Surviving the Byte of the Cobra, part 2

The exemPlum doesn’t fall far from the tree…

Yesterday, we discussed password problems. Today, we look at those subversively risky personal questions used to zero in on you and perhaps your wallet.

A fair lot of crap programming comes out of Bangalore, so it’s befitting software designers call this particular law of unintended consequences ‘the cobra effect’.

The Cobra Effect

During British Crown Rule of India, legend says administrators grew concerned about the numbers of vipers infesting Delhi. The colonial governor offered a bounty for every dead cobra brought in. However, the plan’s short-term success was undermined by enterprising locals breeding cobras to collect bounties. The British governor terminated the program. Disappointed cobra farmers subsequently released their breeding serpents into the wild, far worsening the problem… or so the parable goes.

Character Reference

Last week, I needed to register on-line with a county agency. (No, my readers, NOT the Department of Corrections as the snarky amongst you might suspect.)

The first hint of difficulty lay in the most restricted character set to date, merely letters and numbers, no punctuation whatsoever. This thoughtfully provides bad guys huge hints: “Psst. Save time, fellas. Don’t bother testing the lock with those difficult oddball characters.”

The next clue… You know those personal identifying questions in case you forget your password? Questions like naming your favorite cheese or your first juvenile parole officer? These questions mask some of the greatest risks in computerdom. Anyone who knows the least bit about you can guess the answers.

Worse, I’ve encountered sites that provide convenient drop-down menu answers, a selection of eight or so choices. One of the most popular questions with a handy menu is, “What’s your favorite color?”

Presumably this helps the spelling-challenged, but what a gift to bad guys. Immediately black-hat hackers rule out black and white, rarely anyone’s favorites. That leaves six or eight choices, hardly a burden for the least capable password cracker. They need not guess if they notice the blue shirts and blue cell phone cover ordered on Amazon and now appearing in your latest Facebook pose.

Moral: Never answer a question with a menu choice.

Orange County Registration Questions

 Your Government at Work

At left, notice the personally identifiable questions from the aforementioned county agency. Anyone with the slightest knowledge about you can guess the answers. Anyone who doesn’t know you, can easily google your name, learning where you attended high school, your favorite team, your pets, and your mother’s maiden name.

What can you do about it?

Don’t play the game.

First, of course, avoid Q&A with drop-down menus. That’s a given.

If the web page doesn’t feature drop-down menus, you can answer your favorite color of yellow, orange, or red with “sweet cream banana pie yellow”, “fancy freckle-farm fulvous fantasy,” or “notorious red dye number 2”.

If you know French, Spanish, or Romanian, you might utilize that knowledge, perhaps in combination with the verbose suggestion above. Answer your favorite color as ‘rouge’, ‘rojo’, or ‘roșu’. If you don’t know a foreign language, try Pig Latin, e.g, ‘edray’ or ‘ellowyay’.

But I never could abide by the rules. There’s an easier way than such hard-to-remember replies.

You can boost security if you make your answers– every answer– a non sequitur, a nonsense phrase. Remembering will be easier if you use the same response, such as “None of your damn business.” For example:

© BBB

Favorite author?
None of your damn business.
Favorite color?
None of your damn business.
Favorite team?
None of your damn business.

Web sites like Apple’s recognize and object when an answer is repeated while populating a questionnaire. One solution is to exactly echo the question with leading or trailing words. For example, “Favorite author?” can be answered with, “My favorite author is none of your damn business,” or more simply, “Stuff my favorite author,” and “Stuff my favorite team,” etc.

Most importantly, choose a method that fits your style, then keep that information to yourself. Not playing by their dictates helps keep your data safer.

Don’t play the game.

Make up your own rules.

Password Security Question

Q. What’s your favorite security question?

A. ______________________________

Chasing Pennies

I've written about exploits in banking and brokerage fraud with further articles to follow. Bad banking practices don’t feature well in my write-ups. Institutions change only when they’re forced to.

Recently my fraud expertise touched upon the personal. A good friend fell victim to gaping holes in one of New York’s largest financial institutions, J.P. Morgan Chase & Co.

Lily is smart, pretty, and unattached. Two out of three is pretty good, but she means to win the trifecta. She doesn’t advertise, but merely hopes to attract the right kind of guy. She appears on social media: Facebook, Pinterist, and a singles’ site that’s been around some thirteen years, MeetMe.com, where she met an interesting fellow.

