The Hindu News Update Service
     
Tuesday, June 23, 2009 : 1230 Hrs       

Sci. & Tech.
Secret questions 'make emails vulnerable to hacking' 

Washington (PTI): What's the name of the school you attended? What is the first 
name of your favourite cousin? Well, email services often protect accounts
with this kind of security question in case holders forget their password. 

Now, a new study in the US has revealed just how easy the answers to such 
security questions are for other people to guess -- in fact, these facts make 
life simple for hackers, the New Scientist reported. 

Researchers at Microsoft have based their findings on an analysis of an 
experiment, involving 32 email users. 

Acquaintances of the email users -- people with whom they wouldn't normally 
share their login details -- were asked to try and guess the answers users 
assigned to protect their accounts. 

The volunteers managed to guess correctly a fifth of the time, raising 
questions over how secure the commonly used system is, the study found. 

However, a second study by software giant Microsoft has suggested a more secure 
alternative -- relying on trusted friends to vouch for you if an account
becomes locked. 

"Securing webmail is important because email accounts typically allow an 
attacker access to other accounts, for example, eBay and Amazon. If I can 
recover these passwords via your email account then I can spend the balance 
of your credit card on flat-screen TVs," Ross Anderson of Cambridge University 
was quoted as saying. 

Under the new system proposed by Stuart Schechter and Rob Reeder at Microsoft, 
users select several "trustees". 

If a user becomes locked out of their account, their trustees receive a message 
asking them to download a "recovery code". The user must collect codes from
multiple trustees to unlock their account. 

A group of 19 Hotmail users trialled the system and 17 successfully regained 
access to their Hotmail account. That 90-per-cent success rate compares 
favourably to the 80-per-cent success rate of the secret question system, 
says Reeder. 

In the trial, most users recovered their accounts within two days. However, 
when the researchers got users' acquaintances to ask the trustees to give up
the codes, many of them did so. 

Reeder said this attack could be avoided by getting account holders to advise 
trustees of their role in advance. 

In the trial, trustees simply received an email containing the code out of the 
blue. 

Rather than replacing the standard secret questions approach, the new method 
should be an optional choice for users, according to Anderson, who agrees that
it is important to train trustees to be appropriately security conscious. 

But the idea has promise, said Reeder, pointing out that it is not a new idea 
to have people use third parties to back up their identity. 


