Social Engineering in the Facebook Era
August 26, 2008 11:34 AM
‘Forgot your password?’ may be weakest link. Herbert Thompson, chief security strategist of People Security, "asked some of his acquaintances for permission to break into their online banking accounts. The goal was simple: get into their online accounts using the information about them, their families and acquaintances that is freely available online."
"Questions about hacking through password resets have been raised before. When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dogs' names.
It also prompted researchers to study the issue, which is also known as 'fallback authentication.' Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF) titled in part, 'Security Questions in the Era of Facebook.' It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember."