
I was thinking about this earlier this morning and was wondering why websites and devices don't offer fake logins for hackers? What I mean by that is that if a hacker finds out some of your details and tries to log in to a website (for example) the website will show that you have successfully logged in but will show dummy data that is completely fake.

That way the hacker won't know if they have got the login details correct or not. It will also protect people in a security situation. For instance, imagine a criminal has stolen someone's phone and realises he can't access it. He then points a gun at the owner who then types in part of their details correctly but some of them incorrectly. The device unlocks in fake mode, and the criminal then thinks they have access and they decide not to shoot the person because they have complied with their wishes. But the criminal never knows that what they see is just a fake login.

Has anyone implemented something like this? It seems like quite a good idea to me.

Cromulent
  • 1) Why do device/site owners need to do anything? Why can't users set this up for themselves? 2) If it is known that the device/site does this, then won't the attackers try to verify that they have true access? 3) Your approach does not survive [Kerckhoffs's principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle). – schroeder Jun 01 '18 at 12:55
  • Would this not fall under "security by obscurity"? I feel like it would just give the owners a false sense of security, in all honesty. –  Jun 01 '18 at 13:07
  • This is crappy for human hackers, but it can work decently well for unsophisticated bots. A site I administer uses fake POST submission forms to catch spambots and it works kinda well. – forest Jun 01 '18 at 13:22
  • If it is a known system, then the criminal just smiles, loads the gun and continues with: "Right, now the real one" - "It is!" - "Liar!" *BANG* And unfortunately, it was. I don't see what security this gives. – Guillaume Beauvois Jun 01 '18 at 13:49
  • How does the website know that the user is a hacker and not the actual user? Is this referring to cases where a (non-Chinese) user logs in from China or something like that? – SethWhite Jun 01 '18 at 14:26
  • What if I just mistype my password? I don't want to be logged into fake mode. I want to know I entered my password incorrectly. – Tom Bowen Jun 01 '18 at 15:21
  • How often do criminals ask victims to log into their accounts at gunpoint? This sounds like an extreme edge case that would just cause unnecessary confusion in the general case. I'm far more likely to mistype my password (happens several times a day) than get held up (hasn't happened yet). – Seth R Jun 01 '18 at 17:36
  • This is a [honey pot](https://en.wikipedia.org/wiki/Honeypot_(computing)) – crthompson Jun 01 '18 at 17:59
  • @SethR: actually I've heard about that in the news a couple of times, so it does happen. I don't think it's for ID theft, more so that the phone can be reset and sold. – dandavis Jun 01 '18 at 19:59
  • @Tom.Bowen89 the way around that concern would be a security image - an icon is displayed after you log in, and only the "real" user knows if it's the right one. If I select an image of a cat as my security image, and I log in and see a butterfly, I know I typed the password wrong. (Not trying to make an argument for the OP's approach in general, just addressing your specific concern.) – dwizum Jun 01 '18 at 20:43
  • This does exist, [MobileSitter by Fraunhofer Institute](https://www.sit.fraunhofer.de/en/imobilesitter/?cHash=c055727af39b2fb3d6e6e15111b4e2ac&wmc=SM_TW) (not affiliated) is one example I know of. They solve the problem in exactly the way @dwizum commented, by providing a visual clue (or you just memorise one password in the password manager and check it). – Narusan Jun 01 '18 at 22:04
  • As far as I know, this is implemented in some door locks. There are two codes: one for regular usage and one for forced opening, which will also open the door but notify guards/police. – val is still with Monica Jun 02 '18 at 15:57
  • @SethWhite That is simple, you only need to check if the evil bit is set https://tools.ietf.org/html/rfc3514 – rypskar Jun 04 '18 at 08:47
  • @SethR Clearly you just aren't important enough :P – Pharap Jun 04 '18 at 14:00
  • Actually, this has been implemented. ESET anti-theft made a second Windows account on my computer. It's unlocked and if a hacker takes the bait and clicks on it, ESET will take a picture of them, notify me, and start tracking my computer. – Byte11 Jun 04 '18 at 20:34
  • Related: [Is it possible make brute-force attacks ineffective by giving false positive answers to failed log-in attempts?](https://security.stackexchange.com/questions/129898/is-it-possible-make-brute-force-attacks-ineffective-by-giving-false-positive-ans) – John Wu Jun 05 '18 at 01:42

11 Answers


> That way the hacker won't know if they have got the login details correct or not.

If the information presented after login has no relationship to the person who the login should be for, then most hackers will quickly recognize that the login is probably not the real one.

But, in order to show information which looks like it fits the user, considerable effort could be needed. It also needs to be created specifically for each user and show some true information about the user so it does not look fake but not too much so no important information is leaked.

You cannot expect your provider to do this for you, but you might try to do this yourself in many cases, i.e. add another email account, another Facebook account, etc.

Steffen Ullrich
  • Actually, I see how it could be set up. Don't have a fake login, but rather a real but restricted login. Apps and data would either be open or restricted; if you were in the duress login you would see only those things not marked as restricted. – Loren Pechtel Jun 02 '18 at 00:33
  • @Loren that's a neat idea. The duress login could include limited data (maybe a few old documents) and intentionally broken apps. For example, the fake login could have an online banking app that looks real, but that always crashes. Mobile data could be restricted ("Sorry, you've used all your data for this month"), and apps could then whine about how they won't work until they can connect to the Internet. – Robert Columbia Jun 02 '18 at 02:46
  • @RobertColumbia The tactics would be known, you can't use things like that. But have the banking app on the restricted list--with the duress code you simply don't see it. So long as you use apps for the sensitive stuff, even someone who knows how the system works can't tell if it's the duress code or not other than by rooting the phone. If you want to make it even more secure there are two duress codes--if the second is used the entire sensitive dataset is deleted. (Use the first on the snoopy official, the second if arrested.) – Loren Pechtel Jun 02 '18 at 03:30
  • That's not so difficult to achieve: **ask the users** to do it for themselves. For example, when you create a Facebook account then FB can prompt you to create your "dummy profile" in case you are compromised. Still I think hackers will know it's fake and, since it is a well-known feature for all its users, it won't have any effect. – Gabo Alvarez Jun 02 '18 at 18:46
  • Even when access is granted to obviously fake data, that data still has to be processed to determine that it is fake, making it take longer for the hacker to gain access to the real data. – Clearer Jun 04 '18 at 07:02
  • This would be terribly confusing to the users. You'd better know your audience. – Ryan Leach Jun 04 '18 at 07:28

The concept you're describing is called Plausible Deniability and methods to provide it have indeed been implemented in some software, VeraCrypt being one example.

One problem with implementing it in websites, as you suggest, is that it's very hard for the website developer to come up with fake data that is realistic enough to fool an attacker while not giving away any sensitive data about the user. In encryption software like VeraCrypt, that task is shifted to the user, who is obviously in a much better position to do that.

TheWolf
  • I don't think that's what plausible deniability is. Honeypot != plausible deniability. – forest Jun 01 '18 at 13:22
  • @forest: The question is a bit confused, because it describes a honeypot but the use case (criminal pointing a gun at the phone's owner) demands plausible deniability. This answer addresses the use case. – Ben Voigt Jun 01 '18 at 14:12
  • @BenVoigt that's still not what plausible deniability is – Kevin Jun 01 '18 at 17:33
  • @Kevin: It's exactly what the term "plausible deniability" means in the context of cryptosystems. In addition to VeraCrypt which this answer mentioned, see also LUKS, TrueCrypt. – Ben Voigt Jun 01 '18 at 18:59
  • @Kevin where it comes to cryptosystems, plausible deniability essentially means that when forced to provide access to content secured by a password/encryption, once I provide that access (give my account credentials, enter password/decryption key), I can claim that I've given access to the content I've secured and the adversary cannot reasonably prove otherwise. I can plausibly deny that the real data is still hidden behind yet another key/credential and that I've actually provided access to the real data (or all the data that's available). – iheanyi Jun 01 '18 at 20:00
  • @BenVoigt I learned something new. Wasn't aware that this term was used this way in cryptography. – Kevin Jun 03 '18 at 03:15

**Because hackers don't attack login forms**

The flaw is that you assume hackers get into accounts by brute-forcing credentials against remote services. But that's futile anyway.

Any website with decent security (the ones without decent security wouldn't care about your idea either) will have a limit imposed on how many failed login attempts can be made in a certain timeframe per IP address, usually something like 5 failed attempts every 6 hours. If security is a bit stronger, accounts might also need action from the owner after a number of failed attempts, and/or the owner might be notified of failed login attempts or even all logins from new devices.

So while brute-force attacks may well be feasible against plain data (such as password hashes exposed in a breach), they are nowhere near feasible against any service with even a bit of security.

For attackers, it is thus much easier to go phishing, or better yet set up a genuine free service themselves and work on the assumption of password reuse:

Siguza
  • Yep! This is why, above all of your other passwords, regardless of your password system, your email password should ALWAYS be unique. – JeffUK Jun 04 '18 at 11:27
  • And "always" means: not even with an account on an obscure phpBB forum from 2001. Or an Android application that asks for a username/password even if you used it for 5 minutes. Or an old torrent tracker. Especially with Android apps, since an app can request the mail of all device accounts and then check them with the used password. – Drag and Drop Jun 05 '18 at 14:10
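The controls this answer describes, as an added example that is not from the answer or from any real service: a sliding per-IP window of 5 failed attempts per 6 hours, a temporary per-account lock after repeated failures, and a notification to the owner on login from an unseen device. The user table, the IP addresses, the device ids and the per-account numbers are constructed assumptions.

```python
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

IP_MAX_FAILURES = 5              # the answer's example: 5 failed attempts ...
IP_WINDOW_SECONDS = 6 * 60 * 60  # ... every 6 hours, per IP address
ACCOUNT_MAX_FAILURES = 3         # assumed value for the per-account lock
ACCOUNT_LOCK_SECONDS = 30 * 60   # assumed lock duration

# Constructed user table: username -> (password, known device ids).
# A real system stores a salted password hash; plaintext only keeps the demo short.
USERS: Dict[str, Tuple[str, Set[str]]] = {"alice": ("correct horse", {"laptop-1"})}


@dataclass
class LoginGuard:
    ip_failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    account_failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    account_locked_until: Dict[str, float] = field(default_factory=dict)
    notifications: List[str] = field(default_factory=list)  # what the owner would be told

    def _ip_blocked(self, ip: str, now: float) -> bool:
        q = self.ip_failures[ip]
        while q and now - q[0] > IP_WINDOW_SECONDS:  # sliding window: forget old failures
            q.popleft()
        return len(q) >= IP_MAX_FAILURES

    def attempt(self, user: str, password: str, ip: str, device: str, now: float) -> str:
        """Return 'ok', 'denied', 'ip_blocked' or 'account_locked'."""
        if self._ip_blocked(ip, now):
            return "ip_blocked"
        if self.account_locked_until.get(user, 0.0) > now:
            return "account_locked"
        record = USERS.get(user)
        # Same 'denied' answer for an unknown user and a wrong password, and a
        # constant-time comparison, so the response leaks as little as possible.
        ok = record is not None and hmac.compare_digest(record[0].encode(), password.encode())
        if not ok:
            self.ip_failures[ip].append(now)
            self.account_failures[user] += 1
            if self.account_failures[user] >= ACCOUNT_MAX_FAILURES:
                self.account_locked_until[user] = now + ACCOUNT_LOCK_SECONDS
                self.account_failures[user] = 0
                self.notifications.append(f"{user}: locked after repeated failures from {ip}")
            return "denied"
        self.account_failures[user] = 0
        if device not in record[1]:  # first login from this device: tell the owner
            record[1].add(device)
            self.notifications.append(f"{user}: login from new device {device}")
        return "ok"
```

The timestamps are passed in explicitly so the window and lock expiry can be exercised without waiting.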

I have never heard of any service or device implementing this either.

The case where an attacker is present and forcing you to login is pretty unlikely. They are more likely to just take your $1000 iPhone and run.

However, it is very plausible for this to happen if the "attacker" is a security guard/TSA officer at an airport security checkpoint. Especially if you are in a foreign country. (There was a PHENOMENAL Defcon talk on this subject a few years back.)

**Websites**

It probably wouldn't make much sense to implement this on a website. If you (the admin) are certain that someone who is attempting to access an account is a hacker, just block them/lock the account. Problem solved.

If the attacker is trying to access multiple accounts, they will probably know something is fishy if they are able to "successfully" login to multiple accounts on the first or second try.

**Phones**

While phones don't allow fake logins (?), you can set them to lock after the password isn't entered correctly n times.

Attacker/TSA agent tells you to unlock phone. You intentionally enter wrong password on 1st try.

"Oh, oops, wrong password..."

You enter the wrong password again on the 2nd try.

"Sorry, my hands get sweaty when I am nervous..."

You enter wrong password on 3rd try. Phone is now locked for 30 minutes!

This of course will not work if you are reciting the password to the attacker, and they are entering it in the phone. And I think most phone lockouts only last for 30 minutes (?), during which time the attacker/TSA agent will do their best to "convince" you to remember the password in a back room.

**Laptops**

Your suggestion would be relatively easy to implement on a laptop...

Create 2 or more user profiles.

The first profile you name after yourself (first and last name). You set a picture of yourself as the profile picture. This will be your "fake" account. Set the password as something simple and easy to remember. Put some "personal stuff" in the account (music, pictures of your pet, "work" documents, etc).

The second account you give a generic family member name ("hubby", "the kids", "honey", etc). Keep the default profile picture. Set a strong password. This will be the account with admin privileges on the laptop, and the account which you will use for your important/confidential work.

Now imagine a scenario in which you are forced to login...

You are in an airport in Oceania, about to fly home to Eurasia. Airport security stop you on your way through the terminal.

Security: "Give us your passport and laptop!"

You hand them the laptop and passport. They turn on laptop, and try to login to the account which you named after yourself. Upon seeing they need a password, they demand you tell them the password.

You: "The password is opensea. No spaces."

The airport security enter the password, and successfully enter your fake account.

After looking around for a few minutes and not finding anything that interests them, they log out and try to login to your real account.

Security: "Whose account is this? What is the password?"

You: "That is my kids' account. The password is 123dogs."

They enter the password, but are unable to login.

Security: "That password is wrong! Tell us the correct password!"

You act surprised, and ask them to give you the laptop so you can attempt to login. They hand you the laptop, and you start typing in bogus passwords.

You: "Those darn kids, I told them NOT to change the password! I'm sorry, they were only supposed to use that account for their stupid video games!"

The airport security confer with each other, and then let you go on your way. You safely return to Eurasia without having the confidential information on your laptop compromised.

sam
  • Will airport security in Oceania even allow you to fly to Eurasia? I thought Oceania has always been at war with Eurasia. – Robert Columbia Jun 02 '18 at 02:50
  • People keep devising increasingly clever technical means to defeat a potential request to unlock a phone/laptop/data carrier at a border/airport inspection but I don't see how any of this helps. You might just as well flat-out refuse to give them your password. You might end up in detention or being refused entry but that could also happen while deliberately trying to lock your phone, and playing dumb won't help you. The real solution is to avoid taking any sensitive material over the border. – Relaxed Jun 02 '18 at 09:30
  • VeraCrypt is an example of a program which implements it - you can set up an alternate password which will uncover only a fake part of the data – Sebi Jun 02 '18 at 13:18
  • In real life, it is however much more likely that instead of "letting you go on your way" they will confiscate the equipment and give it to their forensic analysts, detain you, and put you permanently on a "possible terrorist" list. [Or worse.](https://www.xkcd.com/538/) – Matija Nalis Jun 03 '18 at 19:49
  • Ledger Nano cryptocurrency wallets also support doing this - allowing you to enter a passcode to enter layer 1 of the wallet, but with the option of specifying an additional layer 2 where your real keys are kept. This way you can keep a few dollars in layer 1 for if someone forced you to unlock it. – Simon East Jun 04 '18 at 06:15
  • @RobertColumbia "_I thought Oceania has always been at war with Eurasia_" They have. Until Oceania makes peace with Eurasia, then [_they will always have been at war with Eastasia_](https://en.wikipedia.org/wiki/Nations_of_Nineteen_Eighty-Four#International_relations). – TripeHound Jun 04 '18 at 09:16
  • After logging in to the fake computer account, how do you justify that it doesn't have admin/sudo privileges? – Nemo Jun 04 '18 at 20:43
  • @TripeHound would you like a chocolate biscuit with your nutmeg-spiced Victory Gin? The chocolate rations have just been upped to 2 mg per person per year! BTW, nice hole you have there in the back of your head. – leftaroundabout Jun 05 '18 at 09:42
  • @Nemo all your admin/sudo privileges are locked away in an "Administrator" account which you happily claim complete ignorance of. "My husband set it up years ago, I've never known the password" – Ruadhan2300 Jun 05 '18 at 13:48

It's not exactly the context you had in mind but there are in fact systems which implemented this idea. I used to work at a (somewhat sensitive) facility where each employee had two codes to disable the alarm system: the regular one and a duress code. If you used the duress code, the system would be disabled so as to not put you in danger, but a silent alarm would go off at the monitoring centre. I am reading on Wikipedia that this was also considered for bank ATMs in the US but ultimately ruled out.

Another similar concept is the “honeypot”. Some of them might in fact accept any credentials or serve dummy data when attacked, to be able to record what an attacker does next or otherwise exploit the situation (e.g. capture the payload of a worm).

As to why it's not more common in consumer products, online services, etc. there is simply a trade-off between the benefits (how likely a particular attack is, whether it would effectively deter criminals or just prompt them to slightly alter their technique) and the costs (more complex systems to develop, maintain and certify - which also means increased attack surface that could afford an attacker with an actual entry point, bandwidth and operating costs to serve the dummy data to all botnets constantly attacking online services, effort to create credible dummy data to fool more sophisticated attacks).

Relaxed
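The two-code scheme this answer describes, as an added example that is not from the page or from any alarm product: both codes disarm the panel with the same visible response, and only the duress code additionally queues a silent alarm for the monitoring centre. The PINs, the work factor and the class name are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List

PBKDF2_ROUNDS = 100_000  # assumed work factor; slows offline guessing if a code hash leaks


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AlarmPanel:
    salt: bytes
    normal_hash: bytes
    duress_hash: bytes
    armed: bool = True
    silent_alarms: List[str] = field(default_factory=list)  # for the monitoring centre, never the keypad

    @classmethod
    def enrol(cls, normal_pin: str, duress_pin: str) -> "AlarmPanel":
        """Store both codes hashed. A duress code equal to the normal code cannot signal anything."""
        if normal_pin == duress_pin:
            raise ValueError("duress code must differ from the normal code")
        salt = os.urandom(16)
        return cls(salt, _hash_pin(normal_pin, salt), _hash_pin(duress_pin, salt))

    def disarm(self, pin: str, who: str = "employee") -> str:
        """Return 'disarmed' or 'rejected'. The keypad shows the same result for either valid code."""
        h = _hash_pin(pin, self.salt)
        # Evaluate both comparisons unconditionally so timing does not reveal which code matched.
        is_normal = hmac.compare_digest(h, self.normal_hash)
        is_duress = hmac.compare_digest(h, self.duress_hash)
        if not (is_normal or is_duress):
            return "rejected"
        self.armed = False  # disarm either way, so the person under duress is not endangered
        if is_duress:
            self.silent_alarms.append(f"duress code used by {who}")
        return "disarmed"
```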

This is called 'Deception Technology' in the cyber world, where the solution deceives cyber foes (attackers) with turn-key decoys (traps) that “imitate” your true assets. Hundreds or thousands of traps can be deployed with little effort, creating a virtual minefield for cyber attacks, alerting you to any malicious activity with actionable intelligence immediately. The traps would carry login details, dummy data, dummy systems, etc. to deceive the attacker by imitating the actual system.

Deception technology is an emerging category of cyber security defense. Deception technology products can detect, analyze, and defend against zero-day (where the attack type/procedure is not known before) and advanced attacks, often in real time. They are automated, accurate, and provide insight into malicious activity within internal networks which may be unseen by other types of cyber defense. Deception technology enables a more proactive security posture by seeking to deceive the attackers, detect them and then defeat them, allowing the enterprise to return to normal operations.

You may refer to the link below for some solution providers: https://www.firecompass.com/blog/top-5-emerging-deception-technology-vendors-at-rsa-conference-2017/

Sayan

This has been done in the past, rather successfully, but depends a lot on what the system is.

At one point it was not uncommon for paid access websites to auto detect when an account was logging in from too many IP addresses or with other suspicious patterns and redirect those users to a version of the site that was primarily ads and affiliate links to other sites. If done well the sharing of stolen login credentials could become a revenue center.

There are also websites that direct users to different versions based on IP address or other criteria; the simplest version of this is targeted advertising.

For shell access it's possible to direct a login to a chrooted jail that has only a small section of disk and specially provisioned binaries, which may not necessarily be the same as the general system.

arp

First off, I wouldn't call the attacker in this scenario a hacker. A hacker is trying to get around the security that the website offers; in your scenario the attacker doesn't care how secure your services are, he cares how easily the user is intimidated and possibly what to do with the body afterwards.

Secondly, alternate credentials that change your access have been done, but if it does more than present a restricted view of the truth, it is a lot of work and of limited utility.

The reason it is of limited utility is that because your users know about it, you must presume that any attacker knows about it as well. Suppose you did this for an ATM card so that it showed a balance that was less than a hundred dollars in order to limit your loss. Either the attacker asks for both (in which case the victim has at best a 50% chance of not losing more) or simply includes as part of his demands that it produces more than that -- "if I don't get at least 200 you're dead".

It's not totally useless, but is only effective against an ignorant attacker. Relying upon the attacker not knowing something is called security through obscurity, aka "they got it".

jmoreno

For the web and a remote attack, as many folks here stated before, apart from the difficulty of creating fake user content, there is the problem of: how do you know it's a compromised login?

I mean, if you assume there is some sort of suspicious activity, like a brute-force attack, you can just block the login for that IP and maybe for that account itself for a while (until the real owner somehow validates their identity).

The only useful cases are forced logins; that's another story and a pretty clever idea. Here is the implementation I imagine for a social network:

  1. The user creates an account with dummy data, and sets it as their dummy account.
  2. When there is a forced login going on, like your jealous gf or bf extorting you to log in, then you put in the dummy password and there you are! You are logged into your beautiful self-created dummy account.

BUT it's not a perfect solution either. The attacker probably would know you and, if it's your crazy ex for instance, she may just check her chat log with you and will know you just logged on to the bogus account.

This is especially relevant because it will be a publicly well-known feature of the platform you are on, so anybody who forces you would be able to check whether it's you or not.

For banks or other sites, it's a pretty good idea.

Gabo Alvarez

The problem is that your users have to know about it, thus you must presume that any attacker knows about it as well.


To me, this sounds as if you were inviting the attacker to dance with you.

"Hey attacker, you want to hack my website? Well here is a fake login web site for you!"

You certainly do not want to invite the attacker to dance with you because he might find it amusing and challenging which would give him even more motivation to try to hack into your website.

aks