Authentication is an essential component of protecting critical resources. It comes in two forms. Data-origin authentication aims to assert that data has arrived intact from its expected source. Peer-entity authentication seeks to assert that the party attempting to gain access to a system is who it claims to be, so that the system grants only the rights that identity carries. When we hear about people’s identities being compromised online, weaknesses in peer-entity authentication are usually to blame.
Brian Krebs described his recent disappointing experiences with PayPal and its surprisingly weak peer-entity authentication mechanisms. Someone changed the email address associated with his PayPal account, twice. It turns out that the attacker did it by calling PayPal and answering a series of basic questions about Krebs. Satisfied with the answers, the PayPal employee gave the attacker what he wanted. Krebs wrote that he had similar experiences with attackers compromising other kinds of accounts, including the one with his Internet Service Provider.
The problem with PayPal’s approach to peer-entity authentication is that it relies on static information to establish the identity of a user. Information such as Social Security numbers and driver’s license numbers does not change over time. Because it is permanent and in frequent use, it is a ripe target for attackers to capture. When attackers do steal this personal information, they sell it on underground markets, so that other criminals can use it in their own attacks. Unfortunately, the kind of information that companies like PayPal use to authenticate users is in too wide a circulation to provide adequate proof that a person should have the privileges he claims: a knowledge-based check only shows that the caller knows facts that the real owner, and everyone who bought the stolen data, also knows.
Yahoo and Google have recently rolled out mobile authentication approaches that text users one-time passwords for logging into their systems. The system generates a random PIN or password for each login attempt and sends it to the cell phone registered to the account. The recipient then enters that code to complete the login. This is a possession-based approach, similar to the hardware key fobs that have been in use for over a decade: the user’s proof of identity rests on holding the phone that receives the code, not on knowing static information that could already have been stolen and posted online. Because the code is fresh for each attempt and expires quickly, capturing an old one is of no use to an attacker. One caveat is that the proof is really of control over the phone number, which the carrier can redirect to another device, so the strength of this factor also depends on the carrier applying better customer-support checks than PayPal did.
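As an added illustration of the mechanism just described (example code written for this page, not code from Yahoo, Google, PayPal or the original post), the following Python issuer and verifier generates a random code, hands it to an SMS sender, and accepts it exactly once. The six-digit length, five-minute lifetime, five-guess limit, in-memory store and the `outbox_sender` stand-in for an SMS gateway are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # length of the texted code (assumption)
CODE_TTL_SECONDS = 300   # code is valid for five minutes (assumption)
MAX_ATTEMPTS = 5         # guesses allowed before the code is discarded (assumption)


def generate_code(digits=CODE_DIGITS):
    """Return a uniformly random, zero-padded numeric code from the OS CSPRNG."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class OtpStore:
    """Issues and verifies SMS-style one-time codes.

    Illustrative in-memory store (assumption); a real service would keep this
    state in a database shared by its login servers.
    """

    def __init__(self, server_key, clock=time.time):
        self.server_key = server_key
        self.clock = clock            # injectable so expiry can be tested
        self.pending = {}             # user_id -> [digest, issued_at, attempts]

    def _digest(self, user_id, code):
        # Store an HMAC of the code rather than the code itself, so a leaked
        # store does not hand an attacker every live code.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def issue(self, user_id, send_sms):
        """Generate a fresh code for user_id and pass it to the SMS sender.

        Issuing a new code replaces any earlier one still outstanding.
        """
        code = generate_code()
        self.pending[user_id] = [self._digest(user_id, code), self.clock(), 0]
        send_sms(user_id, code)

    def verify(self, user_id, submitted):
        """Return True once for the correct, unexpired code; False otherwise."""
        entry = self.pending.get(user_id)
        if entry is None:
            return False                      # nothing outstanding for this user
        digest, issued_at, attempts = entry
        if self.clock() - issued_at > CODE_TTL_SECONDS:
            del self.pending[user_id]         # expired: force a re-issue
            return False
        if attempts >= MAX_ATTEMPTS:
            del self.pending[user_id]         # too many guesses: force a re-issue
            return False
        entry[2] = attempts + 1
        ok = hmac.compare_digest(digest, self._digest(user_id, str(submitted)))
        if ok:
            del self.pending[user_id]         # single use: the code cannot be replayed
        return ok


def outbox_sender(outbox):
    """Stand-in for an SMS gateway (assumption): records user_id -> code in a dict."""
    def send(user_id, code):
        outbox[user_id] = code
    return send


if __name__ == "__main__":
    outbox = {}
    store = OtpStore(secrets.token_bytes(32))
    store.issue("alice", outbox_sender(outbox))
    print("texted code:", outbox["alice"])
    print("correct code accepted:", store.verify("alice", outbox["alice"]))
    print("replay rejected:", store.verify("alice", outbox["alice"]))
```

Four details carry the security of the scheme: the code comes from `secrets`, not `random`; it is compared with `hmac.compare_digest` so the check does not leak timing information; it expires and is deleted after first use, so an intercepted or guessed old code is worthless; and a short guess limit keeps a six-digit space from being brute-forced before the code expires.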
Hopefully, more companies will roll out mobile authentication solutions soon. It is unfortunate that PayPal, a company that drives so much of Internet commerce, continues to rely on authentication techniques that are so easily compromised.