I had just finished reading two interesting articles related to I.T. security that got me interested in writing up a little post on personal online security. You should read both of these articles before continuing.
Anatomy of a Twitter Attack: http://techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/
There have always been ways to reset online passwords. My interest in the topic became strong while working at an ISP over 10 years ago. Customers had to call the technical support department to reset their passwords. They had to wait in the phone queue with other customers who had other issues (such as a connectivity problem). The technical support queue would get long. Soon, management was pressuring the technical support engineers to reduce the queue (thus decreasing the wait time for customers). It became commonplace for password resets to take place without verifying identity. And this was typically resetting an administrative email account password (and administrative accounts had access to reset all other email passwords on the same domain).
Certainly, security standards and practices are a bit better these days (although there are still plenty of exceptions). Over the last few years, in an effort to cut down on costs, businesses have been encouraging users to use self-service for basic account management (resetting passwords, etc.). I recently read an article that a password reset phone call costs a business about $20. Today, it is almost impossible to find an online service or website that doesn't offer a self-service password reset feature.
Have you read the Twitter attack article yet? If not, you should before continuing. Otherwise, I can summarize it: The attacker was able to reset an email address password using a secret question, then reset a Gmail account by using the newly owned email account, which was the alternate email address for the Google account. Then, the attacker expanded to other services like PayPal and Facebook. In a short amount of time, the attacker had access to a bevy of confidential information. This was all possible because he gained access to a single seemingly unimportant email
Nowadays, more and more online services and websites are linked or tied together. You probably notice this all the time. Somebody tweets a message and it shows up in Twitter, Facebook, and LinkedIn (and others). You can shop and buy products using your Gmail account. You can log in to websites using your Facebook account. The vast majority of websites are protected using an email address and password. What percentage of people have credit card information stored on these websites? Amazon? PayPal (required in many cases)? Google? By gaining access to your email address, an attacker may have access to a lot more than just your email. For the majority of people with only a single email account, an attacker would likely have access to everything except banks and credit card sites. And even without bank or credit card access, they can rack up thousands of dollars of purchases on eBay, Amazon, and other sites.
A critical piece of securing your online accounts is determining the weakest link. Attackers will typically use the easiest way in. Maybe your Gmail account is semi-secure, but if the alternate email account specified in Gmail is less secure, then your Gmail account is only as secure as the alternate email account. I chose 5 popular websites and online providers to determine which were weak links and which weren't. Note: I did this in April of 2011, so some providers may have updated their processes and/or policies.
Windows Live: Provider of email accounts and online services (MS Office, instant messaging). To gain access to an account, you need to know the email address, the zip code, and the answer to a single pre-canned question.
Windows Live only offers these canned questions:
- Mother's birthplace
- Best childhood friend
- Name of first pet
- Favorite historical person
A quick Google search will typically reveal zip codes (or cities), mother's birthplace, and grandfather's occupation. Surprised? Genealogy sites have birth and death records and many marriage records (depending on state). Tie some dates together and it is pretty quick and easy to figure out somebody's father, mother, and grandfather. Data is also available in the census data (including occupations). Marriage certificates include occupations. You can look up or order a public marriage certificate to get the occupations of the husband and wife (along with other data). Remember, marriage certificates are public record in some states. You can also order birth certificates (informational copies) for a small fee (California's fee is $14 from State or $17 from
Google: Provider of email accounts and online services. Google accounts are often compromised by compromising the alternate email account.
Google offers the following password reset questions:
- What is your primary frequent flyer number?
- What is your library card number?
- What was your first phone number?
- What was your first teacher's name?
- What is your father's middle name?
- Write my own question (this is a key difference when compared to some other providers, as it provides the average Internet user a way to better secure their email account)
Bank of America uses the following password reset questions:
- In what city were you living at age 16?
- What is the name of your first niece/nephew?
- What is your maternal grandmother's first name?
- What is your maternal grandfather's first name?
- In what city were you born?
- What was the name of your first pet?
- What was your high school mascot?
- How old were you at your wedding?
(The list is much longer... these were the first several.)
Attempting to reset your password on the BofA site requires you to know the online ID. Thereafter, you need to have the Bank of America card number. Otherwise, you need to enter the Social Security Number (SSN). If you don't have the SSN, the password cannot be reset online (instead you have to call a toll free number to talk with a representative, and the representative will ask a series of random questions). BofA also has a graphical picture called a "SiteKey" (which is presented as an additional authentication factor). If you come from a computer that has not successfully logged into your BofA account, you are prompted with one of the secret questions (instead of the SiteKey). Thereafter, you are presented with your "SiteKey" (which ensures you know that you are actually at the BofA site) and then have to enter your password. If, at that time, you want to reset your password, you can answer a second secret question and reset the password (however, you also have to enter your Bank of America card number and your ATM PIN).
Facebook: Forgot your password? Facebook takes you to a page where you enter a captcha and your email address (or mobile number) and they send you an email or SMS/TXT message with a password reset code.
Definitely needs work. Many people store their Facebook credentials in their mobile phone. Thus, if somebody loses their phone, an attacker may be able to hijack the Facebook account, which could lead to a complete identity compromise.
Yahoo: Yahoo has a link for resetting passwords titled "I can't access my account". It requires that you enter your Yahoo ID and complete a captcha. From there, there are 2 options. The first is to enter an alternate email address (it shows a hint of that by displaying the first letter of the domain name and asterisks to indicate the total length of the domain name). The other option is titled "I can't access any of the above". Choosing "I can't access any of the above" leads to the following security questions:
- Question 1 of 2 (Where did you spend your honeymoon?)
- Question 2 of 2 (What is the name of the street on which you grew up?)
Yahoo offers up about 25 canned questions (some bad, such as "What town was your father born in?", and some better, such as "What is your main frequent flier number?"). I checked my frequent flier numbers and they are all between 9 and 14 characters (all digits). Yahoo also offers the ability to write your own question (and as I mentioned earlier, this is usually the best option for the typical Internet user).
Speaking of mileage plans, I took a quick look at Alaska Airlines. On the web site, I clicked the link to retrieve my UserID. It prompted for my first name, last name, and date of birth (all publicly available). Then, I had to provide the account's email address and answer a secret question (in this case, "What city were you born in?"). Thereafter, it instantly gives out the UserID. That means that the Alaska Airlines UserID can be retrieved for anybody by using publicly available information. To reset the password, the same information can be used (basically, the only piece of knowledge needed is the answer to the "secret" question).
Alaska Airlines only offers the following pre-canned questions:
- What city were you born in?
- What was the name of your first pet?
- What is your mother's maiden name?
- What is your mother's middle name?
- What is the name of an elementary school you attended?
Not too tough to get answers to these questions. Thereafter, you'd have the mileage number, which might be used as the answer to other secret questions on more important sites (remember, one of Google's password reset questions is "What is your primary frequent flyer number?").
OK. So now what? It's time to go and evaluate your secret questions and your alternate email accounts. Here are 5 easy ways to immediately enhance your personal online security:
- Use a secure password application. Download LastPass (free) or a similar program and use it to generate complex passwords that are stored locally on your computer (encrypted). It can also store encrypted notes. For sites that allow a custom password reset question, create a question: "What is the secure random password generated by LastPass?" Then enter this question and the secure random password into a secure note in LastPass. For sites that do not allow a custom question, just use an existing question. Enter the existing question into a secure note in LastPass and have LastPass generate a secure random password as the answer. This mitigates the ability for attackers to use secret questions to gain unauthorized access to your email accounts.
- Use multiple factors for authentication. Because you'll be relying on LastPass for your ultimate online security, you should use multi-factor authentication (LastPass has a few choices).
- Rank your existing email accounts based on security practices. Ensure that you do not use the weakest account(s) for alternate email accounts. Example: Do not use your Windows Live account as an alternate account until the password reset process is more secure.
- Avoid chaining services and accounts together. The goal is to minimize the loss if an attacker gains access to one of your online accounts or email accounts. If you have 3 email accounts and 10 various web site accounts, ensure that an attacker can't gain access to all of your accounts if he gains access to one of your accounts. It starts by using a unique password for every site (LastPass can help with this).
- Pretend you are an attacker and dig up information on yourself. Here are a few web sites that provide useful information (the first couple being local for SoCal, so find your local county/city/state/district sites if you are somewhere else):
  - Superior Court of California (County of Orange) - https://ocapps.occourts.org/CourtIndex/
  - San Bernardino court case information system -
  - http://www.ancestry.com (mother's maiden name and other valuable information found here)
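The weakest-link rule above (an account is only as secure as the alternate email that can reset it) and the advice to rank your accounts and avoid chaining them can be worked through as a small dependency graph. This is an added example, not code from the original post: the difficulty scores and the recovery edges are constructed assumptions that loosely follow the April 2011 findings above, and the account names are labels, not real accounts.

```python
"""Weakest-link analysis of chained account recovery paths (constructed example).
An edge A -> B means account A can be reset through account B (alternate email,
or a value held in B answers one of A's secret questions)."""
from collections import deque

RESET_DIFFICULTY = {  # constructed scores, loosely following the post's 2011 findings
    "alaska_airlines": 1, "windows_live": 1,  # public info + one canned question
    "facebook": 2, "yahoo": 2,                # code to email/phone; alt email or 2 questions
    "gmail": 3,                               # custom secret question available
    "bofa": 5,                                # card number, SSN and PIN required
}
RECOVERY_EDGES = {  # constructed: account -> accounts that can unlock it
    "gmail": ["windows_live", "alaska_airlines"],  # alt email; mileage number as answer
    "facebook": ["gmail"], "yahoo": ["gmail"],
    "bofa": [], "windows_live": [], "alaska_airlines": [],
}

def effective_security(account, edges=RECOVERY_EDGES, scores=RESET_DIFFICULTY):
    """Lowest reset difficulty reachable from `account`, with the chain to it."""
    best_score, best_path = scores[account], [account]
    seen, queue = {account}, deque([[account]])
    while queue:
        path = queue.popleft()
        for nxt in edges.get(path[-1], []):
            if nxt in seen:
                continue
            seen.add(nxt)
            if scores[nxt] < best_score:
                best_score, best_path = scores[nxt], path + [nxt]
            queue.append(path + [nxt])
    return best_score, best_path

def rank_accounts(edges=RECOVERY_EDGES, scores=RESET_DIFFICULTY):
    """Rank accounts by effective (weakest-link) security, weakest first."""
    return sorted((effective_security(a, edges, scores)[0], a) for a in scores)

def blast_radius(account, edges=RECOVERY_EDGES):
    """Accounts that can be reset in turn once `account` is lost (reverse walk)."""
    reverse = {}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    reached, stack = set(), [account]
    while stack:
        for nxt in reverse.get(stack.pop(), ()):
            if nxt not in reached:
                reached.add(nxt)
                stack.append(nxt)
    return reached
```

With these inputs Gmail's effective security drops to 1 because Windows Live is its alternate email, and losing the Windows Live account exposes Gmail, Facebook and Yahoo; swapping the alternate email for a stronger account or removing the edge is what the ranking step is meant to drive.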