your date of birth in here?” I talk to people about it and go, “Why would you do that to talk about cats,” because that is a piece of static knowledge based authentication.

If Cat Forum gets popped, someone will take that and then they'll be able to use that as part of the process of verifying that they are you. What's really funny about this, as I mention this, then a bunch of people will say, “Well, because of COPA.” In America, the Child Online Protection Act, so COPA says you've got to be 13. I was like, “All right. Just ask them, are you 13?” The really funny thing is people say, “No, you can't do that because they might lie.”

Keeping in mind that people on the inside have their own interpretations. They said, “I don't know what the actual strict letter of the law is,” but one of the things I've heard people say is, “Well, you're not allowed to ask are you this age or not.” Then, just tangentially, in Australia, if you go to a website, let's say you go to a Jim Beam website, or a Jack Daniel's website, and it's alcohol related, it's just a checkbox. Are you 18 or not? Yes, check, bam. So clearly, no verification, but let's say you've actually got to ask for the actual date of birth, you can't have just a Boolean question.

I said, “All right, well, ask for the date of birth. Figure out the age and if it's less than 13, don't let them in. You don't need to store this, you don't need to know what their age is, you just need to know that they are at the age of 13 or more.” This is a really good example: if you do get one of these prompts, lie. I hate saying this, but just lie. Incidentally, a lot of people do, because when I get data breaches with date of birth, the prevalence of people born on the first of January far outweighs any other day of the year.

Yeah. I know someone who lied about his date of birth when he signed up for Facebook. It always reminds you of all your friends. Hey, it's so and so's birthday. He gets all of these birthday wishes on his fake birthday. He just laughs about it. Facebook doesn't allow you to fix it but it's like well, should I even try to fix it? Everybody knows your birthday because you announced it to the world.

This is where it also gets very messed up. I've had a couple of experiences with Twitter. I logged into my Have I Been Pwned account one day, and Twitter popped up a message and said, “Hey, why don't you put the birth date in here?” It literally prompted me. I publicly announced it the day I launched the thing. Maybe that's not a bad idea, put the date in, and immediately it just comes back as you're locked out because you're under 13. It's not a person. It's a company. How are you doing this?

It was kind of a scam that, “Hey, if you set your birthdate to this year, you'll get some special skin that nobody else has,” but it was making you under 13 and locked you out of your account.

It's crazy, right? Like no warning, no, “Are you really sure?” No “this will lock you out,” just bam. That's bad, but at least I managed to get the account back, only because I knew people, because there were a lot of other people who ended up dealing with this for months. The one that was worse that I heard recently is a friend of mine has a daughter who's 18. She had a Twitter account many, many years ago, now she's a super responsible, smart kid, and she's using it in exactly the way I as a parent hope my kids use Twitter in the future. She's now of age. She gets prompted at some point to enter the birthday and she's done that. The same thing happened. They went, “You had this account before you were 13.” They have permanently killed the account. No recourse, can never get it back, which is really, really poor.

So it was banned, because it previously violated the Terms of Service.

Correct.

That's scary.

Yeah. She was really distraught because she's like, “Look, I've got all of these interactions,” and part of this was first starting to build her online profile and her career. And then she did a lot of blogging, things that were really good, healthy, legitimate things. Be careful of age. It bites you the other way too. My son who's now 10 a couple years ago said he wanted to be able to like YouTube videos so he could find them again.

That's a life skill. This is something that you should be able to do. It's YouTube so he needs a Google account. You can't get a Google account unless you're 13, no problem, so just lie. He's coming to me again, “Dad, how come I keep seeing scary clowns every time I watch YouTube?” “Well, that's because you're 18, son.” That's weird. The frustration I have with that as well is a lot of it comes back to COPA. Obviously, in American law, a very small slice of the world is based in America, and then the rest of us are in other places.

Then you get to Europe, and then they've got different interpretations of what age you should be, but it's a government mandated kind of patent. In the case of this friend of mine, a very mature switched on kid, they've got to be exactly the same age as the young immature ratbags.

