[OWASP-Security101] Application Help Desk with Confidential Information

Greg Merideth gmerideth at uclnj.com
Thu Nov 13 23:33:17 UTC 2014


For a health insurance data collection system I set up a registration system that requires a two-factor key along with the client's credentials.  In the case where users don't have smartphones I wrote a Windows .NET app they can download that mirrors what the cell phone authentication system does.  I assumed any path will be compromised so I made each link one-time use.

Anyone accessing a client's email will find that none of the links in any email message work even with the one-time key.  When an internal rep wants the end user to update their information a one-time link is generated and the user 2FA's in and updates the data.  It's a trade-off between users' browsers crashing and needing a new link and their PII data leaking from our end.

That and the usual encrypted passwords and social-security numbers in the database.

We also don't allow password resets - a password reset request goes to an internal team member who verifies over the phone or other methods who that person is and then sends a link to reset either the password or the 2FA code.

-----Original Message-----
From: Tomás Gutiérrez [mailto:tomas.gutierrez at scalablepath.com] 
Sent: Friday, November 7, 2014 9:23 AM
To: security101 at lists.owasp.org
Subject: [OWASP-Security101] Application Help Desk with Confidential Information

Hi everyone,

I'm working on a project with the following topology:

   - Web application where end-users can submit a request containing PII data
   - Backend where organizational users can process the requests
   - Need to interact with end-users through secure channels to correct/validate confidential data

Currently investigating:

   - Voltage SecureMail <http://www.voltage.com/products/securemail/>
      - Nutshell: MX server --> Encrypts message && stores in their system --> Notifies user with public key & message attachment --> requires user to create an account in their system & validate identity (email validation) --> Decrypts message & displays content (on their system) --> Allows response (same manner as before)
      - ~$6k & $600/yr thereafter
   - Zendesk
      - Pending technical discussion on PII data - not very hopeful
   - Homegrown encrypted message exchange which sends a link to the end user, and requires challenge from PII to interact with thread - just an idea at this time

Haven't found anything that I love so far.

Thoughts from the community? Would be interested in comments on the above, or any new ideas for this type of security pattern.

Happy Friday!

Tomás
http://about.me/tomas.gutierrez
_______________________________________________
Security101 mailing list
Security101 at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/security101
List Run By OWASP
List Admin: Michael.Coates at owasp.org
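The one-time link plus second factor pattern Greg describes above (a link that is consumed on first use and only works together with the user's 2FA code), as an added example that is not part of either post. It assumes an RFC 6238 TOTP second factor and a constructed in-memory store; the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the code an authenticator app computes."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OneTimeLinkStore:
    """Single-use, expiring links bound to one user and one purpose (hypothetical).

    Only a SHA-256 digest of the token is kept, so a copy of this table
    contains nothing that can be pasted into a URL.
    """

    def __init__(self, totp_secrets: dict, ttl_seconds: int = 900):
        self._totp_secrets = totp_secrets   # user_id -> enrolled TOTP secret (constructed)
        self._ttl = ttl_seconds
        self._pending = {}                  # digest -> (user_id, purpose, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, purpose: str, now: float) -> str:
        """Mint the token the internal rep's link carries; 'now' is injected for testing."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, purpose, now + self._ttl)
        return token

    def redeem(self, token: str, purpose: str, code: str, now: float):
        """Return user_id on success, else None. The link is consumed on the first
        attempt whatever the outcome, so a link lifted from a mailbox is worthless
        without the current 2FA code and is gone after one try."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, issued_purpose, expires_at = entry
        if now > expires_at or issued_purpose != purpose:
            return None
        expected = totp(self._totp_secrets[user_id], now)
        return user_id if hmac.compare_digest(expected, code) else None
```

A browser crash after the first click burns the link, exactly the trade-off Greg accepts; the rep then issues a fresh one.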