Alan Shimel got hacked, and he’s blogging about it, in posts like “I’m back.” It sounds like an awful experience, and I want to use it to look at authentication and certificates. None of this is intended to attack Alan in any way: it could happen to any of us.
One of the themes of these posts is the difficulty of resolving the cases, especially when your password has been changed and your email accounts have been compromised. Alan’s spent a lot of time on the phone getting stuff cleaned up, and I’d like to look at that process a little.
Alan has various business relationships with organizations who know him only via email and credit cards, or perhaps with a PO. How should they handle a claim that an account has been hacked? How are they supposed to authenticate someone calling who doesn’t know the password and wants to tie a new email account into the system? Doesn’t that sound like fraud? These organizations likely don’t know Alan’s driver’s license or passport number.
This problem isn’t hard because we lack technology, it’s hard because a networked system has emerged which makes it easy to do business all around the world with people you don’t really know. If Alan had a client cert, maybe that would have been stolen, too. If he had a smartcard, maybe that would have been attacked via a client-side trojan. He ran into these troubles, and documents them at Yahoo, in “Why Google is now my homepage instead of Yahoo:”
I have written and called to every address you can think of. They have asked for copies of my driver’s license. They wanted all of my information when I first applied for an account (yes, from 12 years ago). I have had to give them every email address I ever had (anytime you fill out information for a new account you should make a record of it and keep it somewhere safe. Don’t ask me where, but somewhere safe). Every mail address and zip code I have had. I sent them the answer to every secret question I can think of, but they won’t give me the question they want me to answer. I sent them the hacker’s post bragging about getting my email account.
There may well be multiple guys named Alan Shimel out there; just seeing a faxed copy of a license isn’t very good authentication.
All we have in distant and simple relationships is persistence, and that’s not that strong. We also have what Alan used, which is webs of trust. He called people who knew him and had them call people he knew:
As I have written earlier, I was lucky in that I was able to call on people to help me out. For instance, my friends at FeedBurner/Google, Matt Shobe and Dick Costolo, quickly took control of my FeedBurner accounts, including the SBN feed. They were also able to get someone live at Typepad to allow me to take back the blog. This took more time than it should have, though. Until FeedBurner reached out to someone, the Typepad support team just kept sending a new password to mailboxes that the attackers controlled, even though I was mailing them from my StillSecure mailbox! You could not get any of these people on a phone. Very frustrating! (“Our web infrastructure needs to be at public utility levels”)
Now, persistence and webs of trust seem like bad business models. They’re not easy to manage with regard to liability and contracts, but they are a great representation of how the world really works.