cpsc 329: Explorations in Computer Security & Privacy (f21)
Instructor: Ryan Henry <ryan.henry@ucalgary.ca>
Worksheet 0x03
Part 1:
p@ssw0rdz11
(b) Share your password for…
i. …your UCalgary account:
ii. …your online banking account:
iii. …Facebook:
iv. Were all three of the above passwords distinct, or did some password repeat?
(If you actually shared your passwords, shame on you! Destroy this computer posthaste‼)
(c) Password managers
i. Do you use a password manager? No!
If yes, which one?
ii. Do you trust password managers? No!
Why or why not?
Having all my passwords in one place does not seem secure. If a data leak were to ever
occur, all my passwords would be compromised, instead of just one if a single website
was hacked.
(d) What do you think were the 10 most commonly found passwords in 2019 data breaches? (Don’t look
it up; just make an educated guess.)
password, 12345678, qwertyuiop, p@ssword, pass1234, Password, incorrect, qwerty1234,
asdfghjkl, zxcvbnm
Part 2:
Identification, Authentication, and Authorization
(a) Alice is a Canadian citizen planning a trip to the USA. She plans to book a flight, in person, at a travel
agency (i.e., she’s “old school” and COVID isn’t a thing yet) but seek out hotel accommodations
online (ok, not entirely old school).
i. Alice visits her travel agent and selects her flight. In order to secure her reservation, Alice is
asked to pay for her flight using a credit card.
• How might the travel agent identify Alice?
They could ask for her first and last name and her date of birth.
• How might the travel agent authenticate Alice?
They could cross-reference her name and date of birth with a single or multiple
government-issued pieces of photo ID.
• Who must authorize this transaction? And how might they decide whether to do so?
They will authorize the transaction once Alice has been authenticated. The credit card
company will also authenticate that Alice is using the credit card. Once this is done,
her reservation will be complete.
ii. Now that Alice has chosen her flight, she must make a hotel reservation. She finds a suitable
room online and proceeds to the reservation page on the hotel’s website where she is prompted
for her credit card details.
• How might the hotel identify Alice?
Alice will probably have to make an account online and so will have to enter her
username or email.
• How might the hotel authenticate Alice?
The hotel may ask for her password or a number that they have sent to her email to
confirm that she is who she says she is.
• Who must authorize the transaction? And how might they do so?
The website will authorize the transaction once her identity is verified and the credit
card information has been processed.
iii. Alice decides that she should notify her credit card provider that she will be out of the country.
She calls her credit card provider on the phone to ensure that her card will be approved and
that there have been no problems with her recent transactions.
• How might the credit card provider identify Alice?
They will usually ask for your card number, but a name would also probably work.
• How might the credit company authenticate Alice before authorizing account inquiries?
When I have called credit companies, they ask a few security questions, which are
usually personal questions you have answered previously. Recently when I called,
they also have voice authentication where based on my voice it will authenticate my
identity.
iv. Alice realizes she never selected her seat when booking her flight. Rather than contacting her
travel agent she decides to see if she can select it online. She enters the name of the airline on
Google and sees a likely match as the first result.
• How can Alice identify the owner of the website?
She can take a look at the URL to see if the name matches the airline, and look
around at the website for logos and names that match the airline she booked.
• How can Alice authenticate the owner of the website? What risks do Alice face if she
fails to properly authenticate the website owner?
Alice could phone the airline to verify that she is on the correct website, look for trust
seals, and make sure it is without spelling errors. She risks sending her personal
information to people that could use it maliciously and losing money.
v. Alice arrives at the airport having already printed her boarding pass at home. She proceeds to
the counter to check her bags.
• How can the airline agent identify Alice?
They can ask for her boarding pass and her name to identify her.
• How can the airline agent authenticate Alice?
They can reference the information they already have about Alice with her boarding
pass. They could also ask for her passport to verify her identity.
• How can the airline agent check if Alice is authorized to fly into the USA?
They can check for her name or picture on no-fly lists to make sure she is allowed to
fly and is not a threat on an aircraft.