Telling the good from the bad isn’t always easy. By the time our malefactor (male factor or dirtbag are also suitable) stepped into the light, he already knew critical pieces of information about Lily: her real name (thanks to odious Facebook requirements), where she’s lived, family relationships, and importantly– her birthday.

For a few weeks, ‘Antonio Sanchez’ from ‘New Jersey’ wooed our lass on MeetMe. He didn’t do anything crass like ask her bank account number or credit card information; thanks to Chase’s security ‘features’, he didn’t need to.

As Thanksgiving approached, Lily traveled across the country, stopping to visit relatives in Greenfield, Indiana, home of another Lilly, the famed pharmaceuticals company. Our heroine happened to check her bank account and found it unexpectedly fourteen hundred fifty dollars richer.

Lily, not only smart but honest, sought clarification at the Greenfield branch of Chase. Greenfield couldn’t fathom the problem.

check 1 of 6 #808869

“You put money into your account in the early hours of the morning. Looks like you needed it. What’s the problem?”

“I didn’t deposit anything.”

“But you did.” Greenfield regarded her suspiciously. “You’re saying you didn’t?”

“Exactly. I didn’t do any such thing.”

“Well, lucky you. Someone likes you well enough to put coins in your account.”

*click* Instantly Lily knew who’d made the deposit.

A couple of hours later, the situation reached me. By then, other deposits had appeared. Curiously, monies were rapidly shifting among Lily’s three accounts. My fraud alert alarms clanged.

“If you make a withdrawal,” I advised, “calculate only what you own to the penny and not a cent more.”

“What’s the problem?” friends asked. “A handsome guy sending Lily money? Does he have any brothers?”

I spoke adamantly. “There is no money, no boyfriend in New Jersey, no gold at the end of the rainbow.” When I explained the con, Lily agreed to join me for a visit to the Indiana State Police.

The man manning the reception desk told us all detectives were out of the office and wouldn’t return until the next day. Lily asked if she could file a report.

The grizzled trooper brought forms out to us in the lobby. He stood by as Lily tried to explain the situation.

He interrupted her. “A guy giving you money is no crime. No crime, you can’t file a report.”

I said, “There is no money. It’s a con…”

The trooper threw up his palm in a ‘Talk to the hand’ gesture. Cops are trained to seize and maintain control, even when counterproductive. He went on to lecture Lily, not so much accusing her of wasting police time, but of being silly.

“May I explain?” I said as levelly as I could. “There is no money, only fake deposits. He will use that false balance to pay himself.”

The cop paused, considering. “Wouldn’t work,” he said. “If I deposit a check, I have to wait a few days to withdraw funds.”

“That’s why he’s moving money around her accounts. Some banks, perhaps including Chase, lose track of new deposits as they’re moved around. The technique is called seasoning, losing the new deposit tag and making the money look like it’s aged on account.”

“I’m a road warrior,” said the trooper. “I’m not up on these things. Yeah, I’ll have a detective phone you.”

Virtually next door to State Police Headquarters, we’d noticed a Chase branch. Lily made the wisest decision of the day, visiting the bank for an update.

The young woman listened attentively. She quickly grasped the situation. “Oh my God,” she said. “I received a notice exactly like yours of a deposit early in the morning. I need to check my own account before I go home today.”

Together, the three of us discovered additional deposits and further shifting around of money. By then, funds had been used to buy the first Western Union money order made out to an unknown and very foreign name.

“Let me guess,” I said. “The money’s sent to Nigeria?”

“If Lily didn’t give this jerk her personal information,” the young lady said, “how did he get into her account?”

I explained one hypothesis. I’m a vocal critic of the so-called security questions routinely forced upon on-line customers. “What city were you born in?” “What was the name of your first pet?” “What’s your favorite team?” “What’s your favorite color?”

With the slightest information, bad guys find it ludicrously easy to guess the answers. The favorite color question often includes a helpful drop-down menu of eight colors. No one chooses black or white, so a malefactor can guess the answer in six tries or less.

The young branch manager rang the fraud department. She posed the same question to them, who replied “There are so many ways to breach an account…”

check 2 of 6 #808870

The bank gave us copies of the checks. One peculiarity came to light. Chase said it appeared the Nigerian repeatedly deposited the same two checks over and over, fooling Chase and highlighting another flaw in their security, a defective filter for detecting duplicate deposits.

