Increasingly, the pilfering of financial and credit card information is occurring from inside organizations. The method? Exploiting a common weakness - fixed passwords.
In a recent, highly publicized case in the United States, over 30,000 credit reports were allegedly sold to identity thieves by a helpdesk employee at a third-party credit reporting software company in Long Island, New York. How did the Long Island helpdesk employee get access to those credit reports? By stealing the fixed passwords of his company's clients: Ford Motor Credit Company, Washington Mutual and other financial institutions. The customers of these financial institutions lost over $3 million, and in many cases saw their financial status ruined by the thieves.
Fixed passwords may be the most common way to authenticate into networks, but they are one of the least secure. Passwords can easily be hacked using a wide variety of attacks, including sniffing, brute force attacks, dictionary attacks, personal information gathering, and even tricking users into revealing their passwords. Many industry experts estimate that 30 percent to 40 percent of companies' network passwords can be hacked within five minutes.
Do stronger password policies really help?
Security experts often recommend implementing stronger policies to protect passwords against these common attacks. These include: mandating passwords of at least six or eight characters; forcing users to change their passwords every 30 days; not allowing users to "replay" a previously used password; no dictionary, slang or industry words; requiring at least one uppercase letter, one lowercase letter, one numeric character and one symbol; no birthdays or social security numbers; no proper names - the list goes on and on. (One government agency has a password policy that's 30 pages long.) Some experts even recommend that users develop complex schemes for their passwords, including learning a mnemonic alphabet or secret codes. Passwords based on these schemes often look like "G1w$#Ih5W" or "A1Gr1%nFl."
The problem, of course, is that the more complex the password policy, the harder the resulting passwords are for users to remember. As a result, users write their hard-to-remember passwords down, leaving them taped to monitors, under keyboards, or in top drawers, which completely undermines security.
And these complex fixed password schemes are still subject to the kind of attack that compromised the financial institutions in the above case. A third party had access to the passwords and sold them. Each password could have been as weak as "MyDogSpot" or "Rhonda14" - or as complex as "Yc'tUgB$a^" - and they still would have been compromised.
Fixed passwords, no matter how 'unguessable,' can always fall victim to this kind of attack. The password buyers can use the compromised passwords for days, weeks, or, if the timing is right, a few months before the passwords get changed. Clearly, fixed passwords are nowhere near strong enough to protect this valuable information.
How vigilant do you have to be?
In order to protect against identity theft, the U.S. Department of Justice recommends vigilance in giving out personal information (particularly social security numbers and bank account numbers), and checking financial statements and credit reports regularly and carefully. It is also recommended to shred all financial documents - credit card receipts, account summaries, and anything with a social security number.
But it's crucial to note that the victims of the Long Island identity theft didn't have their passwords stolen; the financial institutions did. No amount of credit-card-receipt shredding could have stopped this attack.
Because of this, the responsibility for such a crime goes beyond the wrongdoing at the helpdesk level. Lawyers representing the victims are threatening to bring civil suits against the financial institutions - the institutions that were victimized by being robbed of their passwords - for failing to adequately secure their customers' private information. This has the potential to result in a legal and public relations nightmare for these credit companies - and all because of fixed passwords.
A clear way for these financial institutions to protect their customers against identity theft and the ensuing credit nightmare is to eliminate the vulnerabilities of fixed passwords altogether. This can be done by giving users the means to replace their fixed passwords with one-time passwords. If organizations require strong authentication with one-time passwords for employees and business partners who need to access confidential information, they have provided an important level of protection for their clients' records.
The best protection
The simplest example of strong authentication is an ATM card. This requires something a user has (an ATM card), and something the user knows (a PIN). Most people wouldn't want their banks to allow withdrawals of money from their account with just a PIN or just a card. Yet most people's credit histories - which are usually many times more valuable than what's in their checking accounts - are, in many cases, protected only by a fixed password.
Obviously, replacing these weak fixed passwords would eliminate these vulnerabilities. In today's marketplace, there is much talk of using smartcards or fingerprint readers to replace fixed passwords. But smartcards and fingerprint readers are costly to deploy - often $200-$300 for the hardware alone - and require IT departments to touch every machine to install hardware and drivers. Today, there are solutions available that are just as secure as smartcards and fingerprint readers (in some cases, much more secure) - and they are much less costly to purchase and deploy.
Most of the vulnerabilities of fixed passwords - stealing (as the identity thieves did), sniffing, guessing, dictionary attacks, personal information attacks - would be eliminated if users' passwords changed not every 90 days, but every time they log in.
Several solutions are available that replace fixed passwords with one-time password-generating hardware tokens. Each hardware token generates and displays single-use passwords on demand (via a unique secret key and an advanced encryption algorithm that is contained inside). The authentication server, with each user's token on file, uses the same secret key with an event counter to confirm the authenticity of each password presented by each user. After being used once, a token-generated password is then useless and thrown away by the system. If someone steals it and tries to use it again, they are denied access by the authentication server. This virtually eliminates threats from outsiders stealing, copying, or reusing passwords.
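The counter-based scheme described above (a shared secret inside the token, an event counter on the server, and single-use codes that are rejected on replay) can be shown end to end. The following is an added example and is not code from the original article or from any of the vendors it names; it uses the standardized HOTP algorithm of RFC 4226 (HMAC-SHA-1 over the counter) as a representative counter-based one-time password algorithm, which the article does not specify. The `HardwareToken` and `AuthServer` classes, the user name "alice" and the look-ahead window of 5 are constructed for illustration; the secret is the RFC 4226 test key, so the codes can be checked against the RFC's published vectors.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimals."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """Simulates the user's token (constructed): it holds the same secret as the
    server and advances its own event counter every time the button is pressed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Simulates the authentication server (constructed): per user it stores the
    secret and the next counter value it is willing to accept."""

    def __init__(self, look_ahead: int = 5):
        self.tokens = {}          # user -> [secret, next expected counter]
        self.look_ahead = look_ahead

    def enroll(self, user: str, secret: bytes) -> None:
        self.tokens[user] = [secret, 0]

    def verify(self, user: str, code: str) -> bool:
        if user not in self.tokens:
            return False
        secret, expected = self.tokens[user]
        # Tolerate a few button presses that never reached the server, but
        # never look backwards: a code at or below the last accepted counter
        # is refused, which is what makes a stolen code useless after one use.
        for c in range(expected, expected + self.look_ahead):
            if hmac.compare_digest(hotp(secret, c), code):
                self.tokens[user][1] = c + 1
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"   # RFC 4226 test secret (constructed input)
    token = HardwareToken(secret)
    server = AuthServer()
    server.enroll("alice", secret)

    first = token.press()              # counter 0 -> "755224"
    results = {"first_use": server.verify("alice", first)}
    results["replay"] = server.verify("alice", first)        # reused: refused

    skipped = token.press()            # counter 1, never submitted
    third = token.press()              # counter 2, submitted: inside look-ahead
    results["skipped_press"] = server.verify("alice", third)
    results["stale_code"] = server.verify("alice", skipped)  # behind counter: refused
    return results


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual engineering trade-off in event-based tokens: too small and a user who presses the button a few times without logging in is locked out until resynchronization; too large and an attacker who captured one code gets more guesses. Whatever the window, the server's counter only moves forward, so the captured code in the article's scenario would have been refused the moment the legitimate user (or the thief) used it once.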
If these credit agencies and financial companies had used a one-time password solution, it would have prevented the disaster described above. The helpdesk employee could not have stolen the user passwords and those 30,000 credit reports would not have been compromised. And even if the one-time passwords could have been stolen, they would have been useless to the thief because they cannot be reused.
Some of the more powerful and popular one-time password solutions are available from Secure Computing (www.securecomputing.com/safeword), RSA Security (www.rsasecurity.com/products/securid) and PassGo Technologies (www.passgo.com/products/defender). The solutions also differ in how they balance the competing needs for security and convenience, and in how they let administrators create access policies that require the appropriate level of authentication for each type of user and application.
One wonders whether the financial institutions have learned their lesson regarding strong authentication. After all, they didn't take the heat in the media for having weak passwords, and the law may or may not find them negligent. It will likely take well-informed consumers loudly insisting that their credit reports be protected with something stronger - much stronger - than fixed passwords.
Paul Ardoin is product marketing manager at Secure Computing Corp. (www.securecomputing.com)
Secure Computing are exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29 - May 1, 2003. www.infosec.co.uk