Thursday, March 29, 2012

Household Charge Security Questions

The household charge website security questions pictured above are awful. This charge is a new tax the Irish government has created where most people with a house in Ireland are supposed to register online. These are questions you can use to prove your identity. But the ones they have chosen are really weak. There are three main methods to attack them.

Social Engineering: Ask someone, set up a website the user trusts "" and ask them this question again

Brute forcing or guessing via statistics: Murphy is a really common name guess that. Then Kelly, Smith, O'Sullivan, Walsh, Ryan, O'Brien, Byrne... you can guess someones surname most of the time in a low number of guesses.
Pets names are surprisingly guessable (low entropy). The names people use are not that unusual. This site has stats on the most popular ones. The most common entered place of birth will be Dublin. Similarly Companies are not based in many places. Dublin will be a correct guess in many cases. Next I'd guess America, Ireland, Home... again there are likely to be very common answers to this.

Looking at these questions I would predict 10 answers of each will cover 50% of the population.

Informed Guessing. Many of these questions can be answered by searching facebook as described in this paper Personal knowledge questions for fallback authentication: Security questions in the era of Facebook by Ariel Rabkin. Or follow the method described in the paper Messin' with Texas:Deriving Mother's Maiden Names Using Public Records by Virgil Gri th, Markus Jakobsson describes a technique for finding out the answer to this first question. These questions seem very susceptible to facebook and public record searches.

This site lists Examples of Security Questions these sorts of questions. In the Poor section they have

What is your mother's maiden name?
In what county where [sic] you born?
What is the city, state/province, and year of your birth?
What is your pet's name?

So all the questions except the where is your company based question are common and known to be poor. The questions on the household charge website are guessable, searchable and so common another website could ask you them without raising suspicions. They provide an obvious and well known vulnerability to the system.