SE Labs

Posts filed under 'passwords'

Join the most secure one per cent of internet users – in minutes

Hackers have spent well over 20 years stealing users’ passwords from internet companies.

They’ve almost certainly got yours.

The good news is it’s very easy to make your passwords useless to hackers. All you do is switch on Two-Factor Authentication (2FA).

2FA is a second login layer

It works much like the second lock on your front door. If someone’s stolen or copied your Yale key, that double-lock will keep them out.

A digital double-lock is now vital for protecting your online accounts – email, banking, cloud storage, business collaboration and the rest. It’s up there with anti-malware in the league of essential security measures. And it’s much easier to pick a 2FA method than choose the right anti-malware (our Anti-Malware Protection Reports can help you there).

So 2FA is essential, easy, and doesn’t have to cost a thing. It’s a security no-brainer. So how come hardly anyone uses it?

Join the one per cent elite!

Earlier this year, Google revealed that only 10 per cent of their users have ever bothered setting up 2FA. Just a fraction of those – we estimate around one per cent of all internet users – use the most secure type of 2FA, a USB security key.

In this article we’ll show you how to join that elite one per cent for less than £20. If you’d rather watch a step-by-step demo, here’s our YouTube video.


(This blog reflects the views and research of SE Labs, an independent security testing company. We never use affiliate links.)

Why everyone in your business should use 2FA

You’re not the only person who knows your usernames and passwords. Head over to Have I Been Pwned? and type in your email address to find out how many of your accounts have been hit by hacking attacks.

A quick (and scary) web search reveals how many times your passwords have fallen prey to hackers

While you’re digesting those results, here’s a sobering statistic. More than 90 per cent of all login attempts on retail websites aren’t by actual customers, but by hackers using stolen credentials (Shape Security, July 2018).

Nearly everyone has had their passwords stolen. But hardly anyone protects their accounts using 2FA. We’re all leaving our front doors unlocked.

And as hackers plunder more and more big-name services (as well as all those services you’d forgotten you had accounts with), the more chance they have to steal the passwords you use everywhere.

This is why you must never using the same password twice. Don’t be tempted to use a pattern to help you remember them, either (‘123amazon’, ‘123google’ and so on). Hackers decode that stuff for breakfast. We’re also not keen on password managers. They’re Target Number One for hackers.

Instead, store your passwords where no-one can find them (not online!) and deadlock your accounts using 2FA. It’s the only way to make them hack-proof.

Why a USB key is the best way to lock your accounts

The ‘memorable information’ you have to enter when logging into your online bank account is a watered-down version of 2FA. Hackers can easily create spoof login pages that fool you into handing over all your info, as demonstrated in our NatWest phishing attack video.

Proper 2FA methods are much tougher to crack. They involve more than one device, so a hacker can’t simply ransack your computer and steal all pertinent data. Without the separate device, your passwords are useless to them.

Use more than one 2FA method if offered. This double-locks your double-locks – and also gives you another way into your account if one method fails. See our 2FA YouTube video for a step-by-step guide to doing this for your Google account.

Here’s a quick run-through of your options, starting with the most basic.

Google prompt
How it works: Tap your Android screen to confirm your identity.
Pros and cons: Very quick and easy, but only works with Google accounts and Android devices. Useful as a backup option.

SMS code
How it works: You’re texted (and/or voice-messaged) a PIN code to enter after your usual login.
Pros and cons: Authentication is split between two devices. It works on any mobile phone at no additional cost. But it can be slow, and the code may appear on your lock screen.

Authentication app
How it works: A free app, such as Google Authenticator, generates a unique numerical security code that you then enter on your PC.
Pros and cons: Faster and more reliable than SMS, and arguably more secure, but you’ll need a smartphone (Android or iOS).

Authenticate your logins with a code that’s sent to your phone (and only your phone)

Backup codes
How it works: A set of numerical codes that you download and then print or write down – then keep in a safe place. Each code only works once.
Pros and cons: The perfect backup method. No need for a mobile phone. A piece of paper or locally-stored computer file (with disguised filename) is easier to hide from thieves than anything online.

