Jul 16

So I had my carpets cleaned today. A lot of these services won’t give you an exact time but instead give you a window of time and a phone call when they’re on their way. Anyways I was late meeting them and for 20 min there was an unmarked white van idling in front of my house (why it was unmarked instead of advertising the carpet cleaning services, I have no idea). The short of it is that my neighbor was looking out for me and placed a call to the police about a suspicious van idling in front of my house for a long time seemingly “casing the place.” By the time the police arrived I had already met them, walked the carpet cleaners around, paid them and left telling them to exit on their own via the garage. Now here’s where it gets interesting. The dialogue that occurred moments later went something like:

CARPET GUY (calling me from his phone): "Hi Sean, can you talk to a police officer and let him know we're supposed to be at your house?"

OFFICER: "Hi I'm officer so-and-so, can you verify your address?"

ME: "Yes, it's xxxxx. How can I help you?"

OFFICER: "Are these two men here supposed to be in your house? We had a call from your neighbor of a suspicious van idling for 20 min in front."

ME: "Oh yes, I was late blah blah, they're authorized to be there. Thanks for the call."

Now what’s interesting about this, and what someone like Bruce Schneier would instantly point out, is the faultiness of the authentication process used in this situation: at no point was there a reliable way to establish me as the true occupant. Think about it: if you were a would-be burglar in this situation, all you’d need is a confederate on speed-dial who had been given the address you intended to rob ahead of time. The only true way to authenticate in this scenario is to either:

  1. reach me via a verified means that is already associated with the house (i.e. the officer looks up the phone number on record for the house and calls it), or
  2. have me come back and produce a key that unlocks the house, or repeat the code over the phone that unlocks the garage (i.e. something private that only the real occupant has access to), and then dismiss the alarm.

Having a random voice on the phone (from a call that the alleged perpetrator initiated) repeat back their present address doesn’t prove anything and yet doing just that gave me the ability to dismiss the officer.

And at the end of the day, I’m happy that my neighbor went out of his way to make the call. I’m happy the cop went out of his way to stop by and check with me over the phone. But I would point out that this is a highly flawed authentication scheme that can be exploited. Anyone authenticating something over the phone like this needs to think about the chain of certainty here. A very similar situation occurred to me recently where my bank called and asked me to verify account credentials to them over the phone. Before doing anything I asked how I could know they were in fact my bank and not someone trying to get my account credentials. The lady thought I was crazy and couldn’t understand my concern. I made her give me a bank telephone number which I could verify on the contact page of their site and call back. And while, yeah, it took a little longer, it’s the only sure way to authenticate in that situation. With identity theft as rampant as it is, people need to begin thinking this way.
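To make the "chain of certainty" concrete, here is a small policy model written for this post (it is an added illustration, not code from the original). It encodes the three ways of establishing the occupant described above: a self-asserted address on a call the other party initiated (proves nothing, even if caller ID looks right, since caller ID is trivially forged), a callback to the number already on record for the house, and a secret only the real occupant holds (the garage code, stored as a salted hash and compared in constant time). The address, phone numbers and garage code are constructed sample values. The same rule applies in reverse for the bank example: the customer is the verifier, and the number published on the bank's own site plays the role of the "number on record".

```python
"""Model of out-of-band verification for a claimed identity.

Added example for this post, not part of the original. Registry contents,
phone numbers and the garage code below are constructed sample values.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Channel(Enum):
    INBOUND = "inbound"    # the party being verified placed the call
    CALLBACK = "callback"  # the verifier dialed a number it looked up itself


class Verdict(Enum):
    VERIFIED = "verified"
    UNVERIFIED = "unverified"


@dataclass(frozen=True)
class Claim:
    address: str
    channel: Channel
    number: Optional[str] = None  # number dialed (callback) or shown on caller ID (inbound)
    secret: Optional[str] = None  # e.g. the garage code repeated back


@dataclass(frozen=True)
class Record:
    phone_on_file: str
    salt: bytes
    secret_hash: bytes


def _hash_secret(code: str, salt: bytes) -> bytes:
    # Slow salted hash so the stored value is not the raw code.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 50_000)


def enroll(registry: Dict[str, Record], address: str, phone: str, garage_code: str) -> None:
    """Associate a phone number and a garage-code hash with an address ahead of time."""
    salt = secrets.token_bytes(16)
    registry[address] = Record(phone, salt, _hash_secret(garage_code, salt))


def evaluate(claim: Claim, registry: Dict[str, Record]) -> Tuple[Verdict, str]:
    """Decide whether the claim proves occupancy, and say why."""
    record = registry.get(claim.address)
    if record is None:
        return Verdict.UNVERIFIED, "address not on record"

    # Method 2 from the post: something private only the occupant has.
    if claim.secret is not None:
        presented = _hash_secret(claim.secret, record.salt)
        if hmac.compare_digest(presented, record.secret_hash):
            return Verdict.VERIFIED, "secret known only to the occupant"
        return Verdict.UNVERIFIED, "wrong secret"

    # Method 1 from the post: verifier reaches the number already on file.
    if claim.channel is Channel.CALLBACK:
        if claim.number == record.phone_on_file:
            return Verdict.VERIFIED, "reached via number on record"
        return Verdict.UNVERIFIED, "callback did not use number on record"

    # A call the claimant initiated only proves someone knows the address;
    # caller ID is self-reported by the caller's carrier and can be forged.
    return Verdict.UNVERIFIED, "caller-initiated; address is self-asserted"


# Constructed sample enrollment (not real data).
REGISTRY: Dict[str, Record] = {}
enroll(REGISTRY, "123 Sample St", "+1-555-0100", "4821")


def scenario_from_post() -> Tuple[Verdict, str]:
    """The actual exchange: the carpet guy dialed, a voice read back the address."""
    return evaluate(Claim("123 Sample St", Channel.INBOUND, number="+1-555-0100"), REGISTRY)


if __name__ == "__main__":
    for claim in (
        Claim("123 Sample St", Channel.INBOUND, number="+1-555-0100"),
        Claim("123 Sample St", Channel.CALLBACK, number="+1-555-0100"),
        Claim("123 Sample St", Channel.CALLBACK, number="+1-555-0199"),
        Claim("123 Sample St", Channel.INBOUND, secret="4821"),
        Claim("123 Sample St", Channel.INBOUND, secret="0000"),
    ):
        verdict, reason = evaluate(claim, REGISTRY)
        print(f"{claim.channel.value:8} -> {verdict.value:10} ({reason})")
```

Note that the inbound path is rejected even when the caller ID matches the number on file; the matching number only counts when the verifier dialed it. That ordering is the whole point of the post: who initiated the contact decides what the contact proves.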

2 Responses to “Flawed authentication enables social engineering”

  1. Brad Wood says:

    LOL That’s funny, sad, and true all at the same time. It reminds me of those “Hacker Safe” icons that E-commerce sites use with a little “pop-up” that confirms the site was tested that day. People trust that, but does it really mean anything? Do you think your grandma is going to know to check the URL of the confirmation popup, run a whois and confirm that page is actually owned by a reputable security organization? I doubt it. Usually the general public is much more enamored with the illusion of safety than anything else.

  2. sean says:

    Random thought just occurred to me on the second part of method #2 for authenticating by repeating the garage code back to the officer: that’s completely silly because I haven’t authenticated that person as truly being a police officer at that point.
