As many will have seen, Facebook won a court judgment today for $711 million from well-known spammer Sanford Wallace. It’s always nice when a spammer gets told “stop that”, but as bad as some people might think Wallace is, he is a walk in the park compared to the real villains out there. They are faceless, nameless, thugs who want to steal your money, your identity, and whatever else they think they can take from you and your family. They have no scruples and cannot be easily traced. The occasional bust makes the news across the world, which is one way of knowing that these miscreants are hard to find. The other way is that your mailbox is still collecting spam, some of it dangerous.
Growing up in the New York area in the 1970s, one never really paid attention to all the crime that occurred. There just was so much of it. Even when I lived in California, while a murder would make the local news, it wasn’t something that would shake the community. A murder in the Zürich area, however, is rare. Maybe it’s because everyone has a gun, as my friend Neal might say. Who knows? The point is that people here are not inured to that level of violence.
Now we are discovering the online version of that. When last we left our situation, we were trying to figure out how best to protect ourselves from evil bad guys by limiting the damage dumb passwords can do. Since then, it has been widely reported that 10,000 Hotmail account passwords were stolen. But they weren’t the only ones. Many of the people who use Hotmail accounts also have GMail and Yahoo! accounts, and many of those passwords are the same. Why? Because humans don’t like having to remember lots and lots of passwords. And of course, if you were one of those people who used the same password between both and linked your Yahoo or GMail account to Facebook, that means that your Facebook account could have been compromised as well. And that means that your friends may have been attacked, as we previously discussed.
How could this be worse? Let’s add Paypal into the mix. If you use the same password for eBay as you used for Yahoo!, now all of a sudden, you have invited someone to empty your bank account. Had Paypal implemented an OpenID consumer for login, an attacker wouldn’t even need your password.
Now let’s aggregate all of the people who do that. The popular OpenID providers include Google, Yahoo, and Verisign. As the number of providers increases, the concentration of risk of any one single failure decreases. Concentration of risk is a fancy way of saying that one is putting all of one’s egg in one basket. On the other hand, from the perspective of a web site that uses OpenID or some other federated mechanism such as SAML, the information received from any random Identity Provider (IdP) could reasonably be considered suspect.
This leads to a few conclusions:
- A large number of Identity Providers will require a service that provides some indication as to the reliability of the information returned by a given IdP.
- The insurance and credit industries can’t manage concentrated risk. We’ve seen what happens in the housing market. The Internet can reproduce those conditions. Hence, there will be limitations on transitive trust imposed.
Conveniently, you are not without any protection, nor are the banks. There are large federated market places already out there. Perhaps the two biggest are eBay and Amazon. Amazon has the advantage of requiring a physical address to deliver to, for most goods, the exceptions being software, soft-copy books and downloadable movies. In each of these cases, the transaction value tends to be fairly low, and the resale value of most of these items is 0. It’s the resale value that’s important, because the miscreants in this business don’t want 150 copies of Quicken for themselves, nor can they really sell off an episode of House.
Paypal is another matter. If someone has broken into your Paypal account, here is what they can do:
- Empty it of any credit it might have;
- Charge against your credit cards; and/or
- Take money from your bank.
If you’re paying attention and act quickly, you might prevent some of these nasties from happening. But first you will have to read a tome that is their agreement. In all likelihood you have no recourse to whatever final decision they make. If you’re not paying attention, your account and those associated with it become an excellent opportunity for money laundering. What does it mean to pay attention? It means that you are receiving and reading email from paypal.com. That means that they have to have a current email address. When was the last time you checked that they do? Assuming that they do, it also means that you have to read what you are receiving. Now- I don’t know about you, but I’ve been spammed to death by people claiming to be PayPal. Remember, how this posted started by talking about being inured to crime? Well, here we go again.
After my last post, a reasonable question is whether we in the industry have been goofing off on the job. After all, how could it be that someone got their account broken into? Everyone knows that passwords are a weak form of authentication. Most enterprises won’t allow it for employee access, and we would string a bank CSO up by his or her toenails if a bank only used passwords to access your information. They use at a bear minimum RSA one time password tokens or perhaps Smart Cards. So why are the rules different for Facebook?
They would say, I’m sure, that they do not hold the keys to your financial data. Only that may not be true. Have you entered credit card details into Facebook? Then in that case maybe they do hold the keys to your financial data. Even if you haven’t entered any financial data into Facebook? Are you using the same password for Facebook that you are for your financial institution? Many people are, and that is the problem.
Passwords have become, for want of a better term, an attractive nuisance. It’s not that the concept itself is terrible, but they are increasingly difficult to secure, as the number of accounts that people hold continues to skyrocket. Yes, the problem is getting worse, not better. My favorite example is the latest update to the Wall Street Journal iPhone app, where the upgrade description says, “Application Enhancements to Add Free Registration & the Ability for Subscribers and Users to Login”. What a lovely enhancement. Right up there with enhancing the keyboard I am typing on to give me electric shocks.
Facebook is at least making a feeble attempt to get around this problem by offering OpenID access in some limited way (I tried using it from this site, and FB is broken, even though I can get into all sorts of other sites, including LiveJournal). Still, it probably works for you if you are a Google, Yahoo!, or MySpace user, but for better or worse those sites themselves do not accept OpenID. (The better part is that no one can simply break into one account and gain access to all of these other sites. The worse part is that if you have some other OpenID, you can’t use it with these sites.)