And the most secure 2FA method of all…

USB security key
How it works: You ‘unlock’ your accounts by plugging a unique USB stick (such as this YubiKey) into your computer.
Pros and cons: A whole list of pros. USB keys are great for business security, because your accounts remain locked even if a hacker breaches your phone. They’re convenient: no need to wait for codes then type them in. And they cost very little considering how useful they are. One key costs from £18, and is all you need to deadlock all your accounts. Buy one for all your employees – and clients!

Give a USB security key to all your employees and clients – their security (and yours) will benefit

Deadlock your Google account: a 2FA walk-through
Google lets you lock down your entire account, including Gmail and Google Drive, using multiple layers of 2FA (which it calls 2-Step Verification). It’s one of the most secure 2FA configurations you’ll find, and it’s easy to set up.

Here are the basic steps. For a more detailed step-by-step guide, see our YouTube video.

  1. Order a USB security key. Look for devices described as FIDO (‘Fast IDentity Online’) – here’s a FIDO selection on Amazon – or head straight for the Yubico YubiKey page. Expect to pay from £18 to around £40.
  2. Go to Google’s 2-Step Verification page, click Get Started then sign into your account. Choose a backup 2FA method, click Security Key, then plug in your unique USB stick. Google automatically registers it to you.
  3. Choose a second 2FA method such as SMS code, plus a backup method such as a printable code, Google prompt or authenticator app.
  4. That’s it – welcome to the top one per cent!
Double-lock your double-locks by choosing more than one 2FA method – and a backup

Deadlock all your online accounts in minutes

All reputable online services now offer 2FA options. But, as you’ll discover from the searchable database Two Factor Auth, not all services offer the best 2FA options.

For example LinkedIn only offers 2FA via SMS, and doesn’t support authenticator apps or USB security keys – the most secure types of 2FA. Even Microsoft Office 365 doesn’t yet support security keys. We expect better from services aimed at business users.

What’s more, 2FA settings tend to be well buried in account settings. No wonder hardly anyone uses them. Here’s where to click:

  • Amazon: Go to Your Account, ‘Login & security’, enter your password again, and then click Edit next to Advanced Security settings.
  • Apple: Go to the My Apple ID page then click Security, Two-Factor Authentication.
  • Dropbox: Click the Security tab to set up SMS or app authentication. To configure a USB security key, follow Dropbox’s instructions.
  • Facebook: Go to ‘Security and login’ in Settings and scroll down to ‘Use two-factor authentication’. Click Edit to get set up.
  • LinkedIn: Go to Account Settings then click Turn On to activate SMS authentication.
  • Microsoft: Log in, click Security, click the ridiculously small ‘more security options’ link, verify your identity, and then click ‘Set up two-step verification’. Doesn’t yet support USB security keys. Some Microsoft services, such as Xbox 360, still don’t support 2FA at all.
  • PayPal: Go to My Profile then click My Settings, Security Key and then Get Security Key. Don’t accept the offer to get a new code texted to you every time you log in, because then a hacker can do it too!
  • TeamViewer: Go to the login page, open the menu under your name, click Edit Profile then click Start Activation under the 2FA option. Supports authenticator apps only, not SMS.
  • Twitter: Go to ‘Settings and privacy’, Security, then tick ‘Login verification’.
  • WhatsApp: In the mobile app tap Settings, Account, ‘Two-step verification’.

17 Things Spammers Get Wrong


No one publishes successful phishing and ransomware emails. Jon Thompson thinks he knows why.

ransomware-8145580The headlines say phishing scams are at an all-time high, and ransomware is growing exponentially, but conspicuous by their absence are examples of the emails behind successful attacks. It’s becoming the cliché in the room, but there may be a reason: embarrassment.

Running an email honeypot network, you receive a flood of malicious email every day. Most is littered with glaring errors that point to lazy, inarticulate crooks trying to make the quickest buck from the least effort. When you do come across a rare, well though-out campaign, it shines like a jewel in a sea of criminal mediocrity.