We're talking about limiting what you share, who you share it with, as far as web properties, and always thinking, “Well, why do they need this? Do they really need this information, and if so, why do they need it?” A lot of times you go on this new ecommerce site and they allow you to pay with PayPal or you can enter the credit card number on their site. Would you suggest that people use services like PayPal, rather than providing a credit card to each and every ecommerce platform that they purchase from, in that you've limited the exposure of your credit card number to a payment provider like PayPal, versus maybe a mom and pop ecommerce store who's using an insecure shopping cart, or an insecure credit card processing system, or storing credit cards on the website, in order to limit the exposure of credit card numbers?

Yes and no. The reason why I hesitate is I think credit cards get more credit than what they do for how sensitive they are. Let me explain this. I've had my credit card defrauded multiple times. I don't know from where, it's just been defrauded. What generally tends to happen is the bank gets in touch with me and they say, “Hey, we've noticed some fraudulent activity on your card,” and you look at it and you go, “Yeah, that is actually fraudulent activity.” So they go, “Okay, we'll cancel the card. We'll give you the money back. We'll have a new card in your letterbox like two or three days later, and you have to update your direct debits.”

It's a bit of a pain in the back, but that's the extent of the damage. I honestly don't care too much if that is the impact and it happens once every couple years or something like that. It's just interesting that when there are data breaches and things, you see organizations in particular pop up and they go, “Yeah, we've had a data breach.” Well, firstly, they say, “We take the security seriously, by the way.” Well you didn't take it seriously, it's just been stolen. It's like your passwords out there, your date of birth, your home address, but good news, your credit card is all right.

That’s the thing I care least about. I can't change my date of birth. If I've used my password anywhere else, like the vast majority of people do, I've now got a really serious big problem. The credit card is the easiest thing. I don't really care about the credit card, but organizations care about the credit card because they need to remain PCI compliant because that's how they sell things. Having said all that, these days, a lot of payment is done via providers like Stripe. For example, I have an API key on Have I Been Pwned, you can buy.

I never see anyone's credit card, orders go to Stripe, not my problem. The prevalence with which your card is accessible to the service that you're literally seeing in your browser is actually quite low. That said, there are other attacks we've been seeing that made you get attacks with a run script on the page and they get keyloggers and they capture everything. Different story, there's still risk there. The PayPal side of things, to be honest, me personally, I don't really care either way.

I use PayPal for a few things. If I've got a bit of credit in there, if I don't, well then I'll just use the credit card. I do appreciate that debit cards don't get the same fraud protections as what you get with a credit card, so that might be a good example. Then we could also go, “Well, why don't we use Bitcoin? We solved a bunch of other problems with either Bitcoin or other cryptocurrencies.”

I don't really think that's where the problem is. With any of these things, I'm just a bit selective. I’m not going to be, if I can help it, emailing anyone my credit card details. There are still hotels out there that want that sort of thing, it’s a bit weird. PayPal, credit card, crypto, it doesn't worry me too much. All of them have their own protections in different ways.

What about SMS versus Google Authenticator, or a physical key fob? I have no opinions about it, I hear lots of people complain, “SMS is not secure. Your phone can get cloned, it's super weak.” So they often have no two-factor authentication, which to me is like, “I’d rather have weak authentication.”

Yeah, that's just stupid. I've heard that before as well. There is a nuance here we'll get to, but there's a blog post I wrote about 2FA. I called it the hierarchy of 2FA and Google Advanced protection. In there we talked about four levels of 2FA: SMS, soft token, hard token, U2F. We've got to be conscious that they all have different pros and cons in terms of security, cost, and usability.

The thing that works well with SMS is that everyone can get an SMS. No one has to do anything special in order to get an SMS. Everyone understands how to get a message. Let's just say it rounds to everyone. Ninety-nine point something percent of people understand how to use SMS. My parents can easily use it, anyone who's non-technical can easily use it. There's no cost to implement it other than the cost of sending an SMS, which can be done super, super, super cheap. We do have problems with things like cloning phones, and SIM hijacking, and all this sort of thing.

As you've just said, a password and an SMS is always going to be better than just a password on its own. This is just an immutable fact and it blows my mind that people say it's less secure in some ways because it's not. The nuance is a lot of people don't realize, but it is often possible to do account recovery via SMS alone. In fact, the same guy who had the daughter who got locked out of Twitter pinged me. I remember this, it was really a couple of years ago and he said one of the guys in the company he runs just had their entire accounts taken over, because someone managed to do password reset via SMS alone.

