Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
1/11/2018
09:00 AM
Lori MacVittie
Lori MacVittie
Partner Perspectives
50%
50%

Why Facebook Security Questions Are no Substitute for MFA

If identity is established based on one thing you know and one thing you have, the latter should not also be a thing you know because in the sharing economy, we share everything.

If you’ve been on Facebook any length of time, you’ve probably scrolled by one of those "let’s get to know each other" status updates. These seemingly innocuous exhortations to share information make my teeth itch.

It’s not because I’m not into sharing with friends, or divulging sometimes quite personal information. It’s because this data is increasingly part of the security equation that “protects” even more sensitive personal data.

Yes, the scare quotes are necessary in this case.

I present as Exhibit A this screen capture of a fairly well-known cloud app which recently updated its security questions. It appears scarily like those lists you see on Facebook, lists that are shared and re-shared no matter how many times you might offer a kind, cautioning word against them.

My favorite color, by the way, is black. Or at least it will be until something darker comes along.

While marginally better than asking for personal information that is just as easily discovered on the Web —your mother’s maiden name, where you were born (my mother claims it was in a barn based on my habit of leaving doors open as a child), what high school you graduated from—the fact remains that these questions are useless for verifying identity.

Seriously, how many colors are there? And how many of us share the same love of one of those limited choices?

The answers to these questions aren’t that hard to guess in case a quick search doesn’t turn them up. Because, while we’re great at sharing, we aren’t so great at managing admittedly sconfusing privacy settings on social media, and some things are a matter of public record. Check an obituary sometime. You’ll quickly find not only my maiden name, but my mother’s maiden name and the names of all my siblings and their children and … See, it’s not that hard to find information if you know where to look. A new upcoming breach trends research report by F5 Labs, studies data breaches over the past decade and concludes that “there have been so many breaches that attacker databases are enrichened to the point where they can impersonate an individual and answer secret questions to get direct access to accounts without ever having to work through the impacted party.”

It is also true that passwords are not enough. Credential stuffing is a real threat, and the upcoming F5 Labs breach trends report discovered that 33% of the breaches started with identity attacks, of which phishing was the primary root cause. Many of the malicious URLs clicked on, or malware files opened, in phishing attacks collect credentials, which are then sold and used to gain illicit access to corporate systems.

Security questions are used as a secondary source of identity verification. They simulate, albeit poorly, the second-factor in a multi-factor authentication (MFA) strategy. But they do so with stunning inadequacy. MFA is based on the premise that identity is established based on one thing you know and one thing you have. The latter should not also be a thing you know, because in the sharing economy, we share everything—whether we should or not.

MFA is a good idea. It’s not always convenient;  we use it extensively at F5, so I say that as a user, but it is safer. And that’s the point. Because it’s really hard to duplicate a one-time password from an isolated key, but it’s pretty easy to figure out my pet’s name, thanks to Facebook, Twitter and others.

So, if your implementation of MFA uses Facebook favorite lists or any other security questions as a second form of authentication, you need to rethink your strategy.

Get the latest application threat intelligence from F5 Labs.

Lori MacVittie is the principal technical evangelist for cloud computing, cloud and application security, and application delivery and is responsible for education and evangelism across F5's entire product suite. MacVittie has extensive development and technical architecture ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Richard PM
50%
50%
Richard PM,
User Rank: Apprentice
1/11/2018 | 1:59:19 PM
Use incorrect info
If you are using the correct info you are doing it wrong. In very few cases the answer does not even have to match the type of question. For instance you could answer the mothers maiden name or favorite color questions with Pineapple or Bananna. All the sites do is match the answer you give them initially to see if they match and no one is going to be able to find the answer anywhere. 

 

Now you obviously have to "remember" the answers you give and in my case they are in a text file buried on my computer. I suppose someone could find the file but if someone can find and use a random tex file in the ~8TB worth of files on my computer I have much bigger problems to deal with.
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12697
PUBLISHED: 2018-06-23
A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVE-2018-12698
PUBLISHED: 2018-06-23
demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVE-2018-12699
PUBLISHED: 2018-06-23
finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVE-2018-12700
PUBLISHED: 2018-06-23
A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
CVE-2018-11560
PUBLISHED: 2018-06-23
The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.