5

I'm currently developing a system which has a functionality where clients can view details of their purchases/renewals/etc by supplying a PIN "number".

A PIN is being used instead of login information because of the type of clients we're targeting. The PIN is printed on documents sent to them.

The view shown when they supply the PIN does not reveal highly sensitive information such as credit card etc, but less sensitive one such as product name, type, price, barcode, repairs etc.

The issue in question is the PIN. I opted to using a random 5 character PIN (0-9, a-z A-Z) - case sensitive. I'll be removing some homoglyphs ('I','1','l','0','O','rn','vv'), so the actual number of combinations is actually lower.

I've got a couple of questions about this:

  1. Is this practice acceptable?
  2. Should I write a lockout mechanism to "ban" traffic from IPs with a large amount of failed attempts?*
  3. Should I write an error checking system (similar to Luhn's algo in credit card numbers)?
  4. *Should I make use of a captcha system?
Alix Axel
  • 151,645
  • 95
  • 393
  • 500
Christian
  • 27,509
  • 17
  • 111
  • 155
  • Well, it depends. What is your threat model? Are you protecting Timmy's MsPaint doodles, or bank accounts? How many users do you expect? – Piskvor left the building Jan 25 '11 at 10:45
  • @Piskvor - Have you even read the post??? I described that precisely in the 2nd paragraph. – Christian Jan 25 '11 at 10:47
  • @Christian Sciberras: Yes, and I think that "is this acceptable?" raises the question "for what level of security"? The rest kind of follows from that. – Piskvor left the building Jan 25 '11 at 10:48
  • @Piskvor - The "is this acceptable" is on the lines of "does anyone actually do this out there". – Christian Jan 25 '11 at 10:50
  • 2
    @Christian Sciberras: I may be a bit slow this morning, for I don't see how that's relevant. People store passwords in plaintext out there; I hope the fact that such abomination happens doesn't make it acceptable. People do crazy stuff. But for a service where nothing even remotely important is at stake (e.g. not money or exposing sensitive data), using a five-character randomly generated password would be okay. – Piskvor left the building Jan 25 '11 at 10:53
  • @Piskvor - +1 for plaintext passwords :). But yeah, I might be a bit overly obsessive on the security aspect of this one. – Christian Jan 25 '11 at 10:56

6 Answers6

1

First of all, ask not only for the PIN, add something simple the customer knows, like with snail mail systems where you're often ask for your ZIP-Code. That sorts out people that do not know the somehow "shared secret".

The captcha, if it's not annoyingly hard makes sense as it helps to reduce "guess" attempts by bots. As Stefan mentioned, banning by IP is problematic because of shared IPs.

You could also implement some kind of "tar pit" when form posts are wrong based on your error checking, e.g. you delay the processing of incoming connections. A simple algorithmic error check helps you to avoid a useless database lookup of the given PIN.

Alix Axel
  • 151,645
  • 95
  • 393
  • 500
initall
  • 2,385
  • 19
  • 27
  • +1 for the tar pit - a legit user won't care that his 5th attempt takes 10 seconds instead of 0.01, a bot would be seriously hindered. – Piskvor left the building Jan 25 '11 at 10:59
  • So, basically, if the PIN is wrong, I `sleep(10);` before doing any output. Of course if the attacker knows about this, he'd just kill longer connections and assume failure. But let's just not tell him this :) – Christian Jan 25 '11 at 11:07
  • @Christian Sciberras: Actually, if the PIN is wrong, `sleep` just before you verify the *next* attempt from the same source. That way, the attacker will not learn anything from the response timing. – Piskvor left the building Jan 25 '11 at 11:14
  • How do I know about the next one? I meant, how do I track failed attempts? Perhaps a server-side table of IP=>tries pairs? – Christian Jan 25 '11 at 11:28
  • @Christian Sciberras: Probably. A session wouldn't be too useful (as a bot might just drop the cookies and start afresh); while IP-based slowdown might inconvenience others behind a NAT, it won't inconvenience them *too much*. – Piskvor left the building Jan 25 '11 at 11:31
  • @Piskvor - I'm concerned about IP spoofing - it makes the whole idea useless. – Christian Jan 25 '11 at 11:35
  • 1
    @Christian Sciberras: In my experience, it's rather uncommon with TCP (because it's hard to spoof a stateful connection), except in DoS attacks. Someone might go through anonymous proxies, or use a botnet, but defending against that is IMO way beyond due diligence. Thanks to 80/20 rule, even such simple throttling mechanism will slow down most of the attackers (read "s| – Piskvor left the building Jan 25 '11 at 11:47
1

As for the CAPTCHA and lockout - I'd go for the CAPTCHA, and delay 1) the clients that fail CAPTCHA, and 2) invalid logins: before checking, sleep 1 sec on 1st attempt, 2s on second, 4s third, 8s on subsequent. This won't inconvenience normal users too much, but it will slow down an attacker significantly. No matter what you do, people will get it wrong - no need to ban them outright.

