Year of the Compromised Password

No, thankfully I have not had anyone rummaging in my email or buying stuff on my Amazon account.  But this year really has been the Year of the Compromised Password, in terms both of my clients having problems in this department that I've had to sort out, and in terms of people I know apparently sending me invitations to services of dubious origin.

And I have seen quite a lot of resulting speculation about how the passwords got stolen, so I thought I'd pile in...


The number one theory that people seem to come up with is that passwords are being stolen by hackers directly from the services themselves. The reasoning tends to go something like this: four people I know have sent me spam. Those four people all have facebook/hotmail/livejournal/deviantart accounts. Therefore, facebook/hotmail/livejournal/deviantart must have been hacked and their passwords stolen!

This is always possible, I suppose - never say hackers can't do anything! But it really doesn't seem the most likely explanation. In general, passwords are not stored in databases in an easily-stealable format. If you view a database containing a bunch of email passwords, you can't read those passwords - each one is stored as a one-way hash, which can't be turned back into the password; it can only be checked against a password you already have, by hashing that candidate and comparing. This is why if you contact your email provider and say 'I've forgotten my password!' they can't tell you what it is. They have to generate a new one.

If the passwords were all very easy to guess, then perhaps it's more likely that someone just got a list of, say, hotmail email addresses, and ran an attack on them to automatically guess the passwords. This does happen, though it's a lot of work just to be able to send spam - people doing that sort of thing are probably hoping the email address can be used to gain access to a bank account.
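To make the two paragraphs above concrete, here is an added example (my own illustration, not code from any of the services named) of what a properly run service actually keeps: a random per-user salt and a slow one-way hash, never the password itself. Verification recomputes the hash from the candidate; there is no decode step, which is why support can reset a password but not reveal it. The iteration count and salt length are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for PBKDF2-HMAC-SHA256; a real deployment tunes the
# iteration count to its own hardware. Slow hashing is what makes the
# "just guess them all" attack on easy passwords expensive per guess.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Return what a service should store for one user: a random salt and
    the one-way hash of the password. The password itself is never kept."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt by re-hashing the candidate with the stored salt.
    The only way to get a match is to already know the password."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # Constant-time comparison so response timing leaks nothing about the hash.
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_reveals_password(record: dict, password: str) -> bool:
    """What a thief who copies the database sees: no field holds the password."""
    return password in record.values()


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify(rec, "correct horse battery staple"))  # True
    print(verify(rec, "wrong guess"))                   # False
    print(record_reveals_password(rec, "correct horse battery staple"))  # False
```

Because the salt is random per user, two people who pick the same password still get different stored hashes, so a stolen table can't be matched against one precomputed list.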

When groups of people have their passwords stolen, there are likely to be other things they have in common apart from the services they use. If they know each other, then perhaps they attended a conference together, and all used the same wireless network to log in to their services? Traffic on an open or badly secured wireless network can be intercepted far more easily than Hotmail or Yahoo can be hacked.

Or perhaps they have all visited the same friend who allowed them to use his computer, or his wireless network, to check their email? If that one system is infected, the owner might never know that he's sending every password ever typed on it straight to a third party.

Perhaps the most likely scenario is that one member of the group got a password compromised, and that one person infected the others. I think I'm fairly careful and well informed about 'stuff not to click on' - but I admit, if someone I know, who has a good reason to contact me, sends me a message with a dodgy link, I'm much more likely to click before thinking. At that point, I'm hoping that my antivirus software will save me from my own idiocy - but no antivirus is 100% foolproof.

Another potential weakness is services that fake logins for more reputable services. We're getting used to logging in to services using the same ID - so convenient, to be able to comment on that news story with your Facebook account, or log into that store with your Gmail - and service providers like that approach too, as it means they may be able to collect your social media details rather than just your name. But it is very easy to build a login page that looks like Yahoo, but ain't.

If you try to log in to a site that vaguely interests you, to comment with, say, your Yahoo ID, and get a failure message, you would be excused for thinking 'oh drat' and just moving on - not realising that the page you typed your password into has collected it for later use. When your account is compromised three months later, you probably won't even remember that failed login.

I'm looking at my stupid number of accounts and passwords (managed via a secure password manager tool) and I'm thinking: 'must be cautious about linking accounts together'. This guy, for example, had his Apple email compromised via information from his Amazon account. I've had my Amazon account since the '90s and I've just realised I've never changed the password, so it was something of an Achilles heel. I have now!

Comments

( 12 comments — Leave a comment )
carmarthen
26th Sep, 2012 14:23 (UTC)
I've had two services (one health insurance, one medicsl) inform me that their databases were hacked and my credit card info/SSN/password may have been compromised. Both bought me a year of identity theft protection (I'm also pretty sure the first was why I got attempted bad charges on a credit card I hadn't used in over a year).

I don't know about services which don't store financial info, but those which do, when they're hacked, seem to let you know.
carmarthen
26th Sep, 2012 14:24 (UTC)
*medical
bunn
26th Sep, 2012 14:52 (UTC)
They certainly *should* tell you.

But there are so many databases out there recording bits and pieces of user information that I'm not convinced that when a whole database gets stolen it is always noticed - especially if the information isn't used immediately. If they just quietly got in, grabbed a database and made off with it without breaking anything in the process, then two months later started using the data, it could be hard to trace it back.

I've had that too, with an online shop which really should NOT have been storing credit card data anyway. :-/
carmarthen
26th Sep, 2012 15:48 (UTC)
Whether they notice probably depends on their security situation. I suspect in the USA at least there's a legal obligation to notify, if only to protect themselves from potential lawsuits.

Unfortunately, with today's cracked programs, the whole idea of a secure password may be futile...it's why financial institutions especially are moving towards two-step authentication.

What scares me is what happens when you combine these issues with the cloud, like that tech writer recently who got everything wiped by hackers in a few minutes. The cloud is no substitute for regular backups....
bunn
26th Sep, 2012 14:59 (UTC)
... meant to say - databases that are not related to email addresses are probably more vulnerable, because they are all different, whereas email tends to be a bit more standardised.
inzilbeth_liz
26th Sep, 2012 14:31 (UTC)
I've no idea why my email suddenly spammed all my contacts yesterday. I find it rather scary as I always assume the next thing will be my bank account being raided.
bunn
26th Sep, 2012 14:53 (UTC)
Well, you certainly aren't alone, I've had this SO many times this year. And there are so many ways the data could be stolen, it's really hard to pin it down. If you used an unsecured wifi connection to check email at any point, that would be my number 1 guess.
inzilbeth_liz
26th Sep, 2012 15:00 (UTC)
In the last month I've acquired my first smart phone, though, as far as I'm aware, I've only used my home wifi to check emails. I did have to create a google account email to use it and, until yesterday, this had the same password as my yahoo email. Other than that, it's hard to say as, like everyone, I'm careful. But, of course, you never know.

I see you are on my contacts list so sorry about the spam!
bunn
26th Sep, 2012 15:23 (UTC)
I take it your home wifi is definitely secure...?

I ask because the other day I took my laptop to my Mum's house which is in an only slightly more built-up area than mine, and it picked up THREE unsecured wifi networks belonging to neighbours (and three secured ones).

I'm working through the ideas just now because I'm building a system which has a user/password system. I was thinking: 'well, this really won't have anything of even passing confidentiality in it' - but then I thought of the 'same password' thing, which means that probably I should protect the data to the best of my ability. Even though it *shouldn't* be any use to anyone, it could be if a user chose the same password as on a more important service...
wellinghall
26th Sep, 2012 15:34 (UTC)
Four of our neighbours have wifi we can sense, but they are all secured. One of them must be unusually powerful, though, as we only have three immediate neighbours.
inzilbeth_liz
26th Sep, 2012 15:56 (UTC)
I've never used the Wifi before but assumed it was secure. Wouldn't hurt to double check.... thanks for the tip.
lindahoyland
26th Sep, 2012 15:45 (UTC)
Thanks for sharing this.