Chase froze Lily’s accounts, leaving her stranded without travel money in the midst of a cross-country trip. But wait, we’re not done.

Lily awoke the next morning, finding her accounts unlocked and a half dozen or so deposits burgeoning her balances.

Lily phoned Chase to let them know further monkey business was afoot in her reactivated accounts. They quickly closed the window and her accounts, again cutting off her funds.

---

Big banks and little people, comes now the pathetic part. Instead of expressing gratitude for Lily’s quick action of notifying them of fraud, Chase blames Lily for the leaking of money from the bank. Their stance is that Lily either worked with the malfeasant Nigerian to defraud Chase, or at the very least handed over her account information to the bad guy. As you now know, that doesn’t have to happen. All it takes is sloppy banking.

Besides seizing Lily’s bank balance, Chase now demands another $600 in compensation for their losses. Good move, Chase: encourage honest citizens to rush in to report fraud made possible by your own shortcomings.

It’s a great day for banking. Have you had similar experiences?

It's a Hard Road Home

by Eve Fisher

In case you're wondering, my husband and I went on vacation - a Mediterranean cruise, from Venice to Barcelona.  It was wonderful, wonderful, wonderful...

And then we tried to come home.

Carbinieri on parade -
Wikipedia 

Now, I know security is tight everywhere.  The carbinieri were all over Venice, Naples, etc., and they walk around everywhere with light machine guns.  (Just have another glass of wine and don't think about it...)  And I expect to go through security checks and customs and all the rest.  But this trip... was something else.

We got up in Barcelona at 6:30 a.m., which is the equivalent of 12:30 a.m. in the US.  A last great breakfast on the ship, and then off to the airport.  First we had to find the American Airlines desk, which was tricky, because you're supposed to check the screens to find out what aisle, etc., your check-in desk is at, and the screens go by flights, and our flight wasn't up on any screen yet.  Eventually we found it - on the other side of the airport, of course - and checked in.  Answered questions galore, about our cabin number, our address, who we were, etc.  Checked our bags, got our boarding passes, and headed off for security and then Gate 62A.

Got through security.

Walked about a mile to Gate 62A, where the gate was blocked off and there was an endless equivalent of a cattle chute.  Two carbinieri stood there, blocking any entrance.  30 seats for 200 people; no snacks, no vending machines, no water fountains, and no toilets.  We all creaked down to the floor and waited for an hour until finally someone came and eventually we were put through the lines and questioning again.

A nine hour flight to Philadelphia.  Coach, of course (writers are rarely millionaires...).  I had a happy chuckle over the in-flight magazine that reminded me to "drink plenty of fluids" and "walk around the cabin whenever the seatbelt sign was off."  Sure, in an alternate universe.  First, of course, I'd have to climb over all the bodies to the right and left of me to even get to the aisle.  (The lady next to me, with her mother, had not flown in 20 years, and was practically in tears...)

We landed, and hiked the traditional mile to baggage claim, got our stuff, and then went through customs:  2 hours (endless cattle chutes...), again, no snacks, vending machines, water fountains, toilets, or seats of ANY kind.  Plus a brand new kiosk to manage so that we could take our own photos and get a receipt to match our passport.  After being up for some 24 hours, this was an excruciatingly slow part of the process.  Throughout, various airport employees tried to hurry us up by yelling at us (to be fair, if they hadn't yelled, we'd never have heard them), which only made some people lose track of where they were on the kiosk and start over.

After we got our receipt, we then go through another line to hand all this to a customs agent.
Then we went (because we had a connecting flight), BACK to baggage check, and through security again.
Then we hiked to our next gate.
Another 2 hour flight, and we arrived in Chicago.  Back to baggage claim, and arrived at our hotel looking like zombies on a bad day.

Basically, we were up for over 24 hours, and during this were repeatedly put through situations where we were not allowed to fulfill any of the most basic human needs (water, toilets, food, rest), other than breathing.  Why there are not more outright riots at airports I do not know, other than sheer exhaustion.

And I was exhausted.  I was also severely dehydrated by that 24+ hours.  I didn't realize that at the time, but five days later, I collapsed, sweating profusely, nauseous, dizzy, and Allan took me to the emergency room, where they ran tests, pumped me full of fluids, and sent me home feeling much better and even angrier at the system that had done this to me.

