Rocky Mountain Bank should be more solid now

I’m tired of yelling and complaining about data breaches.  As a result, I think I’m going to change my tune.

Take, for example, Rocky Mountain Bank of Wyoming USA.  An employee of the bank emailed sensitive details about 1375 customers to the wrong Gmail user, and now the bank is suing Google to discover who this anonymous user is, in an attempt to try and figure out just who they managed to gift their data to, and whether their gift kept on giving.    In the meantime, the Gmail account of a completely innocent bystander has been deactivated by court order.

As I see it, Rocky Mountain Bank is in their own little hell right now – they are being widely ridiculed, they have initiated an expensive legal action that can only partially assuage their fear of exploitation by a third party, they have at least 1375 really pissed off customers, and they have incurred some amount of liability and/or responsibility to those customers should their data be criminally exploited in the future.

You can think of these guys as one more incompetent organization and call them names.  Or you can think of it as one more organization whose eyes have been opened to the cost and danger of playing fast and loose with customer privacy.  Perhaps we simply have to hit a tipping point where enough people are close enough to enough victims that our societal internal risk meter changes.  If you look at it that way, every breach can also be viewed as an education…  and I’m a big fan of education.

So congratulations Rocky Mountain Bank on having your eyes opened as a corporation, serving as an example for others, and personally educating 1375 otherwise clueless end users.  It is appreciated.

Sears == Slimy

I want to talk about the Sears Holding Company, and I have nothing nice to say.

They encouraged their own Sears and Kmart CUSTOMERS to download a piece of software that seriously compromised privacy, transmitting banking details, unrelated shopping card details, and online prescription orders back to the mothership.

To me, this is worse than an accidental breach.  This isn’t about ignorance or stupidity, but about willful intent to do harm.  A whole group of people inside this organization decided it was a good idea to write a piece of software that “monitored consumers’ online secure sessions – including sessions on third parties’ Web sites – and collected consumers’ personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for Web-based e-mails” (from the FTC notice).   How could this project be designed, written, approved, and then evangelized without anyone raising the ethical issues?  How about the lack of respect shown to the very group of people whose privacy the Sears Holding group should have felt beholden to protect?  Worse, why *could* it be done? Oh yes, right.  We all use operating systems every day that have an egregious lack of granularity in access control.

There is little to do except spit in Sears’ general direction – so I do.   Ptooey.

So funny I forgot to laugh

Have you ever had to enter CHARACTERS from your password to log in?   No?  Me either.  How would you feel if you entered your credit card number into your credit card provider’s website and instead of the usual password you were given this screen:

Yer kidding RIGHT?

This is the second screen of my credit card provider’s authentication workflow.  They are asking me to answer my “Personal Identification Question”, and asking me to type 3 random digits of my password instead of my entire password.  The ramifications of this set of implementation choices just blows my mind.    Three strikes and you’re out, if you ask me:

1. Downright Terrible Personal Identification Questions

Worst Security Questions EVARAnyone who reads my blog can probably figure out my favorite hobby, I even mention it on my about page.  That question was one of five terrible security questions. Three of the questions are standard web access management fare. They aren’t great, but at least the 8-character minimum character limit keeps away answers like “golf”, “ford”, and “rex”.   The other two questions are in my mind criminal however.  No financial institution should give a customer the option to use their mother or father’s name as a method of personal identification.  I can’t believe anyone put those questions into production. The worst part: because of the list given, those two questions are the only ones that can be answered in a straightforward way while also fitting the complexity rules.

2. Removing The Guesswork from Password Hacking

Password Complexity?Then there is the 8-character password. I could have sworn that one of the variables that make a password tough to brute force is the fact that the length is unknown.  If you *know* you’re working with 8 characters, you can seriously narrow down your brute force parameters.  Plus the only punctuation allowed is an underscore.  Ouch.

3. One-way Hashes are *so* 2008

Security TheaterSince my bank is performing character matches on my password, there is no way that they are using a one-way hash algorythm to store my password.   If they were, they would be able to match the whole thing or nothing at all.  Instead, they have chosen to be able to retrieve my password and play with it.  I can only hope that it isn’t stored in clear text, but frankly anyone who asks “What is my mother’s name” as a security question can’t be too worried about security.  Don’t get me wrong,  HSBC is very worried about the appearance of security, in fact I was forced to positively acknowledge a big long page of statements about how firewalls are used, and how they require me to use 128-bit encryption. In spite off all the assurances, it seems to me that I’m at risk in a number of ways now, and all so that the password interface can be turned into a primitive and easily overcome turing test.

