Some security researchers suspect that too many individuals post seemingly harmless information about themselves on blogs and social networking web sites. Posting information such as your name, date of birth, and even your pet’s name may seem fun and harmless, but it may also provide crucial information to online thieves.
Many web sites that maintain user profiles provide an option for users to reset their password by clicking on a “Forgot Your Password?” link. One researcher used the “Forgot Your Password” link and other personal information found on social networking sites to break into his friends’ online bank accounts. The friends provided permission to the researcher so that he could demonstrate how social networking information could be misused.
The researcher began by finding one friend’s blog and résumé. That data provided a bounty of information on her grandparents, pets, hometown and more. The researcher then visited her bank’s web site. The friend’s account user name was simply her first initial and last name. At this point, the researcher clicked on the “Forgot Your Password” link and requested a password change. The bank sent an email with the new password information to the friend’s web mail account. The researcher then requested a password reset for that email account, which sent a link to her old college email account. To access her college email account, the researcher only needed to supply the woman’s address, zip code, and birth date. Once the researcher had successfully infiltrated the college email account, he was able to gain access to the email account that she used for her online banking by supplying other vital information such as the friend’s birthplace and father’s middle name – and ultimately entered her bank account by supplying her pet’s name.