To the average spammer, however, it’s all just a numbers game. He cranks the handle on the botnet, so to speak, and money comes out.

This poses an important question: why, given the quality of most malicious spam, are new ransomware infections and high profile phishing attacks still making headlines almost every single day? Clearly, we’re massively overestimating the amount of effort and intelligence invested by spammers.

With that in mind, what follows is a short list of 17 mistakes I routinely see, all of which immediately guarantee that an email is malicious. There are others, but these are the main ones. If this list reflects the mistakes found in the spam behind the headlines, then the size yet lack of sophistication of the problem should become apparent.

1.    No Subject Header

This error is particularly prevalent in ransomware campaigns. Messages whose payloads have very low VirusTotal scores are being sent with no subject header. Maybe the sender thinks it’ll pique the curiosity of the recipient, but it should also alert spam filters even before they examine the attachment.

2.    No Set Dressing

tesco-6478043

Look at any real communication from a bank, PayPal, a store, etc. It is well formatted, the HTML is clean, the language is clear, and the branding is obvious. Legitimate companies and banks don’t tend to send important messages in plain text.

3.    Generic Companies

generic-1081819

Generic companies are rare but I do occasionally see them. Who is “the other financial institution” and why has it refused my transaction? Vague, instantiated company names like this, with an accompanying attachment, are clear indicators of spam.

4.    Multiple Recipients

This is another example of laziness on the part of spammers. OK, they may have found an open relay to willingly spread messages rather than buy extra time on a botnet, but anything other than a one-to-one sender to recipient ratio should be an instant red flag.

5.    Poor Salutation

Much apparently personalised spam doesn’t use a competent salutation, or uses a salutation that is simply the user name part of the email address (i.e.: “Dear fred.smith”). It would take effort to code a script that personalises the messages by stripping off the first name and capitalising the initial. Effort is the enemy of the fast buck.

6.    No Body Text

Sending an email with a tantalizing subject header such as “Overdue – Please Respond!” but no body text explaining what or why it’s overdue is as common in commodity ransomware as having no subject header. The attack again relies entirely on the natural curiosity of the recipient, who can and should simply ignore it. Spam filters should also take a keen interest.

7.    Auto-translated Body Text

paypal2-9354648

Machine translation has the amusing habit of mapping the grammar of one language onto another, resulting in errors that no native speaker would ever make. Manual translation by a highly fluent speaker is far superior to machine translation, but the translator must also have knowledge of the subject matter for his text to appear convincing. Again, this is effort.

8.    The Third Person

This is a great example of a spam writer trying to distance himself from his crime. “PayPal has detected an anomaly in your account” and “they require you to log in to verify your account” just look weird in the context of a security challenge. This is supposed to be from PayPal, isn’t it?

9.    Finger Trouble

apple2bicloud2b2-6952704

I’m fast concluding that some cybercriminals really do wear thick leather gloves while typing, just like in the pictures. Either that or they’re blind drunk. Random punctuation marks and extra characters that look like they’ve been hit at the same time as the correct ones don’t make a good impression. Simply rejecting emails that have more than a certain percentage of spelling mistakes might prevent many of these messages from getting through.

10.    Unexpected Plurals and Tenses

Using “informations” instead of “information” is a dead giveaway for spam and should be blocked when in combination with other indicators. Phrases such as “we detect a problem” instead of “we detected a problem” also stick out a mile.

11.    Missing Definite Article

Many spam emails stand out as somehow “wrong” because they miss out the definite article. One recent example I saw read: “Access is blocked because we detect credit card linked to your PayPal account has expired.” An associated Yandex.ru return address gave the whole thing a distinct whiff of vodka.

12.    The Wrong Word

“Please review the document and revert back to us immediately”. Revert? Really? Surely, you mean “get back”, not “revert back”. It may be difficult for spam filters to weed out this kind of error, but humans should spot it without difficulty.

