The Black Book of Identity Access Mgmt

    Thursday, Jun 24, 2010

    Sorry, but you're just too ugly to access the system

    Multi-factor authorization good, hackers bad


    I’ve taken da wife and kids all over the country, and even out of the country. We’ve been to large metro areas, tiny little towns full of the antique stores that she loves, the mountains, the oceans white with foam, the Gulf (before it was black with oil), the islands. We’ve also gotten to see a lot of wildlife in the, uh, wild. But the one animal I’ve never been able to show her in the wild is a moose. I’ve been hearing about the frigging moose for twenty years. Never seen a moose in the wild. Last time at Brookfield Zoo in Chicago, the moose there was hiding. “Moose don’t like you,” I’ve tried to explain to her.

    And so I kept this in mind, when I went online to our bank’s website, to create an online account, and I was asked to pick an anti-phishing image for authentication. You can pick various backgrounds. This way, if I ever get an email saying, “You need to check your account online,” and I click a link to go there, and I don’t see my personalized image, I know I’ve been phished, and I need to make like the good shepherd and get the flock out of there.

    For my personalized image, I was a total smartass, and I chose … a moose. The system chose FOR me a personalized message, something regarding yet another kind of animal.

    This system, as it turns out, is based on a product called Bharosa, which does multi-factor authentication, fraud detection and prevention, and multi-factor authorization. Bharosa was bought a while back by Oracle, and it is now called the Oracle Adaptive Access Manager, or OAAM. Oracle loves cooking up insanely stupid acronyms for its products. I mean, you think that one’s bad, how about the Oracle Applications Access Governor (OAACG)?

    Anyway, it’s a pretty decent product, OAAM, and so when my bank was bought by another bank, and then THAT bank was bought by yet ANOTHER bank, they kept the thing in place. We pop over to MegaBank.COM, then up pops the moose and phrase, we stick in a user name, then on the next page we get asked for a password, and bing, we’re in.

    Actually, I wish I could have picked my own phrase, because then I could have “moose and squirrel” come up, which is barely funny, and even then, only if you’re old enough to get the joke.

    You might say, “Gee, that sounds like a pain. Username on one page, password on another. What gives?” Well, it’s actually not a bad deal. If they don’t find a legit username from the first page, they never forward you to the second page. A setup like this could also mitigate some of the danger of SQL injection, if you’re not already coping with that via input validation (which you should, you lazy ape).

    OAAM also supports virtual authentication devices, which don’t require client software, and which prevent man-in-the-middle, over-the-shoulder, under-the-elbow, and through-the-Adam’s-apple attacks. If your virtual authentication device comes up more than once, it will play back with the keys moved around, to avoid anybody recording your keystroke coordinates. It can even let you register particular physical devices, such as a PC or smartphone, and disallow a device that’s not registered. On top of that, it can match up time of day, historical behavior, transaction context, IP address or even country of origin, shoe size, you name it, in order to calculate a risk score and decide whether or not to block a transaction.

    “You say you’re the CEO? Okay, but you’re logging in from where? Russia? Screw you.”

    “You say you’re the CEO, but you’re logging in from outside the firewall, on a Saturday night, and you wanna check out salary info? Screw you.”

    “You say you’re the CEO, but you’re trying to download a thousand engineering specs all at once? Screw you.”

    “You say you’re the CEO, but you’re trying to access HR data from a Blackberry? Screw you.”

    “You say you’re the CEO, but you’re trying to perform a wire transfer in excess of $50K, and you’ve never done anything like that before? Tell you what, I’ll send a one-time-use PIN to your cell phone. Gimme that right back, and you’re good to go. Otherwise, screw you.”

    “You say you’re the CEO, but you logged in from Minneapolis, and ten minutes later tried to do something else from Florida? How fast is your car, really? Screw you.”

    And so on.
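    The “screw you” rules above, written out as a small risk engine so you can see how the who/where/when/how-much signals add up to allow, step up, or block. This is an added example, not OAAM code or anything from the post; the blocked-country list, the 900 km/h travel ceiling, the $50K threshold and the score weights are constructed policy values.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed policy values for this example, not OAAM's real defaults.
BLOCKED_COUNTRIES = {"RU"}
MAX_PLAUSIBLE_KMH = 900      # faster than any airliner => "impossible travel"
LARGE_TRANSFER = 50_000      # first wire above this triggers a one-time PIN

@dataclass
class Event:
    when: datetime
    country: str
    lat: float
    lon: float
    device_id: str
    action: str              # "login", "wire_transfer", ...
    amount: float = 0.0

@dataclass
class Profile:
    registered_devices: set  # devices the user enrolled earlier
    largest_transfer: float = 0.0
    last_event: "Event | None" = None

def km_between(a, b):
    """Great-circle (haversine) distance between two events' coordinates."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def risk_score(ev, prof):
    """Add up the who/what/where/when/how-much signals; return (score, reasons)."""
    score, reasons = 0, []
    if ev.country in BLOCKED_COUNTRIES:
        score += 100; reasons.append("blocked country")
    if ev.device_id not in prof.registered_devices:
        score += 40; reasons.append("unregistered device")
    if prof.last_event is not None:
        hours = (ev.when - prof.last_event.when).total_seconds() / 3600
        if hours > 0 and km_between(ev, prof.last_event) / hours > MAX_PLAUSIBLE_KMH:
            score += 60; reasons.append("impossible travel")
    if ev.action == "wire_transfer" and ev.amount > LARGE_TRANSFER and prof.largest_transfer <= LARGE_TRANSFER:
        score += 50; reasons.append("first large wire transfer")
    return score, reasons

def decide(ev, prof):  # allow / step_up_otp (one-time PIN to the phone) / block
    score, reasons = risk_score(ev, prof)
    verdict = "block" if score >= 100 else "step_up_otp" if score >= 50 else "allow"
    return verdict, reasons
```

    Any single signal here can be innocent; the point, as the post says, is that the score reflects them taken together.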

    Hackers are smart, and always getting smarter. Check out the massive TJ Maxx attack. It wasn’t a single attack, even though some of the lazier news guys recorded it as merely a SQL injection hack. It was a whole series of hacks, allowing the bad guys to create a beachhead and branch out. They pulled data out of there nineteen different ways. So you need to look at who they say they are, what they’re trying to do, what they’re using to try it, where they’re trying it from, when they’re trying it, and how much of it they’re trying. Any one of those things might be okay, but taken as a whole they might tell you a different story.