Prove researchers

Aug 28, 2008 14:19 GMT  ·  By

Password retrieval systems leave room for breaches that let an attacker take over almost anyone's account. This is possible because personal information about a person can now be found with a brief web search. Social network profiles, resumes, and lists published by universities and other institutions offer details which, put together, reveal nearly the entire life of a person.

A study by a researcher at the University of California, Berkeley shows what was already known but has so far largely been ignored. "In the context of fallback authentication, the user is assumed to be unable to remember arbitrary strings - otherwise they would have been able to remember their password. Thus, the ideal security question should have an answer that is completely determined by the question, so that the user need not memorize or guess. As a result, the security questions posed essentially determine the answers given," explains Ariel Rabkin.

Together with his partners, the researcher identified six potential flaws in the security questions used for password retrieval. First of all, the questions are not applicable to everyone: they sometimes ask about spouses or vacation homes, so they exclude part of the user base. Some refer to facts from long ago, so the answer is easily forgotten. Others are ambiguous, admitting several plausible answers. Many questions whose answers follow demographic patterns, such as "How old were you when you got married?", are guessable, because most users' answers fall within a narrow range of values, so an attacker who tries the most common ones first has a good chance of success. Answers based on information that can be found on the Internet (such as a person's first job or graduation year) can be attacked with little effort.
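The "guessable" flaw is the one that can be put into numbers. The following is an added example, written for this page; it is not code from Rabkin's study or from the article, and the answer distributions in it are constructed for illustration rather than survey data. It computes what an attacker who knows only population statistics gains from the skew of a question's answers: the success rate of the k most likely guesses, the number of guesses needed to reach a given success rate, and min-entropy versus Shannon entropy, then applies a simple policy check against a site's lockout threshold.

```python
"""Added example: how guessable is a security question?

Illustration code written for this page, not code from Rabkin's study
or from the article.  The answer distributions are constructed (made up)
to show the effect of demographic clustering; they are not survey data.
"""
import math

# Constructed relative weights per answer (NOT real statistics).
# "How old were you when you got married?": answers bunch in a narrow band.
AGE_AT_MARRIAGE = {
    22: 6, 23: 7, 24: 9, 25: 11, 26: 12, 27: 11, 28: 10, 29: 8, 30: 7,
    31: 5, 32: 4, 33: 3, 34: 2, 35: 2, 36: 1, 37: 1, 38: 1,
}
# A uniformly random 4-digit PIN for comparison: every answer equally likely.
PIN_4_DIGIT = {f"{n:04d}": 1 for n in range(10_000)}


def _sorted_weights(weights):
    """Weights sorted most-likely first, plus their total."""
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("distribution must have positive total weight")
    return sorted(weights.values(), reverse=True), total


def guess_success(weights, attempts):
    """Probability that an attacker who submits the `attempts` most common
    answers, most likely first, hits the victim's answer.  This is the
    optimal strategy when only population statistics are known."""
    ranked, total = _sorted_weights(weights)
    return sum(ranked[:attempts]) / total


def guesses_needed(weights, target):
    """Fewest optimal guesses whose cumulative success reaches `target`
    (a probability), or None if it is never reached."""
    ranked, total = _sorted_weights(weights)
    running = 0
    for n, w in enumerate(ranked, start=1):
        running += w
        if running >= target * total:
            return n
    return None


def min_entropy_bits(weights):
    """-log2(probability of the single most likely answer).  This, not
    Shannon entropy, bounds a single-guess attack on a recovery form."""
    ranked, total = _sorted_weights(weights)
    return -math.log2(ranked[0] / total)


def shannon_entropy_bits(weights):
    """Shannon entropy, included to show how it overstates the security
    of a skewed distribution relative to min-entropy."""
    ranked, total = _sorted_weights(weights)
    return -sum((w / total) * math.log2(w / total) for w in ranked if w > 0)


def assess(weights, attempts_allowed, max_success):
    """Policy check: given `attempts_allowed` tries before lockout, is the
    attacker's success rate at most `max_success`?  Returns
    (acceptable, success_rate)."""
    rate = guess_success(weights, attempts_allowed)
    return rate <= max_success, rate


if __name__ == "__main__":
    for name, dist in (("age at marriage", AGE_AT_MARRIAGE),
                       ("4-digit PIN", PIN_4_DIGIT)):
        ok, rate = assess(dist, attempts_allowed=5, max_success=0.01)
        print(f"{name:16s} min-entropy {min_entropy_bits(dist):5.2f} bits, "
              f"Shannon {shannon_entropy_bits(dist):5.2f} bits, "
              f"success in 5 guesses {rate:.2%} "
              f"-> {'acceptable' if ok else 'too guessable'}")
```

With the constructed age distribution, five guesses succeed more than half the time, so no reasonable lockout threshold makes the question safe; the uniform PIN needs thousands of guesses for the same success rate. The model only covers an attacker limited to population statistics. The article's point is that once the answer is on the victim's blog or resume, the distribution collapses to a single value and the success rate is effectively 100 percent regardless of the site's `attempts_allowed`.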

Herbert Thompson, a security expert at People Security, showed Scientific American magazine how he broke into the online banking account of a friend, naturally with her prior consent. Step by step, he worked his way into her Gmail account (listed as a contact address on her blog) and then into an old college e-mail account, to which the bank had sent its password reset message.

He had found the old account on an online resume she had posted years earlier when applying for a job. Claiming to have forgotten that e-mail password as well, he answered its recovery questions with information found, once again, on the blog (the dog's name, place of birth, hometown, and so on). When he reached the online banking password retrieval form, details taken from the resume or the blog, along with a few answers he guessed, gave Thompson full access to his friend's money.