Posts Tagged ‘PIN’

Security professionals have been begging people to secure their mobile devices with a strong passcode for years. Yes, it’s a pain to have to type in all those characters on a tiny keyboard, but the alternative is that anyone who can put their hands on your phone could read all your emails, texts and pics, view your phone history, see everywhere you’ve gone and install malware that will keep track of all of this remotely (plus turn on your mic to listen in on your conversations even when you aren’t making a call — ditto with the camera).

Maybe your life is an open book and you don’t care about privacy. Surely you care about your bank account, your reputation and your company’s confidential information, which, if not protected, could, at minimum, cost you your job (if not bankrupt the organization). Yes, a bad guy could use your phone’s mobile banking app to raid your funds or satisfy the second factor login requirement your financial institution’s web site requires for users of a web browser (assuming you bothered to set up those protections).

Many think, “OK, I’ll do a 4-digit PIN and that will be enough, right?” On the surface it sounds like a reasonable compromise. It’s not as inconvenient as an 8-character, alphanumeric passcode, but it still would mean that a hacker would have to try, on average, 5,000 different numeric combinations (half the total of 10,000 possibilities since the odds would be 50-50 of a correct guess at that point) to break in and who has that kind of time? Better still, the reasoning goes, “I’ve turned on that setting that automatically wipes the device after 10 incorrect tries, so the bad guy would have to be incredibly lucky to guess the right sequence that quickly.”

As the saying goes, “there’s nothing more dangerous than presumed security.”

What is being assumed, in this case, is that someone won’t come along and build a box that could automate the process of entering all those possible PINs and, here’s the kicker, disconnect the power supply on the device before it has a chance to wipe the phone’s storage after an incorrect guess. In other words, unlimited tries with no penalty. And what if the process of trying all 10,000 combinations could be done in roughly 4.5 days (bearing in mind that this is the worst case for the bad guy and the best case could be just a few seconds)? And what if this box only cost about $300?

What this means is that anyone who steals your phone (or just has access to it for some reasonable period of time, such as while you are asleep) could do all the nasty stuff described above to your bank account, company, Twitter feed, emails, photos and so forth. Well, that scenario exists.
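To make the post’s arithmetic concrete, here is an added example (not code from the original post) that models the attacker’s cost for several passcode policies. The only figure it takes from the post is that all 10,000 four-digit PINs can be tried in about 4.5 days; the per-guess time derived from that (about 39 seconds) is assumed to apply to the other policies, and the 6-digit and 8-character alphanumeric policies are added for comparison.

```python
"""Brute-force model for the numeric-PIN scenario in the post (added example,
not the post's own code). The one figure taken from the post is that all
10,000 four-digit PINs can be tried in about 4.5 days; the ~39 s per guess
derived from it is assumed to hold for the other policies compared here."""
from dataclasses import dataclass
from typing import Optional
import string

SECONDS_PER_DAY = 86_400
SECONDS_PER_GUESS = 4.5 * SECONDS_PER_DAY / 10_000  # post: 10,000 PINs in 4.5 days

@dataclass(frozen=True)
class Policy:
    name: str
    alphabet_size: int                       # symbols a user may choose from
    length: int                              # passcode length
    lockout_attempts: Optional[int] = None   # wipe after N failures; None = no limit

def keyspace(policy: Policy) -> int:
    return policy.alphabet_size ** policy.length

def worst_case_days(policy: Policy) -> float:
    """Days to try every combination (the attacker's worst case)."""
    return keyspace(policy) * SECONDS_PER_GUESS / SECONDS_PER_DAY

def average_days(policy: Policy) -> float:
    """Expected days: half the keyspace, as the post reasons."""
    return worst_case_days(policy) / 2

def success_probability(policy: Policy, wipe_bypassed: bool) -> float:
    """Chance of hitting the code before the auto-wipe triggers. With the
    wipe enforced only `lockout_attempts` guesses are possible; the
    power-cut trick the post describes removes that limit entirely."""
    if wipe_bypassed or policy.lockout_attempts is None:
        return 1.0
    return min(1.0, policy.lockout_attempts / keyspace(policy))

PIN4 = Policy("4-digit PIN", 10, 4, lockout_attempts=10)
PIN6 = Policy("6-digit PIN", 10, 6, lockout_attempts=10)
ALNUM8 = Policy("8-char alphanumeric", len(string.ascii_letters + string.digits), 8, 10)

if __name__ == "__main__":
    for p in (PIN4, PIN6, ALNUM8):
        print(f"{p.name:20s} keyspace={keyspace(p):>16,d} avg={average_days(p):>15,.1f} d"
              f" P(wipe on)={success_probability(p, False):.6f}"
              f" P(wipe bypassed)={success_probability(p, True):.1f}")
```

The output shows the point the post makes: the 10-try wipe reduces a 4-digit PIN attack to a 0.1% chance of success, and bypassing it restores a near-certain 2.25-day average, while the longer policies push the average into years.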

So, while it may be a royal pain to enter that complex, 8-character passcode, it is, unfortunately, necessary. As an alternative, if you have one of the newer iPhones, you could simplify things with a fingerprint scan using the built-in Touch ID sensor. No, it isn’t perfect either. Nothing in security ever is, but it could be a better trade-off than the venerable but broken 4-digit PIN.


In an IT context, authentication is the process by which you prove that you are who you claim to be when trying to log in to a system. It can be accomplished by providing something you:

  • know (a password or PIN)
  • have (smart card or security token)
  • are (a biometric reading such as a fingerprint or iris image)

The vast majority of systems rely on the first option — knowledge-based authentication (KBA) — because it’s easier to implement and is presumed to be cheaper. The ease of implementation is pretty obvious, since it only takes a few lines of code to ask someone for a password and compare it to what you already have registered for that user in the database. The assumption on the cost part is more dubious when you take into account the often hidden cost of having help desk agents reset passwords at roughly $25 a pop, not to mention the cost of trying to recover from a breach when passwords have been harvested through an attack on the infrastructure or simply guessed by an attacker because the user chose a trivial one.

In an effort to avoid the cost of acquiring and rolling out hardware readers that are typically needed for the other two options, many organizations have taken to doubling down on KBA approaches by asking users to answer additional questions that, presumably, only they would know the answer to. The problem is that most of these questions are poorly chosen and are often not very private in nature (e.g. mother’s maiden name, high school mascot, etc.).

Systems that do a better job by actually digging into your past and asking you to, for instance, identify which of the following addresses are ones that you have lived at and who were the co-signers on the mortgages are a little harder for the bad guys but not impossible since much of that information exists in online public records.

Worse still is news this week that some of the databases containing this sort of “private” information about you, which credit bureaus and others use to establish your identity, have been breached. A KrebsOnSecurity article reports that:

An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America’s largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

The Web site ssndob[dot]ms (hereafter referred to simply as SSNDOB) has for the past two years marketed itself on underground cybercrime forums as a reliable and affordable service that customers can use to look up SSNs, birthdays and other personal data on any U.S. resident. Prices range from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.

The article goes on to say that the compromised data came from systems at Lexis-Nexis, Dun & Bradstreet and Kroll Background America. Assuming this information really is circulating on the Internet, it becomes clear that it can’t be relied upon for authentication, because it’s no longer something that only the user in question would know — yet another nail in the coffin of KBA systems for anything other than low-security applications.

Never mind what the NSA may or may not know about you or Google or Facebook or Apple or any of the other thousands of companies that track us and leverage the power of “Big Data” to try to know us even better than we know ourselves in order to sell us things we didn’t even know we wanted. The real risk of having all your secrets no longer be yours or secret is that now a bad guy can convince your bank, your mortgage company, your stock broker, etc., that he is you because he knows the info that supposedly only you know. Only it just isn’t so…