The Borderless Communicator
IP communication and mobile computing

January 19, 2007 - Skype - Unwelcome Secondary Logins and Password Theft

Security has always been one of my keenest interests, and it is one of the things about Skype that fascinates me; the combination of P2P avoidance of servers, encryption (of all its media types), invisibility, and firewall hole-punching capability says to me that this is a very secure platform.

I realize of course that usage of Skype in an enterprise environment, while being very secure for an individual user, is insecure for IT management... more about that another time. Mostly I choose to overlook such problems because the overbearing concerns of these bureaucracies are not mine. I am also less concerned about Skype becoming a conduit for viruses and other malware, mainly because I use a Macintosh.

What does concern me about Skype's security is identity theft, and the two problems I will describe below are very serious.

One of Skype's "features" is the ability to log into the same ID from multiple computers concurrently. If a call comes in, the first login to answer it gets the call and the other logged-in users are locked out. Great so far, because it allows me to establish multiple Skype terminals (handsets), any one of which can make or receive calls. There is nothing wrong with multiple login as such. Yahoo Messenger, for one, does it also.

However, Skype handles text differently than voice calling. Text messages are seen by all logged-in users. The contact list is also available to all logged-in users, as are chat history, voicemail, and access to the user profile, including the ability to change information in that profile such as the login password. So let's say you and your spouse (or your kid or your business partner) were sharing a Skype ID.... it's an invitation for that person to spy on you if they know your password. You would never know about it, because Skype does not tell you when or if there is a secondary login under your name, and you might even lose access to your account entirely if they change your password, which they are free to do since they can log into your account.

Or let's say that your enemy does not know your Skype password but does have access to your email account. One day you forget your Skype password and you go to Skype for help. Skype's password retrieval system is set up to send a new password to your registered email address in plaintext... astoundingly... so your enemy simply collects your email, removes the message from your POP server, and from then on only he/she is able to log into your Skype account. All he needs is access to your email and knowledge of your Skype login name. There is nothing you can do about it.

• A secondary login on an ID can change the password, after which the owner of the account will no longer have access..... in other words, the ID can be stolen (chat history, contact list, etc.).
• A new password can be requested with the only requirement that you provide the ID name and the email address. So anybody with access to that email account (the POP password) can fetch a new Skype password..... and the ID can be stolen.
• There is no notification of a secondary login, so the secondary login can see text traffic without the primary login knowing about it.
• If the email with the new password is not received because of an email error (even if it is not stolen), or if the user no longer has access to that email address, then the Skype ID will be lost forever; and if the ID with the new password is discovered or stolen by somebody else, it could be used by the identity thief without the real owner ever knowing.

One solution for this problem, not yet implemented by Skype, is (simply?) to require different passwords for a) access to the profile and b) logging in. Yahoo has such a system. Another improvement would be to use a web-based re-identifier for password retrieval rather than sending an email. They might also consider a notification icon in the main Skype window for when there is a secondary login, and it would be a big improvement if the primary user (the one with the profile password) could prevent a secondary from logging in or force the secondary to log off. In the current Skype, one can do this by changing the password (which would eventually, though not immediately, force off the secondary user with the wrong password), but it must also be noted that the secondary user might change the password himself, thereby forcing the ID's real owner to log off... permanently. It's a scary thought. Another thing Skype could do is force all IDs to confirm the special profile password periodically (once every X hours)..... or be logged off involuntarily.

Bottom Line: there should be a login password for primary and secondary users, but a profile password for only the owner of the ID. Until such time as Skype has implemented this improvement, all Skype users should be VERY careful about allowing secondary logins to their Skype IDs. Also, NEVER allow your Skype password to be known by anyone else, and NEVER share your email address and password with another person. Finally, take seriously the suggestion to change your password often (with good, unguessable passwords). Studies show that most people have totally guessable passwords, use them for everything, and never change them for almost their entire lives. Therefore, when Skype suggests to us that the solution to the problem is simply to change passwords, it is largely gratuitous and naive.
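As an added illustration (constructed here, not Skype's code nor anything from the original post), the split-password design proposed above modelled as a small account object: one login password that every terminal may hold, a separate profile password held only by the owner, a visible notice on every secondary login, and owner-only force-off. Terminal names and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _kdf(password: str, salt: bytes) -> bytes:
    # Slow hash so a stolen credential store cannot be brute-forced cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """One Skype-style ID with two secrets: a login password that every terminal
    (kitchen handset, laptop, ...) may hold, and a profile password held only by the owner."""

    def __init__(self, login_pw: str, profile_pw: str):
        self._salt = secrets.token_bytes(16)
        self._login_hash = _kdf(login_pw, self._salt)
        self._profile_hash = _kdf(profile_pw, self._salt)
        self.sessions = {}   # session id -> terminal name
        self.notices = []    # what the notification icon in the main window would show

    def _matches(self, stored: bytes, given: str) -> bool:
        return hmac.compare_digest(stored, _kdf(given, self._salt))

    def login(self, terminal: str, login_pw: str) -> Optional[str]:
        """Any terminal with the login password may log in, but never silently:
        a second concurrent login is recorded for the owner to see."""
        if not self._matches(self._login_hash, login_pw):
            return None
        if self.sessions:
            self.notices.append(f"secondary login: {terminal}")
        sid = secrets.token_hex(8)
        self.sessions[sid] = terminal
        return sid

    def change_login_password(self, profile_pw: str, new_login_pw: str) -> bool:
        """Credential changes need the profile password, which secondaries never hold,
        so a secondary cannot lock the owner out. Every session is dropped so that a
        lurking secondary is forced off immediately rather than eventually."""
        if not self._matches(self._profile_hash, profile_pw):
            return False
        self._login_hash = _kdf(new_login_pw, self._salt)
        self.sessions.clear()
        return True

    def force_logoff(self, profile_pw: str, sid: str) -> bool:
        """Owner-only eviction of one session without touching any password."""
        if not self._matches(self._profile_hash, profile_pw):
            return False
        return self.sessions.pop(sid, None) is not None
```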

Impersonation
Here is a second Skype security problem, but this one is common to all instant messaging systems, and indeed to email as well: IDs can be made to look very much like each other, and therefore it should be quite easy to impersonate another Skype user. My ID "garnet_stone", for example, could be mimicked as ".garnet_stone" or "garnet_stone.", and I'm not sure my correspondents would know that it is not me who is contacting them.

In order to really succeed in enterprise environments, Skype has to be able to solve the problem of Trust, which means verifying the identity of the person at the other end of a communication. My suggestion is to establish a system to qualify users with a "trusted identity". To implement such a system, Skype could build fields into the user profile for street address, email address, and a mobile phone number. If the user wants a trusted ID, he or she could have a memo sent via snail-mail and/or SMS with a randomly generated key-code. The user logs back into Skype, enters the key-code, and from then on has a "trusted identity" with a special icon that can be seen by others. eBay and PayPal already have trusted identity systems similar to this, so it is not unreasonable to expect Skype to implement it as well.
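An added, defender-side check (not from the original post) that a client could run when a new contact request arrives: normalise the ID the way a reader's eye does and flag it when it lands within one edit of a contact already on the list, which catches the ".garnet_stone" / "garnet_stone." variants above as well as digit-for-letter swaps. The contact list and the lookalike map are constructed here.

```python
import re
import unicodedata

# Digits that are commonly read as letters; an assumed, deliberately short map.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def canonical(user_id: str) -> str:
    """Reduce an ID to what a human 'sees': case-folded, separators and
    leading/trailing punctuation removed, lookalike digits replaced."""
    s = unicodedata.normalize("NFKC", user_id).casefold()
    s = re.sub(r"[^a-z0-9]+", "", s)   # drops '.', '_', '-', spaces, anywhere
    return s.translate(_CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(candidate: str, contacts, max_distance: int = 1):
    """Known contacts the candidate ID could be impersonating, in list order.
    The candidate itself (an exact match) is not reported."""
    c = canonical(candidate)
    return [
        known for known in contacts
        if known != candidate and edit_distance(c, canonical(known)) <= max_distance
    ]
```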
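The key-code enrolment proposed above, as an added example (constructed, not Skype's code): a random code is issued for the contact details on file, only its hash is kept, and the badge is bound to those exact details so that later editing the address or mobile number in the profile revokes it. The one-week validity and the five-attempt cap are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 7 * 24 * 3600   # assumed validity: one week, enough for snail-mail delivery
MAX_ATTEMPTS = 5           # assumed cap on wrong guesses per issued code


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


class Profile:
    def __init__(self, user_id: str, address: str, mobile: str):
        self.user_id, self.address, self.mobile = user_id, address, mobile
        self._pending = None       # [code hash, details hash, expiry, attempts left]
        self._trusted_for = None   # details hash the badge was granted for

    def _details_hash(self) -> str:
        return _sha256(f"{self.address}|{self.mobile}")

    def issue_code(self, now=None) -> str:
        """Generate the key-code; the caller posts/SMSes it to the details on file."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending = [_sha256(code), self._details_hash(), now + CODE_TTL, MAX_ATTEMPTS]
        return code

    def confirm_code(self, code: str, now=None) -> bool:
        """Accept the code once, before expiry, within the attempt budget."""
        now = time.time() if now is None else now
        p = self._pending
        if p is None or now > p[2] or p[3] <= 0:
            return False
        p[3] -= 1
        if not hmac.compare_digest(p[0], _sha256(code)):
            return False
        self._trusted_for, self._pending = p[1], None
        return True

    @property
    def trusted(self) -> bool:
        """Badge shown to others only while the verified details are unchanged."""
        return self._trusted_for is not None and self._trusted_for == self._details_hash()
```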
