I'm Crazy and So Am I
Wednesday, April 20, 2016 at 09:28AM
Jeff the IAM Guy in identity, access, SSO, hackers, password

One of the more brilliant things somebody came up with a while back was the notion that you could use an existing account to create a NEW account. “Yes, I’d love to join your blog community, but not if I have to register, wait for a confirmation email, and then remember yet another username and password. Oh wait, I can use Facebook? Cool, I’m in.”

And of course this is how you got OAuth-based social login, and that lovely little thing called account linking: the new site trusts an identity provider you already have, and ties its own account for you to that external identity.

But here’s the catch. If somebody hacks your Facebook, they’ve got your life. It happened to a lawyer friend of mine. I got an email from him one morning, saying he was sending it from a library in London. The mail explained that he was vacationing in the UK and had been mugged. Lost his passport, cell phone, laptop. He needed some cash, and fast. He said, “I’m writing this with tears in my eyes.”

Instantly I knew it wasn’t him. First off, it’s an old scam. Second, he would sooner bite his own thumb off than shed tears over being mugged. This makes him a great lawyer.

I reached out to his kids and said, I think your dad’s been hacked. They said he was actually vacationing in the Carolinas, and they got in touch with him. I recommended an email blast to let all his contacts know there was a scam being perpetrated in his name, but naturally the bad guys had changed his email password. And in fact, they’d gotten into everything he had, by virtue of hacking his Facebook account. Now, Facebook didn’t get them into his bank, but it got them into his email and some other stuff, and they were able to get to his bank stuff that way. Luckily, some additional multi-factor shut them down.

What then got creepier was when they actually started trying to chat with me via Facebook, claiming to be him. I tried to go along and solicit some info from them, maybe to discern how to get in touch, and catch the lousy bastards. But they shut the conversation down quickly. Luckily, in the end, they got nothing from this, but it caused my friend a great deal of hassle cleaning up his accounts.

This is occasionally the argument against SSO: if somebody hacks that one password, they’ve got everything. It’s a blast-radius problem. To segment that blast radius, some orgs employ Reduced Sign On, RSO, meaning you still need two or three separate passwords across a variety of apps, especially the ones inside the firewall or VPN, so one stolen credential doesn’t open all of them.

This is where multi-factor is indeed handy. You’ve got the right password? Great. But it’s a strange box. Before I let you log in from that strange box, let me ask you a few other things. You can also deploy defenses that look at behavior, not just at whether the credential checked out. Edward Snowden talked a bunch of people into authenticating from his machine. Why didn’t any bells go off saying, “Why are all these people using this same freaking keyboard?”
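The two checks sketched above, as an added example that is not code from the original post: a toy risk-based login decision in Python. A correct password from a device the user has never completed MFA on gets a step-up challenge instead of a session, and a single device that authenticates as too many distinct users inside a window is blocked and raised as an alert (the “same freaking keyboard” case). The user names, device IDs, and the threshold of three users per device per day are constructed assumptions for illustration, not anything from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Decisions the risk check hands back to the login flow.
ALLOW, DENY, STEP_UP, BLOCK_AND_ALERT = "ALLOW", "DENY", "STEP_UP", "BLOCK_AND_ALERT"


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    device_id: str      # browser fingerprint, managed-device ID, or similar
    password_ok: bool   # outcome of the first factor


class AdaptiveAuth:
    """Two checks layered on top of the password check:
    1. 'strange box': right password, but from a device this user has never
       passed MFA on -> demand a second factor instead of issuing a session.
    2. 'same keyboard': one device authenticating as many distinct users
       within the window -> block and alert, regardless of the passwords.
    """

    def __init__(self, shared_device_threshold=3, window=timedelta(hours=24)):
        self.threshold = shared_device_threshold   # assumed value, tune per environment
        self.window = window
        self.enrolled = defaultdict(set)           # user -> devices that completed MFA
        self.device_history = defaultdict(list)    # device -> [(ts, user)] with correct password

    def _users_on_device(self, device_id, now):
        # Drop history older than the window, then count distinct users on this device.
        keep = [(ts, u) for ts, u in self.device_history[device_id] if now - ts <= self.window]
        self.device_history[device_id] = keep
        return {u for _, u in keep}

    def decide(self, ev: LoginEvent) -> str:
        if not ev.password_ok:
            return DENY                            # wrong password: nothing to learn about the device
        self.device_history[ev.device_id].append((ev.ts, ev.user))
        if len(self._users_on_device(ev.device_id, ev.ts)) >= self.threshold:
            return BLOCK_AND_ALERT                 # many people, one box: behavioral red flag
        if ev.device_id not in self.enrolled[ev.user]:
            return STEP_UP                         # strange box: ask for the second factor
        return ALLOW

    def complete_step_up(self, user, device_id):
        """Call only after the second factor succeeds; the device is now trusted for this user."""
        self.enrolled[user].add(device_id)


def run_demo():
    """Constructed login sequence (not real log data). Returns the decision for each event."""
    t0 = datetime(2016, 4, 20, 9, 0)
    auth = AdaptiveAuth(shared_device_threshold=3, window=timedelta(hours=24))
    decisions = []

    # alice from her own laptop: first time -> step-up; MFA passes; second login -> allow
    first = auth.decide(LoginEvent(t0, "alice", "laptop-alice", True))
    decisions.append(first)
    if first == STEP_UP:
        auth.complete_step_up("alice", "laptop-alice")
    decisions.append(auth.decide(LoginEvent(t0 + timedelta(minutes=5), "alice", "laptop-alice", True)))

    # wrong password from an unknown device: denied, and the device is not remembered
    decisions.append(auth.decide(LoginEvent(t0 + timedelta(minutes=10), "alice", "cafe-kiosk", False)))

    # three different people type their credentials into the same workstation within an hour
    for i, user in enumerate(["bob", "carol", "dave"]):
        ev = LoginEvent(t0 + timedelta(minutes=20 + 10 * i), user, "ws-shared", True)
        decisions.append(auth.decide(ev))
    return decisions


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The third user on `ws-shared` is blocked even though every password was correct; that is the point of looking at behavior rather than only at credentials. A real deployment would key the device history on something harder to forge than a cookie, and the threshold would come from a baseline of how many users a given class of machine normally sees.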

I was asked for advice once when a friend’s daughter’s Neopets account was hacked. My first probing question was, what the hell is THAT? They explained, it’s a virtual pet world, in which you can earn points for taking care of your pet. The points allow you to buy virtual stuff for your virtual pet. So then I had to ask, why the hell would anyone want to steal virtual points?

But it was important to his daughter, therefore it was important to him. It was, in effect, her IP. You gotta safeguard stuff like that. 

Article originally appeared on Identity and Access Management Framework Book (http://identityaccessmanagementframework.com/).