You've really got to go and check very carefully, particularly in your key services. If your mobile number is in there, make sure that alone is not enough to do account recovery. Even then, the effort involved in going and doing SIM hijacking is still going to be a lot more than credential stuffing, where you can just anonymously send out gazillions of requests in absolutely no time.

Anyway, SMS is there. One of the problems with SMS, regardless of all the SIM hijacking stuff, is you can still phish SMS. I mean, you as an attacker could stand up a phishing page, say, enter username, password. The form gets submitted, the attacker takes that, sends it to say Google, Google then says, “Hey, we just sent you an SMS. Can you please enter it,” and so the attacker's page responds, so it plugs into the SMS here, and then they just relay that SMS. That's a bit of a problem, I'll relay the code in SMS.

If we move into the next hierarchy of auth, we get into soft tokens. Soft tokens are great because you can just put them on any phone like this, I got my iPhone here, I run Authy. I have all my soft tokens in there. You can't just hijack that like a SIM card. Even then, just hijack is not always as trivial as people think. It's a lot harder like passwords being attacked.

With soft tokens, you've still got the phishing problem because you as a human are reading a number. If an attacker can convince you to write a number, then you've got your problem. It's also a problem with some soft tokens, including Authy. You can sync them across devices. If someone gets into your Authy account, what happens then? They recommend syncing and then turning off sync, “Hey, you got a new one. Okay, sync. Now turn it back off. Again, make sure that if someone logs into your account, they can't just sync all your tokens.”

You can't do that if you have a hard token. Many people would have heard things like the RSA tokens before. RSA tokens you can still phish, RSA tokens you can't just replicate the same way as you can a soft token, but there's a cost barrier now. You've got a physical device, you've got to pay, you've got to ship, it expires sometimes. We go all the way then to U2F, and U2F is great. I'll show you U2F. I keep one in a drawer near my desk and I've got one that looks just like this. This is actually from a company called Fijian.

I use U2F for Google's advanced protection. So every single time I log into a Google account, I've got to provide my username and password, and then it says, “Take this key,” and like literally slide it into the PC, and press the little button on it. This little gold tab here is actually a button. This can't be phished. There's no display on here that someone can say, “Hey, Troy, I read out the number,” it literally has to be physically present in the machine.

That is a really neat way of doing two-factor but it's got a barrier because it's a physical token, you're going to ship it to people. It's also got a barrier over and above SMS, which is that you've got to actually understand how the thing works. If I had to explain this to my mom, she'd be like, “Okay, we've never done this before, so what is it now? Is it a key? Can I put it in the front door? What does it do?”

Well, it doesn't also have the barrier in the sense that if you lose that token, well, no one else knows what it is. You're now missing a token and now you reissue a new token or do they assume that they're now getting phished to send out a new token.

Well, there's two interesting sides. The first is, at least in Google's advanced protection program, you have to have two keys. What you normally do is you have one that can just do USB, and then I've got another one which can do NFC and Bluetooth, and the things that my mobile phone wants to do, because I can't check a USB into my iPhone. That's the first bit.

The second bit is what happens if someone loses a soft token. This happens all the time because people get a new phone, and they set the new phone up and they don't migrate the soft tokens. Well, the answer to that is that we have recovery codes. When you first start the telephone enrollment process, it's like, “Do the QR code thing, scan it.” I can now enter the number. Great. “Now here's your recovery codes, save them somewhere safe,” which a bunch of people don't do.

You fast forward, let's say a year later, someone's rolled over to the new iPhone, and they're trying to set it up, trying to log into the website, can't log in. They've already erased the old phone and given it to the kids, so that's no good. Now you've got this problem because think about it from the perspective of the site operator. The site operator says, “Hey, you came to my site a year ago. You turned on 2FA because you told us that if someone has your username and your password, but not the token, don't let them in. And now you're coming back here and you're saying, you've got the username and the password, but you don't have the token. Can we please let you in?”

What tends to happen then is that you have to fall back to much more laborious offline, human involvement, authentication processes. If someone stays locked out of their account for some period of time, and then you've got to have enough information to verify identity. For PayPal, you've got things like the bank accounts you've transferred money to, the purchases you've made, the transaction values, things like that. But that's now slow and laborious and time consuming, not just for the individual, but for the service providers themselves as well.

It seems like every portion of multi-factor authentication does have some advantage/drawback, each one of them depending on either its technical savviness or collecting forty-five physical tokens that you have to show up with in your pocket.