Chicago O'Hare International Airport from the sky -
Wikipedia

I know that we need security, I know that the TSA is understaffed, and I know that this is going to continue, because there isn't the money and fixing it is not a priority.  (I am a realist.)  But I also know other things:

(1) Airports are not designed for actual human beings, especially the rapidly aging.  There are (usually) no carts to move you across these huge spaces from one terminal to another, from one gate to another.  And there is an ever-decreasing number of seats where you can actually sit.  The last flight we had, the Chicago gate had perhaps 50 seats for a plane that held 100.

(2) The screening process itself is not designed for actual human beings. The constant lack - for hours - of toilets, water (fountains or vending machines), and seats is crippling.  And dehumanizing.  And wrong.  There has got to be a better way...  but I don't think anyone's looking for it.

Meanwhile, I'm staying home for a while.

PINs and Passwords, Part 1

Needles…

More often than you might imagine, financial institutions deploy inadequate security protection, the type of inadequacy where the word ‘woefully’ often finds itself used. I don’t know how much Discover has beefed up its on-line security since I last owned a card, but its password protection was weaker than some porn sites (so I’m told, ahem). It took Capital One and Washington Mutual a while to come up to speed, but my present bank still allows only a ten character password.

If a bank left the keys in their door at night or even left it unlocked, you could hardly blame the curious– or the wicked– for coming inside and wandering around. But that’s happened in the on-line financial world. Institutions lobby for harsh penalties, but their rantings and ravings are meant to detract attention from their own failings.

But a third party is involved, you, the customer. What do you have in your wallet?

From the aspect of a consumer, we can use the following to protect ourselves. From the standpoint of crime writers, we can use the information below to plot clues within a story.

… and PINs

Think about your PIN number, ‘PIN’ singular because most people use one for everything, even their security alarm code. And past behavior suggests people will continue using an easily exposed code even after reading an article like this.

But wait. Doesn't a 4-digit PIN imply guessing one is only a 1-in-10,000 chance?

Not at all. Knowing a little about you (Social Security Number, birth date, etc.) might help hackers, but the PINs and alarm codes of one in four customers can be reduced to sixteen or so numbers.

Does yours begin with 1? Or 19?

The vast majority of PIN numbers begin with 1 or 0. If yours starts with 1, you’ve reduced the possibilities from 10,000 to 1000. If 19, your herd's shrunk to 100.

Do you use the internationally ubiquitous top N° 1 PIN? 1234? Or another of the popular sequential variants, 4321, 5678, 6789?

Does your number begin with 19xx, perhaps a date? The possible numbers are now one hundred, probably a lot less, maybe twenty possibilities if you’re young and eighty possibilities if you aren’t, but a few more if the number represents month-and-day (MMDD) or day-and-month (DDMM). Popular dates that go beyond birthdays include George Orwell's literary 1984 and historical years 1492 and 1776.

Take 2486, which has two strikes against it: It not only comprises semi-sequential even numbers, but it's also a visual pattern, a diamond on a keypad. Other popular visuals are a square (1397), a cross (2046), an X (1937), and the most popular of all, a straight line down the middle (2580). Visual patterns produce deceptively random-looking numbers, but statistics demonstrate they offer little security. And let's face it: Security and convenience find themselves at odds with each other.

'heat' map

statistical moiré

PIN-stripes

Using graphing tools and such visuals as 'heat maps', researchers can determine less than obvious patterns. Some stand out like stars in the sky while others exhibit a warp and woof of woven fabric revealing unconscious human subtleties we're unaware of.

People love couplets, paired digits such as 1010, 1212, the ever-popular 6969, Intel’s 8080, or that Zager and Evans song, 2525. Even when not using 9898 or 2323, people exhibit a preference for pairs one numeric step apart such as 2389 (2-3,8-9) or 5478 (5-4,7-8)) instead of 2479 or 5668. Perhaps we still hear childhood chants in our head from when we learned to count.

A few users exhibit a distinct lack of imagination, to wit: 0001. Others look to pop culture for inspiration, especially fans of James Bond (0007 or 0070), Star Trek (1701), or George Lucas (1138). The 1980s hit 867-5309 peaked at #4 on both the Billboard Hot 100 chart and the hottest 7-digit PIN list.

Some people can’t be bothered at all: 0000, 1111, 2222, 9999, etc. These same overall patterns persist with PINs longer than four digits although people tend to pick phone numbers when forced to select 7-digits, thus adding artificial randomization to the mix.

