Post a boarding pass on Facebook, get your account stolen (michalspacek.com)
726 points by flux_w42 on Sept 23, 2017 | 303 comments

And this is also why I almost never give my real birth date when registering on websites (except on financial websites or websites where I'm legally obligated to) and I never ever give real answers to the security question.

My typical answer for a security question is something like "39arsrc uyrsrsaulsr8832r" and that's saved in a password manager

Security questions weaken the security of an account; they are easily found information that people can just guess.

> My typical answer for a security question is something like "39arsrc uyrsrsaulsr8832r" and that's saved in a password manager

The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh I just mash the keyboard for those" is probably going to get an attacker access to your account.

> The problem with this is that the "security" question will often be asked over the phone. At this point an answer of "Oh I just mash the keyboard for those" is probably going to get an attacker access to your account

I used to do this and then lost my password file. Fast forward to a call with AT&T. I told them I forgot my secret answers. They offered that it was "a super weird answer," which let me use the "mashed keyboard" line and got in. TL; DR I think this system is less safe than just making up cars, cities, et cetera.

Yea, I always use a handful of random words. That way, it's something pronounceable over the phone.

Still, I expect "oh, it's a random word not related to the question" would clear phone screen human layer of verification a good percentage of the time.

I can confirm that "I'm not going to be able to tell you the secret answer" was accepted by Blizzard when they locked my account and made me apply to have it unlocked.

I'm still bitter about that. I put garbage in the answer to the secret question because I planned not to forget my password. I didn't forget my password, but Blizzard nevertheless locked me out of my account, for the crime of using a payment card that was listed on my account, but wasn't listed as my "preferred" payment option.

Yes, you should just make up a fake personal profile, and base your answers on that. True answers and human-bypassable answers are all bad, whereas fake answers open you up to a world full of entropy.

correct horse battery staple?

This is a reference to the XKCD comic, Password Strength [1].

[1] https://xkcd.com/936/

And for those who think the reference is so well known it doesn't need citing: https://xkcd.com/1053/

Quite Frankly - bad math. You judge people based on how old they are..

One solution would be to randomly generate security answers with human readable words. Diceware does this. You can use a dice, or you can use an open source tool like this one:



It's also built into 1Password. And before that, I just used what I think was literally a one- or two-line Perl script that just grabbed four words from /var/dict. Why yes, my mother's maiden name was indeed pathetic xylophone tootsie wasp, how did you know?

The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.

These are supposed to be the very last line of defense for security, including if you lose your password manager. As an exaggerated analogy, imagine that being unable to answer these questions meant your house, car, and life savings are taken from you. That is how important these answers are, except you're "only" losing one online account at a time.

Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere. The reason behind why security questions exist is a good one, but they don't offer enough security when used as intended (memorable, non-random data). The problem is there is currently no better alternative, short of requiring you to tie your legal identity to every account, and having to show up in person with photo ID to regain control of an account you've lost access to.

Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.

Hum... I'd say that the entire point of security question is that incompetent people can appease non-technical bosses by claiming that they follow best practices.

Where they stand at the security line is irrelevant, because their mere existence on a place is already a symptom of a deep level of incompetence and an almost sure prediction of a compromised system. Besides, security is usually chain-like (compromise one node and it's broken), not army-like (compromise one node and you'll have to fight the next).

Besides, most people do not have a favorite color, do not remember the name of their 3rd grade teacher, and have severe doubts about what counts as their "first" pet. Yes, they are intended to solve a real problem, but nothing about them survives any amount of questioning.

The problem is that anything which you remember that well is likely to be discoverable by other people. For instance, if someone's mother is dead there's a good chance that her obituary will be online and list the names of her children and her maiden name. Likewise, you could find the name of a person's elementary school via looking at their posts on Facebook in many cases - or if not their posts, then their siblings or their friends. So these kinds of questions are hardly a great proof of identity if it can be found online with a bit of searching.

That might have been the theory of security questions early on. But by now I'm sure I've filled out security questions dozens of times. Whatever the intent, from my perspective as a user, they're in the "speed bump" category of security.

For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.

> For things like house, car, and life savings, I'm perfectly glad to go somewhere with physical ID. Heck, I'd love to see police stations offering this as a municipal service. Lying via internet form is pretty easy. Walking into a building with 100 cops bearing fake ID is a whole different level.

This is a great idea. Not only can the police verify that a given photo ID matches the person in front of them, they can also verify that the ID is valid and unaltered by verifying that the details on the ID match the details in the DMV's database, eliminating fake IDs from being an issue. This wouldn't be 100% perfect -- maybe a really determined ID thief could get the DMV to issue them an ID in someone else's name -- but it would dramatically increase the risk and makes ID theft much harder to scale.

A federal effort to standardize an identity verification service across federal and local offices nationwide would be helpful. The service should be available to any entity (not only banks or financial entities) who wishes to verify the identity of a counterparty. The process and fee should be standardized nationwide, with the fee being break-even and paid by the entity requesting the verification.

Post offices are a good candidate to offer such a service, but would need some work to set up (unlike police agencies, I presume post offices don't have access to DMV databases).

The idea sounds nice in theory, but the only reason any administration would implement this would be to remove anonymity from the internet. Your ability to recover accounts would just be a side effect of the system designed to allow the government to track everything you do.

> This wouldn't be 100% perfect -- maybe a really determined ID thief could get the DMV to issue them an ID in someone else's name

This is much more common than you might think. I believe in Illinois there was some sort of ongoing problem with people at the DMV selling licenses to truckers who didn't actually pass their tests[0]. I'm sure any criminal with a wad of cash could get them to make a fake ID.

[0]: http://www.chicagotribune.com/news/chi-991009license-story.h...

This is true, but I think there's an important distinction.

Driving a truck is generally legal. Stealing somebody's life savings generally isn't.

This matters because once an underqualified truck driver is on the road, they're going to be hard to distinguish from a normal truck driver. You have to issue a lot of licenses before the pattern of fake licenses becomes obvious enough to trigger an investigation.

Granting fake licenses for serious theft, though, is another matter. Every single one of those will trigger a police investigation. It's much higher risk, meaning it'd be very hard to sustain an ongoing business in fake licenses for theft.

> The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory, that you are physically incapable of forgetting because they are so ingrained. If you store these in a password manager, it is possible to lose them - and that is unacceptable.

With a password manager such as Lastpass or 1Password you only need one very strong password you as human can remember. The passwords it manages don't need to be human-rememberable. They can have as high entropy as allowed.

> Anything relying on tech (like a password manager) is a bad idea for the general public. The average person does not have multiple off-site backups to guarantee that the information is physically impossible to lose.

2FA of the strong password plus physical OTP (like YubiKey) with one backup key is more than sufficient. Sure, it's not 3 letter agency proof. They can easily break in your house and steal your backup key temporarily, whilst recording you typing in your password, or catching you on the go. But against most criminals (a much more common vector for the general public) this is going to work just fine.

> These are supposed to be the very last line of defense for security, including if lose your password manager.

Security questions aren't for security, they're against it. They're a tradeoff between security and usability, in the direction of usability. Assuming you answer security questions truthfully, they weaken the security of your account. It's like having multi-factor authentication, but instead of requiring all the factors, they just require any one of them. That's not necessarily a bad thing, as long as it doesn't weaken the security so much that it's easy to break.

> Of course, it's terrible to use personal information that can be known to 3rd parties. It's also bad to reuse the same answers across multiple companies, as a compromise at one means you're at risk everywhere.

And here's the problem. Many/most sites that use security questions have a dropdown list of acceptable questions and don't let you enter your own. Often the only thing you can do to avoid making your account easily compromised is to make up answers to some of the questions.

The downside, is, of course, the usual downside with security tradeoffs that favor the security side of the equation: you may be completely unable to access your account again if you screw this up. And that's also not necessarily a bad thing, if you believe compromise to be a really bad outcome. I think it might be ok to do this for, say, a bank or brokerage account. If you manage to fully and truly lock yourself out online, likely you'll still be able to prove who you are and gain access through some means like visiting a physical branch and showing them your ID. A hassle, to be sure, but if it means that much to you, it might be worth it.

In the end, social engineering is still the biggest problem: other posters in this thread have claimed that they've gotten past the security questions by saying things like "oh, I just mashed the keyboard, that's why my answer is gibberish", or something like that. So there's no way to win, unless perhaps you invent plausible (but incorrect) answers to the questions. "Mother's maiden name? Well, it's actually Jones but I'm going to put in Smith." I imagine a talented social engineer might still be able to get past that, but at some point you just have to acknowledge you've done the best you can.

> The entire point of security questions is that their answers are supposed to be things that are permanently stored in your memory

And it's a shame to lose that feature, but they compromise your security so terribly that you're far better off not using them.

> it is possible to lose them - and that is unacceptable

Ten steps forward, two steps back. I find that acceptable.

why not just offer a snail mail reset?

You don't have to say "oh I just mash the keyboard for those", you can say "it's weird, bear with me" and read it out from your password manager.

I do exactly this. About 4-5 characters in the support person interrupts me with "yeah, whatever".

The entire security question situation makes me incredibly pessimistic that we will ever get good security. The idea of security questions is so mind numbingly stupid to me yet it's widely used. One would have thought that after the Sarah Palin hack years ago everyone would have realised that but it seems like nobody did. The support agent didn't see my security question and go "oh that's clever". That's despite him being a person who deals with these all day; they should realise the overwhelming stupidity. In a sane world companies who tell their users to use special characters etc. in their passwords and rotate them but then encourage them to mess it all up by storing information from their Facebook page as a replacement for the password should have to pay massive fines. Yet hardly anybody is even seeing a problem with this.

This situation to me is so demotivating because it makes me think that whatever security mechanism we come up with well meaning people will undermine it.

Four to five characters is probably enough for their threat model though?

The only way I can think of that somebody could steal only the first few characters of your security answer is by looking over your shoulder at a very unfortunate time. That seems unlikely, and most of the questions they use are predictable from the first few characters when answered genuinely anyway (surnames, car names, streets and towns).

The quote is an attacker attempting to bypass the check.

It's not about what you say, it's about what an attacker can get away with saying. And they can almost certainly get away with "I just mash the keyboard."

Ah, I see what you mean. Perhaps instead of grabbing a handful of characters from /dev/urandom, you generate a passphrase (a few random dictionary words)?

Been doing this for several years and prefer this method. I also try to reduce the number of times I use a particular security question. However, I don't think the problem comes from what questions you use or what answers you provide. It becomes like others have pointed out, a problem of what a hacker can get away with answering when asked by a phone representative. Although, I do think this approach provides a little more security than just answering the "what city were you born in" question with the correct answer on every site.

Sounds like a "correct battery horse staple" would fit the bill

Or use a memorable phrase from literature.

> This was not the last encounter between Bobby Shaftoe and Goto Dengo

I would definitely be wary of using the same answer in multiple places. Even more so than with passwords. These stupid answers clearly get stored unhashed (how else would they be verified via phone?). So if the system gets compromised the attacker now has your security question response for multiple targets.

Other than being pronounceable I see the exact same requirements for security questions as for passwords. If anything they need to be stronger.

I like the appeal (and the book) but I recall, when researching diceware, reading that this is a terrible idea in practice since the entropy is lowered dramatically by using natural language that's already in the public record. Even if they can't put every printed phrase into a lookup table, the probability of certain words following others wrecks the entropy.

Indeed, but for the attack discussed here (someone calls support and pretends they're you) you don't need that much entropy, as you can't test different phrases quickly.

You just need a larger number of random words to reach the same entropy as random passwords. It's not like your random password is made up from secret alphabets!

Sentences aren't random.

You seem to be misunderstanding how diceware works. You randomly generate numbers by throwing dice. Every five rolls indexes exactly one "diceware" word. So even if an attacker knew we were using diceware, each word contains

    log2(6^5) = log2(7776) ≈ 12.9 bits

of entropy. If you want 128 bits of entropy in your security question field, then just randomly generate 10 diceware words. This is comparable to choosing 20 random printable ascii characters or so.

Since we pick the words by literally throwing dice, English grammar has nothing to do with it.

I was responding to someone who was recommending using sentences from books as passwords. Hence the comment about grammar.

Median novel has some 65k words. Take all (consecutive) quotes of 2 to 24 words, and you have some 1.5m phrases. Take the top 666k books (apparently about 130m titles have been published in total, about 5m in the Amazon Kindle store), and you're at about 1e12 phrases, or 40 bits of entropy, or worse than a password with 7 random letters/digits/symbols.

You could probably improve on it considerably by selecting fewer books, and only taking quotes starting at some punctuation mark.

For a naturally throttled attack like here (on the phone) that's fine, but for an offline attack (where the attacker has access to the password hash) that can be cracked within days.

I am pretty confident that some phrases would repeat.

True, so even less entropy.

Necronomicon quote? Nice. This has me thinking about what I can do to make my security answers to security questions untethered from PII. A book quote is a really good idea.

Close! Cryptonomicon.

I'm guessing that having every book loaded into a password cracking database, subdivided and indexed by each leading phrase word, is still computationally infeasible for non-government actors.

Bitcoin brain wallets based on obscure Africa poems have been successfully cracked. Don't trust your choice of obscure books to be sufficient.

I need to look into that some.

If I walk into a library, pick a floor, aisle, shelf, book, and page at random (just walk, don't think about it), and use a phrase that is a minimum of 12 words long -- is that more random than what I presume happened here, where someone knew that their target liked that style of poetry and was able to concentrate their search on that genre? ( a "crib" in Bletchley Park terms)

The comments about English grammar are correct - classes of words (nouns, verbs, adverbs, etc) do fall in certain positional order and frequency analysis becomes important. A brute-force attacker would have to work through four types of passwords - the commonly used passwords like "12345" and "letmein", language-based phrases (like my not-great idea), language-based phrases with letter substitution (leet-speak, etc), and then truly random letter sequences.

What's happening is that people collect endless phrases and alter them with a ton of standard manipulation schemes, compute the corresponding private and public keys & addresses for all the variations, create a lookup table for the addresses and private keys, and as soon as they see a known keypair in use then they use the corresponding private key to swipe the funds.

See my comment above - unless I'm mistaken, taking all 2 to 24 word quotes from the most popular 1 million novels gives you about 40 bits of entropy (less than a password of length 7), and can easily be stored on one hard drive. In other words, feasible even for some script kiddie in mom's basement.

No need to have every book loaded, only the top 50000~ read by people who would use that method of passphrase generation should work fine (and be feasible for almost everyone). Cryptonomicon would probably be in that list.

Nope. If a phrase from literature is “memorable”, it’s guessable.

The logic of passwords is simple, once you realize that all humans are terrible random number generators.

When you allow any part of your password to be chosen by a human, i.e. yourself, you have to assume that the human-chosen part is known to an attacker. The solution is to generate passwords with enough random bits to satisfy current demands. And by “generate” I of course mean to allow a real number generator (either a computer, or dice, or anything really random; i.e. something a casino would accept) to choose the password for you. Without any restrictions except a desire to minimize length, you get the classic unmemorable 0vT2GVlncZ4pZ0Ps-style passwords. If you add the restriction “must be a sequence of english words”, you get xkcd-style “correct horse battery staple” passwords. Both are fine, since they contain enough randomness not generated by a human.

But if you yourself choose, either old-style “Tr0ub4dor&3” or passphrase “now is the time for all good men”-style, you have utterly lost, since nothing has been randomly chosen, and “What one man can invent, another can discover.”.

Note: this also applies if you run a password generator and choose a generated one that you like. Since you have introduced choice, you have tainted the process, and your password now follows an unknown number of intuitive rules (for instance, there was a story here on HN some time ago about how people prefer the letters in their own name over other letters of the alphabet), and these rules can be exploited by an attacker.

Diceware is memorable but not guessable.

Agreed, but the context was using memorable phrases from literature, in which case they are guessable. Post edited to clarify.

Gotcha. Thanks for the clarification.

> this also applies if you run a password generator and choose a generated one that you like.

I'm sure there's some math that could be applied here to determine how much a user selecting from one of n generated passwords. Human intuition in cases like this can often be wrong as human psychology hasn't evolved to solve problems like this, so please correct me if I'm wrong, but mine tells me that a user choosing a password from whole cloth has much less entropy when the user is taken into account than a user choosing a password from a small set of those generated with high entropy.

While the latter is less than leaving it up to be chosen purely at random, I think it's much closer to pure random than it is to the one that's created by the human. It's likely not your intent, but your note comes across as not acknowledging this. Am I reading it wrong? Or are my intuitions wrong? If one were to choose between (a) human generated or (b) human chosen from a set of non-human generated, how much stronger do you think (b) is than (a), and how much weaker is (b) compared to (c) randomly chosen from non-human generated?

That’s easy to calculate. If you generate, say 4 password of 32 bits of randomness each, and you pick one of them, you must assume that the 32-bit password you chose has 30 bits of randomness, since your choice between 4 options has 2 bits of information in it.

Cheers :) See? I knew there was some math. So how do you feel that compares to a user-generated password? That's the question I was getting at.

Detecting the randomness of a user-generated password is like detecting randomness in general; it can’t be done¹. Is a number like 392872956 random, or is it derived by using some obscure but guessable procedure? You can’t know just by looking at the number. Even if a user thinks they are choosing randomly, subconscious biases are very powerful. The same principle applies to word and character based passwords, so the only safe course is to assume that anything chosen by a user directly is not random at all.

1. http://dilbert.com/strip/2001-10-25

Sure. So is there nothing to my intuition above? If you were to have users choose between (a) and (b) above, is (b) generally safer than (a)? Much safer? Only marginally so? When using a password manager that presents 10 passwords, should I always choose the first one to remove my choice from the equation? Are those few bits I've removed that important, given that the entire set is random?

I'm not trying to catch you out here. I'm trying to see how far my intuition works in this case and how to read you note in the context of the rest of what you've said.

A user-chosen password has exactly 0 bits of guaranteed randomness. A randomly generated password has X bits of randomness, and a list of Y passwords of X bits each, where the user is allowed to choose exactly one of the passwords, has exactly X−(log2(Y)) bits.

So, to answer your questions: Your intuition is correct – since user-chosen passwords do not contain any guaranteed randomness, generated passwords are better. How much better depends on the values of X and Y in the formula above. The value of X can only strictly speaking be said to depend on the generating algorithm for the passwords, and not any specific value like length or presence of special characters, etc. Yes, I try to always force myself to choose the first one of generated passwords if many are available. The importance of doing that, i.e. preserving those bits, depends on the size of X; a large value of X might stand to lose log2(Y) bits without any real downside.

The default pwgen(1) password algorithm appears to generate a display of 8 columns by 20 lines of passwords, each 8 characters long, like so:

    Uvee5exo aiXae6mi OoR5eiph thoo1Mo3 Ac0quiep woo5Ing7 uh2AiXei poh1Aigh
    ab1Mayai aeHaing4 eip0Wae1 Ho0jaeku Ahxah4Ec Kei4daez Gohmaib6 Chisaib3
    eiphim5U jiepai8C aeXohN3u SeiDahy2 cee9oiVu kei1Eel2 foht6iuY Kievei6o
    Eequ6Aeb eeng9wuS Kog6cie3 sapi7ooP ek9Aitie ohX6eese Eez5oth8 evaeL3oo
    gae1caeF io8EiNga ceaxaY6t eiZ1Lee1 Wagh2Bee maPh0een zoBi0Pee Kou8iel9
    ahj7Ooph eB9beGhe MieV6pe1 loGhae0F ughueTh1 eBohHae2 Eiv1aaQu ahRohv7b
    Iehoo7qu Ga6Buwuh We0UK9Ee gu8ahSoh Ahn2ash8 pee7Airo ey1Faish aeFaiQu1
    Einge6ai vi6uWeir eine8ooK Bae0lugh hewu5Hol hohd1nuH ohn2aeVa nei3oo4L
    Oob6aira Aij4Gila hieNgih7 Ax5iej7O lohLood6 thoo2ahG Thie6aeh Cee7Aajo
    zoot0Ief VaeN4uL5 SaiLa6ie Fii8Xeer uPhoo7os Iew7roh8 Kootu6ei Ohngue7e
    xah4aiPh OVeiT0th Ca3ohjae uiCohs0N Quei9eet Xoh5oobo eicaRae2 ahp1Joom
    Eequeer5 deiZ5uZa ApooSah4 Ca2wuale Xei1aifa qua1jooR oo9haiJo ie2rei2K
    sah4Kai7 Aiphoos3 Di7naip5 uo4sooG3 Aiw7luph ooL6xir0 seo2ooBo shib8eeL
    aem7kieJ aphei9Ie uo1ohF9A choh4Noo EijuF5Uy DohmieJ8 op5cieSh Barauk1o
    EePhi2el oFabee9i AiGhoP8G yaeZa6ah ca6ooTh8 Houc2ro4 Pi9phee5 Ahng1ief
    Eew2Eewu Vu3Wahm6 niep7Wei Gezai2no loR7noh5 aiph0aeT eiW2ap7o aiD6MeSu
    ahgh5Uaf ahse4Aid Yaenei5t ooV4mooc HauYey3r pho1uSah uZuy8fie aiTiek8B
    osh8Chae ee1Ju2Uo eet4Xo4U cheaw6Ee Ri2eoyei eesooh7X du3Pee0a hi8chohV
    ung6Ju7u thahMai1 Cho5ahs0 beipam6A ooSeich0 pohx5Eiy Iene0me8 eBo7aegi
    ohn6uaT7 iami8Aef Nooh6yai vaPhae7u aipai6Oe yaiPh0ue apohSh7i aiNgu8zo

All the characters in each password are lower case letters a through z, except one, which is always a digit, and one other, which is an upper case character, A through Z.

These assumptions give us all the information we need to calculate the actual number of guaranteed random bits in a password chosen from this output. There are 7 letters in a password, each a-z, which gives 26⁷ combinations. Then one of the 7 characters is made upper case, which multiplies the number of possible passwords by 7. Then a random digit (0-9) is inserted in a random place (1-8), which multiplies it again with 10 and 8, respectively. The resulting number is

26⁷×7×10×8 = 4497813698560

Now, 4497813698560 possible passwords is equal to log2(4497813698560) bits; i.e. 42.03236104393261 bits.

The number of password choices is 8×20; i.e. 160 different passwords. Our formula above thus gives us

log2(26⁷×7×10×8)−log2(8×20) = 34.71043294904525 bits of randomness if the default options for pwgen(1) are used, and one of the displayed passwords is chosen by a user.

Now, whether 34.7 bits or 42 bits is to be considered high or low is not my area of expertise, and I am given to understand that this changes rapidly over time as computing technology advances.

FWIW, I see several examples with two numbers and up to four uppercase letters. There's a clear bias toward lowercase letters though.

You’re right. Looking at the source code (https://github.com/tytso/pwgen/blob/master/pw_phonemes.c#L59), the algorithm seems to be rather complicated, so I can’t say what the exact number of bits is. But we could certainly calculate an upper bound:

7 letters a-z which are either upper or lower case, plus an unknown digit at an unknown location, gives:

(26+26)⁷×10×8 = 82245736202240 possible passwords, giving log2(82245736202240) = 46.225006121875005 bits. Subtracting the bits for the 8×20 choices of passwords gives

log2((26+26)⁷×10×8)−log2(8×20) = 38.90307802698764 bits as an upper bound of the security of a password chosen by a user from the default output of pwgen(1). This is a bit more than the 34.7 bits I first thought it was, but not much more. And this is an upper bound; since I can see that the source code does not choose each character completely randomly and does, as you say, seem to prefer lower case letters, the correct number of bits is guaranteed to be lower than 38.9.
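The entropy accounting from the diceware comment above (five rolls per word, 10 words for 128 bits) and from this pwgen thread (X generated bits minus log2(Y) for a user picking one of Y candidates) carried through in code. This is an added example, not code from the thread or from pwgen itself; the two pwgen models are the ones the commenters assumed, not a reading of pwgen's source, and the 95-character printable ASCII alphabet is my assumption for the "20 random printable ascii characters" comparison.

```python
import math
import secrets

# Assumptions (not taken from the thread): printable ASCII has 95 characters,
# and the two pwgen models in pwgen_count() are exactly the ones the commenters
# described, not what pw_phonemes.c actually does.
PRINTABLE_ASCII = 95
DICE_SIDES, ROLLS_PER_WORD = 6, 5
DICEWARE_WORDS = DICE_SIDES ** ROLLS_PER_WORD  # 7776 words in a standard list


def bits_from_count(count):
    """Entropy in bits of one value drawn uniformly from `count` possibilities."""
    return math.log2(count)


def random_string_bits(length, alphabet_size):
    """Entropy of `length` characters each drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def diceware_bits(words):
    """Each word is picked by five rolls of a six-sided die: log2(6^5) ≈ 12.9 bits per word."""
    return words * math.log2(DICEWARE_WORDS)


def diceware_words_for(target_bits):
    """Smallest number of diceware words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(DICEWARE_WORDS))


def rolls_to_index(rolls):
    """Map five die rolls (1..6 each) to a 0-based word-list index, treating the
    rolls as base-6 digits the way a diceware list keys its words
    ('11111' -> 0, '66666' -> 7775)."""
    if len(rolls) != ROLLS_PER_WORD or any(r not in range(1, DICE_SIDES + 1) for r in rolls):
        raise ValueError("expected exactly five rolls, each in 1..6")
    index = 0
    for r in rolls:
        index = index * DICE_SIDES + (r - 1)
    return index


def roll_word_index():
    """Throw the five dice with a CSPRNG, so no human choice enters the word selection."""
    return rolls_to_index([secrets.randbelow(DICE_SIDES) + 1 for _ in range(ROLLS_PER_WORD)])


def chosen_from_set_bits(generated_bits, choices):
    """Entropy left after a user picks one of `choices` generated candidates:
    the pick itself can encode log2(choices) bits of the user's preferences."""
    return generated_bits - math.log2(choices)


def pwgen_count(model):
    """Distinct 8-character passwords under the two models discussed in the thread.
      'one-upper': 7 lowercase letters, exactly one of them upper-cased, plus one
                   digit inserted at one of 8 positions (the first estimate);
      'any-case' : 7 letters each independently upper or lower, plus the inserted
                   digit (the upper bound)."""
    if model == "one-upper":
        return 26 ** 7 * 7 * 10 * 8
    if model == "any-case":
        return 52 ** 7 * 10 * 8
    raise ValueError(f"unknown model {model!r}")


def pwgen_choice_bits(model, rows=20, cols=8):
    """Bits left when a user picks one password from pwgen's default rows x cols display."""
    return chosen_from_set_bits(bits_from_count(pwgen_count(model)), rows * cols)


if __name__ == "__main__":
    print(f"one diceware word:            {diceware_bits(1):6.2f} bits")
    print(f"diceware words for 128 bits:  {diceware_words_for(128)}")
    print(f"20 printable ASCII chars:     {random_string_bits(20, PRINTABLE_ASCII):6.2f} bits")
    print(f"1e12 book phrases:            {bits_from_count(1e12):6.2f} bits")
    print(f"7 random printable chars:     {random_string_bits(7, PRINTABLE_ASCII):6.2f} bits")
    print(f"pick 1 of 4 x 32-bit:         {chosen_from_set_bits(32, 4):6.2f} bits")
    for model in ("one-upper", "any-case"):
        print(f"pwgen {model:9s} generated {bits_from_count(pwgen_count(model)):6.2f} bits, "
              f"after picking 1 of 160: {pwgen_choice_bits(model):6.2f} bits")
    print(f"five CSPRNG dice rolls -> word index {roll_word_index()}")
```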

That's consistent with what I was thinking. Thanks!

I have no idea who is downvoting you; this is perfectly correct. In fact, one of the (minor) plot points in the quoted book is a cyphertext getting broken because the person generating one time pad keys looks at the letters!

How would the attacker know that you mashed the keyboard when answering 'What high school did you go to?' ?

Most likely from a "helpful" CS agent offering up the hint above. "It's really weird" or "I've never seen that one before" or just an odd chuckle. Anything an attacker could use to gain an advantage will be used to compromise you eventually.

Or because you posted about it on HN...

How hard do you think it is to get a bored call center employee to give you enough of a hint to know that it’s random characters?

But the attacker kind of has to know the answer is gibberish from the bat, otherwise they'd either guess or pretend to not remember a real answer, which is noticeably different from saying something like "oh, that's 30 random characters but I don't have the note with me right now".

Here is how it would go... attacker gives a real answer, support says no that isn't it. Attacker goes, "oh, sometimes I give fake answers for the question... is it a really long string of characters?"

Or they could go through a few things like that, always giving the excuse that they give false answers until they stumble on the right one.

But we already know @sersi just mashes the keyboard for those questions :)

Sure, but I doubt it would be easy to find my identity from my hn account name.

One trick is to use pronounceable passwords as answers to security questions, like a sequence of words (“Mother’s maiden name?” “correct horse battery staple”) or arbitrary syllables that make it sound as if you’re having a mini-stroke (“Where were you born?” “prisencolinensinainciusol, oll raigth”).

I try to leave them unset where I can (probably doesn't help over the phone; I'm thinking more of online accounts), such as on eBay which keeps prompting me to set security questions but going back to the homepage lets me avoid doing so.

For sites that force you to set them (and where I care - otherwise they just get random nonsense), and for my bank, I have a set of plausible but false answers I use. Not bulletproof of course, but definitely not googleable and avoids the "I just set it to something random" attack.

That places the liability on the phone rep, while guessing an easy answer places it on you, so it's still a better choice.

Just generate a pronounceable word, for example using KeePass*.

"Your mother's maiden name has numbers in it?" (bank teller, DMV person, etc.)

"You .. give real answers for your security questions? Seriously?"

I do the same thing, real birthday if it's financial or employee related, but for everything else, I'm a few years older on another date. I often pick a security question that I don't have a real legit answer to as well.

Yes, I try to make the fake answer sound legitimate though

City you were born? Just pick any (random/unrelated) city instead of 2DXSDGREDV@#!

It's easier if you have to go through a person (who is usually forced to go through a script); also easier on the phone.

Not just easier, but actually more safe. The person on the phone isn't usually aware of your security "paranoia" and is being evaluated on how many customers he/she has been able to help.

As such most helpdesk employees will accept the answer "Oh I forgot, I do remember I put some random characters in there"... and your random password ends up not helping you after all.

As noted in another comment, the attack on this of "oh I forgot, it's random characters" requires the attacker to know you do this. So if you do this, don't go disclosing it on public websites.

>requires the attacker to know you do this

Nah, "well, it kinda looks like random characters" is information a support rep will give you.

Welcome to social engineering and info escalation.

If the support rep is just giving away enough info to figure this out, there is nothing you can do to protect yourself against the company's policies.

Yes, which is why social engineering is going to get a whole lot worse before it gets better.

As another commenter mentioned, a help desk rep once gave the clue "it's really weird" over the phone, which would easily indicate to an attacker to try the mash-the-keyboard line.

The random character thing isn't great for this use, it seems, as a result.

If support reps give enough information away over the phone to let someone guess a security question, there is nothing you can do to protect yourself from them.

The search space for city names is tragically finite.

There are ~35,000 cities and towns in the U.S., but if you start weighting those by population (and birthing hospitals and centres), you're going to reduce that count considerably.


Why pick name of U.S. city or more general city in country you live/are related to?

There are a lot of lovely and easy to remember names in other countries ;)

Yes but if a system allows you to bruteforce this you probably have bigger problems

The overall risk runs a few different ways. One is that you yourself will be at risk, another is that there will be a high number of compromises.

There are about 300 in the U.S. of over 100k population (corollary: the other 34,700 locations have fewer than 100k people each, or are at most 10% of the population). A 1/300 chance of cracking a security question on any given transaction is pretty good odds. Particularly if the crack is then reusable.

Another 10% of the U.S. population (roughly) lives in the 10 largest cities alone. That's a 1% likely success rate based on just ten values.

The point being that "legitimate sounding but fabricated" may still not be a particularly good option.

I don't even try to make it sound legitimate. e.g. How many sisters do you have? Anyone guessing will be trying a number between 0 and 5. I use a semi-random word, colour or car I associate with my sister(s), eg. Audi. When asked for a number no one guessing will respond with a car make.

Someone has the idea behind challenge/response.

You don't have to answer the challenge with a 100% truthful, legitimate, accurate response, because the point is to NOT provide an answer that could be guessed by framing the response in truth, or even reality. So long as you've picked one that matches with what you've preseeded, use a random word/phrase as your response.

q: What is the name of your favorite teacher? a: bumble bees in the desert

Yeah, but the key is you need to be able to remember it. Sure, you could store it somewhere, but often times the reason you are needing to use it is because you don't have access to your normal system (computer, phone) that you use to login with.

I don't recall the last time I used secret answers to get into anything. I don't perceive it as a valid way to get into an account. But the option cannot be refused... so to me it's just a security risk.

I've had to use security answers because I was locked out by systems that detected I was using an ip from a different country and so refused my correct password and were using the security questions as a kind of extra authentication.

The amount of stupidity needed to build such a system is staggering.

I believe the general recommendation I saw was to type something along the lines of "never accept this answer - it's probably someone trying to impersonate me | 2DXSDGREDV@#!" (although it's probably hard to do so if the maximum acceptable length is too short)

This is how you get engraved plaques, or birthday cakes, with the message NO MESSAGE JUST LEAVE IT BLANK on them.

Haha, true.

Still, if that helps in one case per thousand, it's still better than none.

I doubt this would help, it seems fairly unlikely that whoever answers the phone would be interested in playing logic puzzles.

I had this thought as well, but figured I'd make sure no one else already posted it. Kudos :). I was thinking something like this:

> Do NOT give ANY hints; only accept an EXACT answer; I will NEVER say I "forgot" this answer. 2DXSDGREDV@#!

Maybe add an "I test you occasionally." :D

If there's a length limit, trim and remove parts of that as you see fit. For example:

> NO hints! EXACT answer! NO exceptions! 2DXSDGREDV@#!

I'm going to do this at a few places, then call to test them :D.

I do this too, some phone number checks and email checks are surprisingly good.

The first time (years ago...) I had to enter my birth date on a website that asked me for it for no valid reason, there was a default value. It's now my birthdate on every other site!

January 1st 1970 is sometimes known as "The Internet's birthday" for this reason..

It's also the "UNIX Birthday".

Right, leave it blank when enrolling → Empty value coerced to number becomes 0 → Recorded in Unix timestamp format where 0 is Jan 1 1970 → Wow, everyone was born then?

I never quite got this "mother's maiden name" thing. Isn't your mother's maiden name... your mother's current name, minus the extra surname she got when she married? Why is this treated as hard-to-discover information?

"Mother's maiden name" has been used in over-the-counter banking as an authentication secret for over a century (1882 first mention[0])

Likewise DOB and SSN have been long established as auth secrets.

They never should have survived the transition to the internet

[0] http://splinternews.com/your-mothers-maiden-name-has-been-a-...

In the US and other countries it's common for a wife to take her husband's last name.

Changes from "Jane Doe" to "Jane Smith"

I think he's saying the maiden name is easily found. At least in Brazil, the husband's surname is _appended_ at the end, doesn't replace the maiden one: Jane Doe Smith.

Yeah, but often (usually?) the woman's maiden name replaces her middle name. E.g. Jane Elizabeth Doe -> Jane Doe Smith. I'm pretty sure my mom's maiden name is printed on her driver's license, paper checks, etc.

I know very few women that have done that TBH.

Maybe you just didn't realize it, because it isn't very common to see someone's full name? It was very much the norm until the 80s-90s, and even today I think the majority of women still go that route. I just spent a couple minutes searching Facebook to sanity check myself, and so far all of the women I'm friends with who are under 30 and married have done it.

I wouldn't use Facebook as a guide. My sisters all have done <First> <Maiden> <Last> for facebook, but none of them have legally changed their middle name. They just do it on facebook so that people can find them.

Most if not ~all of those women are doing it so people can find them on Facebook, and people in the States rarely use the middle name field anyways except for legal docs.

In my experience, the women do that so people that knew their name pre-marriage can find them, not because that is their full name.

That is not super common in the US.

In South America and other countries it's common for a wife to keep the name she was assigned at birth forever.

It also is from an era when you would assume that a person's mother was in fact married. Less likely today.

Or for all the women in my family... their maiden name is their current name, because none of them change their name when they get married.

I think the best bet is to provide an actual name in that field, just not the real one. Grab a list of the surnames and pick one at random. Bonus if you hyphenate two.

Doesn't matter if you give your real bday or not. I could easily google you, email one of your coworkers and ask for your birthday for a secret gift. Voila.

Ignore my last comment. I didn't follow your logic of putting a fake birthday into the site haha. Doh!

When I was in high school, SWIM was stealing everybody's MSN accounts. The technique got out, it was through these "security questions", then SWIM got his MSN stolen. Then people would recreate MSN accounts and get them stolen again. It became a funny war until some dude started asking other people's contacts for money (via allopass, these things where you could just call a number to get charged and obtain some token).

Good times. Except some of my friends actually sent out some money. I'm pretty sure I know who did it.

Since then I enter garbage in these security questions. Better lose my account than that.

i had to look it up: SWIM = Someone Who Isn’t Me

You can't do that with United Airlines. The answers have to be picked from a drop-down of answers.


I didn't believe you when I read this, but you are right. => https://krebsonsecurity.com/wp-content/uploads/2016/08/unite...


> Yes, you read that right: The answers are pre-selected as well as the questions. For example, to the question “During what month did you first meet your spouse or significant other,” users may select only from one of…you guessed it — 12 answers (January through December).

> The list of answers to another security question, “What’s your favorite pizza topping,” had me momentarily thinking I was using a pull down menu at Dominos.com — waffling between “pepperoni” and “mashed potato.”


Source: United Airlines Sets Minimum Bar on Security => https://krebsonsecurity.com/2016/08/united-airlines-sets-min...

Video => https://www.youtube.com/watch?v=vmrdLAp7wSw

12 possible answers… little better than a 1-digit PIN!

I ran into an issue with this a few times... What was the fake birthday I entered?!

KeePass has a random phrase generator plugin; it's what I use for security question answers.

Often for security questions like "what was the name of your grade school" or "in what city was your father born" I'll give intentionally wrong answers for the exact reasons you outlined.

My bank's terms of service ban recording passwords - i.e. managers.

How are they supposed to know you use one?

Not that they can really know, but most I've seen disable pasting anything into the website, effectively making banking super slow for those of us with password managers and long passwords.

Fortunately, my bank doesn't disable pasting (Banc Sabadell in Spain). Instead the password is restricted to maximum 6 numbers for login. Yay banks!

In Firefox, at least, there is an about:config option to turn off the ability of webpages to disable paste. Flip that setting and managers work again on those pages.

6 characters? Let me guess, were there restrictions on character space and case?

One place I had an account has a password input that restricts all of those, so it's like an 8-10 character string of all capital letters. I don't understand it at all.

This is often an externally visible code smell that implies plaintext storage of passwords in a char(10) (or whatever the max length is) db column.

You read wrong, not 6 characters but 6 numbers. So no spaces or casing.

Yeah, I just disable their disablement. Super annoying.

Their site was broken one day. I could not login. I told support that I had not forgotten the password since I was using a manager. Then they told me about the terms. Ooops. Luckily they didn't ban me or anything.

Wow. What bank?

For security questions for sites I don't care about, I pick the subject of the question and use that:

"What city were you born in" == "city"

"what was the name of your first pet?" == "pet"


I use profane language since in my opinion the answer should still be hashed if I'm verifying it through the website.

Mom's maiden name: InfectedPussyPimple

How she got dad, I'll never know!

I use my real birth date when dealing with my bank or government departments. Everyone else gets the same fictitious but approximately correct date.

It's not just posting photos that can cause this kind of trouble. I get a lot of email intended for other Doug Webbs sent to my gmail account, with variations on the presence/location of periods, or CC'd with another gmail account that's the same but with numbers on the end. For a while I was getting boarding passes from a major airline for a Doug that was frequently flying up and down the US west coast. Those emails gave me the confirmation number, and a link directly to the page that would let me make changes to the reservation, with no security barrier at all.

Granted, this most likely was caused by that other Doug providing my email address to the airline, but the airline is at fault too for assuming that access to a given email address is proof of identity. That's a very common mistake, often made intentionally to provide a more "user-friendly" experience. Had I been malicious, I could have caused that other Doug a lot of un-friendly grief.

I was not able to see any contact information on the reservation, and I didn't have full access to his account. (I don't know if a "Forgot Password" request would have given me that, though it probably would have.) I contacted the airline customer support to tell them they had the wrong email address on the reservation and they should contact their customer through some other means if they could. I think I got a form-letter thank you and never heard from them again, but I did get a few more boarding passes for a while.

I also get a lot of online shopping order/shipment confirmations, and plenty of personal correspondence. I try to tell the senders to fix their address books, and when I get a CC with the real address I contact the other Dougs too, but most of the time there's no response. I've had to set up a filter that puts all email with TO addresses that aren't the one I use into an "Other Dougs" folder, which I treat like spam.

(my data point ...)

I get mail from a bank for someone who misspelled their email but their name is very close to mine.

I called the bank, reported that I was getting their email and they tried to sell me their identity theft service. ( Give us your SSN to check to see if you ... )

American Express didn't care that one of their subscribers personal information wasn't getting to their customer, but wanted to sell me service.

Ha... I just checked my Other Dougs folder. On Aug 4, I got an email from myidentityassist.com saying that "I" reported a case of identity theft, and that "my" Royal Bank of Canada credit card has been blocked from further use. Then on Aug 5 I got an email confirming an order from a Pizza Hut in Kingston ON, Canada, using the same variation on my email address.

This is one of my repeat-offenders. I see a lot of email out of Kingston with this same variation on my email address, and I've tried many times to reply and get people to tell him he's using the wrong email address, but to no avail. This has been going on for years.

Wow, an official, functional, online phonebook with addresses? I didn't know those still existed. Crazy Canadians. Thanks, I may give that a try.

> a link directly to the page that would let me make changes to the reservation, with no security barrier at all.

This is most likely intentional.

Most business travel gets booked by assistants / travel agencies / client reps / etc. They are going to use their own account when booking tickets, and then forward reservations or boarding passes to the actual passenger. That passenger then wants to for example reschedule in a hurry when a meeting overruns, or change seats or meal choice without having to explain their seating preferences over the phone (is 25C still available? No? Then get 27A).

Security-wise it would be better to have some sort of delegated permissions system, where the travel agent can add email addresses who are allowed to access the booking, you then have to create an account with the airline and prove that you own that email... but I don't see the airlines pissing off their most profitable customer segment with extra hassle to add protection against misforwarded emails.

My Gmail account was one of the first created. Here's a quick list of emails I've received intended for other people:

- Thailand holiday itineraries and airline tickets

- A PayPal money request for $1800

- Congratulations from someone's godfather that I am now able to play the opening riff of AC/DC's "Hells Bells"

- South African real estate quotes

- A bar mitzvah invitation

- A reply to a Thanksgiving invitation sent by someone else

- Inquiries about racehorse sponsorship

- South African Taser training course booking confirmation

- British Heart Foundation cycling team invitations from a BBC reporter

- Complaints from an Ebay purchaser that I'd sent them a Nutribullet with a broken blade

- Confirmation that my NJCAA hardship application had been granted

- Pictures of 5th graders riding trail bikes in Eagle Lake, Maine

- Solicitations from the Greater Palm Harbor Area Chamber of Commerce to run a stall at the 13th Annual Palm Harbor Parrot Head Party

- Sports tipping results

- House painting estimates

I'd be living a much more exciting life if all of these had been intended for me.

You should decide to do some of these one day! Show up to a bar mitvah with gifts and stuff and when people ask who you are, you just show them the invitation. "I dunno man, they told me it was a party, so I showed up... Mazel tov!"

I have the same thing with the email address for this nickname. A few people are occasionally using the version without a dot.

Whenever somebody registers on any website using it, I use the recovery options from the emails they send me to disassociate my email address from their accounts (I never ever keep access to those accounts).

For direct / personal emails (usually in Spanish) or anything else with some customer support involved I just send a short reply in English stating that they've got the wrong person and email. Then I usually spam flag everything not English (I'm only a little sorry for doing that).

There was this one day recently when somebody kept re-registering on this one site about a dozen times, and I kept resetting the password because they used my email every time. I have to guess that they eventually figured out their mistake, because it stopped. I hope...

Let's talk about common first and last name @ Gmail.... It is ridiculous. Oh the things I have seen. I have gotten multiple financial account resets over the years.... Retirement account statements with resets..... Loan info...

I have a guy doing this to me. I have firstname.lastname@gmail.com

He lives in Texas and teaches a sport. I got a reminder that he had to visit the doctor a while back. I replied and got a real human and asked her to tell him he was giving the wrong email. I don't think it happened, something new showed up later.

I had never considered doing anything to mess up something he had done (like canceling his appointment) to get his attention.

Overall it's not that big of a hassle. It peeves me a bit, but I guess I'll let it continue.

I get this all the time and initially have been nicely replying/forwarding, but after a while you have to figure they don't care, so it's either spam or account takeover. After all, "I" own the identity, and "I" want my email back.

Yup, I get emails about Cassidy's kids, Conrad's car purchase, Clyde's Lion's Club meetings, etc.

33c3 talk related to this topic: https://www.youtube.com/watch?v=n8WVo-YLyAg - "Where in the World Is Carmen Sandiego?"

Or in a lot of different formats and also for download on media.ccc.de:


Just to clarify in case someone assumes the same thing I did from the headline: it isn't the Facebook account that gets stolen, but the airline website account.

And really this has nothing to do with Facebook at all, it's not a good title.

I've seen that meme get passed around Facebook for several different airlines, several times. It's always so lazy too: "this company that's been around for 60 years is turning 88! Wow get your free tickets because that's what companies do when they turn 88!"

Eh, Instagram is owned by Facebook, so I gave that a pass.

I thought the point was about the risks of posting images of boarding passes on the internet. Where they happen to be posted seems irrelevant to me, but whatever.

It seems the attacker/pen-tester got access to the guy's passport number. I wonder how easy it would be to do identity theft and gain entry into other accounts.

A much better title would be: Post a boarding pass online, get your identity stolen.

It would also help if tickets had a "No photography" icon on them and a note about them having private information.

I think somebody should develop a standardized and open auto redaction flagging scheme for anything printed, where cameras and any software meant to share photos can offer the user to redact every sensitive field in a secure manner.

Something like a QR code saying "this stuff in that position relative to this code is sensitive", giving the user a prompt saying "this was redacted; undo?"

And then camera-shy people will print it on their clothes.

That's a feature

Maybe something similar to the EURion constellation[0]?

[0] https://en.wikipedia.org/wiki/EURion_constellation

With people taking pictures of their breakfast and posting it to Instagram these days... that's a great idea.

Recently saw a viral tweet with a picture of a political mailing posted on twitter with the address blacked out, but the USPS bar code (https://en.m.wikipedia.org/wiki/Intelligent_Mail_barcode) showing (looks like a comb with broken teeth).

They obviously didn't know the barcode contained the precise house address of the recipient (presumably the user's home address). Anonymization is hard!

Like SSNs (with a defined purpose), IMbs "use" is to help the USPS sort and deliver the mail without manual handling.

Large mailers (billions of pieces per year) get a postage discount by applying such barcode to all the pieces. (edit: any mailer can get the discount. it just adds up for the larger mailers) Those pieces are delivered to USPS facilities, dumped into the auto-sorters and end up at the local post office with no human handling.

It should not be used for anything else except handling mail.

It's amazing that with the algorithmic power Facebook brings to bear on every photo you upload, finding faces etc., that they can't spare a few cycles for security.

It would be simple to run barcode detection over any post and blur the result (maybe prompt the user just in case they actually wanted to post one?).

Almost any barcode is assumed to be private information, even a barcode on a store receipt can be used for return fraud in certain circumstances.

Saying 'don't post barcodes online' is all well and good, but that message will never reach the general public.

The problem is not barcodes and it is not Facebook. The problem is airlines with security systems that went out of style in the 90’s.

You don’t print a paper with all the information you need to hijack accounts. You don’t use ‘secret questions’. You don’t treat birthdays as secrets. You don’t use a number as a secret if it’s on the ticket.

I was traveling with a friend and we could benefit from changing flights. So my friend went to the counter to just ask about the possibility. He had my boarding pass but not my passport. He returned 20 minutes later with both boarding passes changed. The counter staff just took his "word" for "he is my friend".

Edit: An hour later driving and thinking about it, I think it is the right move from the airline. The risk is small because identity theft and authentication hacking is not possible in this case. The Airport is a highly controlled environment and thus someone pulling this will have a higher chance of getting arrested. In contrast, you can't just take anonymous IPs on the Internet at their word. You have to carefully authenticate them and even then you can still have issues.

If you booked the flight together then it is very probable that it's seen in the booking system that you travel together. So it was probably a little bit more than just his "word". (I'm, however, not judging if it was the correct action on the counter staff's behalf.)

A friend of mine was once travelling to Bali and she posted pictures of the boarding pass on Twitter. It was a few weeks after the CCC talk by Karsten Nohl and Nemanja Nikodijevic (https://media.ccc.de/v/33c3-7964-where_in_the_world_is_carme...), so I warned her that it might be not the best idea to post these images. She was very self-assured and replied that she's almost in the plane so there's not much risk.

I've asked if it would be OK for me to test and she was fine with it. I could log in to her booking without problems (booking code and the name, which I knew anyway, were on the images). In the system I saw the other person she was travelling with. I could change seats and names of passengers. I think I could even change the date of the flight back (but I'm no longer sure about it).

But this is how I'm pretty sure that if you've booked together, this might have been visible in the booking system.

At least here in Brazil, airlines are expected to authenticate you at boarding time and not a second earlier. This is the sanest option too, since they will have to authenticate you at boarding time anyway, and anything earlier will at most cause a mild economic loss for the company.

I always wonder about that. Often, in the line at the boarding gate several agents will walk around, compare your boarding pass with your passport (and your face), and then draw a squiggle on your boarding pass (sometimes with a coloured felt-tip pen, sometimes with a biro/ballpoint pen).

It seems to me that it would be trivial to squiggle on your boarding pass yourself, and then claim that you've been checked already. I wonder how much security theatre is happening there, too.

But usually when people get to the front of the line they still present both documents, the fact that 9/10 times the passport is ignored just makes it a judgement call by the ground staff.

Having spent some time working on staff management systems in airports I can say with some confidence that (at least in Australia) most of the ground staff will immediately flag someone not at least offering their passport, and/or trying to talk their way out of needing to do so, as sus.

And let's not forget that if your entire plan was to get on a plane under a fake name, it's a hell of a risk to just hope that you end up in a situation where some chap is squiggling on boarding passes.

If you booked the flights together, and paid together, it's probably pretty likely that you are travelling together.

If the flights were booked together, I don't think this is out of line.

In theory it still shouldn't be possible. The passenger owns the ticket, not the purchaser.

But that doesn't mean a smile and polite word won't get you around that...

Nope. That's not the case. In fact we live in different countries and booked from our countries (different countries/credit cards). I don't think of any possible thing that could make us related.

So what's going to happen is that 2 of the same person show up to the plane... and the copy cat goes on the plane and then you check in, and they say, nope, not you. And then you pull your passport. And then they go get the other person off the plane.

The scammer may have changed the flight time but it's still the original name and ID on the ticket. The scammer would have to fake your passport to be able to onboard as yourself. That's a pretty high bar.

And if the scammer moves your fare to an earlier flight, they get away and your ticket is void when you show up.

Chances are they'll figure this out before the flight in question lands, and have someone to arrest the scammer at the destination.

At worst, the company is a flight seat in the loss. Is this really worth protecting?

Has this happened?

And you get a change notification email and you can call the airline and the scammer gets arrested

The question is: What's the higher risk for the airline - that a bad person shows up in person, with a valid foreign boarding pass, to do some fraud with the risk of you coming to the counter shortly after or to have an unhappy customer if they resist (well yeah, airlines do much to avoid having happy customers ...)

The risk of someone doing real harm there is quite low ...

This is the case I've seen the most. It also really speaks to what is the ultimate security hole which is human error and social engineering. Granted your friend was not being malicious, the fact that it was that easy is scary.

Maybe this is not intentional social engineering but a former customer working in the micro credit market once told me that the people who are most difficult to get money back from are friends, not strangers. Maybe he had an agenda (send your friends to me) but it matches my experience.

Exactly. I lost count how many times I was able to sweet talk my way past regular phone security measures while trying to access my own account after having forgotten security details. Now imagine I was a bad actor trying to get someone else's info.

Or it speaks to years of cost benefit analysis and outcome of someone doing this maliciously is so benign or so embedded within a trust chain that there's no benefit to closing that particular hole.

Not that I have any expertise in this particular situation, but not every 'threat' when armchair analysed in isolation is a threat when put into its correct domain and context.

Yes, you often only need the 6-char conf code and last name to change or cancel a random reservation.

The system is not set up for security, only for convenience, and assumes a world of 80s-90s regulated travel with never-full planes and no change penalties. At the time (US) airlines were even honoring competitor tickets at the gate (assuming they had space, which they almost always did) -- show up with an AA ticket at a United gate and get it swapped for a United flight by the agent on the spot. Gratis.

The system had lots of problems, but malicious changes were not one of them.

>"The problem is not barcodes and it is not Facebook. The problem is airlines with security systems that went out of style in the 90’s."

No the problem as outlined in the post is people not thinking through what they are sharing on social media.

You are correct sir.

> Almost any barcode is assumed to be private information

I don't think that's really the case, I've deliberately embedded QR codes in images on Facebook. Your feature would be very annoying if it could not be toggled off.

A nice feature would be for them to decode and display the barcode info when you're uploading.

Something like “This image contains the following info: <Sensitive info you didn't mean to share>. Would you like us to blur that out? (Y/n)”

This image contains the following info: (long line of gibberish, the boarding pass ID)

User: srsly fb? OK

Detecting if the embedded data is from a boarding pass is not difficult, nor is parsing it[0] and displaying it in a human-friendly format to "prove" that it's probably sensitive ("The boarding pass you posted belongs to John Smith and contains their American Airlines frequent flyer number. Are you sure you want to share this?")

[0] https://www.iata.org/whatwedo/stb/Documents/BCBP-Implementat...
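To put the parent comment's claim to the test, here is an added example (not from the thread or the IATA document) that parses the 60-character mandatory section of an IATA BCBP "M"-format barcode and builds the kind of upload-time warning described above. The passenger, PNR and flight in the sample are constructed; only the fixed-width mandatory items are decoded, so a frequent flyer number, which sits in the optional conditional items, is not covered.

```python
import re
from typing import Optional

# Fixed-width mandatory items of the first flight leg in an IATA BCBP
# ("M"-format) barcode, in order: (field name, width). They total 60 chars.
BCBP_MANDATORY_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1),
    ("variable_field_size", 2),
]
MANDATORY_WIDTH = sum(width for _, width in BCBP_MANDATORY_FIELDS)  # 60


def parse_bcbp(payload: str) -> Optional[dict]:
    """Return the mandatory leg-1 items of a BCBP string, or None when the
    decoded barcode does not look like a boarding pass (URL, vCard, ...)."""
    if len(payload) < MANDATORY_WIDTH or payload[0] != "M" or not payload[1].isdigit():
        return None
    fields, pos = {}, 0
    for name, width in BCBP_MANDATORY_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    # Cheap plausibility checks so ordinary QR payloads are not flagged.
    airports_ok = all(re.fullmatch(r"[A-Z]{3}", fields[k]) for k in ("from_airport", "to_airport"))
    if not airports_ok or not re.fullmatch(r"\d{3}", fields["julian_date"]):
        return None
    if "/" not in fields["passenger_name"]:  # BCBP names are SURNAME/GIVEN
        return None
    return fields


def upload_warning(payload: str) -> Optional[str]:
    """Human-friendly warning an upload flow could show, or None."""
    f = parse_bcbp(payload)
    if f is None:
        return None
    surname, _, given = f["passenger_name"].partition("/")
    return (
        f"This image contains a boarding pass for {given.title()} {surname.title()} "
        f"({f['carrier']} {f['flight_number']} {f['from_airport']}-{f['to_airport']}, "
        f"seat {f['seat']}), including booking reference {f['pnr']}, which airlines "
        "accept together with the surname as a credential. Share it anyway?"
    )


# Constructed sample (hypothetical passenger, PNR and flight), assembled from
# the fixed-width items above exactly as a QR decoder would return it.
SAMPLE_PASS = ("M1" + "DOE/JOHN".ljust(20) + "E" + "XYZ789 " + "SFO" + "JFK"
               + "AA " + "0100 " + "266" + "Y" + "012A" + "00012" + "1" + "00")

if __name__ == "__main__":
    print(upload_warning(SAMPLE_PASS), upload_warning("https://example.com/menu"))
```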

Could also very easily link to documents explaining why that could be bad for the user.

Gotta weaken security for everyone because you want your embedded QR codes? Most likely the only person on FB who has done this.

Isn't embedding QR codes the reason they were created in the first place? It's an optical data format designed to be easy for computers to read.

You're basically evaluating the cryptographic merits of CSV.

> You're basically evaluating the cryptographic merits of CSV.

I am not. I am weighing features vs unintended harm. Yes, the airlines shouldn't be including this data in the barcodes. It is improper to expose end users to this liability. And simply telling them not to expose them isn't a solution.

But if FB can detect harmful barcodes in an image, by all means they should remove the photo.

This is no different than Github scanning for AWS creds or MongoDB passwords in repos.

>This is no different than Github scanning for AWS creds or MongoDB passwords in repos.

But Github doesn't do that either.

Amazon pays a contractor to scan Github repos for keys.

Is there any data in the barcode that's not also printed (in plain text) on the boarding pass?

There is, that is the issue. DoB specifically, which in the US is used (dumbly) as PII.

Yes, they were meant for efficient consumption. The 'Q' is for quick.

Facebook has a billion users. To think that anything someone does there is the first or only time it happens is probably incorrect.

If something is a security issue for 99% of users, the 1% will have to just accept it.

Case in point: app sandboxing. I, for one, don't want it, but it's everywhere.

What if it turns out to be 70/30 or 50/50?

Stuff like this should be configurable or overridable, especially when it has legitimate uses.

There will always be a balancing act between features, security and usability; to ram the needle one way and say 'tough luck' to everybody else is not a solution, because then people will try to find ways around the block.

As a programmer, the problem with feature toggles is this: let's say we have 1 feature toggle with on being 1 and off being 0.

For one feature that means we have

    1,0 states (two states).
For two features we have

    1,0/1,0 (four states).
By the time you get to 10 feature toggles you have

    1111111111 (1024 possible states).
In case I wasn't clear hammering home this obvious (to us but sadly not managers usually) point, feature flags are binary and when you have 16 of them you have 65536 possible states.

Now as a programmer that frightens me because the possible paths through the system have become incredibly large for us to handle, and it's a UX/UI disaster unless handled very carefully; you end up with features that interact with other features (set a do-not-back-up flag on a file, then a different flag for always back up all files) in ways that are unpredictable for us and for users.

You see this complexity in things like hierarchical role based permission systems and the like.

Not sure what the solution is but I can understand why programmers and users push back on adding features (not least because as a programmer I know that doubling the complexity for 1-5% of users just seems like a poor trade off in general - there are of course specific cases where it makes sense like the 5% of users is roughly the percentage who are paying for your product etc.).

That's a very good point, in fact I always use the various global state variables of a program to explain the complexity of the program to others to show them why they can't possibly know their programs do not contain bugs simply because they have not tested all possible states.

Thank you for pointing this out, it is a very important thing to realize and it applies to configurables, global variables and feature switches alike. The more you have seen of the guts of complex systems the more amazed you will be that they work at all.

They should make it opt-out.

That is a pedantic response. Replace "only" with some mathematically qualified low number of pictures on facebook that have legitimate barcodes in them. Is it more than 1:100_000 photos posted? Probably not.

I’ve seen people and business pages post Snapchat and LINE QR codes

The issue here is the airlines, not Facebook...

It's both.

Facebook already scans the image, probably even for QR codes, they could prevent users from harming themselves. And airlines shouldn't expose this info in the first place.

>"It's amazing that with the algorithmic power Facebook brings to bear on every photo you upload, finding faces etc., that they can't spare a few cycles for security."

Do you really believe the problem here is FB? Do you really believe FB should be the arbiter of what incidental information their users' pictures can and cannot convey?

And even if they did parse pictures for sensitive data, do you believe that FB, given what we know about them, would simply redact that information from photos and then discard that sensitive data? I think we can safely assume that FB doesn't discard data on individuals.

No, not at all! I'm just making the point that a company that oversees an enormous proportion of all the user-uploaded images in the world could make a big impact with a relatively small extension to the processing they already do on uploaded photos. I'm not saying any blame is directed at Facebook. While a certain blame does lie with the airline industry, airline ticketing systems were designed and built way before the web and ubiquitous cameras. To change such a system is non-trivial, given that it operates in every(?) country in the world all the time, and is safety- and security-critical.

Since there's no obvious single entity to blame (and even if there is, so what?), we should be working together to prevent and reduce attacks like this. Apart from anything, Facebook popping up a warning about a barcode would go a long way to making people realise that they contain easily readable, and potentially private information.

Also, given how well image classifiers work these days, how hard is it to do the same for photos of (physical) keys, bank cards, and other commonly posted things?

> Do you really believe FB should be the arbiter of what incidental information their users' pictures can and cannot convey?

Aren't they already doing it for other stuff they don't want to see online?

Surely a nipple isn't a barcode and the legal implications aren't the same. And people sharing personal stuff ARE responsible for sharing that stuff.

So I guess it shows us again that FB is not our friend :)

Ha, yes you make a good point, I suppose this is already true. The removal of a posting of Nick Ut’s iconic Vietnam War photo certainly comes to mind. Cheers.

Aren't all the variations of bar codes just a way to make it easy for computers to read things? What other utility do they have?

It's a hilarious perversion of the technology to use computers to blur the thing we created so computers could read.

> Almost any barcode is assumed to be private information

Wouldn't the most common barcode be the EAN-13, which is not private information?

Most common? Yes, almost certainly. Most commonly posted in photos? I don't know (Facebook could know).

Facebook will probably target ads based on scraping data and machine learning from barcodes they recognize -- for their user's convenience of course, then blur them so their competitors can't do the same thing -- for their user's privacy of course.

Not the first time airlines have had poor security with boarding passes:

https://medium.com/@da/need-a-last-minute-flight-45af88ec8df... https://www.wired.com/2016/08/fake-boarding-pass-app-gets-ha... https://puckinflight.wordpress.com/2012/10/19/security-flaws... http://www.washingtonpost.com/national/experts-warn-about-se...

And what the OP article is basically copying: https://www.theverge.com/2017/1/10/14226034/instagram-boardi...

I don't see this changing anytime soon (although there are some tests to move towards facial recognition).

The real problem is that once again someone treated what should simply be an identifier to look up data as something more. Why not store all this information on the server, where an authorized person can see it when they scan a uuid on the boarding pass? Would they allow boarding if the network was down?

There are procedures in place in case the network is down. I have flown with hand-written boarding passes multiple times in the past (they even had special cards for that situation laying around). On the other hand there were flights that were grounded as there was some network malfunction. I guess it depends on the specific problem they have.

Can you imagine how slow boarding might be if the information needed to be retrieved from a distant mainframe by the scanner before it would emit its _beep_ of consent? (I agree with you, though)

Is the problem the airline or the person posting it online?

Reminds me of my ex-gf I had on my Facebook for a while. She liked to show off, which I think nowadays is not that big of a deal. But she would literally invite crime to her house! On her public Facebook profile she didn't post her address, BUT she had a bunch of photos: her with the living complex sign, her next to her door (with the apartment number on it), photos of her inside the house with a beautiful 85" TV and other equipment including expensive bikes, then finally her photo with the car showing the license plate (revealing her state name).

I told her numerous times it's not a good idea but she never listened! Then I told her publicly on her car photo that she should at least wipe out the plate number, which created a long trail of comments where basically all her friends thought I was weird and creepy and asked why I would be warning her (perhaps I want to commit some crime??). No amount of explaining helped. Even telling her cops will tell her the same thing got me a bunch of her "friends" answering "you ain't a cop, bro". And then one fine Friday I saw her posting that they were leaving for another state to visit family. Boy, it was a discovery when they came back Monday morning: their house was cleaned out of every possible valuable belonging. And the thieves must have come with a large enough truck to fit that 85" TV screen.

Not long after, she removed me from her FB even though I never told her "I told you so".

The bottom line is I don't believe people will learn not to give clues online, and I think in this day and age there should be a mandatory one-hour lesson at school on what NOT to post online.

It might be that you remind her of her failure to listen to your advice - it's about her and not you.

WOW, that is becoming really REAL. XD

Why do Facebook and Twitter and etc. permit posting of airline QR codes and credit card photos without a safety warning and an option to safely blur out the sensitive bits?

Why do they permit it...? Because they aren't our parents and shouldn't be responsible for all the stupid shit that users could do.

The real question: Perhaps we can politely convince these services to display safety warnings & blur the sensitive bits? Want to be proactive about it: Help develop a plug & play library for services to use to accomplish this feat.

> aren't our parents ...

Doesn't seem to stop them from trying to find naughty photos and block them.

If they'll do this for one case like QR codes on boarding passes, then the question and expectation will arise: why don't they do it for every other possible case?

This is not their job and not their responsibility, period.

Because it would be ridiculous to make Facebook and Twitter part of that security perimeter.

Relevant xkcd: https://xkcd.com/463/ ("You're doing it wrong")

The RISKS Digest: http://catless.ncl.ac.uk/Risks/ is also a pretty cool resource for these kinds of things :)

I don't know if it's the case elsewhere, but starting in 2019 all invoice payments in Switzerland will use mandatory QR codes. https://www.paymentstandards.ch/en/home/softwarepartner/qr-b... That promises to be challenging too in terms of publication of sensitive data.

I can't see exactly where it says that it is mandatory?

I get it, be aware of what you post on facebook, but does this not rub anyone else the wrong way?

Imagine you break into your friend's car, and rewire the stereo system so the left speaker doesn't work. Then, you say, "yo, I broke into your car and rewired things. The locks on this car are faulty, better let the car manufacturer know. I should contact them myself and collect my bug bounty." And when your friend, a decent chap, thinks you're joking, and finds out you're not kidding, is his response supposed to be, "Oh shit, you're right. You could have just [rewired my speaker system]. This is crazy." or instead, would he no longer be your friend, and probably report you to the police?

Analogies almost always make for tedious discussions.

I grant you that. I am trying to make a general point about whether you should do 'x' just because you can or to prove a point.

> Imagine you break into your friend's car

Bad comparison. Breaking into a car is a locally constrained high-risk attack vector.

This is a low-risk unconstrained attack vector. A bored person anywhere in the world could fuck their shit up with no risk or consequence.

Alright, say their car is unlocked and you rewire the stereo to teach your friend not to leave their car unlocked. Or a better example is surprising them with their car insurance card from the glove compartment to prove you got into their car. The act of intruding into someone's vehicle in and of itself is an unwelcome act, even if it is to teach good lessons. The same is true for this I think.

I always feel that pointing out vulnerabilities is okay. Penetrating to point it out is another thing altogether. Continuing the analogy here would be pointing out to your friend that they shouldn't leave their car unlocked rather than entering and making a mess of things.[0]

And sure, a bored person anywhere can do lots of damage and maybe your damage won't be as bad, but just the act of going through someone's belongings is unwelcome.

[0] Also, there's a huge difference I feel from penetrating systems from orgs that have dedicated security teams...and picking on a private individual to make a point.

It could be posting to Instagram, where a good number of people don't have their accounts set to private.

Someone could write a bot to scrape Instagram for photos with #airport #[name of airline] #[airport code], identify photos with tickets, and steal information that way.
