Researcher mines blogs, social networks to access bank accounts
Family names, other data posted on sites like MySpace, Facebook used to reset passwords
Computerworld - A recent Google search of MySpace Inc.'s popular social networking site for several variations of terms describing a person's maternal grandparents returned more than 11,000 search results.
The search by security researcher and author Herbert Thompson illustrates the growing security threat posed by the massive amount of personal information posted on social networks, forums, blogs and other Web 2.0 destinations. Thompson sent the search results to Computerworld.
Posting seemingly innocuous information -- like a mother's maiden name or a pet's name -- could help a crook access personal data stored by banks, financial services firms and other companies, Thompson said. Many companies typically ask for such information from clients to reset a password on an account, he noted.
Thompson, who is founder and chief security strategist at People Security, a New York-based IT security consulting firm, described how easily personal information posted on a blog or social network could be used to break into a bank account in an article published in Scientific American this month.
With her permission, Thompson accessed a friend's bank account in an hour and a half after mining her personal blog personal for details like her birth date, birthplace, father's middle name and pet's name. He used the data to reset her e-mail password and gain access to an e-mail from her bank with instructions on how to reset her account password.
Thompson said in an interview that cybercriminals are increasingly mining personal data splashed throughout the Web 2.0 world. He noted that the questions that banks have long used to reset or recover passwords were typically seen as difficult for thieves to answer. Now, however, the answers to the questions are often readily available to crooks because so many people are now blogging about their personal lives or are creating personal profiles that are rife with this type of information, he noted.
As proof, Thompson pointed to the fact that thieves on underground forums typically charge 10 to 12 times more for stolen credit card numbers with the mother's maiden name or a pet's name of the owner than for the credit card alone.
"You may not think twice about posting your grandfather's name, but you've just released your mother's maiden name," he said. "There are a lot of places where you can claim to forget other questions, and the site will default to mother's maiden name. If I give you the log-in to one account, I've essentially given you a fish. If I give you the answer to people's password-recovery questions, I've taught you to fish. You can pillage their accounts."
- Six Ways Your Small Business Can Save with Internet Phone Service Traditional phone systems present two main problems for businesses: limited features and high costs. As a result, small businesses are migrating to Internet...
- Face Time Anytime Real-time communications facilitates team collaboration from nearly anywhere in the world. With facts and figures you can use to justify an investment
- Now is the time to implement a video conference solution Video conferencing is getting a lot of buzz lately due to the recent cost decrease, making it tangible for many law firms. It's...
- Video drives engagement Achieving maximum results means building a solid platform and network infrastructure. As digital age unfolds, it's clear that the ability to communicate effectively...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Web Apps White Papers | Webcasts