LUWS Account Security Breach

aebrown · #11

mkmurray wrote:Actually, that's changed. Now it's just MRN and birthdate.

Sort of. That's true for creating an LDS Account. But to reset an account (meaning you have forgotten the username/password, and need to change the associated e-mail address), you still use MRN and confirmation date. The post you quoted was talking about "taking control" of an LDS Account, so it was indeed accurate to refer to the confirmation date.

russellhltn · #12

Alan_Brown wrote:That's true for creating an LDS Account.

Ah, that's what's going on. I did check the reset page before I posted (so Alan wouldn't have to correct me

), but I knew we had discussed it having changed.

dmaynes · #13

atticusewig wrote:Is the suspected person who created the account a family member (or former family member) or did
he gain access to the information because he was
in a position of authority ?

Also, what would be the motive, other than nuisance ?

If the impostor is a "stalker," the information from LUWS can be used to create plausible fictitious lies in order to gain the confidence of the victim.

If the impostor is an "abuser," the information from LUWS can be used to stay connected with the victim, even when the victim wanted no further contact.

Wherever the victim moved, the impostor would be able to maintain control. Just knowing the ward could be enough information for the impostor to gain the confidence of the victim's bishop or fellow ward members.

The specific details of this situation are best left for others to handle. It suffices that we have detected the security breach and we are now working to remedy it, if possible.

dmaynes · #14

RussellHltn wrote: What evidence is there that someone has actually created the old LUWS account? From what I gather, the evidence is only that in the creation of a new account for a member, it has been discovered that there's an existing one.

The e-mail address registered for the LUWS Account was that of another individual known by the ward member. We are quite certain that we know the identity of the impostor.

The discovery that the account had been hijacked was not through the process of creating a new account. It was made by asking the member about ward website access and use. The member was completely unaware that this account existed. There was convincing evidence that the member did not create this account.

RussellHltn wrote:Is there any evidence that it's been used? Do you know the identify of the user? I would not rule out the member had forgotten that they created the account in the past.

Besides the fact that the account is tied to an active e-mail account, and the fact that ward e-mails have been sent to the impostor's account for some time, there is no evidence that the LUWS has been accessed by the impostor. The impostor knew the e-mails were coming for my ward and made no effort to reply and to let me know that the e-mails were being sent incorrectly. While this is not active use, it is definitely passive use.

There is no logging mechanism (that I am aware of) where website Administrators can know who is accessing the ward website. I would dearly like to see website access and use logs. Access logs could help in a lot of ways, from knowing where to focus and improve communication to enlisting the help of those who are most involved with the website. And, obviously, they could answer questions like the one in this thread.

dmaynes · #15

lajackson wrote:But isn't the MRN the key to the account? Retrieving a password, etc.?

If a new login is created for the MRN, would the imposter be able to get into the account without guessing the new login?

The username of the LDS Account can be retrieved by using the MRN and the confirmation date.

Once the username is retrieved, the account hijacker reasserts control of the account by claiming to have forgotten the e-mail address that is bound to the account. But, a notification that the e-mail address has been changed will be sent to the old e-mail address. So, the account hijacker cannot operate surreptitiously without being discovered. This is why the LDS Account is more secure than the old LUWS Account.

russellhltn · #16

dmaynes wrote:The e-mail address registered for the LUWS Account was that of another individual known by the ward member. We are quite certain that we know the identity of the impostor.

Well, that certainly changes things!

Good luck. I hope the church does have a way to change the MRN as that would be the best way to lock them out.

aebrown · #17

dmaynes wrote:The username of the LDS Account can be retrieved by using the MRN and the confirmation date.

Once the username is retrieved, the account hijacker reasserts control of the account by claiming to have forgotten the e-mail address that is bound to the account. But, a notification that the e-mail address has been changed will be sent to the old e-mail address. So, the account hijacker cannot operate surreptitiously without being discovered. This is why the LDS Account is more secure than the old LUWS Account.

Once an LDS Account exists for a given MRN, the LUWS account can no longer be used to login to LUWS. Although the LDS Account could still be hijacked, as you mentioned, it could not be done surreptitiously. So it seems like it would be wise for the member to create an LDS Account right away.

dmaynes · #18

RussellHltn wrote:I hope the church does have a way to change the MRN as that would be the best way to lock them out.

Actually, MRN's are not that hard to discover. And, changing MRN's could have wide implications.

I would prefer that there was an ability to "LOCK" the LDS Account against hijacking (i.e., resetting the e-mail address on the account without using a password) and require that a trusted third party, such as a bishop, hold the key for resetting the e-mail address so that the ward member could then follow the normal routine for resetting the password.

In other words, when the account is "LOCKED" the e-mail address can only be reset by a trusted person who verifies that the individual attempting to gain control of the account is indeed the proper account holder. The "LOCKED/UNLOCKED" status would be an account attribute and it would be modified using the normal account maintenance function by the account holder.

I believe this would provide the best security within the existing design. It would be better than having headquarters perform e-mail reset operations, because (1) the work is distributed, and (2) the person performing the account reset can verify the identity of the requester.

mkmurray · #19

dmaynes wrote:I would prefer that there was an ability to "LOCK" the LDS Account against hijacking (i.e., resetting the e-mail address on the account without using a password) and require that a trusted third party, such as a bishop, hold the key for resetting the e-mail address so that the ward member could then follow the normal routine for resetting the password.

* emphasis added *

Or maybe one of the Ward Website Administrators.

dmaynes · #20

mkmurray wrote:Or maybe one of the Ward Website Administrators.

I thought about that, but the LDS Account is a centralized account that provides access to many different functions, some of which could be very sensitive. The LUWS is only one of those functions. It is never good security design to allow an individual to maintain functionality that grants access to secure information beyond that individual's trust domain or responsibility.

A truly wicked person could hijack the LDS Account of a bishop or stake president and cause all sorts of trouble. There is reason to believe this could happen because at least one person in a position of trust has compromised the security of the Church Handbook of Instructions, volume 1.