13.    Misplaced Emphasis

paypal-1531640

Unusually capitalised phrases such as “You must update Your details to prevent Your Account from being Suspended” look weird. Initial capitalisation isn’t used for emphasis in English sentences, and hints at someone trying to make the message sound more official and urgent than it is.

14.    Tautological Terrors

cps-7972121

“It is extremely mandatory that you respond immediately”. Not just mandatory but extremely mandatory? Wow, I’d better click that link right away! Urgent calls to action like this overplay the importance of the message in ways that mark them out as fake.

15.    Grandiosity

splayer-6973270

Using grand words where normal ones should appear to make a message sound more authoritative are a dead giveaway.  Here’s an example from last September when a gang famously tried to distribute malware on the back of a new media player release: “To solemnise the release of our new software”. Solemnise means to mark with a formal ceremony.

What they really meant was: “To mark the release of our new software”.  The whole message was also riddled with the most outrageous auto-translate errors that it made difficult reading.

16.    Overly-grand Titles

Why would the Microsoft Chief Support Manager be contacting me personally all the way from the US to give me a refund? Wouldn’t he delegate this important work to a local minion? Similarly, the head of the IMF doesn’t usually spend their days emailing strangers about ATM cards stacked high with cash.

17.    Obfuscated URLs

If the collar doesn’t match the cuffs, it’s a lie. In other words, if the message contains the name of a high-street bank (for example) and a URL from a shortening service such as bit.ly, spam filters should be blocking the message without question, regardless of the rest of the content.

How To Really Stop Phishing

If phishing sites want data, they’ll get it!
phishing-3415461
Running a honeypot, you soon realise there are four types of spam. The first is basically just adverts. Next comes social engineering spam, which is mostly advanced fee fraud. There’s a ton of cash or a pretty girl waiting if you send a small processing fee. By far the largest category is ransomware, but this is closely followed by that perennial favourite, phishing spam.

Phishing works. Its “product” nets huge profits in two ways. First, by direct use of the stolen data. Second, from sales of that data to other criminals. This got me thinking about how to fight back.

Phishing sites tend to be static replicas of the real thing, with a set of input boxes and a submit button. That is their major weakness. Another is that, though the inputs might be scrubbed to remove the possibility of a sneaky SQL injection, the information being entered might not be checked. Who’s to say that the date of birth, password, bank details etc. that you enter are real? What if you were to enter a thousand different sets of bogus information? How about a million, or even ten million?

paypal-6108084
What I propose is that when a phishing site is discovered, it would be fun to deploy a script to flood it with random data of the appropriate format for each input field. Finding real data in the collected noise would become nearly impossible, and so would help protect the innocent. If such poor-quality data is sold on to third parties, then Mr Big will soon want his money back and probably a lot more besides.

Diluting phished data to homeopathic strengths is one thing, but the general idea could be applied in other ways. One of the main tasks in running a spam honeypot is “seeding”. This involves generating email addresses to accidentally-on-purpose leave in plain sight for later harvesting by spammers. If someone were to set up a honeypot with a huge number of domains pointing to it, and with a huge number of active login accounts, those accounts can be leaked or even sold (with all profits going to charity, naturally!) as being demonstrably live and real. If the buyer tests any of them, they’ll work. Set up the honeypot in enough interesting detail, and Mr Big won’t be able to tell he’s been duped for quite some time.

Phishing is popular because it’s easy, relatively safe for the perpetrator, and highly profitable. Frustrating the efforts of criminals, casting doubt on the phished data being sold, and hopefully causing wars between cybergangs is certainly one potentially very entertaining way of fighting back.

Of course, flooding phishing sites with bogus data may already be quietly happening. I certainly hope so…

Recovering From Password Fatigue

How do we solve the need for lots of strong passwords?

xkcd2bpassword_strength-2697560Mention password strength online and someone will usually reference the famous XKCD password cartoon. If you haven’t seen it, the idea is that the entropy of the password must be as high as possible, and that this can be adequately achieved by stapling together easily-remembered conjunctions of words
rather than difficult-to-remember strings of meaningless symbols. Some commentators have since pointed out flaws in the logic behind that cartoon.