Correct. What we've got to recognize is that there are upsides and downsides to all this. If we get too myopically focused on the security controls, and we neglect the usability controls, then we have a big problem. I've got another blog post, which is called Here's Why [Insert Thing Here] Is Not a Password Killer. There's a lot of technologically sound solutions out there that people say, “Look, this is great. It's going to kill passwords. It's amazing.” I get these emails all the time.

It sounds like a broken record, but I was just having a Twitter conversation literally this morning with someone who said, “Look, we shouldn't be using passwords, we should be using SQRL,” which is a standard for authentication that uses QR codes and then you point your phone there. I said to him, “How many websites do you use it on?” “None. It's not used anywhere.” “Why do you think it's not used anywhere?” Because the UX sucks.

No matter how good the security controls are, someone running that site actually wants people to log in because they're going to sell things, because that's how they pay the salary of the people implementing the security controls. It seems obvious when you say it that way but some people just get so myopically focused on just the technical implementation that they miss that broader picture.

Is the philosophy then good-enough security? We just want enough barriers to entry that it's just really unlikely that an account can be compromised.

It's always a balance, right? It really depends on what it is even if you take Google's advanced protection. This stuff works great. If anyone listening to this has got a Google account, and they really want to keep it locked down, go turn this on, but I noticed even for them, I was reading this the other day. They've got a bit of a caveat here, where they say this is who it's targeted to. If I go to get stronger account security with advanced protection, they talk about things like journalists and activists. Advanced protection is recommended for anyone who is at risk of targeted online attacks such as journalists, activists, business leaders, and IT admins.

I would not get my mom and dad to go and turn this on. I think it poses too much of a barrier to entry to them. I don't think it's going to be much fun. If you get locked out, I think the verification process and they're both on Gmail, so that would probably not be much fun, trying to get back into Gmail.

If you're a well-known named individual, it sounds like these attacks are specifically targeting the individual rather than just credential stuffing, “Hey, we're going to go through millions of accounts and hope we can get into one. We're trying to get into this particular individual's account.”

Correct. I think that the right criteria to be on there is that you're in a high risk position or you're technically advanced enough to probably not screw it up, one of those things.

We all want to be that person who's technically advanced enough not to screw it up.

That's it.

Is there any final advice that you want to give to people to protect themselves online, whether it's data breaches or just the wider sense of protecting yourself?

I think maybe it’s a fun exercise, and particularly for anyone watching this who's a bit more technically inclined, go and try and break into your own account. Do the “hack yourself first” thing. Like, if you've got your Twitter account, you're worried, “Could someone possibly get in my Twitter account, what are the ways?” Go to another machine, go to the incognito window, something like this, try and do password recovery. If you've got a mobile phone number on there, can you do password reset just via mobile? Does the process disclose information such as a partial mobile phone number? Because that in itself is leaking information.

What happens if you got 2FA turned on and you actually know the password? Does that actually stop someone from getting in? I did this myself a little while ago, in fact, after I'd heard that story from the friend of mine who had his account taken over just with an SMS. It was fascinating to look at the different services. I really need to tweak that one a little bit, and that one a little bit. I think putting that offensive hat on against yourself with a view to improving your own security posture is a really good idea.

Obviously, I'm sure you recommend everyone go to Have I Been Pwned and enter your email address to really find out. Maybe you don't want to know, the threat can be a little bit frightening for some people, but really find out: have your accounts been compromised at some point? Are they at risk?

It's one of those things that you want to know, right? You want to know if it's happened. Definitely do that. You can do domain searches for free as well. If you can verify that you control the domain, do that. You'll see that there's some password product placement on there as well. If you don't have a password manager, go and get that and make sure that you put all of your things in there and make them unique.

Turn on 2FA on all the things that you possibly can: 2FA, multi-step, MFA, whichever they want to call it. Do this proactively because it's almost a little bit like ransomware. If it happens, it's then too late later on to go, “Yeah, maybe I should have had backups and that sort of thing.” You've got to do it in advance. Even today, I don't want to do this stuff but there's a bunch of stuff I have to go and proactively do because otherwise it'll be too late.

That sounds like a great note to close out this episode. I really appreciate you taking the time to come on and chat with us. Maybe it frightened some of us into better security.

No problem. My pleasure, Chris.
