Who are you, really? The value of incorrect response in challenge-response style authentication.

Service providers (electricity, cable, wireless phone, POTS telephone, newspaper, banks, credit card companies) are regularly faced with the challenge of identifying and validating the identity of the individual who has called customer service. They have come up with elaborate schemes involving the last four digits of your social security number, your mailing address, your mother’s maiden name, your date of birth and so on. The risks associated with all of these have been discussed at great length elsewhere; social security numbers are guessable (see “Predicting Social Security Numbers from Public Data”, Acquisti and Gross), mailing addresses can be stolen, mother’s maiden names can be obtained (and in some Latin American countries your mother’s maiden name is part of your name) and people hand out their dates of birth on social networking sites without a problem!

So, apart from identity theft by someone guessing at your identity, we also have identity theft because people give out critical information about themselves. Phishing attacks are well documented, and we have heard of the viruses that have spread based on fake parking tickets.

Privacy and Information Security experts caution you against giving out key information to strangers; very sound advice. But, how do you know who you are talking to?

Consider these two examples of things that have happened to me.

1. I receive a telephone call from a person who identifies himself as being an investment advisor from a financial services company where I have an account. He informs me that I am eligible for a certain service that I am not utilizing and he would like to offer me that service. I am interested in this service and I ask him to tell me more. In order to tell me more, he asks me to verify my identity. He wants the usual four things and I ask him to verify in some way that he is in fact who he claims to be. With righteous indignation he informs me that he cannot reveal any account information until I can prove that I am who I claim to be. Of course, that sets me off and I tell him that I would happily identify myself to be who he thinks I am, if he can identify that he is in fact who he claims to be. Needless to say, he did not sell me the service that he wanted to.

2. I call a service provider because I want to make some change to my account. They have “upgraded their systems” and having looked up my account number and having “matched my phone number to the account”, the put me through to a real live person. After discussing how we will make the change that I want, the person then asks me to provide my address. Ok, now I wonder why that would be? Don’t they have my address, surely they’ve managed to send me a bill every month.

“For your protection, we need to validate four pieces of information about you before we can proceed”, I am told.

The four items are my address, my date of birth, the last four digits of my social security number and the “name on the account”.

Of course, I ask the nice person to validate something (for example, tell me how much my last bill was) before I proceed. I am told that for my own protection, they cannot do that.

Computer scientists have developed several techniques that provide “challenge-response” style authentication where both parties can convince themselves that they are who they claim to be. For example, public-key/private-key encryption provides a simple way in which to do this. Either party can generate a random string and provide it to the other asking the other to encrypt it using the key that they have. The encrypted response is returned to the sender and that is sufficient to guarantee that the peer does in fact posses the appropriate “token”.

In the context of a service provider and a customer, there would be a mechanism for the service provider to verify that the “alleged customer” is in fact the customer who he or she claims to be but the customer also verifies that the provider is in fact the real thing.

The risks in the first scenario are absolutely obvious; I recently received a text message (vector) that read

“MsgID4_X6V…@v.w RTN FCU Alert: Your CARD has been DEACTIVATED. Please contact us at 978-596-0795 to REACTIVATE your CARD. CB: 978-596-0795”

A quick web search does in fact show that this is a phishing event. Whether someone tracked that phone number down and find out if they are a poor unsuspecting victim or a perpetrator, I am not sure.

But, what does one do when in fact they receive an email or a phone call from a vendor with whom they have a relationship?

One could contact a psychic to find out if it is authentic, like check the New England SEERs.

http://twitter.com/ILNorg/status/3786484194

http://twitter.com/NewEnglandSEERs

RT @Lucy_Diamond 978-596-0795 do not return call on text. Call police or your real bank. Caution bank fraud. Never give your pin to anyone2:59 PM Sep 5th from Twitterrific in reply to Lucy_Diamond

RT @Lucy_Diamond Warning bank scam via cell phone text remember never give your pin number to anyone. Your bank won’t ask you they know it3:00 PM Sep 5th from Twitterrific in reply to Lucy_Diamond

But, what does one do if a psychic isn’t readily available? Doesn’t it make sense for service providers (who are concerned about my privacy and information security) to come up with a mechanism by which they can identify themselves to a customer?

