Tuesday, October 7, 2014

Weak Comcast XFinity Security

I am not a hacker, or even a coder.  I am just a somewhat experienced computer user and a reasonably intelligent person.  I have never done this before.

My friend didn't think e-mail security was anything to be concerned about, so I decided to put it to the test.  I tried to hack into his e-mail.

Within 20 minutes, I had complete access to his XFinity home e-mail (and other things like DVRs and home security).  Within 30 minutes, I had acquired new passwords to online vendors that he used.  If he had credit card numbers on file with them, I could place orders.  Here's how it went:

My friend has a comcast.net email address.  I went to Comcast and clicked "forgot password".  The password reset function asks for answers to security questions.  Each answer is like a tumbler in a lock.  You have to answer all the questions correctly - at the same time - to open the lock.

In this case, Comcast only asks for one answer.  This is a lock with a single tumbler.  That's the first security hole.

The process also asked for his zip code.  Since I knew roughly where he lived, I knew his zip code from Google Maps.

The second security hole involved how many times you could guess.  The answer: unlimited.  Good systems will lock out the user after enough incorrect responses, or at least prevent any further guesses for a time period.  Or change which security question is being asked.

In this case, the question was asking for a surname - the same surname - over and over an unlimited number of times.  I took the 100 most common surnames and went down the list one-by-one.  Number 47 opened the lock.
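The lockout behaviour described above, sketched from the defender's side as an added example that is not part of the original post and is not Comcast's code. The `ResetGuard` class, the thresholds, the account name and the placeholder surnames are all assumptions made for illustration.

```python
import hmac
import time

MAX_FAILURES = 5            # assumed threshold, tune per risk appetite
LOCKOUT_SECONDS = 15 * 60   # assumed lockout window


class ResetGuard:
    """Throttles security-question guesses per account (hypothetical helper)."""

    def __init__(self, answers, clock=time.monotonic):
        self.answers = answers    # {account: [answer, ...]}, constructed sample store
        self.clock = clock        # injectable so tests can advance time
        self.failures = {}        # account -> consecutive failed attempts
        self.locked_until = {}    # account -> time at which the lockout ends

    def attempt(self, account, guesses):
        now = self.clock()
        if now < self.locked_until.get(account, 0):
            return "locked"       # the guess is not evaluated at all
        expected = self.answers.get(account, [])
        # Every answer must be right at the same time; compare in constant time.
        ok = bool(expected) and len(guesses) == len(expected)
        for want, got in zip(expected, guesses):
            ok &= hmac.compare_digest(want.lower().encode(), got.strip().lower().encode())
        if ok:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return "denied"


def replay_guess_list(guard, account, surnames, other_answer):
    """Feed a one-by-one surname list to the guard; return (evaluated, opened)."""
    evaluated = 0
    for name in surnames:
        result = guard.attempt(account, [name, other_answer])
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            return evaluated, True
    return evaluated, False


if __name__ == "__main__":
    # Constructed data: placeholder surnames, with the right one at position 47.
    store = {"friend@example.test": ["surname047", "constructed-second-answer"]}
    names = [f"surname{i:03d}" for i in range(1, 101)]
    print(replay_guess_list(ResetGuard(store), "friend@example.test", names, "constructed-second-answer"))
```

With these settings the one-by-one walk is cut off after five evaluated guesses, so an answer sitting at position 47 is never reached inside a single lockout window.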

The enthusiasts can do their own thing, but average people who use the internet as part of their daily lives for banking and commerce come to rely on big brand names like Comcast and assume that they will be taken care of.  This level of lax security on such a large system is just unacceptable.