Entropy is a head-twisting concept. Put simply, it is a measure of the chaos, disorder or unpredictability something contains. In information theory, entropy can be calculated and boils down to how many unknowns there are in a piece of data.

Consider a game of hangman. At the beginning of the game, none of the letters are known. Because there are many different possibilities, we can say that the unknown word contains high entropy. As you reveal each letter, the entropy quickly drops because of the way the English language works. Q is usually followed by U, for example, and not P or S or J. After revealing surprisingly few letters, we can usually infer the full word and win the game.

Passwords need high entropy. There should be no relationship between letters, so that if one character becomes known, it does not compromise the rest. If someone shoulder surfs you and spots you typing something like “M4nch3st” and they know you’re a Manchester City or United fan from glancing at your coffee mug, then your carefully placed capital and number substitutions are all for naught.

Many people still think that strong passwords are required to protect from brute force attacks, but this is largely false. When cybercriminals want passwords, they either take them by the million using attacks such as SQL injections, or have people hand them over in phishing attacks. Because of this, we need lots of passwords to compartmentalise our lives into discrete blocks. Compromise one account and the others stay secure. Re-use them across accounts, and one key fits many locks.

There are lots of strategies for generating and remembering high entropy passwords. One successful technique is as follows:

1: Take a long line from a favourite book, play, song, nursery rhyme, whatever.

2: Take the initial letters from the words in the line and put them together.

3: Change vowels into numbers and other symbols, capitalise others.

Et voila! A long, high entropy password you cannot forget. Here’s an example based on an episode of a sitcom that came to mind just now quite by chance:

In the Fawlty Towers episode The Germans, the Major says something like: “I must have been keen on her; I took her to see India!”

The 13 initials in this phrase are: imhbkohithtsi

Changing some letters to symbols and capitalising others gives: !mHbK0H1ThTsI

password2bstrength-2964104The online password strength meters I tried claim this password is strong or even very strong. Someone would have to know you were keen on that episode of that sitcom, guess the exact line from it, and guess exactly how you’d mangled the initials to stand a chance of recovering the generated password.

Now do that for the dozens of sites you need to log into, even those sites you intend to use very little but for which you must still set up an account. Ideally, each password must be different and unrelated. It’s just not practical, is it? In fact, that sinking feeling you’re probably experiencing has a name: password fatigue.

We could just store all our passwords in our browsers and create a master password to protect them. But what if we want to log in from another laptop, tablet or phone? This problem has led to the rise of the password manager.

A good password manger needs to securely store all your passwords, and to sync across all your devices. It should automatically capture the passwords you enter as it goes, and should contain some nice-to-have features. For example, the option to generate random, very high entropy passwords would be good. Intelligent form filling would also be useful.

There are other potential advantages to password managers. Because they recognise the sites you visit, if you get taken in by a phishing email and click on a link to enter your password, the manager will not recognise it, and should fail to cough up the creds. If you’ve allowed the manager to generate random passwords that you never see, there’s no danger of you overriding it either.

I’m not going to recommend a single password manager, but you should check them out sooner rather than later. Instead I will point you to a comparison chart for you to make your own decision.

There are pros and cons to using password managers, however. Some people, like our own Simon Edwards, have argued that caution is needed. Last year, for example, cloud-based password manager LastPass was hacked and user data spilled (including security questions and encrypted passwords). Malware has also targeted local password managers such as KeepPass that do not use a cloud service.

Because of these weaknesses and attacks, passwords and password managers may not be enough. A good password manager also needs to feature 2-factor authentication. Biometric authentication would be even better as this is substantially harder to subvert.

How The Clinton Campaign Was Really Hacked

hillary-clinton-3961580The 2016 US Presidential Election may not be the first held in the shadow of Wikileaks, but it is the most entertaining.

When John Podesta received an email apparently from Google in March this year warning that someone had used his password to sign into his account, events began to resemble an episode of Veep, with Chinese whispers quickly replacing information.

