Huge Security Flaw Uncovered in Internet Passwords

August 29, 2008 – 10:40 am

Researchers have recently discovered a major flaw in the security systems of websites throughout the internet. A seemingly minor security feature gives identity thieves an easy back door to pry into your personal life and access your online accounts. This huge security opening is actually a very simple and often overlooked feature common to most online accounts: the password reset. The password reset feature is often necessary to make sure we don’t get locked out of our own accounts, but it also makes it easy for identity thieves to reset our passwords. Once this is done, they can wreak havoc on our accounts, make fraudulent purchases, steal information to commit other identity theft, spam advertisements to our friends, destroy our credit, and ruin our reputation.

In a recent study, Herbert Thompson, chief security strategist of People Security, asked some of his friends for permission to try to hack into their online accounts. He used his friend’s name to find her online bank account, then had it send a password reset to her email address. He went to her email and was asked a security question. After pulling the information from her blog, he successfully took over her email address. He then pulled out the new password and had free rein over her online bank account. He did this with multiple people in a disturbingly short amount of time.

The password reset feature was implemented over a decade ago to ensure that forgetful people wouldn’t lose their passwords and end up locked out of their own accounts. It worked just fine before social networking became widespread, but now most of us have personal information floating around all over the internet. The most common forms of password reset are security questions and email. Many accounts simply allow you to reset your password and have the system email you a new randomly generated password. This works just fine, assuming no one can hack into your email. Unfortunately, the password on most email accounts can be reset by answering a simple security question.

The real danger here is that somewhere in the system, there is always a security question involved. You are asked to supply the answer to a question that theoretically no one would know about your personal life. Common security questions are mother’s maiden name, pet’s name, teacher’s name, high school, library card number, and phone number. Thanks to the popularity of social networking sites such as Facebook, Myspace, and online blogs, this personal information is now often public knowledge that is just a few clicks away.

You can help protect yourself against this security flaw by using obscure security questions whose answers only you could possibly know, and by being sure not to tell this information to anyone (especially on your blog). You may also want to simply put the wrong information in the security question so hackers have no chance of cracking it. If you do this, be sure to physically write down your passwords somewhere safe where you can find them if you ever need to. Hopefully measures will be taken soon to close up this huge security flaw, but for now a huge section of the population is fully exposed to identity theft. This is yet another reason so many people are turning to LifeLock identity theft protection services to guard their assets.

