Second In A Series: In a recent post, I described several situations where web-based email accounts were compromised.  Probably the best known incident involved Sarah Palin’s Yahoo e-mail account, which was burgurlarized a few months prior to the November 2008 presidential election.

Could this type of attack happen today? Yes.

Should a non-celebrity, average person be concerned about their email security? Absolutely.

Everyone needs to be concerned about email security

Even if you’re not famous …even if you’re not involved in anything illegal or embarrassing …even if all your email is really, really boring …you need to keep your email account secure. Here are three reasons:

Your contact list: If someone took control of your email account, they could attempt to impersonate you and defraud your friends and family before you realized what was happening. Would you be able to warn all everyone before it was too late? You do have your contact list backed up …don’t you?

Personal data: It’s great that Gmail gives us over 7 GB of storage. But, a lot of people keep important personal or business documents stored in their web-mail inbox. This could be a gold mine of identity theft: online billing statements, bank account information, calendar information and contacts. Also, some data might be irreplaceable if deleted.

Access to other accounts: Once inside your email, a hacker could discover information about other online services that your use.  Consider that you email account is often used to verify your identity when you forget a password. A compromised email account could result in a hacker getting access to online banking, PayPal, etc.

How celebrity e-mail gets hijacked

In Sarah Palin’s case, the accused “hacker” is David Kernell, a 20 year-old economics student at the University of Tennessee (also son of longtime Democratic Tennessee State Rep  Mike Kernell of Memphis).

The technique used to get Palin’s e-mail was not very sophisticated, and does not require any specialized knowledge of computers.  It simply used Yahoo’s standard password reset feature, provided for users who have forgotten their own password.

The hacker discovered Palin’s e-mail address—the now-defunct gov.sarah@yahoo.com—through publicly available sources, then used Yahoo’s password recovery feature to reset the password. To reset the password, he had to supply three pieces of personal information: Palin’s birthday, her zip code, and the place she met her husband.

Before Kernell was arrested, a person claiming to be the hacker posted the following in an online forum:

“it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes ….

the second [security question] was somewhat harder, the question was ‘where did you meet your spouse’ …they met at high school, so I did variations of that, high, high school, eventually hit on ‘Wasilla high’”

Many web-based email accounts are still vulnerable to this type of attack. In 2009 Salma Hayek was victimized in a similar manner.  According to gawker.com, “Breaking into the account was a simple matter of knowing Hayek’s birthday — September 2 — and guessing at her security word (they claim it was [Frida,] the name of her best known movie role) to reset the account’s password.”

Why your email might be vulnerable

What happens if a web-mail user locks themselves out of their own email account? Usually there is a “forgotten password” link that enables them to create a new password …but first they must provide proof of their identity. Typically, this proof involves the giving answers to “secret” questions, matching the response given by the user when the account was created. Here are some questions that Yahoo uses:

• Where did you spend your honeymoon?
• Where did you meet your spouse?
• What is your oldest child’s nickname?
• What is the first name of your favorite uncle?
• What town was your father born in?
• What was your first pet’s name?
• What is the name of your favorite sports team?
• What is the last name of the maid of honor at your wedding?

Someone trying to get unauthorized access to your email account could use the same procedure. The problem with many of these security questions is that they can be easy to guess, especially if the if the victim if famous, or if the “hacker” is an ex-husband, former girlfriend, creepy brother-in-law, or psycho coworker.

Despite the highly publicized incidents of email hijacking, password security for web-based e-mail accounts is not much better today than in the past. Regular people frequently forget their own passwords, so email providers need to have an automated, easy-to-use mechanism for legitimate (but befuddled) users to create a new password.

In the next post in this series, I’ll provide some steps anyone can take to make their web-mail more secure.

Sources:
Wired: Palin E-Mail Hacker Says It Was Easy
PCMag: Salma Hayek’s Email Gets Hacked
PCMag: Why the Palin Hack Could Happen Again and Again
Gawker: Salma Hayek’s Hacked Emails Reveal Celebrity’s Quotidian Existence
Image “US Mail” by Steve 2.0

First In A Series: Pay your bills online? Do any online banking? If yes, you probably keep your bank account password secure.

But what about your e-mail password?

This article will give examples of what can happen when someone gets unauthorized access to your e-mail account. In an upcoming post, we’ll take a look at a couple of reasons why your e-mail password may not be as secure as you might think. After that, we will examine some methods for keeping your e-mail account private and secure.

“It’s impossible to move, to live, to operate at any level without leaving traces, bits, seemingly meaningless fragments of personal information.”
William Gibson

With each passing year we depend less on the postal service and more on the Internet to interact with our banks, utilities, employers and customers.  We realize that a lot of personal information about us is stored on computers connected to the Internet; we accept this reality (if we think about it at all) because online shopping, online banking, online bill pay, and social networking provide great convenience.

Frequently the humble e-mail account provides the common link between the user and various online services, whether these services are trivial or essential.  For this reason, it’s important to keep your e-mail secure.

Often banks have password security rules and require customers to create complex passwords with both letters and numbers.  But what happens if you forgot your password?  In many cases you can click on a password recovery link, provide your e-mail address, and then check your e-mail for a code or hyperlink that you can use to create a brand new password.

The following stories illustrate problems that can occur when a hacker gains access to someone’s e-mail account:

Edward Mendelson on AppScout tells the story of “What Happens When Your Webmail Gets Hacked” – about how a friend’s Gmail account was hijacked by a scammer.  The hacker e-mailed everyone in the victim’s contact list, claiming to be stranded out of town with no cash: “please I need you to loan me some money, I will refund you as soon as I’m back home, I promise.” It took over eight hours to regain control of the hijacked e-mail account …by which time the hacker had persuaded one well-meaning friend to wire money overseas.

This scam happens quite often, as when a retired Cornish vicar innocently shared information that allowed hackers to get into his Yahoo e-mail account. Shortly thereafter, his friends received an e-mail claiming “I am really stranded in Nigeria because I forgot my little bag in the Taxi where my money, passport, documents and other valuable things were kept…” Fortunately, his friends were not deceived by the faked message. According to the victimized vicar, “It was so long-winded and badly spelled that most of my friends were laughing by the end of it.”

It was not a laughing matter when another Yahoo email account was compromised:  Sarah Palin’s Yahoo e-mail was hacked during the presidential election campaign in September 2008. Palin, while governor of Alaska, had used the Yahoo address gov.sarah@yahoo.com to conduct state business. After the account was breached, confidential e-mail messages were posted on the Internet. The “hacker” (tracked down by the Secret Service and FBI) is now awaiting trial and faces up to five years in prison if convicted.

The technique used to gain access to Palin’s e-mail account does not require any special skill or technical knowledge, and many web-based e-mail accounts are still vulnerable to it today. My next post will show how it was done, and how you can take steps to protect yourself.

Sources:

AppScount: What Happens When Your Webmail Gets Hacked
BBC: Fraudsters Hijack Vicar’s E-mail
Wikipedia: Sarah Palin Email Hack
Washington Post: Governor Is Asked To Release E-Mails
Image by Esparta