Thursday, March 29, 2012

Household Charge Security Questions

The household charge website security questions pictured above are awful. This charge is a new tax the Irish government has created where most people with a house in Ireland are supposed to register online. These are questions you can use to prove your identity. But the ones they have chosen are really weak. There are three main methods to attack them.

Social Engineering: Ask someone, set up a website the user trusts "" and ask them this question again

Brute forcing or guessing via statistics: Murphy is a really common name guess that. Then Kelly, Smith, O'Sullivan, Walsh, Ryan, O'Brien, Byrne... you can guess someones surname most of the time in a low number of guesses.
Pets names are surprisingly guessable (low entropy). The names people use are not that unusual. This site has stats on the most popular ones. The most common entered place of birth will be Dublin. Similarly Companies are not based in many places. Dublin will be a correct guess in many cases. Next I'd guess America, Ireland, Home... again there are likely to be very common answers to this.

Looking at these questions I would predict 10 answers of each will cover 50% of the population.

Informed Guessing. Many of these questions can be answered by searching facebook as described in this paper Personal knowledge questions for fallback authentication: Security questions in the era of Facebook by Ariel Rabkin. Or follow the method described in the paper Messin' with Texas:Deriving Mother's Maiden Names Using Public Records by Virgil Gri th, Markus Jakobsson describes a technique for finding out the answer to this first question. These questions seem very susceptible to facebook and public record searches.

This site lists Examples of Security Questions these sorts of questions. In the Poor section they have

What is your mother's maiden name?
In what county where [sic] you born?
What is the city, state/province, and year of your birth?
What is your pet's name?

So all the questions except the where is your company based question are common and known to be poor. The questions on the household charge website are guessable, searchable and so common another website could ask you them without raising suspicions. They provide an obvious and well known vulnerability to the system.


The Beer Nut said...

Wait. So some hacker could end up paying my household charge for me?! FUCK!

red dave said...

Ha! What more likely is they do an automated attack to change loads of peoples payments to random houses so the entire system doesn't work any more.

Bob said...

LinkedIn takes care of the "Where is your company based" really easily

red dave said...

Good point bob I hadn't thought of LinkedIn

Coffee Lemon said...

These questions are everywhere... :/
I always pick the "pet's name" question and answer the same thing - not my pet's name though.

castletonian said...

If you input random numbers in the PPS box it will actually tell you if they are real or fake PPS numbers. I had 3 successful attempts in the space of 5 minutes.

red dave said...

Thanks castletonian. There is publicaly available software for checking the checksum on PPS numbers

so yes it is easy to generate many PPS numbers rapidly