Contact scraping

Any site that asks for a username and password pertaining to another site should raise red flags for you, but apparently contact scraping is getting results:

Once you enter your credentials, like your [email] user name or password, the company sweeps through your contact list and sends everyone an invitation to join the site.

Nothing new here, but the tactic can be tough to spot. Facebook has nearly tricked me into giving up all of my email contacts a couple of times.


StrongWebmail hacked after issuing $10K challenge

Here’s the story:

Who among us doesn’t love a good hack? After putting forth a $10,000 come-and-get-us challenge, it’s possible that StrongWebmail CEO Darren Berkovitz is rethinking his stance on that. The company, which makes voice-based authentication software, dared hackers to break into Mr. Berkovitz’s Web-mail account and report back details from an upcoming date on his calendar. A week later, a team of high-profile security researchers contacted a reporter with precisely that information.

Once again, it’s worth pointing out that there is no such thing as perfect security. You have to choose a level that is good enough. It can be uncomfortable to know and accept that your email address could get hacked, but there’s no way around it. All you can do is decrease the chances in a way that doesn’t cramp your style too much.

I advocate cramping your style a bit more than others in your category of “target juiciness”. If you have typical assets to protect, put just a bit more effort into security than the typical person. If you are atypical, put just a bit more effort into security than those with your level of assets.


What’s your secret question (Part III)

If your secret question is easier to guess than your password, your password is effectively useless. From the abstract of a recent Microsoft research paper:

All four of the most popular webmail providers – AOL, Google, Microsoft, and Yahoo! – rely on personal questions as the secondary authentication secrets used to reset account passwords. The security of these questions has received limited formal scrutiny, almost all of which predates webmail. We ran a user study to measure the reliability and security of the questions used by all four webmail providers. We asked participants to answer these questions and then asked their acquaintances to guess their answers. Acquaintances with whom participants reported being unwilling to share their webmail passwords were able to guess 17% of their answers.

Since you often need to provide answers to secret questions when signing up for online accounts, I suggest using strings like “lJOcK6gS”. You can employ something like Password Safe to generate those strings and store them.
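As an added illustration (not part of the original post, and not Password Safe's own code), the following Python generates answers of the kind suggested above from the operating system's cryptographic random source and reports how much entropy such an answer carries. The function names, the 8-character default and the letters-plus-digits alphabet are my assumptions, chosen to match the style of the example string in the post.

```python
import math
import secrets
import string

# Assumed alphabet: upper- and lower-case letters plus digits, the same
# character classes as the post's example answer "lJOcK6gS".
ANSWER_ALPHABET = string.ascii_letters + string.digits


def random_answer(length: int = 8, alphabet: str = ANSWER_ALPHABET) -> str:
    """Return a random string suitable as a secret-question answer.

    Uses the `secrets` module (CSPRNG-backed) rather than `random`, so the
    answer is not predictable from a seed or from earlier outputs.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Entropy, in bits, of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def single_guess_probability(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Chance that one guess hits a uniformly random answer of this length.

    The study quoted above found acquaintances guessed 17% of real answers;
    for a random 8-character answer the figure is roughly 1 in 2.2e14.
    """
    return 1.0 / (alphabet_size ** length)


def is_in_alphabet(answer: str, alphabet: str = ANSWER_ALPHABET) -> bool:
    """Check that an answer uses only characters from the chosen alphabet."""
    return all(ch in alphabet for ch in answer)


if __name__ == "__main__":
    answer = random_answer()
    print(f"generated answer: {answer}")
    print(f"entropy: {entropy_bits(len(answer)):.1f} bits")
    print(f"probability of a single correct guess: {single_guess_probability(len(answer)):.3g}")
```

Generate one such string per secret question, store it in a password manager alongside the account, and treat it exactly like a second password. Note that a site may silently truncate or lower-case the answer, so verify it once after saving.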


Biometrics over the phone

Straight from the “how cool is that?” department:

You are the victim of identity theft and the fraudster calls your bank to transfer money into their own account. But instead of asking them for your personal details, the bank assistant simply presses a button that causes the phone to produce a brief series of clicks in the fraudster’s ear. A message immediately alerts the bank that the person is not who they are claiming to be, and the call is ended.

But there are still a few hurdles before the technique can be used, including this one:

“It has to be able to reliably recognise people over long time periods,” he says. “For example, a fingerprint taken from a 20-year-old is still valid when they are 60.”


Monozygotics have all the fun

Of course, before DNA analysis was possible, investigators would have been equally stymied by crimes involving non-twins that left this little evidence, but our expectations are higher now:

Saved by their indistinguishable DNA, identical twins suspected in a massive jewelry heist have been set free. Neither could be exclusively linked to the DNA evidence.
