Let Me Reset that Password for You…

In today’s bundle of security fun (okay, it’s only a single item of fun…) I’m bringing awareness about a study that proves that two-factor authentication just doesn’t cut it in certain circumstances. Basically, when trying to access one site or another, you are sometimes required to “register” before you get what you came for. On most sites this is not an issue. However, a malicious site, or a site affected by a cross-site scripting or cross-site request forgery vulnerability, can abuse that registration step in an interesting way.

The idea behind it is that the site uses your registration to gain access to your email account or some other system. To do this, it uses its registration process to simply “pass through” the password reset process at the targeted account’s site. So, you initially sign up by giving your email address for a newsletter or whitepaper; the site then presents a CAPTCHA or a security question for you to answer, or maybe even asks you to respond to a text message, email, or phone call. What it is really doing is relaying the additional security challenges that the targeted account’s system requires for a password reset, disguised as part of the registration process. It then replays your answers into the targeted site’s password reset flow, effectively letting it bypass all those multi-factor and out-of-band security measures, because you completed them on its behalf.

The annoying thing about this is that it is a simple matter of social engineering: it fools you into thinking that everything is just standard. It does bring up some additional points that are worth keeping in mind, though:

Don’t repeat passwords: especially with the same email address. If the site is vulnerable and lazy, it can simply check in the background whether the email address and initial password you provided for registration work elsewhere. If they do, why would it ever let you know it has access? One password for each site, no matter what.

Security questions aren’t secure: in general, you should never answer truthfully when setting up security questions. Many of them (where you grew up, where you met your significant other, your pet’s name, etc.) can be answered simply by perusing your social media history.

Be wary of unexpected second-factor alerts: if you receive an SMS or email from a company for which you were NOT resetting a password, it’s probably a good idea to contact them directly and find out why you received it. Most sites have a Support or Contact Us section with a phone number; calling is the best way to reach someone quickly, verify why you received the message, and potentially stop an attack in progress.

If possible, always use a secure password manager: I try to avoid making recommendations, but services like LastPass or offline password managers like KeePass are a huge help in keeping track of all these passwords. You can also use them to record the security questions and answers for each site. It’s sometimes hard to remember all those made-up answers, right? Of course, you need to make sure the password manager itself is secure and that its own recovery process is secure as well.

An interesting recommendation in the first article linked below is that when a site allows you to set up your own security questions, you should make them site specific. This helps you spot the question being used on a site that isn’t actually affiliated. For example, instead of entering the question “What’s my mother’s maiden name?” you could use “(Facebook) What’s my mother’s maiden name?” or “Who do I keep an eye on most on Facebook?” if the site being set up is Facebook. That way, you’ll be wary if the question pops up during a registration process or on any other non-Facebook site. Again, don’t forget to make up an answer that isn’t researchable.

For more information about the attack, see the following sites.