The Bankwatch

Tracking the consumer evolution of financial services


A security hole every banker must read


Every banker and security expert must read this. The attack flow here is common knowledge to security experts already, but it really drives home to users how careful they must be about their password and account-recovery strategies.

The key here is to note how the interconnection takes place between, in this case, Gmail and the secondary address at Hotmail. The former can be secure, yet through innovative ‘social engineering’ the second can open all sorts of doors.

Worthwhile to take the time: read it through and think about your own approach.

The Anatomy Of The Twitter Attack | TechCrunch

Unfortunately for Twitter, Hacker Croll found such a weak point. An employee who has online habits that are probably no different than those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account from a Twitter employee that Hacker Croll had attempted to access – but in the case of this particular account he discovered a kink in the armor that gave him the big first step. On requesting to recover the password, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at hotmail.com.

At Hotmail, Hacker Croll again attempted the password recovery procedure – making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.
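The two weak links in the chain quoted above are the recovery hint that points at the secondary provider and a secondary mailbox that was never re-confirmed after its provider recycled it. The following is an added illustration from the defender's side, not code from The Bankwatch or from the TechCrunch article: it reproduces the style of hint described (`******@h******.com`) beside a stricter one that hides the provider, and it audits constructed sample accounts for recovery addresses that are overdue for re-verification. The 180-day window, the `Account` record and the sample data are assumptions chosen for illustration.

```python
"""Defender-side model of the recovery-chain weaknesses described in the article.

Added example: the hint formats, the re-verification window and the sample
accounts below are assumptions, not anything the article or the blog states
about Gmail's or Hotmail's real implementation.
"""
from dataclasses import dataclass
from datetime import date, timedelta


def leaky_hint(address: str) -> str:
    """Hint in the style quoted above (******@h******.com): local part fully
    starred, first letter of the provider and the TLD left visible. That one
    letter plus a common TLD is enough to guess where the reset mail goes."""
    local, domain = address.lower().split("@", 1)
    provider, tld = domain.rsplit(".", 1)
    return "*" * len(local) + "@" + provider[0] + "*" * (len(provider) - 1) + "." + tld


def strict_hint(address: str) -> str:
    """Hardened hint: fixed width, shows only the first character of the local
    part and nothing of the provider or TLD, so the hint no longer tells an
    attacker which provider to try next."""
    local, _domain = address.lower().split("@", 1)
    return local[0] + "***@*****"


REVERIFY_AFTER = timedelta(days=180)  # assumed policy window, not from the article
DEMO_TODAY = date(2009, 7, 19)        # date of the blog post, used as "today" below


@dataclass(frozen=True)
class Account:
    user: str
    recovery_email: str
    recovery_verified_on: date  # last time the owner proved control of the recovery mailbox


def recovery_is_stale(acct: Account, today: date) -> bool:
    """True when the recovery mailbox has not been re-confirmed within the policy
    window. A mailbox that is never re-confirmed may have been dropped by its
    provider and registered by someone else, which is how the chain above broke."""
    return today - acct.recovery_verified_on > REVERIFY_AFTER


def audit(accounts, today: date):
    """Users whose recovery address must be re-verified before it may be
    trusted for a password reset."""
    return sorted(a.user for a in accounts if recovery_is_stale(a, today))


# Constructed sample records (hypothetical users and addresses)
SAMPLE = [
    Account("staffer1", "staffer1@hotmail.com", date(2008, 11, 1)),
    Account("staffer2", "s2.backup@example.com", date(2009, 6, 1)),
]

if __name__ == "__main__":
    print(leaky_hint("staffer1@hotmail.com"))   # ********@h******.com
    print(strict_hint("staffer1@hotmail.com"))  # s***@*****
    print(audit(SAMPLE, DEMO_TODAY))            # ['staffer1']
```

The audit is the check a service should run before honouring a reset: a recovery address that has not been re-confirmed recently is treated as unverified, and the reset falls back to a stronger identity challenge instead of mailing a link to a mailbox that may now belong to someone else.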

Written by Colin Henderson

July 19, 2009 at 23:29

Posted in Security