Not knowing any better, Podesta forwarded the email to a member of staff to deal with. After a hop or two, the email was passed to the Clinton campaign’s IT Helpdesk Manager. He in turn made the rookie mistake of not inspecting the message’s header or checking the Bit.ly  link it contained. Both would have shown this to be a phishing attack. 

phish-5291731

Instead, the Helpdesk Manager concluded that the email was real, and Mr Podesta should change his password right away. However, the reply also contained the advice that Podesta should ignore the email and log in directly to Google. He even supplied the correct URL to do this and explicitly said that Podesta should turn on 2-factor authentication at the same time.

The Helpdesk Manager has since been somewhat unfairly vilified in the press. The fact is that his explicit advice was lost in favour of a simpler message as his reply began to filter back up the chain of command.

podesta-it-email-1-8250640

According Wikileaks, Sara Latham seems to have been the person who actually contacted the helpdesk on Podesta’s behalf. She also received the Manager’s reply, and added her own endorsement of the phishing link.

Having been told it was real, it seems that either Special Assistant Milia Fisher or Podesta himself then clicked on the original phishing link and attempted to change the password. The rest has been pundit fodder ever since.

reply-2589288

You can bet that the Clinton campaign  spent money on insurance, health and safety training, and other measures to ensure a safe working environment, so why not basic cybersecurity training? Maybe it did, and the people concerned simply didn’t attend. It seems sensible that in future campaigns, no one should get access to devices without first demonstrating that they can spot a simple phishing email, IT helpdesk Managers included.

Interview With The Bank Manager

barclays-2502387Pundits pontificating about online fraud is all well and good, but what do the banks think, and how do they protect us? 

To find the truth, we talked candidly to a branch manager from UK bank NatWest.

SE: First of all, what’s the scale of the online fraud problem from the bank’s perspective?

I won’t lie. It’s massive. We’re always being told about phishing emails, and you can report them to us online. Scam phone calls pretending to be the bank and asking for your account details and passwords are also huge. Just to be sure, we never ask for passwords. No one does Well, no one legitimate anyway.




SE: If you’re scammed can you get your money back?

  
It all depends. The basic thing is if it’s not a transaction you’ve made, its fraud and we can help. If it’s something you’ve done yourself that’s it, the money’s gone. Where it gets tricky is when you think you’re signing up to a one-off payment but the small print says it’s every month and you don’t realise. It might be cleverly worded, but it’s up to you to read what it is you’re buying.  If there’s any doubt, don’t do it or bring it in for us to check.

SE: How do you protect people’s money in general? 
102bgolden2brules-3149731The monitoring systems now are really good. They put blocks on cards when something suspicious happens, and block dodgy transactions while we find out if they’re legitimate. Tell us you’re going to France for the week and we’ll know not to block your cards if we see a cash withdrawal from Paris. If you tell us you usually go to France about now then we can keep the card active for you. It’s just when we see things out of the ordinary that the system will react. A lot of the time people get their cards blocked on holiday because they forgot to tell us. It’s a pain for them, but if you tell us what you’re doing it’s usually fine.

We see a lot of “Make $2000 a month from home”-style spam. What’s the scam there?

It’s usually money laundering. A foreign gang wants your bank details to put money into your account, then you send it on to someone either at home or abroad but keep an agreed percentage as commission. It’s an old one, that. Sometimes, they want you to physically receive and send on stolen bank cards as well, or ones that have been obtained fraudulently. But you’re being used. Basically, if you’re caught acting as a money mule, then you’re as guilty as the bloke who gave you the money to carry. We have a legal obligation to report anything over a certain amount transferred from abroad into people’s accounts. Again, it’s one of the things the system looks for that’s out of the ordinary.



Can the banks stop people being duped into sending money to scammers abroad?

nat2bwest2bsite-6365254


You mean like rich Nigerian princes and lottery wins that need a processing fee? At the end of the day, it’s their money. We can only advise. We can say: look, we think this looks like a scam. But if they want to send it abroad then we have to do it for them. If it’s a large amount, we’ll ask them in to sit down and think is this really what they want. [We try to] find out how well they understand what they’re doing and where they’re sending it. We have had cases where people have lost considerable amounts because they’re convinced it’s real.