So, what am I missing?  Is there some brilliant element to this setup that makes up for the sins that appear to have been committed?  Something that will make me happy my credit is in the hands of this company?  I hope so, because right now I feel like maybe it’s time to do my best ‘rat leaving a sinking ship’ impression.

Seriously, Certapay?

Tell me what you think of the following series of events:

  1. I receive an email with a link in it, promising money.
  2. I click on the link and see a screen purporting to be my bank and asking for my username and password.
  3. Not trusting the page to actually be my bank, I go independently to my bank site and authenticate.
  4. Clicking again on the link from my email,   I hope to see that the bank authentication page is gone,  and that I am taken directly to the step where I answer the “security question” and get my money.   Instead, however, I find that even though I have an existing valid bank session set up in my browser,  I am still taken to a login page and forced to re-enter my credentials before the transaction will work.

I know what you’re saying! Don’t do it! It’s a phishing attack!   Sadly, this is actually what happens if you are the recipient of a Certapay INTERAC email money transfer in Canada.   It is a phisher’s wildest dream come true, don’t you think?  Even those familiar with the process will eventually stop looking at URLs and just click through the brightly colored screens to enter their banking credentials.

The whole setup is ripe for abuse.  Why, dear god, is there no way to accept a payment without typing in your banking credentials?  There certainly needs to be an authorization step, but forcing an authentication step to be bundled is both lazy and dangerous.  The worst part is that the banks are complicit in this.

The best irony of all is the email fraud section of their website security page, under the “How to Protect yourself” section says:

  • Do not share or provide your personal information.

Oh, you mean like my usernames and passwords for my entire BANK ACCOUNT????


Step 1

Picture 61

Give it up for Bozeman

What would you do if your prospective employer asked for passwords to all of your social networking sites?

According to ReadWriteWeb, if you apply to work for the city of Bozeman MT,  you are asked for a list of the domains, usernames and passwords for “any and all current personal or business websites, web pages, or memberships on any Internet-based chat rooms, social clubs or forums, to include but not limited to: Facebook, Google, Yahoo,, MySpace, etc”.

What are you looking at?First of all, these people clearly have no depth of understanding of what they are asking for — the fact that they provided only THREE spaces for someone to enter their entire web presence is obviously a travesty of a mockery of a sham.  Most people I know would have to include an excel spreadsheet as an addendum :)

Beyond that, ask yourself what exactly it is that Bozeman’s moral evaluation team could possibly wish to examine in these accounts.  Most of what you put into a social networking site is there for other people to consume.   What have you got in your accounts that you couldn’t share using less intrusive methods?

Asking for Yahoo and Google passwords gives access to a massive amount of information, the richest source being your email.  Think of the juicy things they can mine for: affairs, viagra purchases, subscriptions to pr0n sites…   Facebook accounts could be mined for private messages.  Chat rooms… seems likely that racy-sounding chat room accounts won’t make it onto the application – so how do you evaluate a benign-sounding chat room account?  Log in and see if somebody wants to talk dirty?

And what if you are having an affair? What if you’re in the closet?  What if you are part of an unusual religion?  What if you are pregnant or have an STD?    You should still be qualified for most jobs at the city of Bozeman – but do you really think that knowledge of these facts won’t influence your chances?

If a company asked you those kind of questions in the interview, you could sue. Why on earth should they be able to ask for access to go find the answers themselves?

Photo credit:

Apparently Lloyds *is* Pants

Did you read about the guy who had his password changed by a bank staff member from “lloyds is pants” to “no, its not”?

I don’t care what kind of account this guy had — shared passwords? Stored in the clear? Visible to bank staff? Password policies that state he can’t make his shared, stored-in-the-clear password for his business banking account longer than six characters, one word?

This is my favorite quote:

“In this case it was a business banking customer using a system where more than one person from a business can check their balance.

“In these cases an advisor can read the full password.

“But if such customers require more complex transactions, then full security procedures apply and advisors cannot read secure information.”

Who wants partial security procedures?  Ever?  And how could you ever trust what this bank’s idea of a full security procedure is?   I wonder how many customers use the same password for viewing their bank balance as they use for the rest of their activities with the bank?  Probably quite a few.  Good thing one of the two is protected by full security procedures, eh?

Identity X-file 0x02

I just received a notice from my national airline’s frequent flyer program (screenshot below), telling me that if the name listed in my air miles account information is different from any of my “official” identity tokens (for example because of a nickname or an initial), I will have trouble being automatically credited with my flight miles.

