Friday, September 5, 2008

"Forgot Your Password" ?

Well, what do you know: who would ever have thought that the most widely used password recovery procedure could be exploited? Who would ever have thought that a security procedure would turn out to be not that secure at all?

I was checking my mail at Hotmail and bumped into an article on MSN. It described an individual who got into somebody else's accounts using nothing but the victim's profile, which is freely available online! With the flood of community sites on the web today, like Facebook, Friendster, even IMEEM and others, your information is out there for anyone to read, and whoever bumps into it can use what they see to get into your bank accounts, email accounts and whatever other vital information they can reach.

I am talking about Herbert H. Thompson, a professor and software developer who has spent a career in software security. In his article he wrote: "I decided to conduct an experiment to see how vulnerable people's accounts are to mining the Web for information. I asked some of my acquaintances, people I know only casually, if with their permission and under their supervision I could break into their online banking accounts. After a few uncomfortable pauses, some agreed. The goal was simple: get into their online banking account by using information about them, their hobbies, their families and their lives freely available online."

Some security researchers are beginning to sound the alarm about "password reset" tools, suggesting they could be the weakest link in Web security.

If you try looking for a friend's information, you can simply Google their name and, without invoking a magic word or waving a magic wand, you get a list of sites where your friend's information is freely available and, worse, freely exploitable! I tried Googling my name, and there it was: a list of the sites I am currently subscribed to, with all the correct but undated information. I tried Googling Himura's name and that's how I found out when his birthday was! (I won't use your information against you, Himura.)

When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dogs' names.

It also prompted researchers to study the issue, also known as “fallback authentication.” Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem.

"Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can’t seem to get rid of that question. … If we do nothing this will get steadily worse."

Red Tape Wrestling Tips
Researchers like Jakobsson are looking for new ways to authenticate consumers. One obvious area of potential is biometrics. The chief criticism of this technology, which uses people’s eyes, fingerprints, etc., to verify their identity, is the “doomsday” possibility that once such information is compromised, it can never be trusted again. You can’t change your irises, for example. But Thompson points out that the same is true for personal information such as your first pet’s name or your mother’s middle name. While biometrics has potential flaws, new systems will soon be necessary, Thompson said.

Of course, these security enhancements are still in the future, so for now consumers must fend for themselves. When answering password recovery questions while registering for online banking and other Web sites, don’t always pick the most obvious question. Consider what someone might be able to find out about you from your blog. Better yet, consider not disclosing any personal information on your blog. Remember, too, that an answer does not have to be known to be guessed: someone with a short list of likely answers can simply try them all, unless the site limits how many attempts it allows.

Alfred Huger, a security researcher at Symantec Corp., offers this suggestion: Some sites now allow consumers to make up their own question. While that might be a hassle, it’s probably much more secure. Again, think of a question only you can answer, and something that’s unlikely to be in any database. That probably means the name of your first girlfriend or boyfriend won’t cut it.

So the next time you post your information on the web, maybe it's good to lie about it... just to be safe. If you don't want to lie, you can still post real information on the web, as long as you don't hand out "possible answers" to the "Forgot Your Password" link. The simplest way to do that is to treat each security answer as a second password: answer with something random that has nothing to do with your life, and keep it in a password manager or written down somewhere safe instead of in your memory.
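As an added example (not code from this post or from the articles it quotes), here is what treating a security answer as a second password looks like from both sides: the user answers with a random token kept in a password manager, and the site stores only a salted, slow hash of the answer, compares it in constant time and locks the reset flow after a few wrong guesses. The user names, the harvested guess list and the attempt limit are constructed for the example.

```python
"""Fallback authentication done as a second password (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed for this example: the kind of short guess list an attacker can
# harvest from a public profile (pet names, schools, maiden names, birthplaces).
PROFILE_GUESSES: List[str] = ["Buddy", "Max", "Bella", "Tinkerbell", "Rocky", "Lucy"]

PBKDF2_ROUNDS = 100_000  # deliberately slow; tune for your server


def normalise(answer: str) -> str:
    """Tolerate case and stray whitespace in the answer, nothing more."""
    return " ".join(answer.strip().lower().split())


def random_answer(nbytes: int = 16) -> str:
    """The 'lie' the post recommends, but one that is on no profile page.

    A 128-bit random token the user keeps in a password manager.
    """
    return secrets.token_urlsafe(nbytes)


def hash_answer(answer: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash of the normalised answer; the plaintext is never stored."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", normalise(answer).encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


class FallbackAuth:
    """Server-side 'forgot your password' check with a per-user attempt limit."""

    MAX_ATTEMPTS = 3  # constructed limit for the example

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}

    def enrol(self, user: str, answer: str) -> None:
        self._records[user] = hash_answer(answer)
        self._failures[user] = 0

    def is_locked(self, user: str) -> bool:
        return self._failures.get(user, 0) >= self.MAX_ATTEMPTS

    def verify(self, user: str, guess: str) -> bool:
        # A locked user must recover through another channel (a mailed code,
        # a phone call). Refusing even the right answer here is what stops an
        # online dictionary attack against the question.
        if user not in self._records or self.is_locked(user):
            return False
        salt, stored = self._records[user]
        _, candidate = hash_answer(guess, salt)
        ok = hmac.compare_digest(candidate, stored)  # constant-time comparison
        self._failures[user] = 0 if ok else self._failures[user] + 1
        return ok


def online_guess_attack(auth: FallbackAuth, user: str, guesses: List[str]) -> Optional[str]:
    """Attacker's view: try each harvested guess until one works or the account locks."""
    for guess in guesses:
        if auth.verify(user, guess):
            return guess
        if auth.is_locked(user):
            break
    return None


def demo() -> Dict[str, object]:
    """Run the attack against a truthful answer and against a random one."""
    auth = FallbackAuth()
    # 'alice' answers "What was your first pet's name?" truthfully, and the
    # name is on her public profile. 'bob' answers with a random token.
    auth.enrol("alice", "Max")
    bob_secret = random_answer()
    auth.enrol("bob", bob_secret)

    alice_hit = online_guess_attack(auth, "alice", PROFILE_GUESSES)
    bob_hit = online_guess_attack(auth, "bob", PROFILE_GUESSES)
    return {
        "alice_compromised_with": alice_hit,        # "Max": the second guess works
        "bob_compromised_with": bob_hit,            # None: no harvested guess works
        "bob_locked_after_attack": auth.is_locked("bob"),                   # True
        "bob_real_answer_accepted_while_locked": auth.verify("bob", bob_secret),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noticing when you run it: the attempt limit alone would also have saved "alice" if her pet's name had been fourth in the list rather than second, so rate limiting on the reset flow matters even for users who answer truthfully; and the lockout is itself a denial-of-service lever, which is why the locked state has to lead to a different recovery channel rather than to a dead end.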

Sources: Red Tape Chronicles, Scientific American Website

1 comment:

Anonymous said...

Well, almost half of the world knows what password I've been using ever since, but I'm not worried since I'm not popular and I don't have millions in my bank account or in my PayPal account, so there's nothing to fear yet. ^_^