OpenID: Security Weaknesses and Phishing Vulnerabilities

Written by Tom Fronczak, February 18, 2011

Across all fields of computer security, phishing is the fraudulent practice of trying to obtain private information by posing as someone you are not. While the digital world continues to change at a fast pace, so do the tactics used to exploit security weaknesses, with new electronic communication threats appearing every day. As OpenID restructures the way in which millions transfer data online, a wave of new phishing dangers exists.

Most attacks on online transactions fall into two categories: tricking the user into giving data to something they shouldn't, or fooling a program or machine into accepting a deceitful user as someone they're not. This means that the more we rely on the Web, the less we have to worry about our own mistakes, and the more we have to start worrying about companies making mistakes that put us at risk without our even knowing it. With more online populations embracing the single sign-on aspect of OpenID, it only takes one incident to contaminate your private data across several sites.

Something we have to accept is that no security system – offline or online – is foolproof. We like to find comfort in thinking that the more important something is to society, the more successful its security will be, but it's simply not true. No matter how big a business budget is, nothing is invulnerable. A great example of this is that many current ATMs across the nation are still vulnerable to several exploits that let programming pros literally force them to spit out money (more technical version here: hacker convention video). So if even big companies are at risk, then what hope does a single user have?

In the real world, most of us have the benefit that we aren't lucrative enough to put a target on our backs, but on the Internet we're all at risk. The greatest danger that exists is that just one security threat can reach millions of people overnight. Stop reading for a second and check out that spam folder in your email that you haven't looked at in years: it's pretty scary. Most people use Twitter and/or Facebook more often than their email though, which is why the phishing market has shifted in recent years to target new ways of stealing your data. Once OpenID started to get adopted by Flickr, Facebook, Google, MySpace, WordPress, VeriSign, Yahoo, and many more, it didn't take long for new phishing scams to begin.

Perhaps the most well-known Twitter phishing scam came at the beginning of 2009, when a myriad of people fell for a site that looked like Twitter and asked them to sign on. Doing so not only meant you lost control of your account, but it also used you to send messages to all your friends enticing them to fall for the deception as well. This simple trick compromised countless users, yet it doesn't even come close to comparing to the end of that same year, when the entire website was hacked. Then in 2010 a new fear popped up when an old cryptography nuisance made a comeback, showing that it was theoretically possible to time how quickly or slowly incorrect passwords were rejected to help figure out which single characters were correct and eventually piece together an entire login password.
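The timing weakness mentioned above comes from comparison code that stops at the first mismatching character, so a wrong guess with a longer correct prefix takes measurably longer to reject. The following is an added example, not code from the original post or from any OpenID implementation: it counts the work a naive compare does per candidate (so the leak is visible without a stopwatch) and shows the hardened form using `hmac.compare_digest`, whose running time does not depend on where the first mismatch is. The stored secret and candidate strings are constructed sample values.

```python
import hmac

# Constructed sample secret; real systems would compare password hashes,
# not plaintext, but the comparison-timing issue is the same either way.
STORED_SECRET = "correct horse battery"


def naive_compare(expected: str, candidate: str) -> tuple[bool, int]:
    """Vulnerable form: returns as soon as a character differs.

    Returns (equal, characters examined). The second value stands in for
    elapsed time: it grows with the length of the correct prefix, which is
    exactly what a remote timing measurement would reveal.
    """
    steps = 0
    if len(expected) != len(candidate):
        return False, steps
    for x, y in zip(expected, candidate):
        steps += 1
        if x != y:          # early exit leaks how far the match got
            return False, steps
    return True, steps


def constant_time_compare(expected: str, candidate: str) -> bool:
    """Hardened form: hmac.compare_digest examines every byte regardless of
    where a mismatch occurs, so rejection time carries no prefix information."""
    return hmac.compare_digest(expected.encode(), candidate.encode())


def work_per_candidate(candidates: list[str]) -> dict[str, int]:
    """Defender's check: if this map is not flat across wrong guesses,
    the comparison under test leaks through timing."""
    return {c: naive_compare(STORED_SECRET, c)[1] for c in candidates}


if __name__ == "__main__":
    guesses = ["xorrect horse battery",   # wrong at position 0
               "correct xorse battery",   # wrong at position 8
               "correct horse battery"]   # exact match
    for guess, steps in work_per_candidate(guesses).items():
        print(f"{guess!r}: naive examined {steps} chars, "
              f"constant-time says {constant_time_compare(STORED_SECRET, guess)}")
```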

Normally these would only be strikes against Twitter's security, but OpenID would act as an SSO account for a user across dozens of sites, so only that first wall needs to crumble for every other wall to collapse and cause a Titanic-sized wave through the cyber seas. The notion that anyone at the top of the online business world is without weakness was shattered just a few months ago when Gawker Media – arguably the largest blog network on the entire Internet – found out its servers were hacked, causing over one million accounts to be compromised, with over 185,000 passwords embarrassingly posted publicly online for anyone to read. OpenID is no better, and its method of asking users to give data to external sources every time they use an SSO login only increases the risk that its users will eventually be duped.

One of the better ways to prevent phishing attacks from targeting you is to get into the habit of using bookmarks once you've verified a single URL to be safe, but let's face it: How many of us use those regularly? Not to mention that “spoofing” is on the rise online, and can even use your own Web browser to lie to you by displaying false URLs. The arsenal of exploits is endless.

With even more unpreventable ways for a user's account to be compromised than there are preventable ones, we live in an age when we'll all probably be hacked at least once in our lives, meaning it will always come down to ensuring that as little damage as possible can occur when it inevitably does happen. In my opinion OpenID has very limited pros for a long list of potential cons, and it bothers me that it isn't even needed if you can continue to maintain a dozen different accounts and unique passwords like we've successfully done over the past decade. Is that really such a difficult safety standard to maintain? What worries me the most is that it's training a whole generation of Internet users to put all their eggs in one basket and also encourages us to be even less cautious of external URLs. It may make the future of the Internet easier, but I'm not convinced it will ever make the Internet better.
