Jay Heiser

A member of the Gartner Blog Network

When Was Your Last Login?

by Jay Heiser  |  June 7, 2011  |  1 Comment

Back in the days of modems and character-based terminals, it was normal practice to provide information about the previous login as part of the login sequence. This was trivially easy to implement on old-fashioned Unix, but it quickly faded from practice as graphical user interfaces became the norm. Instead of continuing this cheap and effective security practice, the world has moved on. And the world is the poorer for it.

Multiple security failures related to logins have come to light over the last several weeks.  Google has reported that their sophisticated (but unspecified) mechanisms have detected misuse of several hundred phished accounts.  After a period of dissembling and vague assurances, it has now been established that the theft of seed material from RSA was instrumental in enabling the attack against Lockheed, and the status of the remaining 40,000,000 SecurID tokens remains a matter of discussion.  A decade after the first feeble attempts to slurp UBS PINs, Trojans such as Zeus are stealing login factors on an industrial scale.  Ultimately, no degree of authentication strength can defeat man-in-the-middle attacks against compromised endpoints. So now what?

Gartner analyst Avivah Litan makes a strong case that providers need to step up their level of fraud detection. I don’t disagree with that, but I think in the interests of defense in depth, it’s time to give the user some ability to monitor the status of their own account, and to expect them to do so. If users were provided with information about their previous login, or better yet, logins, they would be much better prepared to detect misuse of their accounts.

I just checked Yahoo, and I can’t find anything like that.   I don’t see anything like that on Facebook, and LinkedIn doesn’t tell me when I last logged in.  My Recent History on Amazon does show me what books I most recently looked at, but provides no information on my login history.  Gartner’s workstations run on a very common commercial operating system that is constantly asking me for my password, but I don’t remember ever being provided info on my previous login.  I’ve got over 100 different logins, and the only login history I’m aware of is what appears at the bottom of a gmail page.  I can’t remember the last time that any system, corporate or personal, provided me with any sort of obvious message during the login sequence.

It’s time for the past to return to the present. Consumers and corporate users need to be able to defend themselves from a growing variety of increasingly simple attacks against their accounts. A cheap and simple way to enable normal people to detect some degree of account misuse would be to provide login history info, along with some explanation of the purpose and value of reviewing it. Every login sequence on every system should pop up a message saying “You last logged into this account from IP address x.x.x.x and were logged in for a period of X”, along with a suggestion to change your password if you don’t think that’s when you last logged in.
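As an added illustration (not code from the original post), here is a small Python sketch of the last-login notice proposed above, plus a simple rule for deciding when a new login looks unusual enough to warrant a stronger warning. The login records, the RFC 5737 addresses and the "same /24 within 30 days" rule are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class LoginEvent:
    user: str
    src_ip: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open

def fmt_duration(delta: timedelta) -> str:
    hours, rem = divmod(int(delta.total_seconds()), 3600)
    return f"{hours}h{rem // 60:02d}m"

def last_login_notice(history: List[LoginEvent], user: str) -> Optional[str]:
    """Build the notice the post proposes from the most recent completed session."""
    past = [e for e in history if e.user == user and e.end is not None]
    if not past:
        return None  # first login ever: nothing to report yet
    last = max(past, key=lambda e: e.end)
    return (f"You last logged into this account from IP address {last.src_ip} "
            f"on {last.start:%Y-%m-%d %H:%M} and were logged in for "
            f"{fmt_duration(last.end - last.start)}. "
            "If that was not you, change your password now.")

def login_is_unusual(history, user, src_ip, now, window_days=30) -> bool:
    """True when src_ip shares no /24 with any login by user in the window;
    an assumed stand-in for the rule that escalates a routine notice to a red warning."""
    cutoff = now - timedelta(days=window_days)
    recent = [e for e in history if e.user == user and e.start >= cutoff]
    if not recent:
        return False  # no baseline yet, so nothing to compare against
    known = {ip_network(f"{e.src_ip}/24", strict=False) for e in recent}
    return not any(ip_address(src_ip) in net for net in known)

# Constructed sample history (RFC 5737 documentation addresses, not real users)
SAMPLE_NOW = datetime(2011, 6, 7, 12, 0)
SAMPLE_HISTORY = [
    LoginEvent("alice", "203.0.113.10", datetime(2011, 6, 1, 9, 0), datetime(2011, 6, 1, 17, 30)),
    LoginEvent("alice", "203.0.113.12", datetime(2011, 6, 3, 8, 15), datetime(2011, 6, 3, 12, 0)),
    LoginEvent("alice", "198.51.100.7", datetime(2011, 6, 6, 23, 5), datetime(2011, 6, 6, 23, 50)),
    LoginEvent("alice", "203.0.113.10", datetime(2011, 6, 7, 10, 0), None),  # open session
    LoginEvent("bob", "192.0.2.40", datetime(2011, 6, 5, 14, 0), datetime(2011, 6, 5, 14, 20)),
]

if __name__ == "__main__":
    print(last_login_notice(SAMPLE_HISTORY, "alice"))
    print(login_is_unusual(SAMPLE_HISTORY, "alice", "192.0.2.5", SAMPLE_NOW))
```

The open session is deliberately skipped by the notice so the user sees the previous completed login, not the one they are in the middle of.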


Category: security

1 response so far

  Saqib Ali   June 7, 2011 at 2:55 pm

    Jay,

    I don’t think showing the last login info is very useful. Maybe IT folks find it beneficial, but the rest of the world simply ignores those messages. They probably don’t even pay attention to them. Their brains blot out that area of the screen.

    I think what Google does is better. They show warnings in red only when they detect some malicious behaviour. Or yellow warnings for access from multiple locations. I find this way better than just seeing a blanket statement of my previous login each time I login.

    Saqib