After word spread that a hacker leaked the contents of vice presidential candidate Sarah Palin's Yahoo email account by knowing a couple of pieces of background information about the Alaska governor, I could hear the collective mouse-click of panicked web mail users, from Wasilla to Worcester. If it was that easy for someone who'd never met Palin to break into her email account, what did that mean for the millions of users of Google Talk, Yahoo, MSN Hotmail, AOL, etc. whose identities could be just as easily impersonated?
Here's what went through my mind:
"What does my account require to retrieve a forgotten password? What's my 'secret' question? Darn it, everyone knows who my childhood best friend was... Why did I pick that as my question?"
Well, you get the idea. But this is a real risk for so many people who rely on personal email to transfer a lot of critical information about their lives back and forth.
Seriously, I doubt I was the only one who, after hearing about the Palin incident, had flashbacks of that crazy ex who knew a lot about you and wouldn't mind using that knowledge to excavate your email account in hopes of confirming her wild suspicions of where you really were on that night when you swore you were working on an all-night project at work... I digress.
But I'm a curious guy, so I decided to try it out myself. With the permission of my twin brother, I tried to access his Gmail account.
So I entered his username and clicked on the "I cannot access my account" link, then the "I forgot my password" link. What I learned was that my brother had set up his account so the password would be sent to his AOL account.
Hmmm. Well, I'll try there then. So I go to AOL.com, enter his username, solve some annoying CAPTCHA, and then it asks me: What is your favorite movie? Bingo, I'm almost there.
Well I tried three films that I was certain would get me in - and they didn't work. So I tried one or two more. No luck. Then it said the account would be locked for 24 hours due to too many attempts at this. Oops. Sorry, Dave.
Turns out, the guesses I made were the ones my brother thought they'd be. Either way, I'm assuming that if I had correctly answered that "secret" question, it would've been pwnage.
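To make the recovery flow above concrete from the provider's side, here is an added example (my own code, not anything AOL or Google runs) of a secret-question check with the three-strikes, 24-hour lockout the experiment hit, plus a hardened variant that refuses to reset on the answer alone. The names (`RecoveryRecord`, `check_answer`, `recover`, `otp_valid`) and the PBKDF2 work factor are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3              # guesses allowed before the challenge locks
LOCKOUT_SECONDS = 24 * 3600   # the 24-hour lockout the post ran into
PBKDF2_ROUNDS = 50_000        # assumed work factor for stored answers

def normalize(answer: str) -> str:
    # Case- and whitespace-insensitive so "The GodFather " still matches.
    return " ".join(answer.lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are stored salted and stretched, never in the clear.
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, PBKDF2_ROUNDS)

@dataclass
class RecoveryRecord:
    salt: bytes
    answer_hash: bytes
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked

def enroll(answer: str) -> RecoveryRecord:
    salt = secrets.token_bytes(16)
    return RecoveryRecord(salt, hash_answer(answer, salt))

def check_answer(rec: RecoveryRecord, guess: str, now: float) -> str:
    # Returns "ok", "wrong" or "locked" and updates the counters on rec.
    if now < rec.locked_until:
        return "locked"
    if hmac.compare_digest(hash_answer(guess, rec.salt), rec.answer_hash):
        rec.failures = 0
        return "ok"
    rec.failures += 1
    if rec.failures >= MAX_ATTEMPTS:
        rec.failures = 0
        rec.locked_until = now + LOCKOUT_SECONDS
        return "locked"
    return "wrong"

def recover(rec: RecoveryRecord, guess: str, otp_valid: bool, now: float) -> str:
    # Hardened flow: a correct answer alone never resets the password; a one-time
    # code sent to a registered channel must also verify (otp_valid is assumed
    # to be the result of that separate check).
    result = check_answer(rec, guess, now)
    if result == "ok" and not otp_valid:
        return "need_otp"
    return result
```

The lockout caps online guessing at three tries a day, but a widely known answer falls within that budget on the first try, which is why `recover` treats the question as one factor rather than the whole gate.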
(My little experiment sounds cool, but it is not nearly as well documented as what our friend Hugh Thompson wrote in an article he did for Scientific American.)
Since the Palin hack, my inbox has been predictably flooded with a number of requests to speak with vendors who claim to be able to solve this weak web mail authentication issue. From the Trusted Platform Module to outright blocking, there are a lot of ideas out there.
But one thing is for sure: While we can never expect personal email accounts to undergo the same scrutiny and protections as corporate accounts, the burden is on the web mail providers to offer users some more comprehensive security.
Something beyond what someone's favorite movie is or where a husband and wife originally met... These answers are easily discoverable on the internet.
Didn't the Yahoos and Googles of the world ever hear of social networking sites or, better yet, internet searching?