Service NSW Account Security Update

Email received a short while ago, in part:

On 26 October 2023, we’re launching new security features that will help you better protect your identity information from cyber criminals.

What these security improvements mean

When you log in to your MyServiceNSW Account, we will:

  • immediately check the dark web for leaked email address and password combinations
  • alert you if we find the email address and password you just used
  • strongly suggest you change your password.

Your information is protected and not disclosed to anyone during this security check.

===========================

I’m not an IT person, but surely hackers lurking on the dark web will see this as a constant supply of validated user names + passwords?

Presumably Service NSW will use some form of encryption, but at some point the actual user and password details must be exposed in the dark web if a search is being done?

4 Likes

Maybe not. Using HIBP as a model, a hint is: ‘HaveIBeenPwned covers over 12 billion stolen records.’

Whilst HIBP is kept up to date with as much data as possible, it contains but a small subset of all the records that have been breached over the years. Many breaches never result in the public release of data and indeed many breaches even go entirely undetected. “Absence of evidence is not evidence of absence” or in other words, just because your email address wasn’t found here doesn’t mean that it hasn’t been compromised in another breach.

The breached accounts sit in Windows Azure table storage which contains nothing more than the email address or username and a list of sites it appeared in breaches on. If you’re interested in the details, it’s all described in Working with 154 million records on Azure Table Storage – the story of Have I Been Pwned

There are more sophisticated ‘providers’ out there for free/sponsored and for pay but I suspect they all generally operate similarly. Considering the scope of ‘doing it’ I suspect Service NSW has a contracted provider that is ‘in that business’.

edit: Your information is protected and not disclosed to anyone during this security check.

4 Likes

What a password is as one enters it for a login is not what is stored on web sites these days that may have data stolen.
It will be a hashed and salted string of bits. It is a one-way function. The original plain text password cannot be derived from the hashed result (unless you have a supercomputer and a few centuries to try).
The userid will be plain text. The ‘password’ will be the hashed bit in plain text.

The ‘dark web’ is just sites that are not searchable by search engines, and one needs to know the IP address. Some are marketplaces for procured userids and associated password hashes, and these are well known and searchable.

HIBP searches these sites as @PhilT says. I note that other security providers like Norton offer similar services.

1 Like

I still like getting alerts from Apple as I access “passwords” in the settings app or keychain…. And I’ve just looked again… UGH 149 changes needed. Also, since I have taken up iCloud+, I’ve had access to “Hide My Email” and that is another way of achieving security, so for the 149 I’ll be changing emails too.

1 Like

For what it’s worth, I received the same email.

The very first question you should be asking yourself is: Is this email even legitimate?

Any email that you receive unsolicited that is talking about security, validation, passwords, … etc. should be viewed with suspicion until you have satisfied yourself that it is legit.

However since it is not asking you to do anything and you can’t control this behaviour anyway, the email itself looks low risk.

For me the obvious risk is that scammers see this email and start sending out similar emails but which are subtly different (such as requiring you to choose whether to opt in or opt out of this checking).

I had some reservations about the actual change from ServiceNSW. I would rather manage my own security, thanks. I was tempted to ditch my current ServiceNSW account which happens to associate with a simple email address (for historical reasons) and change ServiceNSW over to a unique complex email address (as I have with many other entities that I deal with) - since ServiceNSW are going to be doing who knows what with my email address.

The only assurance is the one that you quote (“Your information is protected and not disclosed to anyone during this security check.”) but it is not transparent or auditable.

Probably ServiceNSW will download whatever they can from the dark web and then search their downloaded copy. In some cases a criminal organisation may have been busted and their data stolen by law enforcement. They may use trusted third parties. Who can say?

It is easy to find lists of the most common passwords on the web, even the non-dark web. (However ServiceNSW really ought to be rejecting such a password up front.)

Sure, that applies if a data breach of the underlying authentication data has occurred. However what you can buy on the dark web are valid combinations of usernames and plaintext passwords i.e. usable information for the purchaser. These could be obtained from:

  • compromised servers
  • compromised clients (user computers)
  • a breach of the underlying data and running lists of common or obvious passwords through the hashing algorithm to check (which takes much less than a few centuries but of course only breaks poorly chosen passwords)
  • maybe in some circumstances compromised email (which could be at either end).

Perhaps there are even a few web sites that are still not salting and hashing? Would it actually be against the law not to? Probably in selected industries and selected situations it would be against the law but for all random low importance web sites? And if a web site is not up to ‘best practice’, how would you know?
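An added example, not code from this thread or any site it mentions, putting together two points made above: the earlier post's description of salted one-way hashing (the stored record lets a site test a password but not recover it), and this post's point that a public common-password list can still be run through the hash, which is why rejecting such passwords up front matters. The common-password set is a constructed stand-in, and the iteration count is an assumption following OWASP's published guidance.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a public "most common passwords" list; a real
# deployment would load a much larger list (or a breach corpus) here.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# PBKDF2-HMAC-SHA256 work factor; 600,000 follows OWASP's 2023 guidance.
ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> dict:
    """Register a password: reject common ones up front, then store only a
    random per-user salt and the derived key, never the plaintext."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on a common-password list; choose another")
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": dk.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Log in: re-derive with the stored salt and compare in constant time.
    The original password cannot be read out of the record, only tested."""
    dk = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(dk.hex(), record["hash"])
```

Because each user gets a fresh salt, the same password produces a different record every time, so a stolen table cannot be matched against a single precomputed list of hashes.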

I would think that the usual source of userid/password combinations would be simple phishing. Getting users to reveal their passwords.

Much easier than trying to guess a password to see if it matches a hashed value.

Could there be sites out there that store passwords in plain text? One does not know. But I know of at least one that leaked my password onto the dark web a decade ago. LinkedIn.

1 Like

:+1:
That too.

All of these are happening.