Web-based customer self-service password resets are a boon to any enterprise that manages user accounts. Users invariably forget their passwords on occasion, and an online, automated system that allows end-users to reset their own passwords is a benefit to everyone. It eliminates the need for a helpdesk or system administrator to manually service these reset requests, so both the user and the company save time.
But with every on-line action, there are associated security risks. The security issue associated with password resets is that the reset process, if not executed correctly, can inadvertently reveal personal information that can then be used in an attack.
When a user goes to a password reset page, some sites will use an email address or the person's mother's maiden name to initiate the reset. The problem with such an approach is that an email address is rarely secret, and a mother's maiden name is often available through third-party data aggregation services, which means an attacker can use purchased data to reset a victim's password and thus gain access to the account.
If you don't architect your customer self-service password reset process correctly, attackers will find those weaknesses and exploit them. One of the more notorious examples is Igor Klopov, whose identity theft ring used such attacks as part of its MO.
Ensuring that your customer self-service password reset process protects your customers is not difficult; it just takes some thought and attention to detail.
Risk #1: Aggregated data
Myriad data aggregation services make terabytes of personal information easily available. That information includes social security numbers, mother's maiden name, birth date, zip code, phone number, age, profession, income and more. If your security reset process requires such information, you may be introducing additional risk.
Action item: Data that is aggregated should not be part of your password reset process.
Risk #2: Inappropriate redirect
After a password reset, some sites will redirect the browser to the user's preferred login page. Imagine if an attacker initiates a password reset on an investment bank site and is then taken to the bank's Your Portfolio page. At that point, the attacker knows the victim has a portfolio account, even if the reset itself did not succeed.
Action item: After a reset, redirect to the main web page (or a generic login page), never to a page that reveals which accounts or products the user holds.
Risk #3: Easy to guess password reset questions
Similar to risk #1, many sites will ask authentication questions that are extremely easy to guess. But the reality is that few websites use effective security questions. According to the website goodsecurityquestions.com, the answer to a good security question:
- cannot be easily guessed or researched
- doesn't change over time
- is memorable
- is definitive or simple
It's difficult to create questions that meet all four characteristics, which means that some questions are good, some fair and the remaining (which unfortunately includes many that are in use today in password reset situations) are poor. A list of really good (and poor) security questions can be found at www.goodsecurityquestions.com/examples.htm.
Also, if you do use such questions, you should instruct your users not to post the answers on social web sites such as MySpace. The question 'Who is your favorite sports team?' becomes an ineffective part of password protection if the user's MySpace page is covered in Boston Red Sox logos.
Action item: Choose password reset questions that meet the four criteria above; goodsecurityquestions.com maintains lists of good and poor examples.
Risk #4: Error code information release
Different self-service password reset systems require different fields. If a user enters an incorrect piece of data, the error message may be something like Member Not Found or Password Incorrect. Because the two messages differ, an attacker who submits a list of email addresses learns which ones have accounts on the system, and for those accounts learns that only the password is wrong. This account enumeration is the first step of a credential-guessing or targeted phishing attack.
Action item: Determine what error messages you want to reveal, and reveal only those. In practice that means one generic message, with the same HTTP status, for every failure, whether the account does not exist or the supplied data is wrong.
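The following script illustrates Risk #4 in code. It is an added example written for this page, not code from the article or from any product it mentions; the user store, the password hashes and the email addresses are constructed sample data, and the handler and helper names (leaky_login, hardened_reset, distinguishable, and so on) are hypothetical. Each leaky handler is shown beside its hardened form, which returns one status and one message for every failure and does the same hashing work for unknown addresses as for known ones.

```python
"""Account enumeration through error messages: leaky vs. hardened handlers.

Added example for this article; not the article's own code. The user store,
salts, hashes and handler names are hypothetical stand-ins so the script runs
offline. Handlers return (http_status, message) tuples instead of HTTP responses.
"""
import hashlib
import hmac
import secrets


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the cost is what makes timing equalisation matter."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store (hypothetical data).
_SALT_A = secrets.token_bytes(16)
USERS = {
    "alice@example.com": {"salt": _SALT_A, "pw": _hash("correct horse", _SALT_A), "tokens": []},
}


# --- Leaky handlers: the message and status differ by failure cause ---

def leaky_login(email: str, password: str, users=USERS) -> tuple[int, str]:
    rec = users.get(email)
    if rec is None:
        return 404, "Member Not Found"          # reveals: no such account
    if not hmac.compare_digest(_hash(password, rec["salt"]), rec["pw"]):
        return 401, "Password Incorrect"        # reveals: account exists
    return 200, "Welcome"


def leaky_reset(email: str, users=USERS) -> tuple[int, str]:
    if email not in users:
        return 404, "Member Not Found"          # reveals: no such account
    users[email]["tokens"].append(secrets.token_urlsafe(32))
    return 200, "A reset link has been emailed to you."


# --- Hardened handlers: one status and one message for every failure ---

LOGIN_FAIL = "Invalid email or password."
RESET_MSG = "If an account exists for that address, a reset link has been sent."

# Dummy credentials so an unknown address costs the same PBKDF2 work as a
# known one; otherwise response time would still distinguish the two cases.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_urlsafe(16), _DUMMY_SALT)


def hardened_login(email: str, password: str, users=USERS) -> tuple[int, str]:
    rec = users.get(email)
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["pw"] if rec else _DUMMY_HASH
    # The hash is always computed; compare_digest runs in constant time.
    matched = hmac.compare_digest(_hash(password, salt), expected)
    if rec is None or not matched:
        return 401, LOGIN_FAIL
    return 200, "Welcome"


def hardened_reset(email: str, users=USERS, outbox=None) -> tuple[int, str]:
    token = secrets.token_urlsafe(32)           # always generated
    rec = users.get(email)
    if rec is not None:
        rec["tokens"].append(token)
        if outbox is not None:                  # stand-in for the mailer
            outbox.append((email, token))
    # Unknown address: nothing is sent, and the response does not say so.
    return 200, RESET_MSG


def distinguishable(handler, *arg_sets) -> bool:
    """True if the handler's (status, message) differs across the given calls,
    i.e. an attacker could tell the cases apart from the response alone."""
    return len({handler(*args) for args in arg_sets}) > 1


if __name__ == "__main__":
    probes = (("alice@example.com", "wrong"), ("nobody@example.com", "wrong"))
    print("leaky_login distinguishable:   ", distinguishable(leaky_login, *probes))
    print("hardened_login distinguishable:", distinguishable(hardened_login, *probes))
    print("leaky_reset distinguishable:   ", distinguishable(leaky_reset, ("alice@example.com",), ("nobody@example.com",)))
    print("hardened_reset distinguishable:", distinguishable(hardened_reset, ("alice@example.com",), ("nobody@example.com",)))
```

The dummy hash only equalises CPU time inside this function; in a real deployment the reset email must also be sent asynchronously (so the mail round-trip does not leak), the endpoint should be rate-limited, and the reset token should be single-use with a short expiry. Those pieces are outside this script and are assumptions about a full implementation, not something the article specifies.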
Conclusion
Users are notorious for choosing poor passwords. You don't want to exacerbate the issue by having an ineffective self-service password reset process. As part of your web-development process, it is imperative that all details of the self-service password process be appropriately defined and executed. Attackers will strike at every part of your web presence to find a breach. Make sure this is not one of them.
Ben Rothke CISSP, QSA (ben.rothke@bt.com) is a Senior Security Consultant with BT INS and the author of Computer Security: 20 Things Every Employee Should Know.