1

I have a screen sharing application in which all sensitive data is masked. There are some scenarios in which the customer types sensitive data, such as the SSN, into a non-masked field, thereby directly compromising our solution.

Is there a way I can detect that person is typing SSN or any sensitive data, without accessing the DB -- or any other server-side information -- just on the client side.

For instance, consider a form with SSN and address fields. How can I avoid displaying an SSN mis-entered in the Address field?

SSN
Address:888-9999-0988

EDIT

My approach as of now is storing all patterns in a property file on the client side. For example, a typical password in my application is 8 characters with following rules:

^(?=.*[A-Za-z])(?=.*\d)(?=.*[$@$!%*#?&])[A-Za-z\d$@$!%*#?&]‌​{8,}$

I will have this regex stored on client side. Once the user starts typing, I will check whether he is typing a password or a username. Similarly, I can break a phone number into country - area code format and can have a regex for that also. But since SSN is pure 9 digit random number, I am stuck.

By extracting field names from DOM, I can get exact location of cursor and Field name in which User is typing data.And by using the type of data format they support I can have rough idea whether user is typing the required data or something else. Please correct me if I am wrong

September: 14th-2016 Since I have screen sharing solution running in a browser,it will be used as plug-able component by the websites.So it won't be easier to ask them to restructure their pages. Below is the approach I have finalized based on your inputs. I will have one file file with all patterns stored in it. 1.For Credit related info all have definite patterns.So it won't be any problem 2.Passwords also have some rules or patterns.So these can also be checked

To avoid data exposure I will show generic message till user types data,like the watsapp shows "User is typing".Once User tabs or comes to next field then only data will be shown after inline Pattern Validation.

Only thing left here is how to detect those fields like SSN, Phone number etc which does not have any pattern.Hope we can have some solution for this also.

Regards Harry

Bhargav Rao
  • 50,140
  • 28
  • 121
  • 140
harry singh
  • 11
  • 2

1 Answers1

2

In short, you can't. How do you differentiate the sensitive data by value and format? For instance, how do you differentiate SSN 212-73-6500 from NYC telephone number 212-736-5000 in time to blank out sensitive information? Similarly, how do you detect that the user is typing a password in the address field, before displaying any characters of the password?

You say that you cannot access the data base to match entered data with already known values. Unless you can dictate some differentiation to the user before sensitive data gets entered, you have no way under information theory to detect the mistake. You can't differentiate a password from a name or other alphanumeric input.

I see one possibility: treat all data as sensitive until cleared for display. Each input field gets masked until you verify that it cannot contain sensitive information.

Unfortunately, I don't know that you can do this strictly from the client side. Again, how do you differentiate a mis-typed SSN (left out or doubled a digit) from a phone number? How can you tell an alphabetic address from a password?

I believe that, to solve this, you will need to impose some restrictions on the sensitive input you request. Passwords cannot look anything like any other field. You separate confusable fields by as much as possible on the page ... and some of this may be problematic with the smooth flow of entering information.

EDIT RESPONSE

That's correct: you can set up a family of recognition rules and differentiate various types of input. However, you still have some innate problems in that you cannot differentiate some types of input until it's too late, such as the phone-or-SSN ambiguity above, or telling a password from a name or address (some addresses start with pure alphabetic characters).

Can you fulfill security requirements with severe partitioning? For instance, put all of the sensitive information on one page, and all of the displayed information on another. I'm looking for a way to force the user to know that certain information is sensitive.

Also, do you have to configure this for international use? Security requirements differ across cultures and nations. Keep that in mind when you design this application.

Prune
  • 76,765
  • 14
  • 60
  • 81
  • My approach as of now is storing all patterns in a Property file on a client side.For example A typical password in my application is 8 characters with following rules: "^(?=.*[A-Za-z])(?=.*\d)(?=.*[$@$!%*#?&])[A-Za-z\d$@$!%*#?&]{8,}$" So I will have this regex stored on client side,once user starts typing I will check whether he is typing password or username. Similarly I can break phone number in Country area code format and can have regex for that also.But since SSN is pure 9 digit random number I am Stuck. – harry singh Sep 13 '16 at 09:20
  • By extracting Filed names from DOM I can get exact location of cursor and Field name in which User is typing data.And by using the type of data format they support I can have rough idea whether user is typing the required data or something else. Please correct me if I am wrong – harry singh Sep 13 '16 at 09:29
  • I edited these into your original question; anyone else who comes by can find the relevant information more easily. – Prune Sep 13 '16 at 17:34
  • Since I have screen sharing solution running in a browser,it will be used as plug-able component by the websites.So it won't be easier to ask them to restructure their pages. Below is the approach I have finalized based on your inputs. I will have one file file with all patterns stored in it. 1.For Credit related info all have definite patterns.So it won't be any problem 2.Passwords also have some rules or patterns.So these can also be checked. – harry singh Sep 15 '16 at 06:56
  • To avoid data exposure I will show generic message till user types data,like the watsapp shows "User is typing".Once User tabs or comes to next field then only data will be shown after inline Pattern Validation. Only thing left here is how to detect those fields like SSN, Phone number etc which does not have any pattern.Hope we can have some solution for this also. – harry singh Sep 15 '16 at 06:57
  • Harry, if there's no pattern to differentiate those fields, it is not logically possible to detect them. For instance, if you live in an country with a 9-digit phone number, and punctuation is not required for either that or your SSN (assuming you're still have some USA presence), then it is *not possible* to tell them apart from the 9-digit input alone. Most pointedly, there will be 9-digit sequences that are both an active phone number *and* an active SSN. Without more information, you cannot partition these as "safe" and "unsafe". – Prune Sep 15 '16 at 16:49
  • That's why I suggested a separate input region altogether. Since it's impossible to tell the difference, and you are not allowed to contact the server for even background help, you need to reach farther on the client side in some fashion. Either push the security directly to the user, or maintain a local cookie with enough information coded to make that differentiation. – Prune Sep 15 '16 at 16:51