Page 4 of 5

Thread split

Posted: Fri Jan 28, 2011 2:13 pm
by aebrown
Moderator's Note: For those who are following this lively discussion, please note that I have pulled the posts that are now in this thread from the thread New Mobile Apps Available. This topic was quite distinct from that thread, and this discussion was obscuring other posts that were germane to that topic.

Even within this new thread, there are three discussions. One is related to the security issues involved with accessing the mobile web services via LDS Account, another is related to whether the data accessible via those web services will include the MRN, and the third relates to the security of the MRN as a key identifier in obtaining and securing an LDS Account. But those three discussions are so intertwined that I couldn't figure out how to separate them.

I also moved this discussion to the LDS Account forum, since it is much more related to LDS Account than to mobile apps (even though it does involve both, and MLS, and a few other topics).

Posted: Fri Jan 28, 2011 2:28 pm
by aebrown
RussellHltn wrote:That's what I remembered, but I checked before I posted (that's how Ross scooped me)

I played dumb and indicated that I had forgotten my LDS Account name. At that point I'm asked for MRN and Birth Date.

That's all the further I went. It's entirely possible I may have to supply more information to take over an account, but that's all that's needed to start the process.
Well, we're both wrong.

I took the recovery process farther and discovered that the confirmation date is no longer used (although it definitely was once upon a time) to recover a forgotten password when the email address is no longer functioning.

If you need to recover your username, you are prompted to enter your email address, and the username is sent to the registered email address. But if you don't have the email address (have forgotten it, or it no longer works), you can recover your username by doing the following:
  1. Enter your membership record number
  2. Enter your birthdate
  3. If the above data is correct, then you have to answer two security questions correctly.
It's this last step that adds significant extra security against hijacking an account. I tried this process twice, and saw different questions. I don't recall how many security questions I set up originally.

Of course, it's possible that someone who knows me very well might be able to guess my security questions, but they'd have to know me so well that I already trust them and I'm sure they wouldn't hijack my account.

Posted: Fri Jan 28, 2011 8:01 pm
by RossEvans
BTW, while potential security holes related to LDS Account and mobile apps are being closed, I certainly hope this one has been plugged by now. It's been more than a year since I last looked, and I have never been a customer. But I don't know whether the app was ever fixed as promised. That was (is?) a different case not involving the MRN, but sending members' LDS Account credentials (username and password) directly to a third-party vendor's server.

Followups should probably be posted in that thread. But since this new thread has become a roundup of several related security issues, it bears mention here. The case also touches on the original question at the top of this thread regarding the future of the authenticated API and its use by outside parties.

Posted: Fri Jan 28, 2011 9:38 pm
by aebrown
RossEvans wrote:BTW, while potential security holes related to LDS Account and mobile apps are being closed, I certainly hope this one has been plugged by now. It's been more than a year since I last looked, and I have never been a customer. But I don't know whether the app was ever fixed as promised. That was (is?) a different case not involving the MRN, but sending members' LDS Account credentials (username and password) directly to a third-party vendor's server.

Followups should probably be posted in that thread. But since this new thread has become a roundup of several related security issues, it bears mention here. The case also touches on the original question at the top of this thread regarding the future of the authenticated API and its use by outside parties.
This thread is already messy enough. I suppose it's okay to put a reminder of that thread here, but please don't pursue that topic in this thread. There's absolutely no reason to continue that discussion here -- continue it in the existing thread.

Posted: Fri Jan 28, 2011 10:00 pm
by Mikerowaved
aebrown wrote:If you need to recover your username, you are prompted to enter your email address, and the username is sent to the registered email address. But if you don't have the email address (have forgotten it, or it no longer works), you can recover your username by doing the following:
  1. Enter your membership record number
  2. Enter your birthdate
  3. If the above data is correct, then you have to answer two security questions correctly.
It's this last step that adds significant extra security against hijacking an account. I tried this process twice, and saw different questions. I don't recall how many security questions I set up originally.
Just a few minutes ago I went through this process with my mother-in-law's LDS Account. Her old email address was no longer valid and she had no idea what her username and password once were, so basically we started with nothing.

Using only her MRN and birthday, I was able to...
  1. Reveal her username
  2. Change her email address
  3. Change her password
Since she originally had no security questions set up, I was not prompted for any. I was actually surprised how simple it was to accomplish the above with just the information I had.
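
The recovery path aebrown listed (MRN, birthdate, then two security questions) and the result Mikerowaved got when no questions existed (username revealed, email and password changed) are two behaviours of one policy. The following is an added example written for this thread; it is not code from the original posts or from the LDS Account system. It models the self-service flow in Python to show the difference between failing open (the question step is skipped when the account has none) and failing closed (MRN and birthdate only locate the account, and recovery is refused unless the stronger factor is present). The `Account` fields, the hashing of answers, the MRN format and the two sample members are all assumptions made for the example.

```python
# Added example, not code from the thread or from LDS Account. Models the
# username/password recovery path under two policies.  Field names, the answer
# hashing scheme and all sample data below are hypothetical.
import hashlib
import hmac
from dataclasses import dataclass, field


def _h(answer: str) -> bytes:
    """Normalise (trim, lower-case) and hash a security-question answer."""
    return hashlib.sha256(answer.strip().lower().encode()).digest()


@dataclass
class Account:
    username: str
    mrn: str                 # membership record number, used as the lookup key
    birthdate: str           # ISO date string
    email: str
    # question text -> hashed answer; empty when the member never set any up
    questions: dict = field(default_factory=dict)


def _answers_ok(acct: Account, answers: dict, required: int) -> bool:
    """True when at least `required` supplied answers match stored ones."""
    correct = 0
    for question, answer in answers.items():
        expected = acct.questions.get(question)
        if expected is not None and hmac.compare_digest(_h(answer), expected):
            correct += 1
    return correct >= required


def recover_open(acct: Account, mrn: str, birthdate: str,
                 answers: dict, questions_required: int = 2) -> bool:
    """Fail-open policy, as the posts above describe the live flow: the
    question step is enforced only when questions exist, so MRN + birthdate
    alone are enough for an account that has none."""
    if mrn != acct.mrn or birthdate != acct.birthdate:
        return False
    if acct.questions:
        return _answers_ok(acct, answers, questions_required)
    return True


def recover_closed(acct: Account, mrn: str, birthdate: str,
                   answers: dict, questions_required: int = 2) -> bool:
    """Fail-closed variant: MRN + birthdate only locate the record.  If the
    account cannot present the stronger factor, self-service recovery is
    refused and the requester has to use an out-of-band path (e.g. the
    registered email address) instead."""
    if mrn != acct.mrn or birthdate != acct.birthdate:
        return False
    if len(acct.questions) < questions_required:
        return False
    return _answers_ok(acct, answers, questions_required)


def recovery_actions(verify, acct: Account, mrn: str,
                     birthdate: str, answers: dict) -> list:
    """The three actions the post lists all hang off the single identity
    check `verify`; nothing further is asked before any of them."""
    if not verify(acct, mrn, birthdate, answers):
        return []
    return ["reveal_username", "change_email", "change_password"]


# Constructed sample data: one member with two questions set up, one with none.
WITH_QUESTIONS = Account(
    "jdoe", "000-1234-5678", "1950-03-14", "jdoe@example.org",
    {"first car": _h("Rambler"), "city born": _h("Provo")},
)
NO_QUESTIONS = Account("grandma", "000-8765-4321", "1935-07-02", "old@example.org")


if __name__ == "__main__":
    for name, verify in (("fail-open", recover_open), ("fail-closed", recover_closed)):
        print(name, "no questions:",
              recovery_actions(verify, NO_QUESTIONS, "000-8765-4321", "1935-07-02", {}))
        print(name, "two questions, no answers:",
              recovery_actions(verify, WITH_QUESTIONS, "000-1234-5678", "1950-03-14", {}))
```

Under the fail-open policy the account with no questions yields all three actions to anyone holding its MRN and birthdate, which is exactly the situation reported above; under the fail-closed policy that same request returns nothing and the member has to be recovered another way. Which policy is acceptable is a product decision, but the example makes the point that an optional factor gives no protection to the accounts that never configured it, so the MRN and birthdate carry the whole load for them.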

Posted: Fri Jan 28, 2011 10:11 pm
by aebrown
Mikerowaved wrote:Since she originally had no security questions set up, I was not prompted for any. I was actually surprised how simple it was to accomplish the above with just the information I had.

I think I have some faulty memory. Now that I remember things better, I don't think most people have to set up security questions. But it would be a good idea, in my opinion, to require everyone to set up some security questions.

So it really is just a matter of having the MRN and birthday, which strengthens the case for being quite careful with the security of MRNs.

Posted: Fri Jan 28, 2011 10:19 pm
by russellhltn
aebrown wrote:But it would be a good idea, in my opinion, to require everyone to set up some security questions.

Probably not a bad idea, but this is a "wish list item", is it not? Because I went into my LDS Account and I didn't see anything about security questions there. Since I suffer from CRS (can't remember squat), I'm not sure if I've set any up in the past.

Posted: Fri Jan 28, 2011 10:50 pm
by Mikerowaved
aebrown wrote:But it would be a good idea, in my opinion, to require everyone to set up some security questions.
To tell you the truth, I can't find that as an option for LDS Account.

Posted: Fri Jan 28, 2011 10:55 pm
by aebrown
RussellHltn wrote:Probably not a bad idea, but this is a "wish list item", is it not?

Yes, that's why I said "good idea" -- it's just a suggestion. As I said, most people don't have the security question option, so I wasn't talking about how it works right now.

Posted: Fri Jan 28, 2011 10:58 pm
by russellhltn
OK, the earlier post left me with the impression it was at least an option for us "normal" users. Apparently not.