[OWASP-Security101] Application Help Desk with Confidential Information

Greg Merideth gmerideth at uclnj.com
Thu Nov 13 23:33:17 UTC 2014

For a health insurance data collection system I set up a registration system that requires a two-factor key along with the client's credentials. In the case where users don't have smartphones I wrote a Windows .NET app they can download that mirrors what the cell phone authentication system does. I assumed any path will be compromised so I made each link one-time use.

Anyone accessing a client's email will find that none of the links in any email message work, even with the one-time key. When an internal rep wants the end user to update their information, a one-time link is generated and the user 2FA's in and updates the data. It's a trade-off between users' browsers crashing and needing a new link and their PII data leaking from our end.

That and the usual encrypted passwords and social-security numbers in the database.

We also don't allow password resets - a password reset request goes to an internal team member who verifies over the phone or other methods who that person is and then sends a link to reset either the password or the 2FA code.

-----Original Message-----
From: Tomás Gutiérrez [mailto:tomas.gutierrez at scalablepath.com]
Sent: Friday, November 7, 2014 9:23 AM
To: security101 at lists.owasp.org
Subject: [OWASP-Security101] Application Help Desk with Confidential Information

Hi everyone,

I'm working on a project with the following topology:

   - Web application where end-users can submit a request containing PII
   - Backend where organizational users can process the requests
   - Need to interact with end-users through secure channels to
   correct/validate confidential data

Currently investigating:

   - Voltage SecureMail <http://www.voltage.com/products/securemail/>
      - Nutshell: MX server --> Encrypts message && stores in their system
      --> Notifies user with public key & message attachment --> requires user to
      create an account in their system & validate identity (email validation)
      --> Decrypts message & displays content (on their system) --> Allows
      response (same manner as before)
      - ~$6k & $600/yr thereafter
   - Zendesk
      - Pending technical discussion on PII data - not very hopeful
   - Homegrown encrypted message exchange which sends a link to the end
   user, and requires challenge from PII to interact with thread - just an
   idea at this time

Haven't found anything that I love so far.

Thoughts from the community? Would be interested in comments on the above, or any new ideas for this type of security pattern.

Happy Friday!

Security101 mailing list
Security101 at lists.owasp.org
List Run By OWASP
List Admin: Michael.Coates at owasp.org
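The one-time link plus second factor flow Greg describes, written out as an added example that is not code from the original thread or from either poster. It assumes a TOTP second factor (RFC 6238, HMAC-SHA1) standing in for whatever Greg's phone app and .NET mirror actually do, an in-memory store (a real deployment would use a database with an atomic "mark used" update), and that the user's password has already been checked before the link is redeemed. The server keeps only a hash of the token, so a database dump does not yield working links, and the link is burned on its first presentation whether or not the second factor succeeds, which is the trade-off Greg mentions: a crashed browser costs the user a fresh link, but someone reading the mailbox gets no retries.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class LinkRecord:
    user_id: str
    expires_at: float   # epoch seconds
    used: bool = False


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; this is the second factor the link requires."""
    counter = int(now) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _fingerprint(token: str) -> str:
    # Only the hash of the token is stored server-side.
    return hashlib.sha256(token.encode()).hexdigest()


def token_from_url(url: str) -> str:
    """Extract the token the user presents when following the emailed link."""
    return parse_qs(urlparse(url).query)["t"][0]


class OneTimeLinkService:
    """Hypothetical service (not Greg's code): issues and redeems single-use update links."""

    def __init__(self, base_url: str):
        self.base_url = base_url
        self._links: dict[str, LinkRecord] = {}    # sha256(token) -> record
        self._totp_secrets: dict[str, bytes] = {}  # user_id -> enrolled 2FA secret

    def enroll_2fa(self, user_id: str, secret: bytes) -> None:
        self._totp_secrets[user_id] = secret

    def issue(self, user_id: str, now: float, ttl: int = 900) -> str:
        """Called when an internal rep asks the user to update their data."""
        token = secrets.token_urlsafe(32)            # 256 bits of entropy, URL-safe
        self._links[_fingerprint(token)] = LinkRecord(user_id, now + ttl)
        return f"{self.base_url}/update?t={token}"

    def redeem(self, token: str, totp_code: str, now: float) -> tuple[bool, str]:
        """Returns (ok, user_id) on success or (False, reason) otherwise."""
        rec = self._links.get(_fingerprint(token))
        if rec is None:
            return False, "unknown link"
        if rec.used:
            return False, "link already used"
        if now > rec.expires_at:
            return False, "link expired"
        secret = self._totp_secrets.get(rec.user_id)
        if secret is None:
            return False, "user not enrolled"
        # Burn the link before checking the second factor: a wrong code also
        # consumes it, so a leaked link gives an attacker exactly one guess.
        rec.used = True
        expected = totp(secret, now).encode()
        if not hmac.compare_digest(expected, totp_code.encode()):
            return False, "bad 2FA code"
        return True, rec.user_id


if __name__ == "__main__":
    # Constructed walk-through using the RFC 6238 reference secret.
    svc = OneTimeLinkService("https://portal.example")
    svc.enroll_2fa("user-42", b"12345678901234567890")
    url = svc.issue("user-42", now=0)
    tok = token_from_url(url)
    print(svc.redeem(tok, totp(b"12345678901234567890", 59), now=59))  # (True, 'user-42')
    print(svc.redeem(tok, totp(b"12345678901234567890", 59), now=59))  # (False, 'link already used')
```

The `totp` helper is checked against the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082` for six digits), so the second-factor step can be exercised without a phone. The password-reset path Greg describes is deliberately not automated here; only a rep who has verified the caller would call `issue`.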