The checksum - might be useful as a 6th character for detecting typing errors, not for security.

As far as the password strength goes, this is a weak password - I wouldn't use this as the only form of authorization for anything stronger than "sharing pictures of lolcats" - consider a longer one, or your clients might even accidentaly access each other's data (and they tend to get really upset when that happens: "you mean that anyone could see my data like that?!").

Piskvor left the building
  • 91,498
  • 46
  • 177
  • 222
  • re: checksum, yes, that was the idea. re: password, how long then? 6 gives some 56,800,235,584 (56bn) combinations. – Christian Jan 25 '11 at 11:20
  • @Christian Sciberras: I'd go for 8 at minimum (+ possible check digit); since you have eliminated homoglyphs, this shouldn't be too much of a problem even for the least tech-savvy user. If you can, make sure the font is legible and characters are easily distinguished. – Piskvor left the building Jan 25 '11 at 11:35
1

A PIN is being used instead of login information because of the type of clients we're targeting. The PIN is printed on documents sent to them.

Very strange, but yeah could write it like this. I think you should really reconsider if it is really necessary. But if I understand you correctly you sent the document via snailmail? For example Isn't it possible to send the user a PIN and next have them sign into openID(LightOpenID). I would lock it down to just Google's OpenID provider because these accounts are "safe". This way you have added another level of security. Also Google uses captcha to verify account(make it "safe").

Is this practice acceptable?

I think it is acceptable, although very strange.

Should I write a lockout mechanism to "ban" traffic from IPs with a large amount of failed attempts?*

I think you should write a lockout mechanism should because brute-force hacking password is already easily accomplished, but brute-force hacking a PIN can be done without any effort at all. Although I don't think you should do it via IP, because the end-user could sit behind a router and then he would be blocked. Also hackers could have a botnet to perform these kinds of attacks. I read today about HashCash thanks to stackoverflow.com and I also found it very interesting. Maybe you could use that to protect yourself against attacks.

Should I write an error checking system (similar to Luhn's algo in credit card numbers)?

I don't think so.

Should I make use of a captcha system?

The only true way to prevent automated attacks is CAPTCHA's, so I think you should. Google/Twitter/etc aren't using CAPTCHA's because they are user friendly, but because that is the only working way to stop automated attacks. If you would implement my system that PIN with OpenID from Google then you can skip this step, because Google already has you covered.

Alfred
  • 60,935
  • 33
  • 147
  • 186
  • I've not idea what you guys are talking about snailmail. :) Basically, people that buy an item get mailed a guarantee document, with their PIN on it. Thought I'm especially not interested in using OpenID (bear in mind these clients may not even know how to use email). But I like the mentioning of light openid (sounds interesting). – Christian Jan 25 '11 at 11:15
  • @Christian Still I don't have an answer how you sent them the PIN? Is is via snailmail/postal? I know that it is possible they don't know how to use email. You just sent them a tinyurl with vid explaining they should create a google account. As a side-note I bet you the users have a Google Account if they check this kind of information online and they will get redirected to google so that process is also pretty straightforward(creating google account also, if you are not dealing with morons). You should have a look at lightopenid's google openid implementation => http://tinyurl.com/63oslzc. – Alfred Jan 25 '11 at 11:26
  • I'm sending an email if they have one, otherwise, it's by postal mail or manually (in the shop itself). – Christian Jan 25 '11 at 11:30
  • @Alfred: "if you are not dealing with morons" - that's a generous assumption, given that anything which involves clicking temporarily halves the user's IQ (and in my own experience this morning, we developers are not exempt from this rule when we're users ;)). Realistically, "you need a Google account" is a bit of a high bar IMHO. – Piskvor left the building Jan 25 '11 at 11:41
  • You don't NEED a google account, but most user have a google account and login with it => http://i.imgur.com/4Kl0l.jpg – Alfred Jan 25 '11 at 11:57
  • I think you should add openid layer and if that is really not possible I think you should reconsider the length of the PIN... – Alfred Jan 25 '11 at 11:58
  • @Alfred: Interesting graph. Care to share the source? (also, I assume this is some sort of "SSO provider preference" survey, wonder how it would look with a "no SSO" part). As for "you don't need a google account", I see a conflict with "I would lock it down to just Google's OpenID provider". Care to explain? – Piskvor left the building Jan 25 '11 at 12:06
  • 1
    @Piskvor it's from JainRain => http://www.janrain.com/blogs/measuring-popularity-social-media-platforms-across-web – Alfred Jan 25 '11 at 12:20
0

The axiom "If you're going to roll your own security, you've already failed," applies here.

For your 5 character [0-9, A-Z, a-z] pin, you're generating less than 8.27 bits of entropy (64 310 = 2^n). [fixed]

It will take less than one day (a 1,000 guesses/sec, which is very slow) for an attacker to break your system. Is that acceptable? Maybe for trivial systems where bypassing security has very little impact.

