The Bankwatch

Tracking the consumer evolution of financial services

A security hole every banker must read

Every banker and security expert must read this. The flow here is common knowledge to security experts already but it really drives home to users how they must be careful about how they approach their password strategies.

The key here is to note how the interconnection works between, in this case, Gmail and the secondary address at Hotmail. The former can be secure, yet through innovative ‘social engineering’ the second can open all sorts of doors.

It is worthwhile taking the time to read through it and think about your own approach.

The Anatomy Of The Twitter Attack | Techcrunch

Unfortunately for Twitter, Hacker Croll found such a weak point. An employee who has online habits that are probably no different than those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account from a Twitter employee that Hacker Croll had attempted to access – but in the case of this particular account he discovered a kink in the armor that gave him the big first step. On requesting to recover the password, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at

At Hotmail, Hacker Croll again attempted the password recovery procedure – making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.
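The recovery chain the excerpt describes, as an added defender-side example that is not part of the original post or the Techcrunch article: a small Python audit that walks an account's recovery addresses and flags the condition exploited here, a secondary mailbox that is dormant at a provider that recycles dormant addresses. All mailbox addresses and their flags are constructed sample data, not real accounts.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Mailbox:
    """One mailbox in a recovery chain (constructed sample data, not real accounts)."""
    address: str
    active: bool                     # False once the owner abandoned it or the provider deleted it
    recovery: Optional[str] = None   # secondary address that password-reset mail is sent to
    recycles_dormant: bool = False   # provider frees dormant addresses for anyone to re-register


def audit_recovery_chain(boxes: Dict[str, Mailbox], primary: str) -> List[str]:
    """Follow recovery pointers from `primary` and report every hop that would
    let someone other than the owner receive a password-reset message."""
    findings: List[str] = []
    seen = {primary}
    hop = boxes[primary].recovery
    while hop is not None:
        if hop in seen:
            findings.append(f"{hop}: recovery loop, no independent out-of-band channel")
            break
        seen.add(hop)
        box = boxes.get(hop)
        if box is None:
            findings.append(f"{hop}: recovery address is not registered anywhere")
            break
        if not box.active and box.recycles_dormant:
            # The Hotmail case: the mailbox is gone and the name is free to register,
            # so whoever registers it receives the reset link for the primary account.
            findings.append(f"{hop}: dormant and recyclable, a stranger can register it and receive resets")
        elif not box.active:
            findings.append(f"{hop}: dormant, resets go to a mailbox nobody reads")
        hop = box.recovery
    return findings


# Constructed sample modelled on the incident: the primary account's recovery
# address lives at a provider that deleted it for inactivity and recycles names.
SAMPLE: Dict[str, Mailbox] = {
    "employee@gmail.example": Mailbox("employee@gmail.example", True, "employee@hotmail.example"),
    "employee@hotmail.example": Mailbox("employee@hotmail.example", False, None, recycles_dormant=True),
    "ok@gmail.example": Mailbox("ok@gmail.example", True, "ok-backup@outlook.example"),
    "ok-backup@outlook.example": Mailbox("ok-backup@outlook.example", True),
}

if __name__ == "__main__":
    for account in ("employee@gmail.example", "ok@gmail.example"):
        print(account, "->", audit_recovery_chain(SAMPLE, account) or ["no weak link found"])
```

The same walk flags a recovery address that points back into the chain, since a loop gives the owner no out-of-band channel if the first mailbox is lost.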

Written by Colin Henderson

July 19, 2009 at 23:29

Posted in Security


4 Responses


  1. but it really drives home to users how they must be careful about how they approach their password strategies.

    We can’t expect users to have password strategies because we made it impossible for them to do so. The problem is inconsistency. Every bank, store, etc. has different login implementations and username and password requirements. Some do it well – others don’t.

    As for the story itself – this is hardly new news. Twitter itself appeared to not have basic security procedures in place. But considering how young the company is and the difficulties it had maintaining a stable environment – that’s not surprising.


    July 20, 2009 at 07:58

  2. @Tim … this is not a twitter issue. My focus on this blog is banks. Bank employees email their own docs to themselves at their personal email account all the time, due to restrictions on their bank network. So I would argue this potential hole exists for all banks and corporations. If the bad guys employ this example of social engineering, they can get into employee personal email and potentially locate bank documents.

    While we cannot expect people to have password strategies, everyone does, whether they realise it or not. These strategies are either very good or very bad.

    Colin Henderson

    July 20, 2009 at 09:22

  3. I used to work in the security department of a big bank in London. For each user account we created we would give each user a secure password. However, without exception they would then try and synchronise their passwords across accounts against company policy. Monday mornings after a boozy weekend the telephones were red hot because staff couldn’t remember their passwords. Boy I miss it. Rgds Vince

    vince stevenson

    July 21, 2009 at 16:19

  4. @Vince …. thanks for that … a very real life example!

    Colin Henderson

    July 23, 2009 at 00:03
