Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Archives for April 2018

Iconic Yellowstone

April 6, 2018 By Doug

A few years back my wife and I toured Yellowstone before meeting my dad for a fly fishing boat trip.  It was a beautiful afternoon, warm and sunny, with the shadows just starting to appear.  The moon came over the horizon, and this guy looked up at me – a classic Yellowstone postcard.

There were a few other people around, and some who wanted to get way too close.  I was grateful when several other folks in the crowd gently (well, maybe not that gently) asked them to back away.  Let the wildlife be wild, and get a longer lens!

Filed Under: Photography Tagged With: deer, friday photo, moon, security, wyoming, yellowstone

Last Four is Foolish

April 5, 2018 By Doug

I keep running across companies that still, in 2018, are using the last four digits of SSN or mother’s maiden name as an authenticator.  We have 170+ million reasons why that’s a bad idea, and yet it persists.  That’s beyond inertia, past laziness, and nearly into negligence territory.  It’s time to end the practice of using easily discoverable information as an authenticator – especially those two, and especially to setup or validate new accounts.  It’ll take everyone working together to kill off this terrible practice.

If you are a customer of a company that does it, ask to set a password on the account instead (then call later and check to make sure that they actually enforce it!).  If they don’t allow you to do that, or fail to enforce it, then get on social media and shame them.  One company I use will let you do it, but they’ve created a massive barrier – they let you create an insecure authenticator over the phone or online, but require a time consuming in-person visit to use a secure one!

If you’re a developer and asked to write code to implement SSN based authentication, push back.  If you’re the business analyst who wrote that requirement, change it.  If you’re the executive who approved the requirements, unapprove it.  If you’re the QA engineer who tested a system that uses it, fail it.   If you’re a security professional, launch a project to remove it from legacy systems.

If you’re an auditor reviewing a system that uses SSN like this, fail them.  If you’re a regulator defining acceptable practices, ban it.  If you’re a congresscritter, outlaw it.  Everyone, everywhere, needs to push back on this outdated, dangerous and lazy approach to security.

For new account setup, knowledge based authentication (KBA) has issues (particularly after the recent breaches), but it’s still better than a raw SSN.  For existing accounts, two-factor via SMS isn’t perfect, but it’s better than single-factor, or use out-of-band (e.g. US Mail) to send a 6+ digit random PIN code.  Or use one of the many other alternatives that don’t rely on the single most targeted and compromised piece of personal information in existence.
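As an added illustration (not code from the original post), here is the minimal server-side handling of the out-of-band random PIN described above: the PIN is drawn from a CSPRNG, only a salted hash is stored, it expires, it is single-use, and guesses are capped. Unlike the last four of an SSN, it can be reissued if it leaks; the time-to-live and attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6              # the post recommends a 6+ digit random PIN
PIN_TTL_SECONDS = 15 * 60   # assumed validity window for a mailed/texted PIN
MAX_ATTEMPTS = 5            # assumed guess cap; 10**6 space needs rate limiting


def issue_pin(digits=PIN_DIGITS, now=None):
    """Generate a random PIN; return (pin_to_send_out_of_band, record_to_store).

    The record holds only a salted hash, so a database leak does not expose
    live PINs the way a leaked SSN exposes a 'last four' authenticator.
    """
    now = time.time() if now is None else now
    pin = "".join(secrets.choice("0123456789") for _ in range(digits))
    salt = secrets.token_bytes(16)
    record = {
        "salt": salt,
        "digest": hashlib.sha256(salt + pin.encode()).digest(),
        "expires": now + PIN_TTL_SECONDS,
        "attempts": 0,
        "consumed": False,
    }
    return pin, record


def verify_pin(record, candidate, now=None):
    """Check a submitted PIN; returns True once, then the record is spent."""
    now = time.time() if now is None else now
    if record["consumed"] or record["attempts"] >= MAX_ATTEMPTS:
        return False
    if now > record["expires"]:
        return False
    record["attempts"] += 1          # count every guess, right or wrong
    digest = hashlib.sha256(record["salt"] + candidate.encode()).digest()
    if hmac.compare_digest(digest, record["digest"]):   # constant-time compare
        record["consumed"] = True    # single use: a reused PIN is a replay
        return True
    return False
```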

Security is the poster child for continuous improvement – let’s make it better tomorrow than it is today. Retiring the ‘last four digits of your SSN’ is a darned good first step.

Filed Under: Security Tagged With: authentication, authenticator, fool, KBA, maiden name, security, ssn

