September 23, 2008
Source: PC Mag
How can you prevent a Palin webmail hack from happening to you? The short answer: you can’t.
Yahoo has no immediate plans to overhaul its e-mail security procedures after a hacker last week gained access to Sarah Palin’s private Yahoo Mail account, the company said Monday. Instead, it is reviewing security processes on an industry-wide basis.
Google’s Gmail and Microsoft’s Hotmail also have existing processes in place to enable password recovery. But those too can be exploited by a hacker patient enough to sniff through personal data that might already be available online.
Yahoo, however, is being forced to reconsider its own security practices.
A hacker gained access to the Republican vice presidential hopeful’s email@example.com account last week after successfully navigating Yahoo’s password recovery feature. That process required the hacker to enter Palin’s login name, date of birth, ZIP code, and to answer the question, “Where did you meet your spouse?”
Palin, who currently serves as governor of Alaska, is now widely known to be a lifetime resident of Wasilla, Alaska, so the ZIP code was easily deciphered. A quick Google search revealed her date of birth, and any of the approximately 40 million people who listened to her GOP convention acceptance speech were informed that she met her husband in high school. An amateur who fiddled with the wording a bit – “Wasilla high” being the correct response – had access within minutes.
Yahoo is trying to strike a balance between providing a secure user experience while also ensuring a process for accessing lost account information, according to a source familiar with the situation. The company last week issued a memo to users on how to create more secure passwords, though the Palin hacker did not know her password.
Naturally, a typical user’s personal Webmail accounts are not going to generate as much hacker interest as Palin’s account, but security remains a concern. What is your best option?
When signing up for Yahoo, the company asks for standard personal information – name, gender, date of birth, country, and ZIP code – and then asks users to answer one of nine possible secret questions: where the user met his or her spouse; the first school the user attended; his or her childhood hero, favorite pastime, favorite sports team, father’s middle name, or high school mascot; the name of the user’s first car or bike; or the name of the user’s pet.
Once you select one of these questions, however, you cannot change it. Nor can you change your date of birth. Had Palin recovered her own account, hackers could have just as easily gained re-entry, given that they had the answer to her secret question. Yahoo does allow users to change their gender and/or location, so switching her ZIP code to a random city might have done the trick.
Microsoft’s Hotmail has a similar set-up situation, asking for personal information, and the answer to one of six secret questions: the user’s mother’s birthplace, the user’s best childhood friend, the name of the user’s first pet, the user’s favorite teacher, favorite historical person, or the occupation of the user’s grandfather.
Unlike Yahoo, Hotmail users can change their secret question once they set up their account. This might have helped Palin if she’d acted fast, but it also means that if the hacker had successfully accessed a Hotmail account, the hacker could have changed the secret question immediately and locked the proper owner out of the account indefinitely.
Microsoft also has no immediate plans to change its Hotmail security processes, according to a spokeswoman.
“Microsoft is always working to strengthen the security of its products and services and is committed to helping consumers have a safe, secure and positive online experience,” she said. “We know our customers’ needs are constantly evolving based on changes in the security landscape and we are always working to meet these new threats and to help protect our customers from them.”
Gmail might have the most secure password recovery process at this point, but it is a potentially lengthy process.
Gmail also requires personally identifiable information, but lets users either create their own question or answer one of four Google-selected questions: primary frequent flyer number, library card number, first phone number, or first teacher’s name.
If a user forgets his or her password, Google will send password reset information to the secondary e-mail address a user provided when signing up. But if the user lost the password to that account, no longer had access to it, or did not provide a second e-mail address, Google requires a waiting period of five days before resetting the password.
“To prevent someone from trying to break into an account you’re actively using, the security question is only used for account recovery after an account has been idle for five days,” according to Google. “The Gmail team cannot waive the five day requirement or access your password under any circumstances.”
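The recovery policy described above, as an added illustration that is not Google's code or part of the original article: a secondary address takes priority, the security question is locked while the account is active, and the five-day idle window, the answer normalization and the salt are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy constant, modelled on the five-day rule quoted in the article.
IDLE_REQUIREMENT = timedelta(days=5)


def normalize(answer: str) -> str:
    """Lower-case and collapse whitespace so 'Wasilla  High' matches 'wasilla high'.
    Every extra leniency here shrinks the effective secret, so keep it minimal."""
    return " ".join(answer.lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    # Store only a salted hash of the normalized answer, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 50_000)


@dataclass
class Account:
    login: str
    secondary_email: Optional[str]
    answer_salt: bytes
    answer_hash: bytes
    last_activity: datetime


def recovery_route(acct: Account, now: datetime) -> str:
    """Decide which recovery path the policy allows at this moment."""
    if acct.secondary_email:
        return "reset_link_to_secondary"   # out-of-band; the question is never asked
    if now - acct.last_activity < IDLE_REQUIREMENT:
        return "wait_until_idle"           # account in active use: question locked
    return "security_question"             # idle long enough: question may be used


def recover_with_question(acct: Account, submitted: str, now: datetime) -> bool:
    """True only when the policy permits the question path AND the answer matches."""
    if recovery_route(acct, now) != "security_question":
        return False
    candidate = hash_answer(submitted, acct.answer_salt)
    return hmac.compare_digest(candidate, acct.answer_hash)


def make_account(login: str, secondary: Optional[str], answer: str,
                 last_activity: datetime) -> Account:
    salt = b"constructed-fixed-salt"   # constructed; use os.urandom(16) in practice
    return Account(login, secondary, salt, hash_answer(answer, salt), last_activity)
```

Note that an attacker who learns the answer still gets nothing while the owner keeps using the account, which is the point of the idle requirement.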
The FBI and Secret Service are now investigating the Palin hack. Authorities reportedly searched the home of a 20-year-old University of Tennessee student over the weekend, but no arrests have been made. The hacker could face felony charges for violating the Computer Fraud and Abuse Act, but could also avoid prosecution thanks to a Department of Justice loophole, according to the Electronic Frontier Foundation.
Palin and the now erased Yahoo account have also made headlines over allegations that the governor used her personal account for state business.