
I'm thinking out my password recovery logic for an ecommerce system. Some background: Passwords are stored using bcrypt, password recovery involves the standard reset link, which then can be used to reset the password within a limited amount of time.

I would like to add an additional step before allowing customers to reset, such as a security question. My question is what is best practice, using today's security standards, for situations where the customer can't answer the security question?

Does the system prompt them for some other secure info tied to their last order, such as the last 4 digits of their credit card? (If yes, what if the customer hasn't placed an order yet?)

In my situation, I would need the entire process to be doable online (vs. by phone, although I would be curious to know what the benefits of using phone are). We don't want customers not being able to place orders if they can't get through to customer service.

Anders
Rivka

5 Answers


Security questions are usually stupid and useless. They rely on information that is usually easily obtained through a quick Internet search of the target's social media accounts and is not a good way of proving identity.

Does the system prompt them for some other secure info tied to their last order, such as the last 4 digits of their credit card? (If yes, what if the customer hasn't placed an order yet?)

The last 4 digits of a credit card is not secure information either. See a recent, well-known case of social engineering that exploits precisely this.

Personally, I'd just fire off a password reset email to the listed email account and be done with it. Any other steps will generally serve to annoy your customers more than protect against any real threat.


This will depend somewhat on how much security you need.

You mention you are an e-commerce site; do you store customer credit cards for "one click" style ordering? If not, I expect the impact of account breach is relatively minor, so you can probably get away with a relaxed password reset process. For example, simply sending a reset link to the stored email address, without any security questions.

If you do allow "one click" ordering then you may have certain controls to limit the risk of this, such as only shipping to the card's billing address, and a relaxed password reset process may still be appropriate.

If you truly need high security on accounts, then you must have a strong password reset process. The strongest of all is to have in-person enrolment where you capture biometrics, and an in-person password reset process where you verify the biometrics. In practice that is only done by a few governments of developed countries for passport or national ID schemes. And at that point, we wouldn't be relying on passwords, right?

Another approach is risk based transactional analysis. So, you may normally have the policy that you will ship to any address. However, if the account has recently (say, last 7 days) had a password reset, then you only ship to the billing address.

paj28
  • We currently don't display CC info, but I can't say we won't in the future. RE shipping only to card's billing address: I don't think that will be an acceptable solution to my company. Is there no standard, in-between method? – Rivka Feb 03 '14 at 22:09
  • @Rivka - I've added a paragraph on risk based analysis which may help you. As a more general point, I would make decisions based on what you do now or in the near future. Trying to account for things that you might do in the future tends to make for bad decisions. If you do choose to store CC info in future, at that point you should revisit a whole raft of security measures, including password resets. – paj28 Feb 04 '14 at 09:35
  • Then I guess I'll be back as soon as we decide to allow "1-click" feature. (Also, it seems from the answers here that the accepted standards don't put the responsibility on the web app in regard to being able to change a password just by having access to email. Easier for me, just didn't expect that.) – Rivka Feb 06 '14 at 03:22

Could you not hide/wipe-out all secret information (personal, billing, payment) when the user resets the password?

It probably won't take them very long to re-enter these. You can also restore all these when they manage to re-enter one valid payment info matching the previous ones.

Never trust any information that can be socially engineered (birthday, favorite anything, anything related to family members) or readily available in a compromised email account (previous order numbers or contents, addresses, etc.).

billc.cn
  • This is a brilliant suggestion! The reset gets you back into the account where you can manage whatever is currently in process, view history, etc., but is useless for future abuse. – John Deters Mar 22 '14 at 14:30

As Terry Chia says, security questions are, in my opinion, a waste of time.

If you don't allow a maximum number of guesses without an account lockout, you risk a brute-force attack. If you enable an account lockout you risk a DoS attack against the user's account.

In either case, you get username enumeration problems.

I would go with sending an email to the address registered against the account, with an 'If you entered a valid username, a password reset email will be sent to the registered email address' message.

Jay
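The two ideas above that a web app can actually enforce are Jay's enumeration-safe reset (same response whether or not the email exists, single-use time-limited token) and paj28's risk-based rule (ship only to the billing address for 7 days after a reset). This is an added example, not code from any answer: an in-memory sketch with a constructed account table, an assumed 15-minute token lifetime, and the bcrypt hashing of the new password left to the caller.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RESET_TTL = 15 * 60                 # reset link lifetime in seconds (assumed value)
POST_RESET_WINDOW = 7 * 24 * 3600   # the "last 7 days" window from paj28's answer
GENERIC_MSG = "If you entered a valid account, a reset link has been sent to its email address."

@dataclass
class Account:
    email: str
    billing_address: str
    password_hash: str = ""          # bcrypt hash; the hashing itself is out of scope here
    last_reset_at: Optional[float] = None

# Constructed in-memory stand-ins for the user table, pending tokens and the mailer.
ACCOUNTS = {"alice@example.com": Account("alice@example.com", "1 Main St")}
PENDING = {}   # sha256(token) -> (email, expires_at); only the hash is stored server-side
OUTBOX = []    # (email, token) pairs the mailer would send

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(email, now=None):
    """Issue a single-use, time-limited token; respond identically for unknown emails."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        for h in [h for h, (e, _) in PENDING.items() if e == email]:
            del PENDING[h]                       # one live token per account
        token = secrets.token_urlsafe(32)
        PENDING[_hash(token)] = (email, now + RESET_TTL)
        OUTBOX.append((email, token))
    return GENERIC_MSG                           # same text either way: no enumeration

def consume_reset(token, new_password_hash, now=None):
    """Redeem the token once, within its lifetime, and record when the reset happened."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_hash(token), None)      # pop: the token is single use
    if entry is None or now > entry[1]:
        return False
    acct = ACCOUNTS[entry[0]]
    acct.password_hash = new_password_hash
    acct.last_reset_at = now
    return True

def shipping_allowed(acct, ship_to, now=None):
    """Risk-based rule: only the billing address for 7 days after a password reset."""
    now = time.time() if now is None else now
    if acct.last_reset_at is not None and now - acct.last_reset_at < POST_RESET_WINDOW:
        return ship_to == acct.billing_address
    return True
```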

In my opinion the security question should be the last way of restoring the password. After that, if someone fails to pass it, the next step would be contacting customer support and, by giving information about his account proving that it is his own (e.g. transaction IDs, recent activity, etc.), the team would send him back (by email preferably) a reset link only valid for a couple of days.

user36976
  • This isn't always a good approach as you may get a phished email actually pointing you to an attacker - or when you look at recent hacks such as Mat Honan's digital life. – cutrightjm Feb 02 '14 at 19:54