My goodness industry, you are really taking the biscuit with this one.

Where to begin

The purposes of security

  1. Keeping consumers secure
  2. Keeping consumers confident

So I fully appreciate that consumers need to be confident in services in order for the internet, industry and economy to progress.

We shouldn’t impede users or make it difficult for them to use services.

But at the same time, you do have to apply a little bit of common sense OR you have to accept that inevitably convenience over security will have a negative impact on confidence.

So let’s take a Google Account

  1. Convenient store of online passwords – Plain Text
  2. Convenient store of App passwords – Plain Text
  3. Convenient store of payment details – Might as well be plain text
  4. Convenient transfer of funds – from bank account to non-secure destination
  5. Convenient tracking of users for SEO – Blackmail checklist
  6. Convenient account access – easy to log in
  7. Convenient account recovery – easy to bypass security
  8. Convenient wizard functionality – enabling all of the above by default

Personally, I think a lot of these should not exist by default. I think turning the functionality on should be optional, as opposed to it being on and ready to utilise.

I think you should explain the security shortfalls at the same time you explain convenience.

I can think of a lot of things that would NEVER be adopted by the industry, so let’s go for something simple that can be adopted.

Assumption of security is not security

The assumption that something, especially a telephone number or mobile device, is secure is convenient to the service provider, in this example Google, but not to the consumer.

So the only person who benefits from assuming this security is the industry.

It does not benefit your customers to assume this is secure

It does not build consumer confidence to assume that this is secure

The fact is, mobile number account recovery shouldn’t really exist. Half the things that use it only have it for redundant reasons; the other half use it in a redundant way.

You can still have convenience with security

Easy account set up is possible in a way that makes it secure and convenient.

In this case, we drop account recovery via a mobile telephone number and use an email address for account recovery instead. We advise the consumer that they should not use an email address that is accessed outside of the home (with the exception of work) or from a mobile device.

We do this so that 2 step authentication works and remains as 2 step authentication.

How does this maintain 2 step authentication?

Well, the convenient way for a consumer to use 2 step authentication is to use it with their mobile telephone device.

The device and the number are separate entities, but they are equally both accessible at the same time.

Network hacking approaches, i.e. blagging my way through security questions from your mobile provider to forward your calls, call forwarding via the voicemail portal, or amending network settings from the mobile provider online account (some of which I do not reference here), are possible ways to bypass security remotely.

Locally, I can do this in simple convenient ways, with both access to the mobile telephone number and the physical device.

What that essentially means is that if my method of attack is either of the above scenarios, we go from 2 potential steps of authentication to 0 steps of authentication using account recovery options.

However

Remove the mobile telephone number from the equation of account recovery and utilise a different email address that is not associated with the mobile device, and we go back to 2 steps of authentication, as I:

  1. Need access to your physical device
  2. Need access to your recovery email account

So I would need, in theory, to access your email to find out what email address you use for account recovery options.

The same is not true for the mobile telephone number, as we likely only have one.
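The argument above as a small Python model, added here as an example and not part of the original article or any provider's code. It counts the distinct things someone must control to pass one first step (password or any recovery channel) and the second step; a result of 1 is the collapse described above. The asset names, and the rule that recovery replaces only the password, are assumptions of this sketch.

```python
from itertools import product

# Assumption of this sketch: each channel is satisfied by controlling ANY ONE
# of the listed assets. Asset names are constructed labels, not provider terms.
PASSWORD = {"password"}
# SMS/voice codes and phone-number recovery both follow the number or the handset.
PHONE_CHANNEL = {"phone_number", "phone_device"}


def mailbox_channel(signed_in_on_phone):
    """Recovery mailbox; the handset also opens it if it is signed in there."""
    if signed_in_on_phone:
        return {"recovery_mailbox", "phone_device"}
    return {"recovery_mailbox"}


def weakest_paths(first_step_options, second_step):
    """Return (n, paths): the fewest distinct assets that pass one first-step
    option AND the second step, plus every asset set of that size."""
    combos = {frozenset((a, b))
              for first in first_step_options
              for a, b in product(first, second_step)}
    fewest = min(len(c) for c in combos)
    return fewest, sorted(sorted(c) for c in combos if len(c) == fewest)


def audit(recovery_channels, second_step=PHONE_CHANNEL):
    """Assumed model: recovery replaces the password; the second step still applies."""
    fewest, paths = weakest_paths([PASSWORD, *recovery_channels], second_step)
    verdict = "2 steps hold" if fewest >= 2 else "collapsed to one point of control"
    return fewest, paths, verdict


if __name__ == "__main__":
    configs = {  # constructed account configurations
        "phone-number recovery": [PHONE_CHANNEL],
        "recovery email signed in on the phone": [mailbox_channel(True)],
        "recovery email kept off the phone": [mailbox_channel(False)],
    }
    for name, recovery in configs.items():
        fewest, paths, verdict = audit(recovery)
        print(f"{name}: {fewest} asset(s), {verdict}; weakest: {paths}")
```

Only the third configuration keeps two independent steps, which is why the advice about keeping the recovery mailbox off the mobile device matters as much as dropping the phone number.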

Won’t somebody please think of the children!

Now, given the way that set up wizards work, the way in which it is easy to bypass 2 step authentication, and the amount of time it takes to do it with recovery options, here is what we are saying for consumer confidence.

If I gain 5 minutes of access to your child’s mobile device, or one of their friends’, I can track their movements.

That is not the case of “I might be able to”, it is not the case of “Possible to”. If you have followed the default set up wizard for services, irrespective of whether you use 2 step authentication, and the account recovery options are set up in this non-secure way using a mobile telephone number, I can access your child’s accounts.

So while the industry may argue around the purpose and likelihood of stealing an adult’s mobile phone and successfully stealing money from them, the fact of the matter is that children are vulnerable. The current wizard methods for things like email accounts, which are subsequently used to gain access to all other accounts (social media, Twitter, chat rooms etc.), and the processes in place for convenience make it substantially easier for someone to access their accounts within a very short time frame.

It is not just pro-actively tracking their movements either, I can likely look back over their accounts, see where they frequent at the weekends, see the clubs they are part of, see who they talk to, see who their friends are.

Now I gave a scenario at the start of this article, about a phone I found whilst out walking my dog. Is it worth the risk?

Convenience, Confidence and Security cannot apply to all major demographics across the board with one solution.

It just isn’t possible.

What is convenient for an adult may boost their confidence in the industry, but if the same convenience methods reduce the security of their children, it is not a confidence boosting exercise.

It is then not just an adult or child demographic. The most obvious way for 2 step authentication to operate for someone with a visual impairment means that they are most vulnerable to the security flaws in this article, as it is very likely they use this particular set up by choice, plus they use 2 step authentication by voice call by default, which simply reduces the number of steps I take to access their account. There are alternatives to this that are secure, but we would likely need to guide this service via accessibility requirements. Google actually offers everything you need for their service to be accessible and secure; it just isn’t guided by the set up wizards.

So what we actually find with convenience and security is that the most vulnerable individuals in society are made more vulnerable, whereas, we should be putting more effort into providing a convenient service that also offers the required level of security so that vulnerable individuals can make the best of the digital world in a safe and secure way.

It is possible to automate a wizard set up to provide security, convenience and confidence for all demographics based on certain conditions, date of birth and accessibility requirements being the obvious options here to then guide the rest of the wizard process.

So with our steps like this, we only really need one simple change with the rest of it being a choice

  1. Convenient store of online passwords – Plain Text
  2. Convenient store of App passwords – Plain Text
  3. Convenient store of payment details – Might as well be plain text
  4. Convenient transfer of funds – from bank account to non-secure destination
  5. Convenient tracking of users for SEO – Blackmail checklist
  6. Convenient account access – easy to log in
  7. Convenient account recovery – easy to bypass security
    • Do not allow recovery with phone numbers
    • Allow recovery via alternative email
    • Advise that the other email should not be accessible from the mobile device used for 2 step authentication
  8. Convenient wizard functionality – enabling all of the above by default

We summarise on the next page
