Thursday, March 26, 2015

Keys to a Kingdom

The OMG

clickety-clack clickety-clack clickety-clack clickety-clack.


“Hmmm……”

clickety-clack clickety-clack clickety-clack clickety-clack.


“Really?!??!!”

clickety-clack clickety-clack clickety-clack clickety-clack.


“Are you kidding me I know that’s correct”

Checking email…

OMG! No - I did not do that!

Who is [email protected]?

Uh, so wait … that means someone else is logging into my account. What if they have access to the whole kingdom?

No Breach

I set up a call with Origin. They were helpful and said that this does happen, but they have not had a breach. So how did this guy get into my account? Well, my account is from 2010, so it has weaker security. They have since implemented two-factor authentication, which the “hacker” conveniently set up to text his phone as well. Luckily the rep was able to reverse everything.

The scary

After everything was reversed and the account was back in my hands, I wanted to check that no purchases had been made, and what I found was scary.


Holy smokes – look at all those failed orders in different currencies and from different countries. What does that mean? Multiple people tried to use my account to buy games, and it goes all the way back to early December. Luckily nothing was charged; every order failed, probably because my card had expired.

Maybe other breaches

How does something like this happen? How did they get my login credentials? There are two possible ways. One is that they just got lucky and guessed it. Although my password was probably slightly weak, I don’t think it was luck. The other possibility, and the most likely scenario, is that they got my account and password from a different company’s breach. In recent history, some large online commerce web sites have had breaches. So potentially my email address is sitting in one of those dumps alongside an “encrypted” password, if the developers followed good practice.

What is proper practice?

The best security practice is not to store the password at all, but to store a salted hash of the password. You might be thinking: why not just encrypt the password, why use this salted hash thing? Encryption is by definition reversible, and the algorithms tend to be fast. So encryption is out, because you don’t want someone to be able to easily reverse every password in your database.

What you want is to hash it. Hash algorithms are by nature not reversible, and quite a few of them are deliberately slow to compute. I’ll tell you why the speed part is important in a bit.

How a “hacker” would break passwords in a database that did not use salted hashes is really simple. They would just need to find a dictionary of already hashed words, compare it against the hashed passwords in the database, and instantly they would have a user id tied to a password. So you will want to salt the password before you hash it. Salting the password “increases” the complexity of the password and makes each entry unique. Now, instead of just finding a dictionary of already hashed words, the “hacker” has to run the hash routine over a dictionary of words with your unique salt, which takes time.

Sounds great but…

This is all great and is the preferred method of storing a password (you really aren’t storing the password, but the hash), and it prevents someone from seeing a user’s password in the event of a database breach.

The downside is that even this method can be broken, but unlike reversible encryption, it takes time to break. The reason each user gets a unique salt is to make retrieving all the passwords from a given database take longer. It could be years before a “hacker” can break a whole database. This gives a company/entity enough time to alert their users about a breach and force everyone to change their passwords before it’s too late. A better reason you are asked to make complicated or random passwords nowadays is not that people are going to guess them; it is that those words do not appear commonly in the dictionaries of words “hackers” use to get your password, so it will take much longer for your password to be revealed.
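As an added example, not from the original post, here is the salted, deliberately slow hashing scheme the last two sections describe, in Python using PBKDF2-HMAC-SHA256 from the standard library. The `pbkdf2_sha256$iterations$salt$hash` record layout and the sample passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 is the slow hash; iterations is the "takes time" knob.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'
    (record layout is an assumption). A fresh random salt is drawn per user,
    so two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time so a wrong guess takes as long as a right one."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

def unsalted_sha256(password: str) -> str:
    """The weak scheme the post warns about: fast hash, no salt. Every user
    with this password stores the identical value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def same_password_looks_different(password: str,
                                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when two salted records for one password differ while the unsalted
    hashes collide: the property salting buys the defender."""
    salted_differ = (hash_password(password, iterations=iterations)
                     != hash_password(password, iterations=iterations))
    unsalted_collide = unsalted_sha256(password) == unsalted_sha256(password)
    return salted_differ and unsalted_collide

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(verify_password("correct horse battery staple", rec))  # True
```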

Everyone’s responsibility

How does this relate to my real-life example of my video game account being hijacked by multiple people even though Origin had no leak? Since I had the same or a similar password somewhere else that did have a breach, someone with malicious intent could try that same combination elsewhere. If you use the same user id and password combination everywhere, one breach can open the doors to all of your online accounts.

It is everyone’s responsibility, from end user to developer, to know how this works in the real world. It would be wise to change your password on every site you use if you know that one of those sites’ user accounts was compromised. Likewise, as technologists it is our job to inform clients of the risk of creating a custom user identity system, because one breach, even at a smaller company, can still have a large impact on the web ecosystem.