This is, theoretically, a technical enhancement. Now, I don’t know who exactly benefits from said enhancement, but I’m pretty sure that it isn’t the passengers of the airline, or the help desk people at Aeroplan that will have to take the irate calls and deal with people who have lost their ticket stubs and still want credit for the flight they a) paid for and b) submitted a valid unique identifier for (the Aeroplan account number).

Honestly, what is the point? There are no anti-terrorist requirements here, this policy is not from the airline, but from the frequent flyer company — all this affects is whether you get your air miles, not whether or not you get on the airplane.

It is most likely an anti-fraud measure, to protect against people who don’t actually have an Aeroplan card using another person’s card so that at least somebody gets the points – but wow, that’s some kind of low tolerance they have going there. Perhaps it is merely a coincidence that Aeroplan benefits from every airline mile not credited, since they then are guaranteed never to have to pay a redemption? But then, what do I know, I’m sure there are a lot of valid abuse cases where Fred Smith tries to rip off Aeroplan by using Fred R Smith’s air miles card on a flight… It probably happens all the time. Maybe there is a widespread Jr/Sr father & son conspiracy going on right under our noses, and this is the only way Aeroplan knows to crack down. Or maybe (entering full-scale conspiracy mode now; please don your tinfoil hats if you haven’t already) this is a subtle way to influence which identity token people use, since (for example) my drivers license has a different naming format from my passport — since I can’t set my Aeroplan account to BOTH formats simultaneously, it would seem that the easiest thing to do would be to always use my passport.

But seriously, naming data is notoriously volatile. This is not a new concept. To put into effect name-checking measures that cannot take such volatility into account is just stupid. Either their software is incapable of setting a reasonable threshold, or the company is choosing to set the threshold where it is – no matter which is the case, you just have to wonder what the exact cost vs. reward calculation is, because it isn’t obvious to me…

Identity X-file 0x02

Identity X-File 0x00

Due to serious last-minute site issues, Dale & I ended up pulling an all-nighter (fuelled by a good bottle of port and a LOT of water) the Sunday before RSA, in order to get up, running, and stable. I ended up registering with a hastily-chosen web hosting company in the wee hours of the morning. Luckily I did not have to use the account right away, as Dale & I were pursuing parallel possibilities for site hosting, and Dale’s plan materialized before mine did. My heartfelt thanks to the Olds family for letting me hijack their home MythTV linux box for a week, it was a lifesaver :)

Once the demos finished that Friday, I prepared to port my site over to what I hoped to be a long-term home for When I clicked the web hosting administration link from the site email, however, I was *very* surprised to be taken to my administration page without being prompted for the password I’d given when I registered. This is what I saw:

Note the line in the above screen-shot that says:

“Page contain your password and account number – please do not share this page URL and never paste this link in public forums or in instant messages softwares”

So – just to confirm my worst fears, I went to the main page and clicked on the “client login” link — and here’s what I saw:

Yep, I had paid late-night desperation money to a company who uses two static elements to authenticate – username and account number. Not only that, they allow those static elements to be passed as query string elements of a URL, which once accessed, display my FTP account password in CLEAR TEXT!!! If these guys think that keeping such a URL out of IM and public BBs is enough to keep it from being discoverable, they are on crack.

Call me crazy, but I consider this kind of protection to be just a wee tad risky. I’m certainly not going to go to all sorts of trouble to build any kind of CardSpace infrastructure on top of this service, what would be the point? Sure, the transactions would be secure, but the foundation it was built on would be just hanging out there, ripe pickings for someone with the right skills. Thinking about all the ways to get hacked makes me feel panicked in general, but for the love of Pete, there’s no point in handing it to them on a silver platter…

As a result, this web hosting service has the dubious honor of becoming the first entry in the Identity X-Files. Nice work…

(BTW, has since found a permanent home, and it isn’t at the company above. Just in case you were wondering.)

Identity X-Files

You know, there are some funny things going on out on that there intarweb. Things that shouldn’t happen, but do anyways. Where such things intersect with identity & access management, I’d like these stories to be linked – because I think that as a body of information, they tell a story that needs to be heard. I’m not interested in pointing fingers at the companies involved (brings to mind images of rocks & glass houses, you know what I mean), but I would like if possible, to start conversations in this area, for the benefit of all.

So I hearby open the “Identity X-Files”. If you find something on the net that scares you from an identity or access perspective, send it to me, I’d love to add it to my collection. Or post it under this tag, and let me know so I can link to it.