Security vs. Customer Service

Every day you see it: a new company that has been hacked… all of their customer accounts are sprayed across the dark side of the internet. Some account records contain passwords, some contain credit card numbers, and even a few will carry checking account numbers. It's a devastating event for any company, and one that will cost some organizations their business life.

With these high-profile incidents in the news, it has finally come to the attention of the suits in the C-suite that they need to make security a priority. Stop at nothing, do not let hackers get into their systems. No unauthorized access to ANYTHING! This is a great stance, in theory… but some directions can be taken too far, and policies get set on things that really have no purpose in being protected with ‘federal government grade security’.

Remember Edward Snowden?  Edward was the NSA staffer who blew the whistle on the organization for spying and breaking into all sorts of internet communications.  Security and keeping information private doesn’t really hit home for Americans unless it's about something they REALLY want to keep personal.  If you haven’t seen it, here is the discussion Mr. Snowden has with John Oliver with a slightly comical twist… but it hits the nail on the head with the discussion of what security and privacy mean to the common American.  Check out the story from the 24:56 mark on:

Interesting stuff…

Security is a great thing, privacy is an important thing…  secure all the things!

Some organizations have taken this too far in a poor manner and have impacted their customer service capabilities.  Before I continue, those of you who are familiar with me and this blog already know: I am not a technical newbie, and I work with some extremely intelligent security analysts.  In fact, some of them make Mr. Robot’s hacking ability look like child’s play.

My experience with Verizon

This week, I visited the Verizon website in an effort to pay my bill.  I’ve been a customer of Verizon for more than 10 years, and I’ve used LastPass to manage my authentication credentials (username and password) with them for a few years.  Recently, Verizon added “two factor authentication” (2FA) to their login process.

For those who are unfamiliar, 2FA is a method of verifying that it is really you accessing your account, using a separate piece of information that only YOU can uniquely carry.  Wikipedia has more information on two-factor authentication for those who are curious. Typically, other services that have 2FA take your mobile phone number so that they can SMS you a unique short-lived code to log in with. Some services give you an application that generates a random number every thirty seconds.  I have 2FA on my email, cloud, Dropbox, Battle.Net, and work accounts.  It's easy to do, and I log in with it every day.  Yes, you can find me on Heroes of the Storm on a regular basis. (username: csharpfritz)

In the case of Verizon, their additional authentication involves adding a personal image to prove that you are accessing their site and not some cross-site-scripting hosted website.  They claim that these changes meet a ‘federal security guideline’ and they have also added a personal question to the process, that you must answer before keying in a password or seeing the personal image.  These questions are things like:

  • Where did you and your spouse first meet?
  • What is the name of your best friend?
  • What was your favorite place to visit as a child?
  • What is the name of a memorable place?
  • What was the first name of your first roommate?
  • What was the first live concert you attended?
  • What was your favorite restaurant in college?
  • What is the average speed of the unladen swallow?

Ok, I made up the last one… but you get the point.  These are simple questions that only you should have the answer to.  Here’s my problem: for anyone who is active on social media, these questions have very well known answers.  Additionally, Verizon does not ask you to re-type your answer to these questions like they do your password.  You can’t even consider entering your password unless you get this question right.  If you’re like me and had a typo in your answer, it doesn’t matter that you have LastPass; Verizon will tell you all day that you don’t know where you met your wife.  …and that’s just mildly insulting.

Strike One on interesting security policies – don’t ever tell someone that they don’t know something about their family or loved ones.

This is a communication company that I also have my mobile phone service with.  Great!  Just send me a text message on my mobile phone with a new access token for the website and I can get going again.  No, according to Verizon, having my mobile phone is not proof that I am who I say I am.

Hmm… ok.. what are the next steps?  To recover my password, Verizon asks for my billing account number and the amount of my last bill.  Here’s my problem with those questions: I have paperless billing with Verizon and they don’t send you the full account number in the email notice that your bill is available. If I didn’t have paperless billing, my account number and bill amount are available to anyone who gets to my mailbox before I get home.

Strike two on interesting security policies: you trust a piece of paper that you generated more than the phone hardware that you issued to me.

After digging through some very old emails from years ago and my bank records, I was able to provide Verizon with the key information to access my account.  In response, they issued me an 8 digit number to access my account.  That’s right: an account that I need a password with upper case, lower case, numbers, and special characters, a personally identifiable phrase, and a login id – they gave me 8 numbers to log in with.

Strike three on interesting security policies: your temporary passwords aren’t as good as your real passwords.  You can’t issue me a password like Apple123 or Phone911?

Consider what is being protected by this high-level of security: the right to be able to pay my bill and manage my internet services.  You can’t see my credit card information, you can’t see my bank information.  You can see what television services and internet services I pay for and that’s about it.  Do other people really want to break into my service provider’s account to pay my bill?  Are they going to steal my mobile phone and call my internet provider and attempt to pay my bill?

Recommendation

I appreciate what Verizon is trying to do.  Really. I applaud them for taking the security of their customers' accounts as a high priority.  Well done!  Your friends at AT+T could learn a thing or two from you.

Here’s the problem: you want to be able to uniquely identify me with an extra piece of information only I know and have available.  You are THE communications giant in America, so why not use text messaging and my mobile phone to help with securing my accounts?  Our friends at Microsoft who work on identity and security for web applications have built a very easy to implement 2FA module that you can add to your web application.  With this change, you can do away with the silly “What is your favorite place” question and just SMS or email people a code to use to access their account.
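As an added illustration (not code from the original post, from Verizon, or from the Microsoft module mentioned above), here is a sketch in Python of the server side of such a texted or emailed code: random, short-lived, single-use, and limited in guesses. The 6-digit length, 5-minute lifetime, 5-attempt limit and every name below are assumptions; delivering the code by SMS or email is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumption: length of the texted code
CODE_TTL_SECONDS = 300   # assumption: code is valid for 5 minutes
MAX_ATTEMPTS = 5         # assumption: guesses allowed per issued code


class OneTimeCodeStore:
    """Issues and checks short-lived login codes (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account_id -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        # Keep only a keyed hash, so a dump of the store does not reveal live codes.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def issue(self, account_id):
        # secrets (a CSPRNG), not random: the code must not be predictable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Issuing a new code replaces (invalidates) any earlier one.
        self._pending[account_id] = [salt, self._digest(salt, code),
                                     self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # hand to the SMS/email gateway; never log it

    def verify(self, account_id, submitted):
        entry = self._pending.get(account_id)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[account_id]   # expired or guessed out: must re-issue
            return False
        entry[3] -= 1                       # count the guess before comparing
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[account_id]   # single use
            return True
        return False
```

A short numeric code is only acceptable because of the expiry and the attempt cap: with 5 guesses against 10^6 possibilities, a blind guesser succeeds about once in 200,000 issued codes.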

Summary

All in all, I understand what this vendor is trying to do.  I’m not going to guess at what their underlying architecture is and how people could get my account information from their data stores.  However, I will question what the less technically inclined do when confronted with all of this information that they now need to provide to their phone company?  Does my mother have the patience to wander through all of this information?  To many, and now me included: I’m just going to send my payment offline with an old-fashioned stamp.

  • Great post, Jeff. Security is always a tradeoff. We don’t have to look for ultimate security. We have to look for the RIGHT security for each scenario. That said, there are plenty of important firms, utilities, and banks just doing awful things that provide no benefit or have easy workarounds.

    I believe, and I think many do, that security questions are a security anti-pattern (and have been identified as such for over ten years). As you pointed out, they are either vulnerable to social engineering or simply public records lookup. Your only defense is to make up new “passwords” to put here as answers.

    For a time, I was using the same password generating techniques of using long random strings for security answers. I didn’t realize that a certain credit card customer service center actually intended to identify me with the answers over the phone. It turned out, my answer led to a conversation like this:

    “Okay Mr. Gomez, can I just get the name of the high school mascot… uh.. hmm. Nevermind.”

    Me: “I’m sorry what did you ask?”

    “You haven’t answered these questions yet. It looks like a little problem on our end. Nevermind, how can I help you?”

    I honestly didn’t find this to be a problem because they are already an anti-pattern. It wasn’t keeping me secure… merely security theater that makes customers THINK they are being protected. But as usual, humans work around perceived issues. The rep must have seen the string and assumed it was a bug in the system, and proceeded to help me anyways.

    When you consider most any place I’ve called has agreed to help me with my online account by my merely confirming my name and address, that is the REAL password anyways. Just call customer service and sound really bummed that I can’t remember my user id, password, email, or anything and I need to get into my account. Name/Address… done.

    “For my protection” a retirement account provider helped me with an IRA rollover by confirming my name, address, birth date, and social security number. All publicly available. I pointed that out to the phone rep because I felt that really was a concern (“You mean I can roll this over with entirely public information”) and the rep sheepishly answered “Yes, I know.”