NanoToolkit Blog

The Way to Keep in Touch.

How online services are combating unauthorized access!

If we set aside newer mechanisms such as multi-factor authentication, most of us still rely on a traditional username and password every day. The security argument behind username/password authentication is probabilistic: the number of possible username and password combinations runs into the millions, if not billions, so an attacker cannot simply try them all. That is why you are so often required to include digits, special characters and capital letters in your password, and why some providers suggest putting an underscore, dash or dot in your username to make it harder to guess as well. With the rise of web-based e-mail, however, much of that search space disappears, because for most people the e-mail address is also the username. John.Doe@yahoo.com is almost certainly the username for that account, so an attacker who knows the address only has to guess the password; the username contributes nothing to the defence.

Many services, such as Yahoo Mail, Gmail and Hotmail, do not let you change that username. Yahoo, Gmail and Hotmail do allow you to create additional aliases, but in practice most people do not use them, either because their existing address is already well established or because the feature is not well exposed.

Online e-mail providers have been forced to evolve as well. They have introduced verification codes sent by e-mail and secret questions such as where you went on your honeymoon or the name of your fourth-grade teacher. They cannot ask those questions on every login, though, so they store a cookie in your browser that marks the device as trusted until something changes, typically a large jump in your IP address, which most likely means your location has changed. Keep in mind that a secret question is really just a second, usually weaker, password: the answers are often guessable or discoverable from public records and social media.
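To make the "trusted device" cookie concrete, here is an added example (not code from the original post or from any of the providers mentioned) of how such a cookie can be issued and checked. It assumes a server-side HMAC key, a 30-day lifetime and a coarse network scope (the /16 for IPv4) as the "has the IP changed significantly?" test; all of those are assumptions chosen for illustration, and the hypothetical user and IP addresses in the usage section are made up.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Server-side secret. Assumed for the example; a real deployment loads it from a key store.
SERVER_KEY = b"example-key-do-not-use-in-production"


def network_scope(ip: str) -> str:
    """Coarse network identifier: the /16 for IPv4, the /32 prefix for IPv6.
    A client whose address moves outside this block is treated as 'moved'
    and has to answer the extra challenge again. The prefix sizes are assumptions."""
    addr = ipaddress.ip_address(ip)
    bits = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))


def issue_trust_cookie(user: str, ip: str, now: float, ttl_days: int = 30) -> str:
    """Mint a cookie saying: this browser passed the extra challenge for `user`
    from network `scope`, valid until `exp`. The HMAC tag prevents forgery."""
    payload = {
        "user": user,
        "scope": network_scope(ip),
        "exp": int(now) + ttl_days * 86400,
    }
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def device_is_trusted(cookie: str, user: str, ip: str, now: float) -> bool:
    """True only if the cookie is authentic, unexpired, belongs to this user
    and was issued from the same coarse network as the current request."""
    try:
        body, tag = cookie.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes so a non-ASCII tag cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # tampered or forged
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, UnicodeDecodeError):
        return False
    if payload.get("user") != user:
        return False
    if payload.get("exp", 0) < now:
        return False  # expired: ask the secret question again
    return payload.get("scope") == network_scope(ip)


if __name__ == "__main__":
    t0 = time.time()
    c = issue_trust_cookie("john.doe", "203.0.113.10", t0)
    # Same /16 an hour later: still trusted.
    print(device_is_trusted(c, "john.doe", "203.0.113.77", t0 + 3600))
    # Different network: the provider re-challenges.
    print(device_is_trusted(c, "john.doe", "198.51.100.5", t0 + 3600))
```

The cookie carries no secret of its own; its value to an attacker is limited to the device it was issued to, and the scope check means stealing it and replaying it from another network gains nothing. A stronger design would also bind it to a random per-device identifier stored server-side so that individual devices can be revoked.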

Financial institutions have historically carried a heavier burden because, frankly, the stakes are higher. If you hold a significant amount of money, a bank or brokerage may issue you an RSA token, a hardware device that displays a new one-time code every 30 to 60 seconds, so a code captured today is useless tomorrow. Banks also try to counter phishing by showing an image or logo you chose for your account, so that you can confirm you have reached the real bank site rather than a copy-cat; note that this only helps if users actually refuse to log in when the image is missing, and a phishing proxy that relays the real site can display it too. Government services such as EFTPS send a PIN by USPS mail to verify your postal address. That makes it harder for a criminal to stay in the shadows when creating a phantom account or taking over somebody else's.

On top of all these efforts, organizations have been steadily improving their CAPTCHA technology to block automated attacks. Once an attack does occur, they have had to fall back on old-fashioned human verification: lock the account after a number of failed login attempts and require the user to phone in to have it unlocked. The bet is that an attacker with automation either will not bother or, if they do, will be slowed down considerably. The trade-off is that a lockout policy lets an attacker deliberately lock legitimate users out by hammering their accounts, and on its own it does nothing against password spraying, where one common password is tried against many accounts so that no single account ever reaches the threshold.
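Here is an added example (not code from the post or from any of the services it mentions) of the lockout logic described above, run over a constructed login log, extended with the per-source check that catches password spraying, which a purely per-account threshold misses. The thresholds (5 failures per account, 10 distinct accounts per source, both within 15 minutes), the log format and every username and IP address in `SAMPLE_LOG` are assumptions made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCK_THRESHOLD = 5            # failures on one account before it locks (assumed)
SPRAY_ACCOUNTS = 10           # distinct accounts failing from one source (assumed)
WINDOW = timedelta(minutes=15)

# Constructed log: "<ISO timestamp> <username> <source ip> <OK|FAIL>".
SAMPLE_LOG = (
    # brute force against one account: trips the per-account lockout
    [f"2024-01-15T09:00:{i:02d} alice 198.51.100.7 FAIL" for i in range(6)]
    # a legitimate user who mistypes twice, then succeeds
    + ["2024-01-15T09:01:00 bob 192.0.2.4 FAIL",
       "2024-01-15T09:01:05 bob 192.0.2.4 FAIL",
       "2024-01-15T09:01:10 bob 192.0.2.4 OK"]
    # password spray: one guess each against twelve accounts from one source
    + [f"2024-01-15T09:02:{i:02d} user{i:02d} 203.0.113.9 FAIL" for i in range(12)]
)


def parse_line(line: str):
    ts, user, ip, result = line.split()
    return datetime.fromisoformat(ts), user, ip, result == "FAIL"


def analyse(lines):
    """Return (locked_accounts, spraying_sources).

    Per-account rule: LOCK_THRESHOLD failures within WINDOW locks the account;
    a successful login resets its counter.
    Per-source rule: a source that fails against SPRAY_ACCOUNTS or more distinct
    accounts within WINDOW is flagged even if no account hit the lock threshold."""
    account_failures = defaultdict(list)   # user -> timestamps of recent failures
    source_targets = defaultdict(dict)     # ip -> {user: time of latest failure}
    locked, spraying = set(), set()
    for line in lines:
        ts, user, ip, failed = parse_line(line)
        if not failed:
            if user not in locked:
                account_failures[user].clear()
            continue
        # per-account lockout
        recent = [t for t in account_failures[user] if ts - t <= WINDOW]
        recent.append(ts)
        account_failures[user] = recent
        if len(recent) >= LOCK_THRESHOLD:
            locked.add(user)
        # per-source spray detection
        source_targets[ip][user] = ts
        targets = [u for u, t in source_targets[ip].items() if ts - t <= WINDOW]
        if len(targets) >= SPRAY_ACCOUNTS:
            spraying.add(ip)
    return locked, spraying


if __name__ == "__main__":
    locked, spraying = analyse(SAMPLE_LOG)
    print("locked accounts:", sorted(locked))      # ['alice']
    print("spraying sources:", sorted(spraying))   # ['203.0.113.9']
```

Note that `alice` is locked while the source of the spray, which never failed against any single account more than once, is only caught by the second rule. In practice the response to a spraying source is a rate limit or a CAPTCHA step-up on that source, not a lockout of the targeted accounts, which would hand the attacker the denial of service mentioned above.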

Update 1: It is quite troubling that mobile phone network operators, by and large, use your telephone number, which is effectively public information, as your username. That makes it much easier for anybody to break into your account, especially if they know when you will have little access to technology.