Monday, January 25, 2010

Protecting Your Personal Information on the Internet

Do you continue to hear the stories about passwords and accounts being hacked, people being scammed on-line and companies "losing" their customers' information? Does it make you nervous?

DIY Identity protection

The on-line world, much like the real world, is both wild and wonderful. There are positive elements and seriously creepy elements.

This is the first in what I think will be a four post series on protecting yourself and your family on the web.

To start us off I’m posting a terrific, albeit scary, MSNBC article about how easy it is to gather and then use your personal information from Facebook and other sites where bits of your identity can be viewed by any maniac with a computer.

From the story, "Using only one friend’s name and place of employment, he found her blog and résumé. That provided a font of information on her grandparents, pets, hometown and more. He then visited her bank’s Web site...."  I'll have tips for you at the end.

‘Forgot your password?’ may be weakest link
by Bob Sullivan, MSNBC

Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar "Forgot your password?" link and, after entering your pet's name, identifying your high school mascot or answering some other seemingly obscure questions, you can get back into your account.

But there's a problem: A criminal can do that, too. With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You’d be surprised how easily someone can uncover Fido's name or your alma mater with a little creative searching.

Some security researchers are beginning to sound the alarm about "password resetting" tools, suggesting they could be the weakest link in Web security.

As an experiment, Herbert Thompson, chief security strategist of People Security, recently asked a few friends for permission to "hack" into their bank accounts. Using only information gathered from Web sites, Thompson found his way in within minutes.

"This is a serious problem. It kind of blew me away," Thompson said.

Here’s what Thompson did. Using only one friend’s name and place of employment, he found her blog and résumé. That provided a font of information on her grandparents, pets, hometown and more. He then visited her bank’s Web site, where her user name was simply her first initial and last name. He asked for a password reset. The bank sent an e-mail with that information to her Web mail account. Thompson then asked for a password reset there, which sent a link to her old college e-mail account. There, Thompson needed only to supply the woman’s address, zip code, and birth date. Once successfully in the college account, Thompson hacked his way into the Web mail account – supplying her birthplace and father’s middle name – and ultimately entered her bank account by supplying her pet’s name.

“I did this a couple of times. But the scariest thing would be someone doing this with some scale,” Thompson said. A more detailed description of his romp through someone else's identity can be read on the Scientific American Web site.

There are no known cases in which hackers have widely exploited “forgot your password” links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dog's names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.

In most cases, such information sets are probably the result of successful phishing attempts, Jakobsson said, where a victim unwittingly supplied personal information in response to an e-mail. But he’s seen demonstrations of far more sophisticated tools designed to “scrape” information off blogs and social networking pages for later use by hackers.
“It’s an automatic dossier building tool,” he said.

Like Paris Hilton
Questions about hacking through password resets have been raised before. When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dog's names.

It also prompted researchers to study the issue, which is also known as “fallback authentication.” Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper titled in part, “Security Questions in the Era of Facebook.” It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember.

"Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can’t seem to get rid of that question. … If we do nothing this will get steadily worse."

In some situations, statistics give the criminal an advantage. For example, data published by some U.S. cities indicated about 1 percent of the nation’s dogs are named “Max,” making that a pretty good guess for a criminal trying to break into thousands of bank accounts. When a bank asks consumers who their favorite president was, it rarely takes more than two guesses, Rabkin said.
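To put numbers on the "Max" example, here is a small added Python illustration (not code from the article or this blog) of how a defender can score a reset question by the popularity of its answers; the frequency tables are constructed sample data, except that the 1 percent figure for "Max" is the one the article cites.

```python
# Added illustration of the guessing arithmetic behind the article's "Max"
# example. The answer frequencies are constructed sample data; only the 1%
# figure for "Max" comes from the article.
from math import log2

# Constructed: fraction of users whose answer is each value. Everything not
# listed is treated as a long tail the attacker does not bother guessing.
DOG_NAMES = {"Max": 0.010, "Buddy": 0.009, "Bella": 0.008, "Lucy": 0.007}
FAVORITE_PRESIDENT = {"Lincoln": 0.40, "Washington": 0.25, "Kennedy": 0.10, "Reagan": 0.08}


def success_within_k_guesses(freqs, k):
    """Fraction of accounts opened by trying only the k most popular answers,
    which is all an attacker gets before a typical lockout kicks in."""
    return sum(sorted(freqs.values(), reverse=True)[:k])


def min_entropy_bits(freqs):
    """Min-entropy (-log2 of the best single guess). For online guessing this,
    not average entropy, is what matters: the attacker always tries the most
    common answer first."""
    return -log2(max(freqs.values()))


def uniform_min_entropy_bits(n_values):
    """Min-entropy of a uniformly random secret with n_values possibilities,
    e.g. a 4-digit PIN (10_000), for comparison against a question."""
    return log2(n_values)


def expected_compromised(freqs, k, accounts):
    """Expected accounts opened when the same k guesses are replayed against
    `accounts` different users: the 'thousands of bank accounts' scenario."""
    return success_within_k_guesses(freqs, k) * accounts


def report(name, freqs, lockout=3, accounts=10_000):
    """Summarise one question's guessability under a lockout of `lockout` tries."""
    return {
        "question": name,
        "min_entropy_bits": round(min_entropy_bits(freqs), 2),
        "hit_rate_within_lockout": success_within_k_guesses(freqs, lockout),
        "expected_hits_per_10k_accounts": round(expected_compromised(freqs, lockout, accounts)),
    }


if __name__ == "__main__":
    for name, freqs in (("first pet's name", DOG_NAMES),
                        ("favorite president", FAVORITE_PRESIDENT)):
        print(report(name, freqs))
    print("4-digit PIN, single best guess:", uniform_min_entropy_bits(10_000), "bits")
```

Even a 1 percent hit rate is 100 accounts per 10,000 when the same guess is replayed at scale, which is why a lockout counter alone does not make a popular-answer question safe.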

Even if the questions are more personal, and even if the subject doesn’t have their own blog, others might blog about their dog, car or high school. And search engines can easily unearth such minutiae.

“There is an arms race here between people who are trying to ask obscure questions about (us) and people who are trying to answer obscure questions about (us),” Rabkin said.

Not a bad idea
Thompson, the People Security expert, said that asking “challenge” questions with so-called “out of wallet” answers – questions that even a criminal who stole your wallet couldn’t answer – once was a secure way to confirm someone’s identity.

“If you think about it, 10 years ago this didn’t seem like a horrible idea, to ask for someone’s personal information,” he said. “You could say, ‘It’s probably unlikely that someone will know all of this information about me, or spend the time necessary to gather it.’ But now it’s really easy for someone who's never met you to know all this about you.”

Coming up with secure challenge questions is no easy task. There are two problems to consider: The question must be difficult for a stranger to answer but it also must be easy enough so the customer doesn't forget. Quick: What's your kindergarten teacher's name? Was it McFadden or MacFadden or Mcfadden?

“In some cases, it’s easier for an attacker with good data mining skills than the real person to answer these questions,” Jakobsson said. He is hard at work developing a new solution, one which relies on the answers to “preference” questions rather than fact-based personal questions. A consumer who requests a password reset might be confronted with questions like, “Do you like antique stores?” or “Do you like opera?”

Asking 16 questions like these would provide positive identification in better than 99 percent of cases, he said. “And preferences are rarely stored in databases.” (More on this idea can be found at

Rabkin is all for improving the problem of forgotten passwords, but he is careful to not exaggerate the problem. In addition to the lack of proof that any widespread forgotten password hacking has occurred, he says banks have multiple systems in place to prevent thefts from online services. When a password reset is initiated, for example, banks automatically set a red flag on an account and watch it for suspicious behavior. Any large transactions following soon after would surely be stopped, he said.

“The problem is not as bad as you think,” he said. “It’s not so easy to match up a pet name from Facebook with another database of login names and another database of Social Security numbers,” and use that to withdraw cash, he said.

Still, there is another problem associated with the importance of personal questions in security. A consumer who falls for an extensive phishing e-mail or has their blog copied by a hacker, may find it nearly impossible to navigate the digital world in the future. How would such a person ever reclaim a password or otherwise authenticate their identity?

“It would be incredibly difficult to recover from something like that,” Thompson said. “You can't really change your mother’s maiden name or these other things.”

Red Tape Wrestling Tips
Researchers like Jakobsson are looking for new ways to authenticate consumers. One obvious area of potential is biometrics. The chief criticism of this technology, which uses people’s eyes, fingerprints, etc., to verify their identity, is the “doomsday” possibility that once such information is compromised, it could never be trusted again. You can’t change irises, for example. But Thompson points out that the same is true for personal information such as your first pet’s name or your mother’s middle name. While biometrics has potential flaws, new systems will soon be necessary, Thompson said.

Of course, these security enhancements are still in the future, so for now, consumers must fend for themselves. When answering password recovery questions while registering for online banking and other Web sites, don’t always pick the most obvious question. Consider what someone might be able to find about you on your blog. Better yet, consider not disclosing any personal information on your blog.

Alfred Huger, a security researcher at Symantec Corp., offers this suggestion: Some sites now allow consumers to make up their own question. While that might be a hassle, it’s probably much more secure. Again, think of a question only you can answer, and something that’s unlikely to be in any database. That probably means the name of your first girlfriend or boyfriend won’t cut it.

Are you sufficiently scared?

Here are some tips that eM and I use on-line:
Facebook tips:
  1. Keep an eye on this site!  Facebook's founder believes that   For starters, don’t use any of the goofy applications and add ons available – they are not vetted by Facebook and when you install them you often give them access to your personal information even if it's hidden. If you already have them installed, go into your privacy settings and either deny them access or eliminate them. Users have gotten into trouble because of installed Facebook apps that looked harmless but weren't.
  2. Don’t include any personal information about your date of birth, kids’ names, pets’ names or anything else that you’ve used to set up passwords. Doesn’t matter if you’re not using the kids’ names in your Facebook password (see the article above). If someone posts something with your kids’ name, ask them to delete it.  If they tag them, delete the tag.  Did you put your high school or college graduation dates on your profile? Eliminate them immediately. Limit the amount of other personal data you show on your profile.  I'll have another post about later in this series.
General tips:
  1. Don’t EVER, EVER click on a link to a site that’s sent to you in an email. Always navigate directly to the site through your browser. Bad people scam lots of good people by making an email look official (like from the bank) with a login link that captures your user name and password. Once they’re in the very first thing they do is change your password so you’re locked out of your own account.
  2. Don’t ever send personal or financial information over the web unless the url in the address bar at the top of your browser starts with “https://”. That little extra “s” at the end means that it’s a secure, encrypted connection. If you’re using an address that starts with http (without the “s”), assume someone is looking at whatever it is that you’re looking at and seeing whatever it is that you’re sending across the web.
  3. Don’t store credit card information on any site. I know it’s a pain in the bum to enter your info each time you’re making a purchase from a favorite site but do you really want your credit card info sitting on some company’s machine?
  4. Never check the “remember me” button when logging in unless you’re doing so from your home machine.
  5. Always hit the “log off” or “sign off” button when you’re finished.
  6. Always close your browser tab when finished with a site.
  7. Configure your to run on pc start up to clean out your internet files and cookies.
Hope that helps! During the rest of this four part DIY series we're also going to review , and how to .
