Sun first contacted the 64-year-old woman in February and claimed to be “Mark Cooper”, an agent with “the office of the inspector general, Federal Trade Commission”, according to court documents, the Washington Post reported.
I don’t know via which mechanism the contact occurred, but I have to say that if it was via phone, the fact that we don’t have any real sort of authentication system for phones is once again rearing its head. There have been a lot of high-profile examples of people getting tricked via phone, including people who are going to be in a relatively-good-position to avoid fake communications. Consider the case where Navalny tricked one of his would-be FSB assassins into believing that he was with the FSB and confessing on record – that was an intelligence agent working in an extremely-sensitive area who probably was trained in a set of procedures and they can still get clobbered. And a number of politicians with entire organizations devoted to ensuring their security have been phone-pranked…and God knows how many have been tricked into exposing information, where it never became a news story. How is a random senior citizen going to know what can be trusted, or be familiar with the existence of Caller ID spoofing? And then there’s deepfakes complicating the issue. The situation with phones is an outright dumpster fire. We actually have the computational hardware at each end today to be able to legitimately do end-to-end authentication and have trusted hardware to do things like app purchases and we still don’t have authenticated calls. It’s ridiculous.
Then there’s postal mail. Pretty much no authentication system in place. Anyone can slap an official-looking letter in an envelope.
For email, we have a few authentication systems (X.509 certs for companies, PGP certs by individuals), but they aren’t widely-used outside of organizations.
Of the contact mechanisms that are widely-used, only on the Web do we have an actual, widely-deployed authentication system…and there are some kind of egregious ways to game that. People often use search engines to reach given sites; people can do things like place ads for scam sites, or just try to game the search engine’s ranking criteria. The only thing that one gets even if one is using a TLS-secured connection and if the user understands how to check for that is a guarantee that the domain name in a browser’s URL bar is associated with the given organization and that the fields in the certificate – if they know how to check this and actually do, which I have never seen a user do and is inconvenient in a browser – also match. There is no standard mechanism for various organizations using domains; governments might use a .com from a company they have a contract with, official government sites may live at various locations in various places, etc.
Realistically, unless a Web browser gives some kind of sane, reasonably-non-gameable heuristic for “is this probably not some random fly-by-night organization”, I suspect that even on the Web, even in the situation where the best authentication mechanisms exist, a typical person can be gamed.
I remember, years back, talking with a guy – studying computer science at a prestigious university, probably in a vastly-better position to make security calls than most people out there – about how vulnerable people are to attacks that trick them. I said that I was pretty sure that pretty much anyone was vulnerable; he was convinced that if people were careful, it wouldn’t be a problem. I said that I was pretty sure that I could break into his computer. Thirty minutes later – and remember, this is a target with domain expertise who has been warned within the hour that he’s likely to be attacked – I sent him a link to a file via, I think, ICQ. He clicked on it. It opened a Minesweeper game. The file had been of the form:
neat-image.jpg .exe
At the time, the ICQ client would simply open a file locally, using Windows’ database which used a filename extension to determine how to act on a file. The ICQ client didn’t try to restrict the list of file types that could be opened, and at the time, it was possible to make a filename so long that the client wouldn’t display the last bit.
I’d just grabbed the Windows Minesweeper binary as the quickest thing to hand, and I told him what it was, but had it been a malicious program that – for example – had a malicious payload and then opened an image, I doubt that a typical person would have been aware.
That particular attack isn’t noteworthy – and various types of software packages have aimed to defend against that class of attacks – so much as the fact that I think that it really illustrates how unrealistic it is to expect the average Joe to “patch over” the security problems in software and hardware out there via rigorous behavior. If someone who has domain expertise and has immediate forewarning and where the attacker just had a few minutes to think up an attack can’t deal with it, how realistic is it to expect anyone to do so?
In the US, sometimes organizations ask for some sort of secret information, like one’s Social Security number or mother’s maiden name or name of one’s first school or one’s first pet. First of all, some of those are not terribly-difficult to get ahold of anyway – birth records are accessible to the public, and it may not be too hard to figure out someone’s first school or the like from looking back to see where someone or their parents were at a given point in time. But even in addition to that, various organizations don’t coordinate and restrict which ones can use a given secret. So if Organization X is trying to ensure that their users are authenticated, maybe they ask for their mother’s maiden name. Organization Y does the same. But that secret can’t be revoked and may be shared across multiple organizations. Say that Organization X’s computer system gets compromised…now someone has the secret required to get into the person’s account at Organization Y.
I remember one time that I’d lost some authentication data to get into a stock broker account at a company. I didn’t have enough to get in via the phone or the Web…but each exposed and required a different set of information, so that using information provided by one was sufficient to get into the other: clearly, the portion of the organization dealing with phones and the portion dealing with the Web weren’t coordinating in how they did things. And that was a major stockbroker, where access to the account could mean access to millions of dollars, and correlation across their own authentication systems, somewhere where I would expect each side to be checked. It was horrifying.
And that’s even before the fact that most organizations permit password resets if someone can get into someone’s email, which is not always the best-secured thing in the world.
Organizations have tried to use SIM cards as a form of authentication, for lack of a better route. But then you’ve got SIM-swapping attacks.
What I’m saying is that security is just horrendous on most systems from the standpoint of a regular user.
You do need the human to have some sort of understanding of a system to use it securely, but what we do today is kind of foist on the user all kind of ill-defined expectations that are constantly changing and probably unrealistic.
What I think would need to be done for things to pass muster is to give people a set of maybe five simple rules, make sure that they’re taught to everyone, from school on up, and as long as they follow those rules, they can’t be tricked as to identity…and if software or hardware permits them to be tricked, even if they’re following those rules, then it’s a bug in the software or hardware.
Even some of the better heuristics are pretty limited. “Don’t trust incoming phone calls”…okay, fine. But if my bank sends me a piece of postal mail and it says “call this number”…do I do that? Because anyone can drop a letter in an envelope on an official-looking letterhead. And financial institutions that I’ve dealt with have contacted me via phone, and certainly sent me mail telling me to call them at a given number.
People should be able to use phones or to use email or to get a letter or to use the Web and reasonably trust that the organizations they are communicating with are actually who they say they are. The situation today is just embarrassingly bad.
We shouldn’t have had this story about the detective in a wig because it shouldn’t have been possible to pose to the victim as a government agent in the first place, shouldn’t have even gotten to the place where the police were having to try to fix the problem.
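A model of the padded-filename trick described in the comment above, as an added example that is not part of the original thread. It assumes a client that simply cuts a filename off at a fixed display width (40 characters here) and a hand-picked list of extensions Windows will execute when a file is “opened”; both are assumptions for illustration, as is the sample filename. The point it shows is that any decision (what to display, whether to open) has to be made from the extension the OS will actually dispatch on, never from what the user happened to see.

```python
import os

# Assumed, non-exhaustive list of extensions that the Windows shell will run
# as a program when a file is "opened" via its file-type association.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                         ".vbs", ".js", ".lnk"}

# Assumed allowlist of what a chat client should be willing to open directly.
VIEWABLE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".txt"}

DISPLAY_WIDTH = 40  # assumed: the client shows at most this many characters


def padded_name(shown, real_ext, pad=200):
    """Build an attacker-style name: the part the victim should see, then a
    long run of spaces, then the extension that actually gets executed."""
    return shown + " " * pad + real_ext


def naive_display(name, width=DISPLAY_WIDTH):
    """Model the vulnerable client: a plain cut-off, no hint that the name
    continues, so the real extension falls off the end."""
    return name[:width]


def effective_extension(name):
    """The extension the file-association lookup will use: whatever follows
    the last dot of the final path component (lower-cased for comparison)."""
    return os.path.splitext(os.path.basename(name))[1].lower()


def apparent_extension(name, width=DISPLAY_WIDTH):
    """The extension a user would infer from the truncated display."""
    shown = naive_display(name, width).rstrip()
    return os.path.splitext(shown)[1].lower()


def is_deceptive(name, width=DISPLAY_WIDTH):
    """True when what the user sees disagrees with what the OS would run."""
    return apparent_extension(name, width) != effective_extension(name)


def safe_display(name, width=DISPLAY_WIDTH):
    """Client-side fix: if truncation is needed, shorten the middle and always
    keep the real extension visible at the end."""
    if len(name) <= width:
        return name
    ext = effective_extension(name)
    keep = max(1, width - len(ext) - 3)
    return name[:keep].rstrip() + "..." + ext


def safe_to_open(name):
    """Policy fix: decide purely on the effective extension, against an
    allowlist, and never on the displayed string."""
    ext = effective_extension(name)
    return ext in VIEWABLE_EXTENSIONS and ext not in EXECUTABLE_EXTENSIONS


if __name__ == "__main__":
    # Constructed sample: the shape of the filename from the comment above.
    evil = padded_name("neat-image.jpg", ".exe")
    print("naive display :", repr(naive_display(evil)))
    print("safe display  :", repr(safe_display(evil)))
    print("effective ext :", effective_extension(evil))
    print("deceptive     :", is_deceptive(evil))
    print("safe to open  :", safe_to_open(evil))
```

Run stand-alone, the naive display shows only `neat-image.jpg` followed by spaces while the effective extension is `.exe`; the safe display keeps `.exe` on screen, and the allowlist check refuses the file regardless of how it is rendered.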
Even the DoD has been known to use texting/sim-based MFA, and they have people who work full time in SCIFs.
Definitely agree there needs to be sweeping improvements in general safety re: authentication and account access.