Thursday, January 3, 2008

More security is not better security

When will people learn...

I've maintained a health care spending account over the last year. An outside company manages the account and provides web access to view balance information, spending etc. I have always been frustrated by this site since they require a phone call during business hours in order to reset your password. But hey, it works and isn't too annoying.

Well, lets leave that piece aside for a moment. This particular site (which will remain nameless) has continued to implement absolutely atrocious security controls. First, when you attempt to login to the site you have to enter your account number. If the account number is not valid, then you can not proceed to the login screen where you will enter the password for the account. Unfortunately, the validation of the account number is done client side via a javascript. Determining valid account numbers from the javascript is trivial. Not only is their solution ineffective, it actually puts them in a worse situation. Now, an attacker can use the javascript algorithm to determine a whole range of account numbers that are valid.

After you enter your account number you move to the next "control". The screen asks you to enter a one time password which has been mailed to the email account listed in the account. I went along with things and logged into my email, retrieved the passcode and entered it to the site. But then I got curioius. A quick ctrl+u and I found something that should have died years ago.... The security code which was emailed to my account for "security purposes" was sitting there in a hidden post variable for all to observe.

The moral of this story? If you are going to spend money on security solutions (because we all know how it ends up costing quite a bit of $$ to get anything coded) then make sure the security you are paying for actually works.

-Michael Coates