Finding authentication in interesting places

What does baseball memorabilia have to do with the recent Uber hack? It turns out both depend heavily on authentication. I wrote about the latter for Avast here. The hacker, who claimed to be from Uber's IT department, set up a man-in-the-middle portal that tricked an Uber contractor into revealing their authentication credentials. This is the same person, or group, that also broke into a gaming studio recently. The contractor did have multifactor authentication enabled, but wasn't paying attention, and the hacker was able to fool them into entering the credentials. That is the catch with most second factors: a code typed into, or a prompt approved for, an attacker's look-alike page is simply passed along to the real login.

And this week Microsoft researchers reported on a different set of attackers who broke into cloud tenants whose admin accounts lacked any multi-factor authentication, then planted malicious OAuth applications in them.

Authentication, proving you are who you say you are, figured large in a series of emails I had to exchange to regain control over my wife's website. I had to show both a government picture ID and that I had some financial responsibility for the account. As if that wasn't enough, I then started reading this piece in the NY Times about how Major League Baseball authenticates the items used in its games. Remember how you could just catch an errant fly ball or, better yet, one hit for a home run? Well, MLB has made some effort to ensure that a ball sold as game-used is actually legit, using a chain-of-custody process (off-duty cops collect the items and certify them) along with tamper-evident holograms placed on the objects used during its games.

The Times piece mentioned that lots of stuff gets authenticated, particularly at the end of a season or when a player is about to break a record. These include not just the bat and ball but shoe spikes, gloves, the actual bases, uniform clothing and even the dirt on the infield and decommissioned Shea Stadium seats. Our home team favorite, Albert Pujols, will have specially-marked balls pitched to him for the rest of the season as he climbs the home run chart. About half a million items used in the games a year are authenticated, according to MLB officials.

MLB began using holograms back in 2001, according to this webpage, and this year improved on the tags. They are placed on a variety of memorabilia objects and licensed MLB products, each with a unique code that can be looked up on that page (or on the page of the tech supplier, Authenticators Inc.) to determine whether it is authentic. (The MLB page puts the code right in the URL when it returns the status, so the lookup is driven by whatever the visitor types in; that probably means it could be subject to an injection attack if the input isn't checked, but what do I know?)
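Since the lookup is keyed on a code taken straight from the URL, here is what the injection worry comes down to. This is an added example written for this post, not code from MLB, Authenticators Inc. or OpSec, and it says nothing about how the real site is built: the tag format (two letters plus six digits), the registry table and its rows are all constructed for the demo. It shows the same lookup done the injectable way and the safe way.

```python
"""Added example (not from the post, and not the MLB or Authenticators Inc.
site code): a hologram-code lookup done the injectable way and the safe way.
The tag format and the registry rows are constructed for the demo."""
import re
import sqlite3

# Hypothetical tag format: two letters and six digits, e.g. "AB123456".
CODE_RE = re.compile(r"^[A-Z]{2}[0-9]{6}$")
COLUMNS = ("code", "item", "status")


def build_registry() -> sqlite3.Connection:
    """In-memory stand-in for the authenticator's database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tags (code TEXT PRIMARY KEY, item TEXT, status TEXT)")
    db.executemany("INSERT INTO tags VALUES (?, ?, ?)", [
        ("AB123456", "game-used baseball, 2022-09-11", "authentic"),
        ("CD654321", "game-used second base", "authentic"),
        ("EF000001", "tag voided after removal attempt", "void"),
    ])
    return db


def lookup_unsafe(db: sqlite3.Connection, code: str):
    """Pastes the value taken from the URL straight into SQL. A code such as
    "' OR status='authentic' --" turns the query into a search for *any*
    authentic row (the trailing quote ends up behind the -- comment), so a
    made-up tag 'verifies' as the first authentic item in the table."""
    row = db.execute(
        f"SELECT code, item, status FROM tags WHERE code = '{code}'").fetchone()
    return dict(zip(COLUMNS, row)) if row else None


def lookup_safe(db: sqlite3.Connection, code: str):
    """Reject anything that is not a well-formed tag code, then bind the value
    as a parameter so the database never interprets it as SQL."""
    if not CODE_RE.fullmatch(code):
        return None
    row = db.execute(
        "SELECT code, item, status FROM tags WHERE code = ?", (code,)).fetchone()
    return dict(zip(COLUMNS, row)) if row else None


def verify_tag(db: sqlite3.Connection, code: str) -> str:
    """What a verification page should answer for a scanned or typed code."""
    hit = lookup_safe(db, code)
    if hit is None:
        return "unknown tag"  # bad format and not-in-registry get the same answer
    return f"{hit['status']}: {hit['item']}"


if __name__ == "__main__":
    registry = build_registry()
    payload = "' OR status='authentic' --"
    print("unsafe, real code :", lookup_unsafe(registry, "AB123456"))
    print("unsafe, injection :", lookup_unsafe(registry, payload))
    print("safe, injection   :", lookup_safe(registry, payload))
    print("verify AB123456   :", verify_tag(registry, "AB123456"))
    print("verify EF000001   :", verify_tag(registry, "EF000001"))
```

The format check alone is not the defense; the parameter binding is. The regex simply keeps junk out of the logs and gives the page one uniform "unknown tag" answer whether the code is malformed or merely absent, so a visitor probing the form learns nothing about which codes exist.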

The tags are produced by OpSec Security, which also does tags for a wide variety of manufacturers (GM Europe, for example, uses them to ensure that genuine parts are sold). If you try to remove the tag, the hologram becomes unreadable. Of course, this means your souvenir has this tag on it, but I am guessing that most collectors would rather have the assurance that their item is the real thing.

While Uber's next step to up their authentication ante will most likely be to use FIDO2 tokens and passkeys, which tie the login to the real site's origin so that a fake portal can't relay it, maybe they also need a few MLB umpires and off-duty cops to get involved in auditing their authentications.
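The difference between the multifactor login the contractor had and a FIDO2/passkey login can be shown in a few lines. This is an added example, not code from the post or from Uber: the relying party bank.example, the phishing host bank-login.example and the credential key are invented, and an HMAC over the same bytes stands in for the authenticator's private-key signature. The first half relays a TOTP code through a phishing page and gets in; the second half shows the browser stamping the page origin into the signed WebAuthn assertion, which is why the same relay fails.

```python
"""Added example (not from the post, nor Uber's code): why a man-in-the-middle
login portal can relay a one-time code but not a FIDO2/WebAuthn assertion.
Every host name and key here is hypothetical."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "bank.example"                       # hypothetical relying party
RP_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"  # hypothetical attacker portal


# ---- One-time codes: nothing in the code says where the user typed it ----
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{num:0{digits}d}"


def totp_relay_succeeds(shared_secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it to
    the real server inside the same 30-second window. The server cannot tell
    who typed it, so the relayed login succeeds."""
    code_typed_into_phish_page = totp(shared_secret, now)
    return hmac.compare_digest(totp(shared_secret, now), code_typed_into_phish_page)


# ---- WebAuthn: the browser stamps the real page origin into the signed data ----
def host_of(origin: str) -> str:
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]


def client_get_assertion(page_origin: str, rp_id: str, challenge: str,
                         cred_key: bytes, enforce_rp_id: bool = True):
    """Browser + authenticator side of navigator.credentials.get(). A real
    authenticator signs with the credential's private key; HMAC stands in."""
    host = host_of(page_origin)
    if enforce_rp_id and not (host == rp_id or host.endswith("." + rp_id)):
        return None  # browser refuses: rp_id is not a registrable suffix of the page host
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData: rpIdHash (32 bytes) | flags (UP set) | signCount (4 bytes)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, signed, hashlib.sha256).digest()}


def rp_verify(assertion, expected_challenge: str, cred_key: bytes) -> bool:
    """The relying-party checks from the WebAuthn spec that matter for phishing."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: the phishing-resistance check
        return False
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def webauthn_login(page_origin: str, cred_key: bytes = b"demo-credential-key") -> bool:
    """The RP issues a fresh challenge; a MitM portal relays it unchanged and
    asks the victim's browser to sign it from the phishing page."""
    challenge = secrets.token_urlsafe(32)
    assertion = client_get_assertion(page_origin, RP_ID, challenge, cred_key)
    return rp_verify(assertion, challenge, cred_key)


def webauthn_origin_rewrite_fails(cred_key: bytes = b"demo-credential-key") -> bool:
    """Even a client that skips the rp_id check and then edits the origin field
    to the real one fails: the signature covers SHA-256(clientDataJSON)."""
    challenge = secrets.token_urlsafe(32)
    a = client_get_assertion(PHISH_ORIGIN, RP_ID, challenge, cred_key, enforce_rp_id=False)
    forged = dict(a)
    forged["clientDataJSON"] = a["clientDataJSON"].replace(
        PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    return not rp_verify(forged, challenge, cred_key)


if __name__ == "__main__":
    print("TOTP relayed through phishing page logs in:", totp_relay_succeeds(b"k", 1_700_000_000))
    print("WebAuthn from the real origin:", webauthn_login(RP_ORIGIN))
    print("WebAuthn relayed from the phishing origin:", webauthn_login(PHISH_ORIGIN))
    print("Origin rewrite rejected:", webauthn_origin_rewrite_fails())
```

Note that the phishing case fails twice over: a standards-compliant browser will not even produce an assertion for an rp_id that does not match the page it is on, and if some tampered client did, the origin inside the signed clientDataJSON would still name the attacker's host. That is the property a one-time code or a push approval never has.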

3 thoughts on “Finding authentication in interesting places”

  1. Another old, old authentication solution concerns my many-greats grandfather, Solomon Freer. He joined the Revolutionary War at the age of 18 as the war was winding down. He served under Francis Marion, known for the Disney series, The Swamp Fox. After the war was over, he moved to Kentucky. When the United States government decided to award pensions to the war veterans, veterans had to submit a “deposition” on what they had done in the war. Solomon’s deposition is in the National Archives, and my mom was able to actually handle it and transcribe the original. And it “authenticated” his service.

  2. Pingback: Authentication a master’s painting isn’t easy | Web Informant
