Wednesday, September 10, 2008

MSNBC: Paris's Password, and Your Password, May Be Darned Easy to Crack



According to this piece on MSNBC, privacy experts are ringing worry bells over the safety and security of password systems online. Specifically, they are concerned that far too many companies are using very simple security precautions -- systems that are easily beaten.

The idea is this. You find an org that uses a common user name nomenclature -- for example, first initial plus last name. Then, you ask to reset the password. Most systems rely on security questions like "What's Your Mother's Maiden Name?" or "What is Your Pet's Name?" While at some point in the past that might have been relatively private info, it no longer qualifies: personal details like these have become easy to find in resumes and social media posts, which often contain exactly the answers the questions ask for.

Here's a passage from the MSNBC post:

There are no known cases in which hackers have widely exploited “forgot your password” links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dogs' names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.

In most cases, such information sets are probably the result of successful phishing attempts, Jakobsson said, where a victim unwittingly supplied personal information in response to an e-mail. But he’s seen demonstrations of far more sophisticated tools designed to “scrape” information off blogs and social networking pages for later use by hackers.

“It’s an automatic dossier building tool,” he said.


Like all scary things, the story starts with none other than Paris Hilton, whose cell phone was reportedly hacked using the name of her dog, which the crooks found online. Now, no one credible is entirely sure that the story is actually true, but it has prompted security concerns over the issue. Another passage from MSNBC:

It also prompted researchers to study the issue, which is also known as “fallback authentication.” Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF) titled in part, “Security Questions in the Era of Facebook.” It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember.

"Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can’t seem to get rid of that question. … If we do nothing this will get steadily worse."


Oh, the world we live in. When even PARIS HILTON isn't safe!

Thanks for reading, and don't forget to write.