What’s the most outrageous thing you’ve seen?

I was asked to look at the cash machine outside the branch I was managing once, and there was a piece of wire hanging out of the card slot. That’s all it was. But it prevented the card from being returned, so people walk off thinking the machine’s swallowed it. You pull on the wire and the card pops out. It’s called a Lebanese Loop.  Simple and easy. Once you’ve got the card you’ve got the expiry date and the CVV number on the back and you can go shopping.



What’s your personal message to customers?


Basically, it’s always a scam. If it looks like something where you think you can get one over on the sender, it’s still a scam. These people aren’t stupid. No one wants to give you free money. You haven’t won a foreign lottery, either. There’s no pot of gold. They may only want a small processing fee, but if they get a lot of fees, it’s very profitable for them. Start with the idea that everything’s a scam, ask us to confirm anything you get that you don’t understand and you’ll be alright.

What other guidance is there for people?

little2bbook2bof2bbig2bscams-4102409


There’s lots about but it’s a bit scattered. Barclays did a good TV advert about phone scams. We’ve published a really comprehensive leaflet about online scams in conjunction with the police that covers all the different frauds. You can download that, and we have a web site for reporting scams. But if you have any questions the best thing is to just call the bank or walk into a branch and ask. That’s the best thing.

Went The Day Well?

 

title2bpic-8503324In The Great Escape, a Gestapo officer wishes Gordon Jackson’s character “good luck” in English as he attempts to board a bus.

In A Book About a Thousand Things, George Stimpson says that during WWII, US guards used the word “lollapalooza” to spot Japanese spies amongst Pilipino allies.

Judges 12-6: “Then said they unto him, ‘Say now Shibboleth’ And he said Sibboleth, for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan”.

These are all examples of shibboleths, named after the final example, in which a group of Gileadites identify an enemy Ephraimite from how he says a word.

Could subtle shibboleths also buy time until we can properly resolve the password reuse crisis? To answer that, we need a sprinkle of theory.

To log into a service, you must authenticate yourself by presenting certain bona fides. These fall into three broad categories:

  • Something you know
  • Something you have
  • Something you are

barclays2bpinsentry-9891496Passwords fall into the first category, as do your mother’s maiden name, your first pet, and so on.

To shore up authentication, two factor authentication is becoming more popular, and usually involves a password backed by something you have, such as a mobile phone to receive a passcode. Something you have could also be a special device that generates a one-time code. Some banks insist on such devices being present when transferring money from accounts.

What about things you are? Biometrics are the best known examples, but gait recognition has also been examined as a method of identifying people. Early research focused on thwarting smartphone theft, but has since been used in other applications.

The trouble with all this is that everything beyond simple passwords make the user do something extra or use special hardware. Everyday users tend to resist being made to change their ways for someone else’s convenience. There are also parts of the world where secondary authentication is impossible. Are we condemning those users to a second class, less secure internet. This is where shibboleths could help.

When your bank identifies rogue transactions, it’s identifying shibboleths in normal spending patterns. If you’ve ever had a text asking you to confirm unusual payments after some toerag has cloned your card, you’ll be thankful for this.

Think about this in terms of passwords. If a typical user types the same password for many years, he naturally falls into a predictable rhythm of key presses. If anyone else enters that password, the timing data will be different.

body2bpic-8592247 Encrypt the timing data before storing it, and it must be included in any password decryption effort. Remote brute force attacks would become impossibly difficult. Dumb phishing campaigns that don’t collect timing data would also be rendered useless overnight, and God knows that’d be a good thing.

It’s far from a perfect solution. You can probably think of a dozen difficulties (keyloggers, for example), but competent client-side shibboleth-spotting could at least buy the world time while someone clever creates a solution to password reuse that doesn’t divide the internet into secure haves and insecure have-nots.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press