Researcher mines blogs, social networks to access bank accounts
Family names, other data posted on sites like MySpace, Facebook used to reset passwords
Computerworld - A recent Google search of MySpace Inc.'s popular social networking site for several variations of terms describing a person's maternal grandparents returned more than 11,000 search results.
The search by security researcher and author Herbert Thompson illustrates the growing security threat posed by the massive amount of personal information posted on social networks, forums, blogs and other Web 2.0 destinations. Thompson sent the search results to Computerworld.
Posting seemingly innocuous information -- like a mother's maiden name or a pet's name -- could help a crook access personal data stored by banks, financial services firms and other companies, Thompson said. Many companies typically ask for such information from clients to reset a password on an account, he noted.
Thompson, who is founder and chief security strategist at People Security, a New York-based IT security consulting firm, described how easily personal information posted on a blog or social network could be used to break into a bank account in an article published in Scientific American this month.
With her permission, Thompson accessed a friend's bank account in an hour and a half after mining her personal blog personal for details like her birth date, birthplace, father's middle name and pet's name. He used the data to reset her e-mail password and gain access to an e-mail from her bank with instructions on how to reset her account password.
Thompson said in an interview that cybercriminals are increasingly mining personal data splashed throughout the Web 2.0 world. He noted that the questions that banks have long used to reset or recover passwords were typically seen as difficult for thieves to answer. Now, however, the answers to the questions are often readily available to crooks because so many people are now blogging about their personal lives or are creating personal profiles that are rife with this type of information, he noted.
As proof, Thompson pointed to the fact that thieves on underground forums typically charge 10 to 12 times more for stolen credit card numbers with the mother's maiden name or a pet's name of the owner than for the credit card alone.
"You may not think twice about posting your grandfather's name, but you've just released your mother's maiden name," he said. "There are a lot of places where you can claim to forget other questions, and the site will default to mother's maiden name. If I give you the log-in to one account, I've essentially given you a fish. If I give you the answer to people's password-recovery questions, I've taught you to fish. You can pillage their accounts."
- How Network Connections Drive Web Application Performance Users around the globe, on all sorts of devices, expect Web applications to function as seamlessly as desktop applications. This paper discusses the...
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success!
- Transform Your IT Service Management Watch this webinar, to learn how EasyVista can increase IT productivity & efficiency and deliver streamlined & integrated IT Service & Asset Mgmt. All Web Apps White Papers | Webcasts