Should I write a lockout mechanism to "ban" traffic from IPs with a large amount of failed attempts?

IPs can be spoofed.

Should I write an error checking system (similar to Luhn's algo in credit card numbers)?

That would actually decrease the number of bits in your entropy, making it easier to break into your system.

Should I make use of a captcha system?

If you feel you need the exercise. Captchas have been broken and are useless for anything other than as a speed bump.

Update

Unfortunately, there is no cut-and-dried solution for computer security, as it is still an immature (undermature?) field. Anyone who says, "Oh, do this-and-this and you'll be fine" is skipping one of the most fundamental issues around security.

Security is always a tradeoff

The ultimately secured system cannot be accessed. On the other end, the ultimately-accessible system has no barrier to entry. Obviously, both extremes are unacceptable.

Your job as a software developer is to find the sweet spot between the two. This will depend upon several factors:

  1. The technical expertise of your users
  2. The willingness of your users to put up with security
  3. The cost (time and money) to implement and maintain (i.e., a more sophisticated system will generate more support calls)
  4. The impact a breech would have on your users and company
  5. The likelihood of a breech: are you the US Department of Defense? Visa? You're probably under attack now. Bob's Bicycle Shop in Ojai, CA is on the other end of the spectrum.

From your question, I take it that you're effectively generating their "password" for them. What if you flipped it on its head? Make the pin their account and the first time they log into your system they have to create a password* that is then required from then on.

*Yes, if this is a bank, then this is not a good idea.

BryanH
  • 5,826
  • 3
  • 34
  • 47
  • First of all, I'm pretty sure you meant "axiom", correct? Secondly, the fallacy in that phrase is obvious - if no one is permitted (or should/could) roll out his/her own security measures would mean there wouldn't be any to choose from in the first place. Thirdly, you missed a point here: the pin system is not an option, I was merely asking people to discuss it and perhaps suggest improvements. "Rolling my own" is precisely what I'm supposed to be doing, as a software developer. How much research and effort I put into it is what matters. – Christian Oct 03 '12 at 19:50
  • Now, a little more on topic. I trust you read my question a few times? What I'm concerned with in this project is the possibility of having someone run a short script and get a nice list of things each registered person bought, not access to one person's purchases. Considering you seem quite knowledgeable in this matter, perhaps you want to tackle the real problem here: What's the best option in this case? – Christian Oct 03 '12 at 19:54
  • You say _"Rolling my own" is precisely what I'm supposed to be doing, as a software developer_ to which I counter: *good developers write good code; great developers steal great code*. There are good, nay, great [authentication libraries](https://encrypted.google.com/search?q=authentication+library) out there that are actually vetted, tested and solid code. I suggest you use them! To directly answer your question, I will update my answer. – BryanH Oct 04 '12 at 17:02
0

1) Yes, depends on target audience though. 2) Sometimes it makes sense, sometimes it won't work due to how the system is used, and how many clients are on a shared IP number. 3) What value would it add? Won't that just help people trying to find a working PIN? 4) Depends on target audience, and what kind of captcha.

Stefan H Singer
  • 5,469
  • 2
  • 25
  • 26
  • The probability of clients on the same IP is very low - clients are normal web users (as opposed to a company LAN). However, on a second thought, they're all local and this may depend on our local ISP. As to captcha, it's to avoid people running automated tools. – Christian Jan 25 '11 at 10:52
0
  1. yes but it depends on the value of the information,if the information value is hight and you think that someone may try to break in you should consider additional protections
  2. It may be a good idea if the information you are protecting have an hight value,in this case you must warn the user that he have a limited numer of possibilityes,create also a log file to monitor failures on code typing and consider that if the user is behind a NAT a lot of user may use the same ip(all the user on an office or in school for example,also connection like fastweb use one ip for a large group of people) so don't block the ip for a long time(15-30s every 3-5 fails should be enoght to avoid brute force attacks,you can double it every time the user fails a second time)and,most important,block only the code immission not the whole site.
  3. it's not needed but you can implement it,as i sayed it also depend on the value of the information
  4. it's a great idea to avoid proxy and crawlers but i recommend something different: use an image with a question like " five plus 2 =" or "what's the color of a red apple?",they're a lot more hard to understand by crawlers but a lot more easy for users.

I recommend also you use mt_rand() to randomize the pin(a lot more efficient than the default random,it's statistically correct random and it's integrated in php as default),the homoglyphs removal should be a good way to avoid error typing but i may recommend also to create a longer code with separators like 

 AXV2-X342-3420

so the user should understand that's a code and easly count how many character are left or if he entered the wrong code.

I may avoid case sensitive pin because upper case characters are more easy to read and some user will simply paste it lower or upper case only even if you write clearly that the code is case sensitive.

Plokko
  • 723
  • 2
  • 10
  • 23