
Recently, I lost my password on a web app that is supposed to be really secure (think bank or government type web app). This web app contains a lot of personal critical info (like SSN and salary, but legally).

Here is the procedure I had to follow:

  • I tried answering my secret question, but I did not remember the answer
  • I sent a message to the Customer Service as advised. A "ticket" was created, with a number.
  • A generic e-mail address, not a secured one (no signature etc.), asked me to answer the e-mail with a scan of my ID (front & back). The only thing that made me trust this e-mail is that my ticket number was in it.
  • I answered, so I had to write my e-mail to an address like "contact@company.com", with the ticket number and the scan of my ID.
  • Then, they sent me the answer of my secret question, so they stored it in plain text
  • I answered my secret question, that generated a link sent to me by e-mail to choose a new password

Two things are warning me here, but I'm not sure it is that bad:

  • I had to send a scan of my ID, front and back, to an untrusted e-mail address potentially accessible by a lot of the company's staff.
  • The answer of my secret question is stored in plain text (or equivalent), so anyone accessing the database can see it, but to use it they must access my e-mail account.

I'm in Europe so it may change some things, legal-wise.

UPDATE FOR CLARIFICATION:

My questions are:

  • Can an attacker do anything wrong with my secret answer if he has access to it?
  • Is it OK, information security-wise and legal-wise, to ask for an ID in an unsecured (no encryption or anything else), untrusted (no signature) and generic (potentially everyone in the web app's company can access it) e-mail address?
  • Have you provided the same ID scan to subscribe? The answer to your secret question could have been encrypted somehow with your ID number or something on your ID card. That way when you want to recover your password without the secret answer, they can identify you and decrypt the answer. I won't bother too much about the ID scan if they store it securely. But this plain text answer thing makes me wonder if they do... – Guillaume Beauvois Sep 14 '18 at 10:19
  • No, I did not provide an ID to subscribe. My company subscribed for me and it wasn't the same ID I gave to my company when they hired me (it has expired since, and has been renewed). – LP154 Sep 14 '18 at 10:32
  • But maybe they did not store it in plain text, but encrypted with some infos on my ID as a key. However, almost all the infos on my ID are stored in this web app. – LP154 Sep 14 '18 at 10:35
  • The plain text part of your question is answered here: https://security.stackexchange.com/questions/18354/is-storing-answers-to-security-questions-in-plain-text-bad-form – Anders Sep 14 '18 at 10:38
  • Partly, because I'm not sure an attacker can do something wrong with this information. I'm realizing my question is not clear, I'll update for clarification. – LP154 Sep 14 '18 at 10:42
  • I would AVOID sending my ID through email. You just made yourself now a low hanging fruit to identity theft to anyone sniffing traffic or having access to mailboxes. – Marcel Sep 14 '18 at 10:44
  • @Marcel Exactly what I had in mind, but sadly I had no choice – LP154 Sep 14 '18 at 10:48
  • @LP154 I can second that. Email should be treated as an insecure channel. A support page with the ability to upload would be better. Data retention would be a concern as well (do they have a bunch of ID photos sitting around somewhere). For the security questions, if the answer itself is not sensitive then my concern would be if the same question is used elsewhere for security. E.g. if another app uses it or if your national revenue agency uses it, or similar. – user18519 Sep 14 '18 at 11:16

1 Answer


First, questions about legality should be directed to https://law.stackexchange.com. As for the rest, let's break it down into secret question security and ID security:

Secret Questions

Using secret questions at all for account recovery has basically been a "deprecated" security step for quite a while. My go-to example of why this is a bad idea is the hacking of Sarah Palin's email account during the 2008 US presidential election. The person who accessed her email did so by using the password reset feature in Yahoo, which he was able to do because they used secret questions and all of her questions/answers were based on publicly available information about her life.

As a general hint, anytime I do encounter a site that uses security questions, I don't actually answer any of the questions asked. Instead I generate a long random string (which I store in a password manager or what-not) and use that for the answer. Because security questions are based on personal information they are a risk factor primarily for targeted attacks (aka Sarah Palin). As a result, using a random string as an answer to a security question means that even if someone knows the middle name of your second grade teacher, they still won't be able to break into your bank account (because you didn't actually answer the question they asked). So whatever you do, if a site is using security questions, treat it like a password and provide a long random string. Also keep in mind that whoever set up the site isn't actually doing security well.

Onto the actual question though: "Is this safe?". Safe is a meaningless term in the security world. Nothing is safe. It is only ever "safe enough for my purposes". From that perspective I probably wouldn't worry too much if they were storing your answers in plain text. The answer to a couple of security questions probably won't help an attacker very much because few sites these days still use them and the questions themselves vary from site to site. As a result, even if someone got hold of an answer to a security question of yours on one site you use, they can't just go around gaining access to other accounts of yours like they can if they had found the one password you used everywhere. However, now might be the time to go find all your accounts on systems that have security questions and replace them with gibberish instead of actual answers (or just delete your account since these people don't know what they are doing).

Emailing identification

I think you pretty much know the answer to this one yourself, but just to say it out loud: emailing around sensitive PI (personal information) over an insecure channel is definitely a bad idea. In this case though it has the advantage of at least letting you know that they have poor security practices. I used a system once that required me to take a picture of my ID using my computer's webcam over a secure HTTPS connection. Sounds good of course (or at least, that's the minimum required to do it well). For all I know though they stored pictures of my ID in a public AWS S3 bucket which will later be found by hackers and then splashed across the news (as happens every other day).

I realize that's not much consolation, but since it's quite obvious that having your personal information sent across unencrypted channels is a terrible idea, I figure I might as well try to find some good news. At least now you know that their security is terrible, and you can take measures accordingly - generate and use a unique and long password for this site, change the answers to your security questions to be long random strings, store as little information in their system as you can get away with, and complain loudly to whoever you can about how poorly they are using and storing your data. If you can also confirm that they are storing your data illegally, then you have a whole new slew of people you can complain to, so perhaps something can even be done about it (but I wouldn't hold your breath).

– Conor Mancone
  • Thanks for your answer. For the secret question, aside from the fact that I clearly have not used this answer anywhere else (the answer was random), the question itself doesn't grant access to the account: when answering it, a link is generated and sent to the account's e-mail address, like a "classic" account recovery process. For the ID, I'm going to send a message to the customer service to ask for the deletion of my ID scan from their servers. – LP154 Sep 14 '18 at 14:22
  • @LP154 that's good. Most of the time with security questions it is set up so that once you answer the security question you gain immediate access to change the password. That is actively dangerous. If they have it set up so that answering the security question is required to get the recovery email and then do a normal password change, then that actually isn't dangerous. It's just inconvenient security theater. – Conor Mancone Sep 14 '18 at 14:33
  • I think the question of whether this process meets the legal requirement of GDPR Articles 25 and 32 might be answered here (or it could be [law.se], but it doesn't *not* fit here). – Andrew Leach Sep 14 '18 at 20:11
  • @AndrewLeach I would disagree, but that's the nice part about the internet - we don't have to agree. I know very little about GDPR so I certainly don't have anything more to add even if it *were* unambiguously on topic. However, you're welcome to post your own answer and address that and anything else you would like to. – Conor Mancone Sep 14 '18 at 20:17
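As an added illustration of the two points the thread turns on (the secret answer should be stored like a password, not in plain text, and a correct answer should only release a single-use reset link to the account's mailbox), here is a small hypothetical recovery flow. It is example code written for this page, not the web app's or the answerer's code; the `RecoveryService` class, the scrypt parameters and the in-memory dictionaries are my assumptions.

```python
from typing import Optional, Tuple
import hashlib
import hmac
import os
import secrets
import time
import unicodedata

def normalize_answer(answer: str) -> str:
    """Case-fold and collapse whitespace so a human answer tolerates typing
    variation; a long random-string answer is unaffected."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())

def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    # Only (salt, digest) is stored; a database reader never sees the answer.
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize_answer(answer).encode("utf-8"),
                            salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest

def verify_answer(answer: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_answer(answer, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

class RecoveryService:
    """Hypothetical flow: a correct answer only earns a single-use, expiring
    token e-mailed to the account owner, so the answer alone never changes the password."""
    def __init__(self, ttl_seconds: int = 900):
        self.accounts = {}  # user -> (salt, digest, email)
        self.tokens = {}    # token -> (user, expiry timestamp)
        self.ttl = ttl_seconds

    def enroll(self, user: str, email: str, answer: str) -> None:
        salt, digest = hash_answer(answer)
        self.accounts[user] = (salt, digest, email)

    def request_reset(self, user: str, answer: str) -> Optional[Tuple[str, str]]:
        salt, digest, email = self.accounts[user]
        if not verify_answer(answer, salt, digest):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, time.time() + self.ttl)
        return email, token  # caller e-mails the token; it is never shown on the page

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        user, expiry = self.tokens.pop(token, (None, 0.0))  # pop: single use
        current = time.time() if now is None else now
        return user if user is not None and current <= expiry else None
```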