A simple thing that each of us can do!

Most service providers treat this question answer session as a formality, if you give them a wrong answer they will give you a couple of tries till you get the stuff right (that in itself should tell you how serious they are about this stuff). More specifically look at the following exchanges. When I setup my relationship with this provider, here is what I provided them.

My name: <My Name>
Passphrase for account: <some reasonable passphrase, say “heinz58”>
My mother’s maiden name: <made something up, let’s say “Hoover Bissell”, the vacuum cleaner happened to be nearby that day>
Last four digits of SSN: <they only asked for last four so they weren’t doing a credit check, they got a random string like 2007 (the year when I setup the account)>
Date of Birth: <none of their business, Feb 29, 1946. Really, I’m an old fart and I’m amused how many people accept that date>

Intentionally incorrect responses are underlined.

Agent: For your security please verify some information about your account.What is your account number Me: Provide my account number Agent: Thank you, could you give me your passphrase? Me: ketchup Agent: Thank you. Could you give me your mother’s maiden name Me: Hoover Decker Agent: Thank you. and the last four digits of your SSN Me: 2004 Agent: Just one more thing, your date of birth please Me: February 14th 1942 Agent: Thank you

Agent: For your security please verify some information about your account.What is your account number Me: Provide my account number Agent: Thank you, could you give me your passphrase? Me: ketchup Agent: That’s not what I have on the account Me: Really, let me look for a second. What about campbell? Agent: No, that’s not it either. It looks like you chose something else, but similar. Me: Oh, of course, Heinz58. Sorry about that Agent: That’s right, how about your mother’s maiden name. Me: Hoover Decker Agent: No, that’s not it. Me: Sorry, Hoover Bissel Agent: That’s right. And the last four of your social please Me: 2007 Agent: thank you, and the date of birth Me: Feb 29, 1946 Agent: Thank you

The exchange on the right really validated that the agent was in fact the company they claimed to be. It appears that most companies are similarly lax with their security and the question answer session is as much a challenge response as the question answer session on the NPR show “Wait Wait, don’t tell me; the NPR news quiz”. Hints are common. I am not sure whether this is lax by accident or by design. If it is the former, it is unfortunate. But if it is by design I am very impressed.

The one on the left is a reasonable indication that the person on the other side either is a fraud or is giving you no indication that they have received the wrong answers (that has NEVER happened to me). I have had at least two situations where the former has occurred (see below).

Why is this relevant?

Here is what happened this morning. I called a service provider because I saw an advertisement on cable TV about a service that I could receive. The number that was provided was not the number that I had on my bill but heck, the provider in question was my cable company! So, I called the number they provided. They gave a URL in the advertisement as well but that site was “temporarily unavailable”.

Agent: For your security please verify some information about your account.

What is your account number

Me: Provide my account number

Agent: Thank you, could you give me your passphrase?

Me: ketchup

Agent: Thank you. Could you give me your mother’s maiden name

Me: Hoover Decker

Agent: Thank you. and the last four digits of your SSN

Me: 2004

Agent: Just one more thing, your date of birth please

Me: February 14th 1942

Agent: Thank you. Could you verify the address to which you would like us to ship the package.

(At this point, I’m very puzzled and not really sure what is going on)

Me: Provided my real address (say 10 Any Drive, Somecity, 34567)

Agent: I’m sorry, I don’t see that address on the account, I have a different address.

Me: What address do you have?

Agent: I have 14 Someother Drive, Anothercity, 36789.

The address the agent provided was in fact a previous location where I had lived.

What has happened is that the cable company (like many other companies these days) has outsourced the fulfillment of the orders related to this service. In reality, all they want is to verify that the account number and the address match! How they had an old address, I cannot imagine. But, if the address had matched, they would have mailed a little package out to me (it was at no charge anyway) and no one would be any the wiser.

But, I hung up and called the cable company on the phone number on my bill and got the full fourth-degree. And they wanted to talk to “the account owner”. But, I had forgotten what I told them my SSN was … Ironically, they went right along to the next question and later told me what the last four digits of my SSN were 🙂

Someone said they were interested in the security and privacy of my personal information?

We people born on the 29th of February 1946 are very skeptical.