Researcher mines blogs, social networks to access bank accounts

Family names, other data posted on sites like MySpace, Facebook used to reset passwords

A recent Google search of the popular social networking site MySpace for several variations of terms describing a person's maternal grandparents returned more than 11,000 search results.

The search by security researcher and author Herbert Thompson illustrates the growing security threat posed by the massive amount of personal information posted on social networks, forums, blogs and other Web 2.0 destinations. Thompson sent the search results to Computerworld.

Posting seemingly innocuous information - like a mother's maiden name or a pet's name - could help a crook access personal data stored by banks, financial services firms and other companies, Thompson said. Many companies typically ask for such information from clients to reset a password on an account, he noted.

Thompson, who is founder and chief security strategist at People Security, a New York-based IT security consulting firm, described how easily personal information posted on a blog or social network could be used to break into a bank account in an article published in Scientific American this month.

With her permission, Thompson accessed a friend's bank account in an hour and a half after mining her personal blog personal details like her birth date, birthplace, father's middle name and pet's name. He used the data to reset her e-mail password and gain access to an e-mail from her bank with instruction on how to reset her bank account password.

Thompson said in an interview that cybercriminals are increasingly mining personal data splashed throughout the Web 2.0 world. He noted that the questions that banks have long used to reset or recover passwords were typically seen as difficult for thieves to answer. Now, however, the answers to the questions are often readily available to crooks because so many people are now blogging about their personal lives or are creating personal profiles that are rife with this type of information, he noted.

As proof, Thompson pointed to the fact that thieves on underground forums typically charge 10 to 12 times more for stolen credit card numbers with the mother's maiden name or a pet's name of the owner than for the credit card alone.

"You may not think twice about posting your grandfather's name, but you've just released your mother's maiden name," he said. "There are a lot of places where you can claim to forget other questions and the site will default to mother's maiden name. If I give you the login to one account I've essentially given you a fish. If I give you the answer to people's password recovery questions I've taught you to fish. You can pillage their accounts."

The problem with the type of information that is posted in blogs and social networks can be compounded by the fact that "the Web - especially Web 2.0 is very sticky," he added. Many archive sites contain snapshots of data long after the primary data has been removed. In addition, thieves can supplement information from Web 2.0 sites with public data from state motor vehicle department sites or from those containing home ownership records, he noted.

To offset this problem, Thompson advises that people find out from their bank or financial services firm what information they use to reset a password. Then, they can backtrack to see if any of the information about them required to answer those questions could potentially be found on the Web, he added. If so, he advised online users to change the password recovery answers or question,

"Most people are likely to find some scary mismatches-that information is publicly available through some state or other government department or it is something they have freely disclosed online. See if you are comfortable with your bank account access ? riding on those pieces of information."

Tags privacy

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Heather Havenstein

Computerworld

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?