The problem with guessable PINs surprisingly worsens when customers are forced to use additional digits, moving from about a 25% probability with fifteen numbers to more than 30% (not counting 7-digits with all those phone numbers). In fact, about half of all 9-digit PINs can be reduced to two dozen possibilities, largely because more than 35% of all people use the all too tempting 123456789. As for the remaining 64%, there's a good chance they're using their Social Security Number, which makes them vulnerable. (And as we know, Social Security Numbers contain their own well-known patterns.)

To reemphasize, the greater the number of digits required, the more predictable selections become. Why? Why does the problem worsen with additional digits? As people are forced to use more digits, I hypothesize they react by falling back on easy-to-recall patterns such as sequences. Someone might remember 3791, but they won't easily recall 379114928, and they may reason 123456789 is as difficult as any other number.

PIN-pricks

The bad guys know these things. They don’t need high-speed analysis engines or intensive code-cracking software. They know the numbers and work the odds. As often as not, they can hack into an account– or your house or your medical files or your life– within moments.

Armed with only four possibilities, hackers can crack 20% of all PINs. Allow them no more than fifteen numbers, and they can tap the accounts of more than a quarter of card-holders.

PIN-ups

If you absolutely cannot remember little used numbers and carry a reminder, at least code the number in some way. • Some take a cue from old-fashioned costing codes that used alphabet substitution for digits: I=1, J=2, K=3, … • Roman numerals might be another idea, e.g, 2009=MMIX. • One handy method is to subtract your PIN from 9999 and write that down. When you need your PIN, you simply subtract the code from 9999 again. (For those who know hexadecimal (base 16: 0-1-2-3-4-5-6-7-8-9-A-B-C-D-E-F), this geeky technique is even more effective: Where F is 15, subtract your PIN from FFFF, e.g, 9531=6ACE. I used this method to label keys in an apartment complex: 1422B=EBDD4.)

Your job– you should choose to accept it– is to make breaking into your account as difficult as possible, not that institutions tell you what you really need to know: Their usual advice is to cover ATM and store keypads with your hand. Don’t tell anyone your PIN. Don’t write it on a stick-em and carry it in your billfold.

But you can do a lot more than that: Make your number as difficult to guess as possible.

PIN-wheel

So what numbers are rarely used? Generally, the higher the first digit, the less common the password. Of the ten least used PINs, four start with 8, two with 9, and two with 6. Just don’t blow your efforts with 8888 or 8000, or 9999 or 9000.

Tip: Sure, you want a number you can remember. Toward that end, I suggest picking an easy four letter word (or a word with the same number of letters as the number of PIN digits) you can remember, say ‘easy’ itself. Look at E-A-S-Y on a telephone keypad and you’ll see the letters correspond to 3279, which breaks the most obvious patterns. Reverse the digits if you like to make the combination harder. If your ATM doesn't show letters, then open your cell phone. See more tips in the box at right.

PIN-points

In the following table^* of the twenty most used numbers, it becomes painfully obvious any baddie who’s learned only the first four or five most popular numbers can suck the money out of one in five ATM accounts. With a crib sheet of these twenty numbers, he can boost his takings to 27%.

Most Common PIN Numbers rank PIN freq % 1 1234 10.713 2 1111 6.016 3 0000 1.881 4 1212 1.197 5 7777 0.745 6 1004 0.616 7 2000 0.613 8 4444 0.526 9 2222 0.516 10 6969 0.512 11 9999 0.451 12 3333 0.419 13 5555 0.395 14 6666 0.391 15 1122 0.366 16 1313 0.304 17 8888 0.303 18 4321 0.293 19 2001 0.290 20 1010 0.285

Least Common PIN Numbers rank PIN freq % 9981 9047 0.001161 9982 8438 0.001161 9983 0439 0.001161 9984 9539 0.001161 9985 8196 0.001131 9986 7063 0.001131 9987 6093 0.001131 9988 6827 0.001101 9989 7394 0.001101 9990 0859 0.001072 9991 8957 0.001042 9992 9480 0.001042 9993 6793 0.001012 9994 8398 0.000982 9995 0738 0.000982 9996 7637 0.000953 9997 6835 0.000953 9998 9629 0.000953 9999 8093 0.000893 10000 8068 0.000744

^* Credit for this table and the heat maps goes to math mensch and privacy professional, Nick Berry.

PIN-out

Now go forth and protect thy accounts. And drop me a line if you use these clues in your own stories.