How Online Email Gets Hacked

In: Internet|security

15 Mar 2010

Second In A Series: In a recent post, I described several situations where web-based email accounts were compromised. Probably the best known incident involved Sarah Palin’s Yahoo e-mail account, which was burglarized a few months prior to the November 2008 presidential election.

Could this type of attack happen today? Yes.

Should a non-celebrity, average person be concerned about their email security? Absolutely.

Everyone needs to be concerned about email security

Even if you’re not famous …even if you’re not involved in anything illegal or embarrassing …even if all your email is really, really boring …you need to keep your email account secure. Here are three reasons:

Your contact list: If someone took control of your email account, they could attempt to impersonate you and defraud your friends and family before you realized what was happening. Would you be able to warn everyone before it was too late? You do have your contact list backed up …don’t you?

Personal data: It’s great that Gmail gives us over 7 GB of storage. But, a lot of people keep important personal or business documents stored in their web-mail inbox. This could be a gold mine of identity theft: online billing statements, bank account information, calendar information and contacts. Also, some data might be irreplaceable if deleted.

Access to other accounts: Once inside your email, a hacker could discover information about other online services that you use. Consider that your email account is often used to verify your identity when you forget a password. A compromised email account could result in a hacker getting access to online banking, PayPal, etc.

How celebrity e-mail gets hijacked

In Sarah Palin’s case, the accused “hacker” is David Kernell, a 20 year-old economics student at the University of Tennessee (also son of longtime Democratic Tennessee State Rep Mike Kernell of Memphis).

The technique used to get Palin’s e-mail was not very sophisticated, and does not require any specialized knowledge of computers.  It simply used Yahoo’s standard password reset feature, provided for users who have forgotten their own password.

The hacker discovered Palin’s e-mail address—the now-defunct gov.sarah@yahoo.com—through publicly available sources, then used Yahoo’s password recovery feature to reset the password. To reset the password, he had to supply three pieces of personal information: Palin’s birthday, her zip code, and the place she met her husband.

Before Kernell was arrested, a person claiming to be the hacker posted the following in an online forum:

“it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes ….

the second [security question] was somewhat harder, the question was ‘where did you meet your spouse’ …they met at high school, so I did variations of that, high, high school, eventually hit on ‘Wasilla high’”

Many web-based email accounts are still vulnerable to this type of attack. In 2009 Salma Hayek was victimized in a similar manner.  According to gawker.com, “Breaking into the account was a simple matter of knowing Hayek’s birthday — September 2 — and guessing at her security word (they claim it was [Frida,] the name of her best known movie role) to reset the account’s password.”

Why your email might be vulnerable

What happens if a web-mail user locks themselves out of their own email account? Usually there is a “forgotten password” link that enables them to create a new password …but first they must provide proof of their identity. Typically, this proof involves giving answers to “secret” questions, matching the response given by the user when the account was created. Here are some questions that Yahoo uses:

  • Where did you spend your honeymoon?
  • Where did you meet your spouse?
  • What is your oldest child’s nickname?
  • What is the first name of your favorite uncle?
  • What town was your father born in?
  • What was your first pet’s name?
  • What is the name of your favorite sports team?
  • What is the last name of the maid of honor at your wedding?

Someone trying to get unauthorized access to your email account could use the same procedure. The problem with many of these security questions is that they can be easy to guess, especially if the victim is famous, or if the “hacker” is an ex-husband, former girlfriend, creepy brother-in-law, or psycho coworker.

Despite the highly publicized incidents of email hijacking, password security for web-based e-mail accounts is not much better today than in the past. Regular people frequently forget their own passwords, so email providers need to have an automated, easy-to-use mechanism for legitimate (but befuddled) users to create a new password.
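To make the weakness concrete, here is an added example (mine, not code from the original post or from any email provider) that models the two reset designs side by side in Python: a “secret question” reset of the kind described above, and a hardened reset that instead sends a random, single-use, time-limited token to a separately registered recovery channel, limits failed attempts, and compares in constant time. It goes a little beyond the post, which only promises hardening advice in the next installment. The account record, the phone number, the answer and all timestamps are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample account (assumed schema, not from the original post).
# The "secret" answer is the one quoted in the post; stored hashed, as a
# reasonable provider would do, but the guess space is still tiny.
ACCOUNT = {
    "email": "user@example.com",
    "recovery_phone": "+1-555-0100",                      # constructed
    "secret_question": "Where did you meet your spouse?",
    "secret_answer_hash": hashlib.sha256(b"wasilla high").hexdigest(),
    "password": "old-password",
}


def weak_reset(account, answer, new_password):
    """The 2010-era design: anyone who can answer the secret question may
    set a new password.  There is no attempt limit and no second channel,
    so the whole scheme is only as strong as the answer's guessability."""
    normalized = answer.strip().lower()
    candidate = hashlib.sha256(normalized.encode()).hexdigest()
    if hmac.compare_digest(candidate, account["secret_answer_hash"]):
        account["password"] = new_password
        return True
    return False


class RecoveryService:
    """Hardened reset: a random token is delivered out of band, expires,
    is single use, and repeated failures lock further attempts."""

    MAX_ATTEMPTS = 5
    TOKEN_TTL_SECONDS = 15 * 60

    def __init__(self):
        self.pending = {}   # email -> (sha256(token), expiry timestamp)
        self.failures = {}  # email -> count of bad tokens since last success
        self.audit = []     # (email, event) pairs a detection team can review

    def start_reset(self, account, now):
        # 256-bit token: not guessable, unlike a birthday or a zip code.
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.pending[account["email"]] = (token_hash, now + self.TOKEN_TTL_SECONDS)
        self.audit.append((account["email"], "reset_requested"))
        # A real service would send `token` to account["recovery_phone"];
        # here it is returned so the example can simulate delivery.
        return token

    def complete_reset(self, account, token, new_password, now):
        email = account["email"]
        if self.failures.get(email, 0) >= self.MAX_ATTEMPTS:
            self.audit.append((email, "locked"))
            return "locked"
        entry = self.pending.get(email)
        if entry is None:
            return "no_pending"
        token_hash, expires_at = entry
        if now > expires_at:
            del self.pending[email]
            self.audit.append((email, "token_expired"))
            return "expired"
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            self.failures[email] = self.failures.get(email, 0) + 1
            self.audit.append((email, "bad_token"))
            return "bad_token"
        # Success: consume the token so it cannot be replayed.
        del self.pending[email]
        self.failures.pop(email, None)
        account["password"] = new_password
        self.audit.append((email, "password_changed"))
        return "ok"


if __name__ == "__main__":
    acct = dict(ACCOUNT)
    print("weak reset with guessed answer:", weak_reset(acct, "Wasilla High", "pwned"))
    svc = RecoveryService()
    tok = svc.start_reset(acct, now=1000.0)
    print("hardened reset, wrong token:", svc.complete_reset(acct, "guess", "x", now=1001.0))
    print("hardened reset, real token:", svc.complete_reset(acct, tok, "fresh-pw", now=1002.0))
```

The point of the comparison is where the secret lives: in the weak flow it is a fact about the user that other people may know or can look up, while in the hardened flow it is a fresh random value that only the holder of the recovery channel ever sees. The audit list is there because repeated `bad_token` events for one account are exactly the signal an abuse team would want to alert on.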

In the next post in this series, I’ll provide some steps anyone can take to make their web-mail more secure.

Sources:
  • Wired: Palin E-Mail Hacker Says It Was Easy
  • PCMag: Salma Hayek’s Email Gets Hacked
  • PCMag: Why the Palin Hack Could Happen Again and Again
  • Gawker: Salma Hayek’s Hacked Emails Reveal Celebrity’s Quotidian Existence
  • Image “US Mail” by Steve 2.0


3 Responses to How Online Email Gets Hacked


Alma

March 19th, 2010 at 4:15 pm

Great information! Apparently today on Facebook one of the questions going around is what is your birthplace!!!!! Why not tell them their first pet name and socials while they are at it!!!!!

Once bitten……twice shy!


About this site...

This website is published by John Coverdale, Associate Professor of Computer Information Systems at Riverside Community College. The resources and links may be helpful to any computer users wishing to use technology more effectively, and save time and money.
