
For example, with a bank's credit card activation/registration, that user is required to authenticate with a unique code that was mailed to their address. If they don't get that mailout-with-the-code, they'd be SOL.

With that in mind, we'd like to do a self-registration system for a site where a potential registrant could log in and self-register to create an account by successfully answering some personally identifying information (SSN, DOB, address etc.) that we already have on file.

Obviously, this seems less secure than requiring that multi-factor item of the activation code.

I've gone over a lot of OWASP authentication cheat sheets and combed through the payment processing industry best practices and glossed over PCI DSS but I can't seem to find something that would indicate that the scenario that we're planning on implementing for self-registering would be minimally "acceptable" or non-compliant.

Any suggestions?

khangtt
  • Do you have a mobile number or email for the users? – Neil Smithline Sep 04 '15 at 13:41
  • No, no mobile number so we can't use multi-factor. As part of the self-registration, they will set their email address. – khangtt Sep 04 '15 at 16:21
  • The only thing that's close to a standard that I can think of is a little timed quiz I've seen about my credit history. It's a few multiple choice questions. – Neil Smithline Sep 04 '15 at 17:25
  • Question: Do you have any piece/s of confidential information (confidential betw. you and the user) that you specifically generate to identify a person/account/etc. and that only has meaning to you ? To put it another way via examples...banks create bank account numbers, employee payroll self-service systems usually use in-house employee id numbers, med records systems may use in-house patient id numbers, etc. Put another, other way: do you have any info that you could require during self-registration that a bad guy couldn't get from another source? – mostlyinformed Sep 16 '15 at 06:08

1 Answer

I would refrain from using details that, despite being personally identifying, are available to other people as well. I don't know how secret the SSN is in the US, but here in Europe it is quite possible that someone would know my SSN. Date of birth: is on my Facebook. Address: is in the public phone book.

You need to find a datum which is only accessible to you and the registrant at the time of registration and satisfies some kind of identification at the same time. It comes down to asking "Is it really you who is registering?" via some other means than the current browser session. If you do not have an email or phone number already, this will be very difficult.

If you are sending out invoices or some other kind of letters, you could ask for the last invoice number. But still, this could be found in the paper waste by someone and he could register on behalf of the poor victim.

The only remaining 2-factor auth that would work is sending out a letter by mail with some auth code. This would take a few days, but it is rather hard to intercept since the attacker would have to live in the same household and must be able to check the mail every day.

Are you doing payment business? It's delicate, so it's your obligation to really identify those people correctly.

flohack
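As an added illustration of the mailed-code option the answer lands on (example code written for this page, not from the question, the answer or any product): the server side of such a flow only has to generate the code, keep a salted hash of it with an expiry, and refuse to keep guessing. The `pending` dict, the 10-character code, the three-week window and the five-attempt lockout are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 21 * 24 * 3600  # postal delivery takes days; allow three weeks
MAX_ATTEMPTS = 5                    # keep small: a short code is guessable with many tries
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I confusion on paper


def _hash_code(code, salt):
    # Slow hash so a leaked table of pending codes cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_code(pending, registrant_id, now=None):
    """Generate the code for the letter; store only its salted hash and expiry."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(10))
    salt = secrets.token_bytes(16)
    pending[registrant_id] = {
        "salt": salt,
        "hash": _hash_code(code, salt),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code  # printed on the letter only; never logged, e-mailed or shown on screen


def verify_code(pending, registrant_id, submitted, now=None):
    """Return 'ok', 'expired', 'locked' or 'wrong'; a code that verifies is consumed."""
    now = time.time() if now is None else now
    rec = pending.get(registrant_id)
    if rec is None:
        return "wrong"  # same answer as a bad code, so unknown ids are not enumerable
    if now > rec["expires"]:
        pending.pop(registrant_id)
        return "expired"
    if rec["attempts"] >= MAX_ATTEMPTS:
        return "locked"  # further tries, right or wrong, are refused
    rec["attempts"] += 1
    normalized = submitted.strip().upper().replace(" ", "")
    candidate = _hash_code(normalized, rec["salt"])
    if hmac.compare_digest(candidate, rec["hash"]):
        pending.pop(registrant_id)  # single use
        return "ok"
    return "wrong"
```

The knowledge-based questions from the question (SSN, DOB, address) can still gate who may request a letter, but in this flow they never replace the code itself.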