ISP Password Change by Untrusted People

After dealing with Optus phone support [1] in regard to a routine request for a password change I have been thinking about better ways of managing password changes for a large ISP. The first criterion is that the user must have a password that is difficult to brute-force at all times. Changing a password to a supposedly temporary value that can be easily guessed (such as “changeme”) is never acceptable: the interval between the reset and the customer’s next login is exactly when the account is exposed. The second criterion is that the help-desk operator should be trusted as little as possible; ideally they would never know the password at all.

One possibility that occurred to me is that each bill could have a six-digit pseudo-random number printed on it, to be used as an alternate password. When customers call because they have lost their password they almost always have their last bill in front of them (this is why the phone support number is printed on each bill). The help-desk operator could then push a button on a web-based form that sets this number as the customer’s new password. The operator would never know the new password, and the customer would have it printed out clearly, which avoids the confusion of having a password read out over the phone in an unfamiliar accent. Note that a six-digit number has only a million possible values, so to satisfy the first criterion it must not be a valid password until the operator activates it, and it should be usable once and expire quickly; otherwise anyone who can read the bill can take over the account.
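As an added illustration of the bill-code flow above (this is example code written for this page, not anything from the original post or anything Optus runs), here is the reset path in Python. The post only specifies a six-digit number on the bill and an operator button; the account store, the fifteen-minute activation window, the five-attempt lockout and the PBKDF2 work factor are assumptions chosen for the example. The point it shows is that the operator’s button makes the printed code usable without the operator ever seeing it, that the code is harmless until then, and that it becomes harmless again after one use or after the window closes.

```python
"""Bill-code password reset where the help-desk operator never sees the
new password.  Added example, not from the original post; the account
store, the activation window, the lockout and the hash work factor are
assumptions for illustration."""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6            # the post suggests a six-digit number on each bill
ACTIVATION_TTL = 15 * 60   # assumed: an activated bill code is valid for 15 minutes
MAX_ATTEMPTS = 5           # assumed: wrong guesses allowed before the account locks
PBKDF2_ROUNDS = 50_000     # assumed work factor; tune for the server


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted, slow hash so a copied database yields neither passwords nor bill codes."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, customer_id: str):
        self.customer_id = customer_id
        self.password_salt = secrets.token_bytes(16)
        self.password_hash = None          # set by set_password()
        self.bill_salt = secrets.token_bytes(16)
        self.bill_code_hash = None         # hash of the code on the latest bill
        self.bill_code_active_until = 0.0  # 0 means printed but not usable
        self.failed_attempts = 0
        self.must_change_password = False

    def set_password(self, new_password: str) -> None:
        self.password_salt = secrets.token_bytes(16)
        self.password_hash = _hash(new_password, self.password_salt)
        self.must_change_password = False


def issue_bill(account: Account) -> str:
    """Generate the code for the next bill.  The plaintext is returned once,
    for the bill printer; only its salted hash is stored."""
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    account.bill_salt = secrets.token_bytes(16)
    account.bill_code_hash = _hash(code, account.bill_salt)
    account.bill_code_active_until = 0.0
    return code


def helpdesk_activate_bill_code(account: Account, operator: str,
                                audit_log: list, now=None) -> None:
    """The button on the help-desk form.  After the usual identity questions
    the operator makes the printed code usable for ACTIVATION_TTL seconds
    without ever seeing it.  Every activation is logged against the operator."""
    now = time.time() if now is None else now
    if account.bill_code_hash is None:
        raise ValueError("no bill code on file for this account")
    account.bill_code_active_until = now + ACTIVATION_TTL
    account.failed_attempts = 0
    audit_log.append({"ts": now, "operator": operator,
                      "customer": account.customer_id,
                      "event": "bill_code_activated"})


def login(account: Account, supplied: str, now=None) -> bool:
    """Accept the real password, or the bill code while it is active.  A
    bill-code login is single use and forces a real password change, and a
    run of wrong guesses locks the account so a six-digit code cannot be
    brute-forced during its window."""
    now = time.time() if now is None else now
    if account.failed_attempts >= MAX_ATTEMPTS:
        return False
    if account.password_hash is not None and hmac.compare_digest(
            _hash(supplied, account.password_salt), account.password_hash):
        account.failed_attempts = 0
        return True
    if (account.bill_code_hash is not None
            and now < account.bill_code_active_until
            and hmac.compare_digest(_hash(supplied, account.bill_salt),
                                    account.bill_code_hash)):
        account.bill_code_active_until = 0.0   # consumed: single use
        account.failed_attempts = 0
        account.must_change_password = True
        return True
    account.failed_attempts += 1
    return False
```

Because only a salted hash of the bill code is stored, an operator with read access to the customer database is no better off than one without it. The operator-supplied suffix suggested in the comments below would slot in by having the customer type the printed number followed by the suffix, with the suffix appended to the stored code before hashing at issue time.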

Another possibility is to integrate the password change infrastructure with the CTI [2] system. The help-desk operator would push a button and the computer would dictate the new password to the caller, without the operator being able to listen in.

There will always be corner cases where a help-desk operator has to change the password, but if these are rare because the automated system handles most cases then the potential for damage is limited. It would also be a really good idea to track the number of password changes performed by each operator and investigate those who do significantly more than their peers. In the past AOL has experienced a variety of security problems related to trojans [3] which probably would have been discovered by such analysis.
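The per-operator tracking in the previous paragraph, as an added example in Python (written for this page, not from the original post). The audit-log format and the operator counts are constructed for illustration; op07’s volume is deliberately inflated to stand in for the compromised or dishonest operator the paragraph has in mind. The scoring uses the median and median absolute deviation rather than mean and standard deviation, because with a small team a single heavy outlier inflates the standard deviation enough to hide itself.

```python
"""Flag help-desk operators whose password-change volume is far above their
peers.  Added example, not from the original post; the log format, the
operator counts and the threshold are assumptions for illustration."""
import re
from collections import Counter

# Constructed sample: password changes per operator over one week.  Most
# operators reset a handful; op07 resets far more than anyone else.
SAMPLE_COUNTS = {"op01": 4, "op02": 6, "op03": 5, "op04": 3, "op05": 7,
                 "op06": 5, "op07": 31, "op08": 4, "op09": 6, "op10": 5}


def constructed_log() -> list:
    """Build the sample audit lines (constructed data, not a real ISP log)."""
    lines = []
    for op, n in SAMPLE_COUNTS.items():
        for i in range(n):
            lines.append(f"2007-09-0{1 + i % 7}T{9 + i % 8:02d}:{(7 * i) % 60:02d}:00 "
                         f"operator={op} customer=C-{1000 + len(lines)} "
                         f"event=password_changed")
    # Unrelated help-desk events that the parser must not count.
    lines.append("2007-09-03T10:00:00 operator=op07 customer=C-9999 event=address_changed")
    lines.append("2007-09-04T11:30:00 operator=op02 customer=C-9998 event=plan_changed")
    return lines


LINE_RE = re.compile(r"\boperator=(?P<op>\S+)\b.*\bevent=password_changed\b")


def count_changes(lines) -> Counter:
    """Password changes per operator; other event types are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            counts[m.group("op")] += 1
    return counts


def _median(sorted_values: list) -> float:
    n = len(sorted_values)
    mid = n // 2
    return sorted_values[mid] if n % 2 else (sorted_values[mid - 1] + sorted_values[mid]) / 2


def robust_scores(counts: Counter) -> dict:
    """Modified z-score per operator from the median and the median absolute
    deviation (MAD).  The median is not dragged upward by the very outlier
    we are looking for, unlike the mean."""
    values = sorted(counts.values())
    if len(values) < 3:
        return {}
    median = _median(values)
    mad = _median(sorted(abs(v - median) for v in values))
    if mad == 0:
        return {}                    # everyone identical: nothing to rank
    scale = 1.4826 * mad             # makes MAD comparable to a standard deviation
    return {op: (c - median) / scale for op, c in counts.items()}


def flag_outliers(counts: Counter, threshold: float = 3.5) -> dict:
    """Operators whose volume is far above their peers; 3.5 is the usual
    cut-off for modified z-scores."""
    return {op: round(z, 1) for op, z in robust_scores(counts).items() if z > threshold}


if __name__ == "__main__":
    counts = count_changes(constructed_log())
    for op, z in sorted(flag_outliers(counts).items()):
        print(f"investigate {op}: {counts[op]} password changes, modified z = {z}")
```

Run daily over the real audit log, this flags only op07 from the sample; a raw count threshold would need retuning every time staffing or call volume changed, whereas the peer-relative score does not. A MAD of zero (every operator identical) yields no scores rather than a division by zero.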

Another option is that customers with mobile phones could have their new password sent to them by SMS. It’s quick, easy, cheap when done in bulk, and much harder to intercept than most methods that might be used for transferring passwords. The number it is sent to should be the one already on the account, not one the caller gives the operator, or the SMS step adds nothing that the help-desk questions don’t already provide.

References:

  1. http://etbe.coker.com.au/2007/09/03/optus-password-changeme/
  2. http://en.wikipedia.org/wiki/Computer_telephony_integration
  3. http://www.wired.com/techbiz/it/news/2003/02/57753

5 comments to ISP Password Change by Untrusted People

  • Stavros G.

    There is an ISP in Greece (Forthnet) that sends you your password by SMS when you first set up your account. I don’t know if this is automated or can be done for future changes because I am not a client of theirs, but since the infrastructure is set up, it should be done this way.

  • Helen Coker

    Bills are extremely insecure, I wouldn’t want anyone to be able to grab my bill out of my letter box and then change my password with it! If the random number were never used it’d be secure, but as soon as it’s used the whole population will know of its existence in a couple of years! The Aargauer bank (& presumably a few others) gives you an internet banking password key tag with changing random numbers that is somehow calibrated to match a set of numbers in the bank, which change at the same time… I think it’s pretty nifty & solves the problem of forgetting your PIN. Seriously, with online shopping (supermarket, veges, eBay, etc.) & bills and membership of a few sites, it’s amazing how many passwords one racks up!

  • etbe

    Helen: That’s why I suggest having the customer call the help-desk to have the password changed instead of having the password on the bill be a valid password. Currently to get a password changed all you need to do is know the name, address, and birthday of the person in question. Requiring that a hostile party know that AND have the ability to steal from the person’s letter-box makes an attack more difficult.

    As for the number changing thing, I’ve got some samples of those devices (I thought I showed them to you in the past). The problem is that they aren’t cheap enough for common use (probably $5 is the price point that they need to make).

    I’ll write a future post about secure tokens with more information on this topic.

  • Daniel Burrows

    To get a more secure password based on the bill, you could have the help-desk guy provide a random string that has to be appended to the random number sent on the bill. I don’t know if this would go over well from a usability point of view, though.

  • etbe

    Daniel: I had considered that possibility but thought that it might be too confusing. The fact that you have independently come up with it suggests that it wasn’t such a bad idea after all. I probably should have included it in my post.