I recently read that Sarah Palin's Yahoo! email account had been hacked. What is interesting about the hack is that instead of guessing her password or finding a security flaw in Yahoo's email service, the hacker used the "forgot your ID or password" feature and a search engine. The Threat Level blog on Wired has posted an email from the hacker in a post entitled Palin E-Mail Hacker Says It Was Easy, which is excerpted below.

rubico 09/17/08(Wed)12:57:22 No.85782652

Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if you'll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

I found out later through more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

The fundamental flaw of pretty much every password recovery feature I've found online is that what they consider "secret" information actually isn't, thanks to social networking, blogs and even Wikipedia. Yahoo! Mail password recovery relies on asking you for your date of birth, zip code and country of residence as proof of identity. Considering that this is the kind of information that is on the average Facebook profile or MySpace page, it seems ludicrous that this is all that stands between someone and your online identity.

Even the sites that try to be more secure by asking more personal questions such as "the name of your childhood pet" or "where you met your spouse" fail, because people write about their childhood pets on blogs and tell the story of how they met on wedding sites all over the Web.

Web developers need to start considering whether it isn't time to put password recovery features based on personal questions out to pasture. I wonder how many more high profile account hijackings it will take before this becomes as abhorred a practice as emailing users their forgotten passwords (you know why this is wrong, right?).
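As an added illustration, not code from the post or from Yahoo!, here is a Python sketch of the minimum a recovery flow should do if it keeps knowledge-based questions at all: normalize, salt and slow-hash the answers like passwords, compare in constant time, lock recovery after repeated failures, and offer a random single-use out-of-band token as the alternative to personal questions. Class and function names, the attempt limit, the two-hour lockout and the token lifetime are my own assumptions; hashing and lockouts do not rescue a low-entropy answer, which is the post's actual point.

```python
import hashlib, hmac, os, secrets, unicodedata

MAX_ATTEMPTS = 3            # wrong answers allowed before recovery is locked (assumed)
LOCKOUT_SECONDS = 2 * 3600  # two-hour lock, like the one described in the post (assumed)
TOKEN_TTL_SECONDS = 15 * 60 # out-of-band recovery tokens expire quickly (assumed)

def normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so 'Wasilla High' and 'wasilla  high' match."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    """Treat the answer like a password: salted, slow hash, never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)

class RecoveryAccount:
    """Recovery state for one account (hypothetical design, not any real provider's)."""
    def __init__(self, question: str, answer: str):
        self.question = question
        self.salt = os.urandom(16)
        self.digest = hash_answer(answer, self.salt)
        self.failures = 0
        self.locked_until = 0.0
        self.tokens = {}   # token -> expiry timestamp; each token is single use

    def check_answer(self, guess: str, now: float) -> bool:
        """Knowledge-based path: constant-time compare, lockout after repeated failures."""
        if now < self.locked_until:
            return False                       # refuse even a correct answer while locked
        if hmac.compare_digest(hash_answer(guess, self.salt), self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
        return False

    def issue_token(self, now: float) -> str:
        """Out-of-band path: random token sent to a pre-registered channel (delivery not shown)."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = now + TOKEN_TTL_SECONDS
        return token

    def redeem_token(self, token: str, now: float) -> bool:
        """A token is valid once and only before its expiry; pop() makes it single use."""
        expiry = self.tokens.pop(token, None)
        return expiry is not None and now <= expiry
```

The lockout only delays guessing; when the answer space is a handful of public facts, the out-of-band token path is the one that actually closes the hole.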

Now Playing: DJ Khaled - She's Fine (Feat. Sean Paul, Missy Elliot & Busta Rhymes)


Friday, 19 September 2008 03:14:29 (GMT Daylight Time, UTC+01:00)
I think that is just one more example of how "wish it was multi factor id" does not work.
Friday, 19 September 2008 04:05:29 (GMT Daylight Time, UTC+01:00)
The worst are subjective questions, like "what is your favorite movie?" Subjective answers can change day-to-day, year-to-year. These "security questions" have become so absurd that I just answer them all with the same passphrase (which is different from my password).
Friday, 19 September 2008 06:02:03 (GMT Daylight Time, UTC+01:00)
Friday, 19 September 2008 06:46:37 (GMT Daylight Time, UTC+01:00)
I have one word that I use for those things and one set of numbers. Then I just pick a random question from the list and use either one. The word and number are completely unrelated to any possible question so it seems pretty secure. I mean, unless they store the response in cleartext somewhere. But they wouldn't do that, right?
Friday, 19 September 2008 09:31:19 (GMT Daylight Time, UTC+01:00)
Get a password manager (like Password Safe or KeePass) that has a password generator. Then treat your answers to those secret questions like you would a password. Granted, if you lose your password manager file, you lose the ability to get back into your account. But with a good file syncing strategy, you'll be OK.
Friday, 19 September 2008 12:30:37 (GMT Daylight Time, UTC+01:00)
Do you have any recommendations here Dare? What are some alternatives?

Seems to me like OpenID is a big step in helping thwart this issue.
Friday, 19 September 2008 19:51:47 (GMT Daylight Time, UTC+01:00)
That's why I lie.
Stéphane
Friday, 19 September 2008 20:15:16 (GMT Daylight Time, UTC+01:00)
I agree more or less with Bill and Stéphane. I give an answer, but it's not the answer to the question they ask. It's not like they are doing a background check to see if you answered the question truthfully! Just give some answer you can remember.
Saturday, 20 September 2008 01:08:38 (GMT Daylight Time, UTC+01:00)
I agree also.

I think the most sensible solution would be for account recoveries to be authenticated more thoroughly using traditional means of authentication (such as required to open an online bank account), and to require payment of a significant amount (say $100) before recovery is possible.

The fee would cover the costs of the verification process, while the stronger authentication requirements would make break-ins much rarer; and since a successful break-in would require counterfeiting documents, legal ramifications would also be moved from the category of "prank" to "fraud".