It's really the classic case study in information (in)security and the need for strong authentication. With all due respect to the good people at Yahoo!, this opportunity to review Internet security mechanisms is too good and too useful to pass up.
By now, we all know Republican vice-presidential candidate Sarah Palin's Yahoo! email account was broken into on Tuesday night (read the link to get the details). Apparently (and fairly obviously), access was gained via the forgotten password mechanism on the Yahoo! webmail interface, which allowed the malicious person to reset the profile's password with just a few pieces of information about the Alaska governor (birthdate, ZIP code and a piece of info related to where she met her spouse) that could be easily discovered by searching Google. That fact that so much of Palin's life history has been documented on the Web makes her that much more vulnerable to knowledge-based security mechanism hacks. It should also be noted that some security questions are better (or stronger) than others, so it's important that questions you choose for online protection are not ones that can be answered with information available on the Internet.
We security folk frequently talk about something called "multifactor authentication." By "multifactor" we mean an authentication process that requires two or more of the following:
- Something you know (passwords, user names, answers to questions)
- Something you have (token, device, phone, etc.)
- Something you are (physical fingerprint, voiceprint, or other biometric measure such as a verifiable, non-spoofable behavior (some call this "something you do"))
Most multifactor auth systems are pretty easy to recognize. You know them when you see them. Those key fobs or cards with the revolving digits that you have to provide at login are a common example. They're also fairly expensive and complicated. Some multifactor technologies are easier to use than others. There are a variety of behind-the scenes systems that track user behavior and other markers to determine if the person accessing an account is the legitimate user or a bad guy, for example. A well-designed and well-implemented system balances usability with security strength, and some systems yield higher results in that regard than others.
In this particular case, the bad guy was able to leverage only things he knew (found via a search engine) to change the password on the account and gain access to the Yahoo! Mail account. No other verification or mechanism was required. That's simply weak security in this day and age.
I walked through the account password reset system on my Yahoo! account, just so I could get a first-hand look at how it works and how simple it is to reset an account there. Honestly, it was a little too easy. Here are the details (you can click each image to see them full-size):
First of all, I selected the option on the login screen that says, "Forgot your ID or password?"
Next I was prompted either to supply an email address for reset, or to choose the option to reset without access to a registered email account (which to me was an immediate red flag). Obviously, I chose the latter.
This is where the security mechanism breaks down. I'm immediately asked to answer a "secret" security question. This process is called knowledge-based authentication. It's an additional layer of validation in a single-factor authentication scheme - I have to provide "something else I know." Even in my case it's information that could be fairly easily discovered (assuming I answered the question accurately). It should also be noted that in order to change my security question, I need to contact Yahoo! customer support (which I did).
Once I supply the correct answer to a single question, I'm immediately allowed to change my password. At this point it should be noted that if I was prompted to answer multiple questions in this validation workflow, using some randomization of questions and setting a time limit to answer each one, that would at least make it more difficult for someone to gain unauthorized access. Systems are available to do exactly that (I know, I used to manage a team that built one such authentication app).
I'm asked to verify my ZIP code and country (just for profile information), and that's it. Note that other analyses of this process seemed to say that providing the ZIP code and Country was required to reset, but that was not the case in my review. In fact, it appears the bad guy is just being handed that information after changing the password, for free. Take that info, stick it in your Google and smoke it: More search accuracy for the next phase in your attack. Not good.
I'm then notified that my account is now "up to date." I also got an email notifying me of the changes that were made to an account I had tied to the Yahoo! profile for communication purposes. At least I can rest assured that I'll get an email before the bad guy goes into my profile and removes that address from the account.
I think you're starting to get the picture. The authentication mechanism is only as strong as it's weakest part, and the fact that I have an option to reset without ever having to leave the browser window is a problem. Even changing the system to require that I receive an email (which is already the standard reset mechanism) would be better. As it stands today, that's an option, but not a requirement.
Many will argue that hey, it's just an email account, and that Yahoo! can't be expected to implement stronger security on their site as a requirement. I say that's flat out wrong (and what the account was or wasn't used for isn't particularly relevant to this analysis). Email is the number one mechanism used to move information - both innocuous and sensitive - among people. The fact that it's not the best mechanism for doing so ignores the fact that it's how people do things. There are a variety of options available to help ensure only authorized users can get access to email accounts. The fact they are not regularly implemented is a sad state of affairs.
There are many options to strengthen the identification and authentication processes. We can't discuss them all here, but a couple on my mind are described below.
Physical tokens - Making the jump from only having to remember a user name (which is usually the email address, so hardly a secret ) and a password to a scheme where one must carry a token and provide information from it in order to log in is quite a leap (carrying yet another piece of technology around doesn't exactly appeal to me), but it works. The costs associated with fulfilling, supporting and maintaining such a system are very real, and for Yahoo! may not be realistic. But there are systems available to those who know and choose to use them that can substially improve your authentication profile. Check out Omar Shahine's recent blog entry describing how he's securing his accounts in a few ways, including with an OpenID-integrated single-sign-on token system from Verisign.
But, even if you use an OpenID to sign in, what if your OpenID is a Yahoo! ID or other identity that you can reset with a single piece of discoverable knowledge? It still needs to be protected from unauthorized changes and access.
How to do that? There are several ways. I have a couple of favorites, but please feel free to share yours.
Require security changes to take place out of band - One option, probably quicker and less expensive to implement than physical tokens, is using something like an automated telephone call or text message to require the owner of the account to verify a change should be allowed. By registering one or more phone numbers when the account is created and requiring a unique secret be provided via that channel to authorize a change, one can sufficiently secure the account. Vidoop uses a system like this for resetting information on their OpenID accounts. It's simple and it works. It requires me to have the correct device (my phone), uses a different communication channel (the phone network, hence "out-of-band") to contact me and then verifies I am a legitimate user. It requires me to interact as part of any change.
But the technology options get even better: JanRain's myOpenID, for example, now has a feature called "CallVerfID" that equips your myOpenID for two-factor authentication via the phone. It's quick and easy to set up and instantly protects every login with a multifactor authentication mechanism. I found I was not able to use it with a couple phone services due to the way they answer the call (I should provide feedback about that, added to my to-do list), but when set up for my cell or home phone it works as advertised.
Expect more of this class of technology in the future. Think, for example, about voice biometrics: Is that really you that's answering your phone? That kind of technology would be very cool if it was reliable. It's a complicated but useful technology that's being refined even as we discuss this.
I would guess that "review of all Internet email accounts" has been added to every campaign manager's list of things to do deal with early in the vetting process (not to mention the Secret Service's list). Any of the technologies above would likely have prevented the malicious bad guy from accessing the Yahoo! email account.
In the security world, change only happens when enough people make enough noise, a regulator gives an order, or enough companies feel enough financial pain. This looks like one of those cases where noise is the better option. It's certainly better than regulatory mandates (which tend to create collateral damage), and waiting on big companies to suffer is not exactly a reliable plan.
So... Feeling okay? How safe is your account, really?