OpenID has lots of problems, the biggest of which is that there is no standard privileged interface to the user. This is something that Google, Yahoo!, and MySpace might actually like, because it means that they provide the interface they want to provide. Unfortunately, programs, or more precisely the authors of programs, might find that a little irritating, since OpenID is so closely tied to the web that it is difficult to use for other applications (like email).
SAML and Higgins to the rescue? OAUTH? Blech.
As Facebook now has more accounts than there are people in the United States, it should come as no surprise that it is possible to break into some of those 300 accounts. This happens. Well, what happens next when an attacker breaks into a Facebook account? Several things are likely. First, the attacker will retrieve as much information about the individual and his or her friends as possible. There are several key pieces of information that prove valuable:
- Birthday and Hometown are enough information for an attacker to reliably predict social security numbers of people born after 1989. You can hide this information from your profile by going to your profile, clicking on the little box in the upper right of the Information tab, and deselecting birthday and home town.
- Email address is useful to feed into a phishing/spam engine.
- Telephone # and IM account information is enough to either use or sell to other scammers.
Next, an attacker may try to directly contact friends to scam money out of them. While such attacks are unlikely to take the form of a 419 scam where the attacker tries to play on greed, they will more likely play on peoples’ sympathies.
Here is an example:
0Wn3d Friend: Hey
0Wn3d Friend: How are you doin?
Target: good evening, Friend!
Target: i’m doing well, and you and your family?!
0Wn3d Friend: Not too good
0Wn3d Friend: We are in a very deep mess
0Wn3d Friend: Glad you are here
Target: what happened?
0Wn3d Friend: We are stranded in London England
Target: WHAT?! how so?
Target: (in london)?
0Wn3d Friend: Kentish Town
0Wn3d Friend: We got mugged on our way back to the hotel at a gun point
Target: oh geez
Target: have you gone to the police?
Target: do you have a phone?
0Wn3d Friend: Yes,We were able to file a report to the cops and that is been Investigated
0Wn3d Friend: They made way with all we got here
0Wn3d Friend: Cash,bank cards and also the cell phone
Target: i have a few friends outside of london. are you in a hotel?
0Wn3d Friend: Yes
Target: do you still have your passports?
0Wn3d Friend: Yes,I’m still safe with the Passport
Target: ok. how long are you supposed to be in London?
0Wn3d Friend: That has been the problem
0Wn3d Friend: I seriously need your urgent help getting back home
Target: what hotel are you in?
0Wn3d Friend: Sector Hotel
0Wn3d Friend: I have a flight back home in the next 3hrs but the hotel management won’t let go
Target: do you have the hotel’s address & phone #?
0Wn3d Friend: I don,t have the #
Target: i’ll need an address
0Wn3d Friend: 151 Kentish Town Road, London, NW5 2CG
0Wn3d Friend: I’m having problem with the hotel on the bills
What happens next is that the attacker asks for a credit card.
So how do you know it’s a scam? First, Amazingly, Google is your friend. If you enter just a few details from this example, you’ll see that Kentish Town and the Sector Hotel show up as a scam. The other odd thing about this exchange is that the person claims to have been mugged at gun point in London. I’m not saying it doesn’t happen, but it’s rare.
More importantly, ask yourself why this friend is contact you, and not calling a relative for help. To be sure, if this person really is a friend, you should already have a phone number for that person. Call him or her, but do not rely on contact information from the attacker. Calling a number they give you can cause you to lose a lot of money. If they answer the phone and have no idea what you’re talking about, you know it’s a scam. If they don’t answer, call a relative of theirs or ask for more details. In this case the person said they filed a police report. Get the report number from the person, name of an officer who took the report, and independently call the police. Do not rely on anything in the facebook profile of the friend. You should assume the attacker has already manipulated all of that information.
Most importantly, never send credit card information over the network in such circumstances.
Ok, so you’ve figured out it’s a scam. Congratulations! What do you do next? Report it, and fast. Facebook is pretty responsive when it comes to shutting down accounts. In one case I’ve reported, they reacted within 10 minutes. To report abuse on facebook, click on Help at the bottom of the page, and right at the top you will find the following:
Hacked accounts and spam
Click on that text, and it will help you report the information. You will need the URL of the profile of the friend who you are reporting. To get this, type the friend’s name in the search bar.
Don’t feel bad that you are reporting a friend, either. This is a case where your friend is being maliciously used, and you are doing your part to putting an end to it.
Having staved it off for years I’ve finally joined Facebook. Here are a few initial thoughts:
I was disappointed that the only authentication method offered was old fashioned passwords. We are still as an industry struggling with making the leap to a better means. And it’s not like there are none out there. OpenID and Infocards can no longer be considered new. A question for a future blog entry might be why these technologies are not succeeding. Indeed just this week SlashDot.Org ran a story about how OpenID is losing ground.
There is a whole different set of social rules on Facebook, and I don’t know what they are. For instance:
- One of my friends wanted to add detail about my previous employment experience, which is something I wasn’t prepared to do myself. And so I refused. Have I offended him? I don’t know.
- My initial “note” indicated that I don’t do much with FaceBook, and that people should see my blog. This elicited a long discussion, not involving me. If I don’t reply, have I offended?
Why is Facebook even necessary? Isn’t this what we want the Internet to be in general? Why should this form of communication be limited to one site? For one, people are tired of spam on the Internet and so they are looking for an email replacement. Beyond that, having one’s own web server is a royal pain in the ass. But moreover, the comment I got more than once was that a blog is isolating. Why is that? What makes this blog isolating as compared to Facebook?