GM online account
Why do I need an online account for a pickup truck?
Do I need to download updates?
Does it come with a built-in vinyl printer to print new political bumper stickers every time the Great Leader tweets a bon mot?
Automaker General Motors has confirmed the credential stuffing attack it suffered last month exposed customers' names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts. Trucks come off the assembly line at GM's Chevrolet Silverado and GMC Sierra …
To use their reward system, however that works. If you earn points and have to identify yourself to spend them, that's one of the only ways. I think if you don't care about that system, you can refrain from setting up an account and just drive the thing. You would then lose whatever advantages there are in the reward points, although I'm having trouble imagining how they could set it up to be very useful.
If these companies weren't treating their own security in such a lazy manner these data breaches wouldn't keep happening. My own company requires that I log in multiple times across multiple systems to do my job. It's a huge pain; in fact 25 percent of my workday involves entering password after password. An example? Just submitting a timesheet requires that I enter a password to log into the computer, a second password with MFA to enter the VPN, a password to enter the company website, a password to enter the HR website, and a password to enter the timesheet site, all so I can say I worked 43-45 hours a week. To reach actual equipment requires more logins, more VPNs and more MFA logins. I wouldn't mind so much if they'd add some processing power to these systems, as it can take several minutes to get in. I'd also like it if they increased the timeouts once you do get in. The timeout is the worst part, as it's so short I'll be kicked out in the middle of testing, only with no indication that it timed out.
This is really an IT problem. This is fixable.
At my employer, the entire company is 100% work from home, but we have implemented single sign-on (SSO) across all of our systems. We have one sign-in for nearly 30 different systems/servers/VPNs/etc. This works with Linux and Windows servers. We do use multi-factor and very strong passwords, since the downside to SSO is the "keys to the kingdom" issue.
It was not easy, and I did not set it up. We have one (very smart) guy that made it all work. It can be done. We are not that big of a company, and we can do it.
Until your users get duped into entering their SSO password on a convincingly crafted web page, no doubt the 2FA too if prompted.
Obviously that last part (2FA) would need to play man-in-the-middle due to it being time-based.
Single sign-on, while convenient, is not a security feature.
I work on systems that are secured down so tightly that I can't get into them, even though I officially have access. It starts with a 2-factor authorised VPN with local certs that I can only use from a secure-issue laptop that is locked down so I can't change anything. Once that VPN is up then I connect to a virtual desktop, and then from there I start one of another selection of similar VPNs depending on which part of the network I am working on. I connect into that next part of the network on another virtual desktop, from which I can use tools to reach the resources I am after. I frequently forget how to reach some parts of the system that I don't often access. Before I can do any of that I have to have a current DV clearance.
No GM customer is going to tolerate that.
"No GM customer is going to tolerate that."
I was thinking less about GM's customers, and more about systems that let an attacker slurp hundreds of thousands of user credentials. A customer should never be able to access anything more than their own information, and the hackers didn't get into the back door by getting hold of Mary Jo Parker's account login. Unless, of course, Mary Jo is GM's head IT admin.
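The comment above distinguishes one customer's account from a system that lets many accounts be harvested at once. Credential stuffing sits in between: each login is an ordinary customer login, and the signal is only visible in aggregate. The following is an added example, not code from the thread or from GM, of the kind of check a defender runs over authentication logs: it groups attempts by source address and flags sources that try many distinct usernames with a high failure ratio, then lists the accounts that did succeed from a flagged source so they can be reset. The log format and all addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log in a simple key=value shape (not any vendor's real format).
SAMPLE_LOG = """\
2022-05-21T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2022-05-21T10:00:09Z ip=203.0.113.5 user=alice result=FAIL
2022-05-21T10:00:20Z ip=203.0.113.5 user=alice result=OK
2022-05-21T10:01:00Z ip=192.0.2.9 user=bob result=OK
this line is malformed and should be skipped
2022-05-21T10:02:00Z ip=198.51.100.7 user=carol result=FAIL
2022-05-21T10:02:00Z ip=198.51.100.7 user=dave result=FAIL
2022-05-21T10:02:01Z ip=198.51.100.7 user=erin result=FAIL
2022-05-21T10:02:01Z ip=198.51.100.7 user=frank result=OK
2022-05-21T10:02:02Z ip=198.51.100.7 user=grace result=FAIL
2022-05-21T10:02:02Z ip=198.51.100.7 user=heidi result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried from this source
    successes: set = field(default_factory=set)  # usernames that logged in OK from it


def parse_log(text: str) -> list:
    """Parse the constructed format; unparseable lines are skipped rather than fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(text: str, min_users: int = 5, min_fail_ratio: float = 0.8) -> dict:
    """Flag sources that spray many usernames with mostly failures: a normal user
    forgetting a password fails against one account, a stuffing run fails against many."""
    per_ip = defaultdict(SourceStats)
    for ev in parse_log(text):
        s = per_ip[ev["ip"]]
        s.attempts += 1
        s.users.add(ev["user"])
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = s

    # Accounts that authenticated successfully from a flagged source are the ones
    # whose reused passwords were valid: these get a forced reset and session revocation.
    accounts_to_reset = sorted(u for s in flagged.values() for u in s.successes)
    return {"flagged_sources": flagged, "accounts_to_reset": accounts_to_reset}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, s in report["flagged_sources"].items():
        print(f"{ip}: {len(s.users)} users tried, {s.failures}/{s.attempts} failed")
    print("reset:", report["accounts_to_reset"])
```

Thresholds like five usernames and an 80% failure rate are starting points to tune per site; real stuffing runs are also spread over many source addresses, so the same grouping is usually repeated by user agent, ASN or time window.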
The first big issue with multi-factor is the plethora of different factors used by different service providers, resulting in huge complexity for the user. The second is increasing reliance on biometrics, which necessarily are used on multiple sites and cannot be changed or rescinded.
The source of the password problem is not passwords in principle, but inadequate understanding of how they should be created and used.
M.V. Lipvig's problem, which could be managed by use of single sign-on (provided the master credential were robust enough), is a good example of that lack of understanding on the part of the organisation, as are almost all "password rules". I recently moved a web site to a new host. Some passwords that were deemed 'highly secure' on the old host were considered unacceptably 'weak' on the new, and vice versa, strongly suggesting that one or both sets of rules are completely arbitrary. That doesn't invalidate passwords per se, just legitimately questions the competence of those setting the rules.
If we got their creation and management right, passwords might emerge as much safer than they are while we get all that wrong.
"increasing reliance on biometrics, which necessarily are used on multiple sites and cannot be changed or rescinded."
Yes. Widespread biometrics will enable the ultimate credential stuffing attacks. A shared, unchangeable credential. What could go wrong?
I have always just shaken my head at the use of fingerprints for verification. Why not use a credential that you leave hundreds of copies of lying around everywhere, every day?
It's like writing down your password on hundreds of post-it notes, and randomly sticking them to every surface you touch!
To labour an already well-laboured point... biometrics are at best a user name, and even that's questionable since you can change your user name but it's much, much harder to change your face and/or fingerprints.
They are not authentication, and should never be used so.
"biometrics are at best a user name, and even that's questionable since you can change your user name but it's much, much harder to change your face and/or fingerprints."
This bears repeating. Again. And again. In 72pt text. With mozilla marquee tags!
Yeah, the conflicting results you mention are the result of yet another flash in the pan idea to "fix" password re-use. The idea went something like this:
If you make the "complexity" rules completely arbitrary and wacky for every site, people can't re-use the same password everywhere.
The problem is that it fails to accomplish that end reliably, and inflicts pain and annoyance everywhere consistently. It is now considered unfashionable.
We need to just stop trying to fix them. There are much better, easier, and more secure ways to do this. FIDO, TOTP, and phone or hardware tokens run rings around passwords. Once you get there SSO is easier.
Something else that would be good is getting more of these systems off their custom-built login windows and onto something with a more modular interface. PAM meant that *nix based systems could update or swap authentication sources or methods W/O ripping up the front end.
"yet another flash in the pan idea to "fix" password re-use"
Can I play? How about forcing the user to do a password reset after every login... That way even if they re-use the password on multiple sites, it still won't work when the credential stuffer gets their hands on it. What could go wrong?
"That doesn't invalidate passwords per se, just legitimately questions the competence of those setting the rules."
It could be a good idea to move from a single password to a call and response.
"To the axeman, all supplicants are the same height."
I do this routinely.
It's entirely possible that other users chose the same password as me. What they can't do is choose the same user name.
I use a different user name for each online service I use (which isn't many). Mostly they require an email address for that purpose, but this is easy for me since I run my own MX on my own domains.
Remembering a strong password that you use everywhere is easy. Remembering the user name when it's basically name-of-website@mydomain.tld is also easy.
I recommend it.
-A.
If entities that store the information were on the hook for severe penalties, including prison time for executives (no sacrificial employees), maybe they'd stop storing the information as it might wind up being a liability rather than a saleable asset. There may be a nice bonus in that the information also becomes more expensive. For less than the cost of a coffee at Starbucks, it's possible to get a nice dossier on the target of your choice. If you pay for a subscription, it can be much less. While credit card info, bank details and other financial information being exposed is a big problem, even mundane information can be weaponized. If "your ISP" calls to sell you an upgrade package with the first 3 months free and no obligation, they will find it much easier to dupe people if they have a stack of info such as account numbers, names, addresses, current subscription details, etc. The problem is that it is a scammer that needs one more piece of information from you to ruin your life. By reciting what they already know, they lull you, or a family member, into being comfortable revealing that info. This happened to a friend who immediately slapped her forehead for being such a dolt and raced to contain the damage. This is why it's a good idea to share as little information about yourself as possible.