So it isn’t just stealing your phone that is my route into your accounts; it is centred mostly around the use of a telephone number, and the easiest way to use that telephone number for account access is by stealing a phone.
But in no way am I limited to that as an option.
The only analogy I can think of here with the account set-up wizards currently available is this:
The wizard for account set-up by default is like
- You install a chain that you can pull across
- You install a key lock
- You install a sliding lock
- You get out your sonic screwdriver and put on a deadlock seal
Then you as a consumer go about your daily business.
Problem is though, none of these work without installing the door… that is pretty much what happened here and how accounts are set up by default; either that, or you put the door on but forgot the walls.
Point is, the methods in this article are so simple they are likened to walking into your home unimpeded, having a rummage around, eating your food, stealing all your stuff, sniffing your underwear, then leaving without you being any the wiser that someone was in your home.
So back to our 3 points:
- How the Crime is Committed
- What a Consumer can do to prevent it
- What the industry has to do to prevent it
How the crime is committed
Very easily; the long and short of it is:
- Default account set-ups provide convenience to access accounts when secure options are either forgotten (password) or not available (2 step verification)
- I can bypass both a password and 2 step verification by
  - Accessing your phone directly
  - Accessing the network settings of your phone via multiple methods
- I rely on the fact you set up your account as suggested by the provider; this allows me to benefit from all the ease of access and account recovery options you benefit from.
What a consumer can do to prevent it
- When you set up accounts, or you review accounts you have online, question the following
  - Does this service or feature make security and access convenient?
  - If so, I need to research
  - For this particular example, do not use a mobile telephone number for account recovery or for two step authentication.
- If you set anything up that is important, consider the following
  - Can access to one thing give me access to everything?
  - So in this case, access to your mobile telephone number gives me access to everything.
What the industry can do to prevent it
- Assumption of security is not security – This means that you cannot assume the user’s “other” device or service, not provided by you, is secure when considering security methods.
- You also cannot exclude or limit something to a simple entity when it is used for a wide variety of things
  - In this case, a mobile device is NOT simply access to a mobile phone, but also access to the mobile network for the telephone number that the user has for communicating
  - Equally, a mobile is access to all the apps and services available, so in this case using the mobile phone to reset the email, then the email to reset the mobile phone, probably then gives me access to accounts that are already logged in, like mobile banking and other such non-secure services.
- You can still have convenience with security – you can still make things easy for the consumer; all you really need to do is test the ways around what you have.
  - You can argue the following: “A hacker is simply a test analyst who is currently unemployed”
  - A hacker is simply picking up on security flaws our testers missed, or security flaws our testers highlighted that we chose not to fix.
- Won’t somebody please think of the children! – Essentially, the only way to provide convenience, security and confidence across the board is to design wizards and set-up processes that consider demographics. One thing cannot be considered secure for all demographics.
There is a balance between convenience and security, everything being made convenient makes everything non-secure. Everything being made secure, makes everything non-convenient. Focusing on building confidence without acknowledging security will result in less confidence in the industry.
However, if you focus too much on either scenario as an industry, all you do is reduce consumer confidence, or at the very least, reduce consumer participation in your services.
This, for the last 2 decades, is what is known as the “War-cry of the IT man”; it isn’t a new concept, it is something that people with digital expertise always bring up, and it is something that always gets ignored.
Looking about online, when you hunt past the SEO results, what you start to see is a large number of people complaining that “their money is going missing”.
It is just evaporating; they can’t understand why someone has been able to transfer funds from their accounts. It looks like “Google Play” has been hacked, but that should only work from their device; they have the security in place, but it’s gone.
No liability either, just gone.
Someone accessed your email, replaced invoice account information with their own account details, “Oh that only happened because you didn’t have 2 step authentication in place”, well you can bypass 2 step authentication pretty easily, but as far as that consumer is concerned, the money is just gone.
Like Magic… Arthur C Clarke
“Any sufficiently advanced technology is indistinguishable from magic”
Thing is though, it isn’t significantly advanced; what it really is, is simply over-confidence and too much convenience leading to poor security.
So you will go ahead setting up “2 step authentication” with your mobile device, feeling confident that I cannot get into your account, but the reality is that with the account recovery options likely utilising your mobile telephone number, I have easy access to your accounts.
Your money is going missing because you are under the misconception that “this new security thing fixes the problems” without realising that there are things on your accounts designed to allow you to easily circumvent the security in place.
So in this case, the 2 step authentication offered by a lot of providers increases your confidence, and the mobile telephone number for account recovery increases your convenience; the combination of the two means you can be in a position where I can access your account without even really trying. Both combined result in you having no security.
Remove the convenient item from the equation, the mobile telephone number, and look at that: we have both confidence and security.
We can add some convenience by getting you to use something else not associated with the device you use for 2 step authentication in case you forget your password.
Ultimately we are left with two simple conclusions we can draw from this exercise:
- It is really difficult for consumers to find out or know how to set up accounts, or to consider the ways that someone with digital expertise would.
- It is really easy for the industry to consider these things and guide the users with an appropriate level of balance in all 3 areas.
A last point I have not covered in this article, but arguably quite an important notion:
The way 2 step authentication works for a business is NOT THE SAME as the way it works for consumers.
So, when we hear the statement “Businesses have been using 2 step authentication successfully for some time”, there are a shed load of other things considered around this for IT and security that do not exist for consumers. Most notably, if you want to reset your password, there is a different set of personal security measures in place, most often phoning the IT department so they can validate who you are.
That does not exist for consumers, and this is where consumer 2 step authentication falls down. If you were paying attention to the magic trick, the bit I am taking advantage of is the “Automated IT Department”, the account recovery option to reset the password using a voice PIN; that password recovery step is the equivalent of phoning the IT department, except nobody checks you are who you say you are.
From there, the rest is just a step by step process.
Anyway, I hope you enjoyed this article, and I hope you learned from it.
Links to more below.