1. 89
    1. 51

      I’ve run into versions of this far more often than I should. My favourite anecdote along these lines was my mother trying to cancel her cable account. The company stated that only my father could cancel the account, since it was in his name. My mother responded that my father had passed away, but the company stated that they needed a death certificate signed by the coroner to confirm this. This was arguably reasonable, but also a nuisance, as the local coroner was currently on an eight-month backlog.

      Eventually, my mother obtained my father’s death certificate from the coroner and returned to the cable company office. At this point, the branch manager was brought in. He stated that he could not be sure that this death certificate was for my father and not just another man with the same name. They said that my father would need to confirm, in person, that that was his death certificate.

      1. 10

        This is not Kolkata, India by any chance? Actually, when I was closing down my parents’ house, all I needed were the death certificates. No one surrenders a telephone in Kolkata fraudulently, I guess.

        In any case, you could ask if the cable company would like to supply free cable. When they ask why, you could tell them, because you will stop paying.

      2. 5

        Surely the solution is to simply stop paying, and watch as they try to bill a dead man? If it was a shared account start rejecting the charges, maintain a copy of them refusing to cancel the account.

        I had similar issues halting our alarm service when Covid started - only my wife’s name was on the account - but they just accepted the cancellation with her signature (which wasn’t necessary to start off with). At least for an alarm service though you could make a strong argument for why such approval is necessary - but then it was trivially handled by me faxing (sigh) a random piece of paper I’d filled out, thus defeating the purpose.

      3. 4

        I’m hoping your mother wasn’t charged during that period. (You did eventually get the account canceled, right?)

      4. 3

        They said that my father would need to confirm, in person, that that was his death certificate.

        In the long run, just hiring a necromancer will be cheaper than the cable bills.

      5. 2

        Kafka called and said he wants his bureaucracy nightmare back.

      1. 4

        Wow, I totally missed this:

        Bruce Schneier: “I want to remind readers that this isn’t a true story. It didn’t actually happen. It’s a thought experiment.”

        OP leads with: “Imagine…”

        1. 5

          I can see where the confusion might arise. “Imagine” is quite often used when telling a real story - you are asking the reader to imagine something that really happened to you.

          “Imagine if you will, I was walking to the market when I saw a bus hit a man on a unicycle.”

          1. 1

            Or in the sense, “this happened to me, but it’s so unbelievable a story, you will have to imagine.”

    2. 7

      As with the author, I treat all (in)security questions as eventual phish food and never put the right answers in there. Is the author now saying not to do that?

      1. 29

        Author here! I am saying that you should do it. But you also need to be aware of the risks of doing it.

        For example, I tried to social engineer my way into one of my accounts. The call centre asked me for my mother’s maiden name and I said “oh, it is just gibberish. I just smashed my hand on the keyboard.”

        That got me in…!

        1. 4

          I haven’t tested it, but this is one of my motivations for using pass phrases. I’m moderately optimistic that if your mother’s maiden name is Defog-Preamble-Blurry-Clerk5 then there’s a higher chance they’ll be strict than a random password.

        2. 3

          I’m amazed that worked…

          1. 4

            Ehn, I’m not - if it was a long enough stream of garbage.

            That said, when I first moved to the states the credit union I joined demanded my mother’s maiden name - literally would only accept a “last name”. :-/

      2. 7

        Whoever decided to implement/invent “security questions” based on things all your friends may know, Wikipedia can tell you or a phisher may get to know without looking suspicious to any normal person, didn’t think this through for one second.

      3. 3

        If you can put wrong answers you remember, then that’s fine. I personally have an entirely separate fantasy persona whose birthplace, pet’s name, and first teacher I can recall.

        A random string of numbers is the same as disabling security questions.

    3. 5

      This is why my offsite backups are an unencrypted hard drive sitting in a drawer in a family member’s house, in another city. Whenever you’re tying a knot, leave yourself a bit of string to tug on in case you need to undo it later.

    4. 5

      use 1Password to store your passwords and TOTP codes together. this isn’t 2FA, since the passwords and TOTP codes are stored in the same place. it’s more like 1.5FA. nevertheless, the convenience is worth it IMO.

      • cloud backup of access to your digital life
      • easy to transfer to a new phone
      • autofill TOTP codes in web forms

      for bonus points, store critical passwords in a shared vault with friends or family so you can gain access to your 1Password through them in the event of a catastrophe.

    5. 4

      It’s not security unless it hurts

    6. 3

      This article describes exactly the kind of questions I’ve asked myself a few weeks ago when I tried to design a backup system that would survive even a catastrophic event.

      Just as the author of the article, I couldn’t find a proper answer that solves all these issues:

      • it is secure in the cryptographic sense – thus protected with a strong “key” (be it asymmetric or symmetric);
      • it can be easily recovered with nothing more than the “secured” backup files (on physical media) and something I “know” (which should be the source for the “key”);
      • (plus, to make it more realistic, add to all these also the requirement to be recovered by non-technical relatives in case I’m not around anymore; and just for fun, let’s imagine I don’t want to use physical media, but instead some cloud service;)

      However, I think the author actually meant to touch on a different subject, as seen from his conclusion:

      This is where we reach the limits of the “Code Is Law” movement.

      In the boring analogue world – I am pretty sure that I’d be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.

      1. 1

        I think the article is trying to prevent data loss that you simply can’t plan for. How in the world do you reliably plan for the fact that a nuke hit your home? Because a thunderstrike won’t destroy your house like that, not if you have a normal lightning conductor. My yubikey won’t get destroyed by water or a car rolling over it. It burning down with the house would mean I didn’t have it with me or didn’t place a backup somewhere else. If you need your data somewhere else: Encrypt them and store them at services like backblaze (key in your head/bank/..), far off from your home.

        But ultimately this looks one step below “where are your backups and IDs if the death star showed up tomorrow”.

        Yeah I guess I witched it with this comment. It’s probably more likely that google will (again) lock you out of your account for no apparent reason.

    7. 3

      I use keepass with a yubi-key challenge/response for my password-safe.

      I have a gpg-encrypted zip-file in a public S3 bucket; it should basically be impossible for someone to find it. If someone does somehow download that file, I get an immediate notification and can rotate credentials.

      The password for the encryption is very long and I practice downloading and decrypting twice a year (that also exercises the download-notification :-) ). The zip-file contains the credentials and a restore-script for a backup containing my password-safe and the challenge-response key from Backblaze B2. My password-safe then contains the recovery-codes for all (I hope :-) ) my accounts.

      Yes, this is a significant reduction of security, but it feels like it’s worth it…

      1. 4

        it should basically be impossible for someone to find it.

        Let the treasure hunt begin…

      2. 2

        You could put it somewhere password protected, without 2FA, and a simple username and password. It’s as “calamity safe” as the current setup, with one extra layer of security.

    8. 3

      My takeaway: don’t set up 2fa for your password manager. I avoid 2fa anyway, since I could lose my phone any day.

      1. 2

        I have a 2fa on my phone, but for important things, I also have yubikeys.

    9. 3

      This is giving me a kick in the butt to do some threat modeling of my own. I started on a backup strategy diagram a few months ago as I was migrating between some NASes and wanted to make sure that all of the backups were working but I never got into the level of including credential provider DAGs in it.

    10. 2

      So which is the bigger risk:

      • An impersonator who convinces a service provider that they are me?
      • A malicious insider who works for a service provider?
      • Me permanently losing access to all of my identifiers?

      I’ll add, services that have your secrets and can be compelled to release them. As privacy rights are lost, this will become more common. Then again, house fires have become more common too.

    11. 2

      My partner lost her Android phone while we were traveling internationally, and was completely locked out of her Google account since it required SMS verification to sign in again on anything else. Receiving a new SIM card with her number was out of the question. Luckily any important documents/info were also in my inbox, else we would have had a really hard time getting back home. I think now I’m going to start printing copies of anything important to take with us on trips, like it’s 1999.

      1. 12

        Had a job with a lot of travel for work around 2013-2020, and always printed flight tickets, hotel/taxi bookings, maps/directions, &c.

        I would still recommend it, for safety in case of the phone disappearing in accident/theft/mugging/flooding. Also it’s nicer to hand those over to be fingered by strangers, than my phone.

    12. 2

      Interesting article!

      Incidentally, the IT gods at my employer were angered by your site’s use of pop-ups :)

      1. 2

        There shouldn’t be any pop ups on my site… got any screenshots?

        1. 6

          You know what? They can take a long walk off a short pier AFAIC they’re blocking mastodon.social.

          Jerks :)

    13. 2

      My belief at this point is that all the standard “2fa questions” are a liability shift - it’s your fault you shared the last four digits of your SSN, your mother’s maiden name, and the school you went to with someone else…

      The modern actually secure 2FA systems are of course vastly superior (but require competence to set up, so businesses just use off the shelf “maiden name” type systems).

      But that obviously hits what the author encountered, where the data is permanently gone if you lose all your 2fa proofs.

      I think the real problem is for normal/non-tech users who have been trained by companies saying “your data is completely safe and protected by industry standard encryption” to believe that the protection is purely a permission thing, and the data can always be retrieved by the company.

      This view is further exacerbated by companies like Google and Facebook who aggressively avoid actual data security in favour of being able to scan, read, and analyze all of their users’ data - and normal people know this because odious examples of it repeatedly show up in the mainstream media.

      Google & Facebook are so forceful with this “we will be able to read your ‘secure’ data” that it’s next to impossible to get people to understand that E2E encryption is a real thing, and companies that care about it can make your data actually private. It’s at the level where my wife will not trust even things like iMessage to be secure.

    14. 1

      I may have to go to court to force a company to give me access back, but it is possible.

      See? You live in a proper state with a functioning law system. There are valid reasons why sometimes you do not want “code is law”. If sued, even giants like Google all of a sudden start listening to you. And that’s why it’s good that the law system is run by humans working with old-fashioned paper letters.

    15. 1

      This situation is where a one way hash is better than a password store: https://ss64.com/pass/

      They have one big compromise: a single hash is not much use if you want to regularly change passwords.
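
The trade-off named in the comment above, as an added sketch that is not part of the thread and is not the algorithm ss64.com/pass uses: each password is re-derived from a master secret and the site name, and rotation needs a per-site counter. The PBKDF2 parameters, the counter scheme and the `site_password` name are assumptions made for this illustration.

```python
import base64
import hashlib

# Assumed parameters for this sketch; none come from the thread or from ss64.com/pass.
ITERATIONS = 200_000
LENGTH = 20


def site_password(master: str, site: str, counter: int = 1) -> str:
    """Derive a site password from a master secret. Nothing is stored anywhere."""
    if not master or not site.strip():
        raise ValueError("master secret and site name are required")
    if counter < 1:
        raise ValueError("counter starts at 1")
    # Normalise the site name so 'Example.com ' and 'example.com' agree.
    salt = f"{site.strip().lower()}#{counter}".encode("utf-8")
    raw = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    # URL-safe base64 gives letters, digits, '-' and '_'; truncate to LENGTH.
    return base64.urlsafe_b64encode(raw).decode("ascii")[:LENGTH]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample secret
    print(site_password(master, "example.com"))             # current password
    print(site_password(master, "example.com", counter=2))  # after one rotation
```

The counter is the one piece of per-site state that still has to be remembered or written down once a password has been rotated.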

    16. 1

      My solution to this problem consists of a few steps:

      1. Use either a password manager that generates passwords from a “master key”, use SSO for everything, or use multiple password managers with encrypted backups on multiple cloud services
      2. Use strong 2FA (multiple PIN-protected YubiKeys + TOTP) for everything
        FYI: YubiKeys support 63-digit alphanumeric “PINs”, so there’s no risk with untrusted people accessing them either.
      3. Backup the primary passwords for [1] and the QR codes for [2] on an encrypted USB drive
      4. Deposit sets, each of a PIN-protected YubiKey [2] and one of the encrypted USB drives [3], together in different, trustworthy places.
      5. Always keep one set on your body.

      The only situation in which I could get locked out of all my services is four different places, some of them hundreds of kilometers apart, all being burned/nuked/SWATted at the same time, while I’m swimming (the only situation in which I don’t follow rule 4)

      1. 2

        Yubikeys are waterproof. Unless you swim naked, you could have them with you.

        1. 1

          Oh that’s good to know! Do you know how well they handle the salt in seawater? If they handle that well, and I find an equally-waterproof usb drive, that’d be awesome!

          1. 2

            It has a pretty solid rating of IP68 (https://en.wikipedia.org/wiki/IP_Code)

            • 6 Dust-tight No ingress of dust; complete protection against contact (dust-tight). A vacuum must be applied. Test duration of up to 8 hours based on airflow.
            • 8 Immersion, 1 meter (3 ft 3 in) or more depth

            and their press blog (take with a grain of salt) https://www.yubico.com/press-releases/yubikey-survives-ten-weeks-in-a-washing-machine/ claims that it survived a 48 meter dive in saltwater.

            the only thing that salt could do would be corrode the contacts on the port plug, it’s encased in plastic (not just a plastic case like 99% of usb storage devices), just make sure it’s fully dry before plugging it in.

          2. 1

            I did not test salt water myself, only washing machine and swimming pool a few times and did not notice any problem after.