Call me your e-mail security guinea pig.
The other day I was talking to Hugh Thompson, adjunct professor of software security at Columbia University and founder of consultancy People Security, about his research related to online privacy and he mentioned how easy it can be to hijack someone's e-mail account. So, I challenged him to try to steal mine.
Over the course of an hour, I watched as he mined the Internet for information about me that could be used to reset passwords on Web-based e-mail services, plucking tidbits from a variety of search and other sites to create quite a surprising dossier. I decided to share the experience (with a few omissions) in the hopes that other people will test how easily they could be stalked online so they can better protect their e-mail and other Web accounts.
Access to an e-mail account opens up access to all sorts of other information that could be used to steal someone's identity and drain bank accounts, open up credit cards, and even take out loans in their name.
It's not just personal information at stake in e-mail accounts. Use of weak password-reset security questions is believed to have allowed someone to access the Yahoo e-mail account of a Twitter employee last year and then use that to access the person's Google Docs account where there was sensitive corporate information.
In agreeing to the project, Thompson had already done some homework and had a list of specific security questions that the major Web-based e-mail providers use. The questions include a mix of preference questions, like what is your favorite book, musician, town, and restaurant. Easy as these questions may seem on the surface, the answers are subject to change as people's tastes change. For instance, you are likely to have a different favorite movie every couple of months, or at least likely to forget what your original answer was. These aren't always easy for a stalker to find either, unless the target happens to be a blogger who shares a lot of personal information. It's the same for the category I'll call "firsts," such as what was your first pet's name, teacher's name or job.
Then there are the fact-based questions that are easier to find from public databases, such as the hospital you were born at, the street you grew up on or the town, your first phone number, high school you attended, last four digits of your Social Security number, mother's birthplace and grandfather's occupation.
Finally, there are the questions that people don't usually remember or tend to have handy so they are less likely to choose them. These include what is your primary frequent flier number or library card number.
Armed with a list of common questions from Gmail, Yahoo, Live Mail and AOL, Thompson knew what information to look for. Using a Web-based conferencing system, I was able to watch his screen as he traversed the Internet. His first stop was Google, where he typed in my first and last name. (All Thompson knew about me at the outset was my first and last name and that I work at CNET.)
Thompson went straight to my LinkedIn profile where he learned where I went to college and details of my past work experience. He then searched for me on a people search engine called Pipl.com and came across references for city, state, age, middle name, address and phone numbers. He found additional addresses on 123people.com.
On Intelius.com, another site that offers some basic information for free but charges for additional data, he came across other people with the same last name who were supposedly associated with me, along with their ages. (Most but not all of the information uncovered in this experiment was accurate.) By comparing information on the various sites and cross-checking purported relatives and addresses, Thompson was able to guess which state I grew up in and what cities I have lived in.
Then Thompson called in the big guns--Ancestry.com. The site, which is designed for people creating family trees and doing genealogy research, pulls data from a host of public databases and provides more information than the free searches on the other sites but charges a subscription, of course. There is also a 14-day trial offer.
On Ancestry.com he had to guess at the birth year after learning my age on a different site but not knowing the exact date and took an educated guess at the city of residence too. Voila! Up came a birth date, a bunch of previous addresses, and even at least one phone number.
Someone could easily take the address information to figure out answers to some of the preferential security questions by using Google Street View to zoom in on bars, restaurants, and other hangouts in the immediate vicinity, said Thompson, who also is chair of the RSA Conference. "The longer you lived at an address, the more interesting those searches are," he said.
Then he used Ancestry.com to search on one of the names linked to me and that he suspected was my mother because of the associated ages. "Your mother is the most interesting relative for us to look up because her name typically tells us what your maiden name is, but it also is a gateway to find out who her parents were," Thompson said. "If we know their names then we know what your mother's maiden name was."
A common address between mother and subject also indicates the childhood home address. "That's valuable for password reset questions that ask what street you grew up on," he said. "Then you can search the addresses for the schools that are nearby and then go on Classmates.com and bring up teachers by year at that school."
Thompson then went back to Google to see if I had a resume online, but that proved to be a dead end. Resumes have a wealth of personal information, including e-mail addresses, phone numbers, addresses and college. Outdated resumes are even more valuable, according to Thompson.
Following the e-mail trail
Satisfied with the amount of biographical information he had accumulated on me, Thompson then decided to see what e-mail addresses he could find. Since e-mail services allow you to reset your password by sending a message to your alternate e-mail address, getting the earliest e-mail address for someone is key because that is the one most likely to offer up security questions. If it's a school e-mail address, that is even better because those security questions are likely to be the least secure, he said. The idea is to follow the trail of e-mail addresses as far back as possible. Corporate e-mail addresses, meanwhile, aren't much help because they typically reset passwords internally through the corporate IT department.
Since I was in school before e-mail was popular (now you know I'm no spring chicken!) there was no school e-mail address for me. If there had been one, Thompson said he would have searched for the school on Classmates.com and checked for the domain there and guessed what my e-mail address would have been. He also could have looked for public records associated with possible student loans to get an e-mail address that way, he said.
Thompson guessed that I would have a Gmail address and that as an early adopter it would follow a particular, simple format. But when he tried to reset the password, the system offered to have password reset information sent to my alternate e-mail address or phone number. Gmail provided enough of the other e-mail address to figure it out and a few letters of the cell phone that could be compared against phone numbers uncovered on the people search sites. He then would have had to hack my cell phone or otherwise get physical access to it in order to get to the text message and choose the password he wants in order to hijack my account.
Thompson and I ran out of time, but I went ahead and finished the process and tried to reset the password on my alternate e-mail account. I struck gold--from an attacker's point of view--in that it did ask security questions instead of referring me on to yet another e-mail address. But two of the three questions it asked (which I must have created) were unlikely to appear in any public databases and were not based on preferences. I'd share them with you, but then I'd have to kill you. (Just kidding. See below for some suggestions.)
The third security question asked was (yikes!) my mother's maiden name, which Thompson had not yet uncovered but would have eventually if we had had more time.
I compared the accurate information uncovered by Thompson with the list of about 30 or so security questions that the e-mail providers offer as default questions and found that about eight of them would have easily been answered and another four probably could have been.
Phew! Safe enough--for now
Because of the time constraint and the fact that I write about computer security issues and am thus more likely to be security-conscious, Thompson did not hijack my e-mail account. But the experiment was fascinating nonetheless. It showed how easily a stranger can dig up all sorts of information on someone. And it showed just how easy many of the password-reset security questions are to guess.
Thompson recommends that people conduct this experiment on their own identity to see what the results are and how secure their e-mail accounts are. And I would suggest the same. Then, either choose the safest default questions or, better yet, create your own, if that is an option.
When selecting a question option, think of an event in your life or a fond memory that is not going to be found on a public document and which you won't likely forget. Choose something that you haven't exposed to the public in a blog, Facebook posting or other online site. And think about specifics related to that memory, like a person, place or thing. Avoid referencing anything that can change over time such as a preference or feeling. Then set the question based on that.
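To make the self-audit Thompson recommends concrete, here is an added Python example (not code from the article or from People Security) that checks a set of chosen reset questions against a constructed public dossier, deriving the mother's maiden name and childhood street the way the article describes; every name, address and the question list are constructed assumptions.

```python
# Self-audit of password-reset questions against a "public dossier" of the kind
# Thompson assembled. Added example, not code from the article or People Security;
# every name, address and question is constructed (a hypothetical subset of defaults).
# Fact-based questions map to a dossier field; preference questions do not.
FACT_QUESTIONS = {
    "What is your mother's maiden name?": "mothers_maiden_name",
    "What street did you grow up on?": "childhood_street",
    "What high school did you attend?": "high_school",
    "What city were you born in?": "birth_city",
}
PREFERENCE_QUESTIONS = {"What is your favorite movie?", "What is your favorite restaurant?"}

# Constructed dossier: what people-search and genealogy sites might surface.
SAMPLE_DOSSIER = {
    "subject": {"addresses": ["12 Elm St, Springfield", "40 Oak Ave, Shelbyville"]},
    "relatives": [
        {"relation": "mother", "surname": "Doe", "addresses": ["12 Elm St, Springfield"]},
        {"relation": "maternal_grandparent", "surname": "Roe", "addresses": []},
    ],
    "direct": {"high_school": "Springfield High"},  # e.g. read off a LinkedIn profile
}

def derive_facts(dossier):
    """Maiden name from the mother's parents' surname; childhood street from a shared address."""
    facts = dict(dossier.get("direct", {}))
    relatives = dossier["relatives"]
    mother = next((r for r in relatives if r["relation"] == "mother"), None)
    if mother is not None:
        grandparents = [r for r in relatives if r["relation"] == "maternal_grandparent"]
        if grandparents:
            facts["mothers_maiden_name"] = grandparents[0]["surname"]
        shared = set(dossier["subject"]["addresses"]) & set(mother["addresses"])
        if shared:  # keep just the street part of the shared address
            facts["childhood_street"] = sorted(shared)[0].split(",")[0]
    return facts

def audit_questions(chosen, dossier):
    """Return a verdict per chosen question: WEAK, UNVERIFIED, VOLATILE or OK."""
    facts = derive_facts(dossier)
    verdicts = {}
    for q in chosen:
        if q in FACT_QUESTIONS:
            field = FACT_QUESTIONS[q]
            verdicts[q] = (f"WEAK: answerable from public records ({facts[field]})"
                           if field in facts else
                           "UNVERIFIED: fact-based; may still surface with more searching")
        elif q in PREFERENCE_QUESTIONS:
            verdicts[q] = "VOLATILE: not in public records, but the answer drifts over time"
        else:
            verdicts[q] = "OK: custom question; safe if the memory was never posted online"
    return verdicts
```

Run it with your own dossier (what you find on yourself, not someone else) to see which default questions you should avoid before relying on them.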
When I realized the amount of information Thompson had amassed on me in a relatively short period of time, I was shocked and a little nervous. It's fine for someone I trust to be trawling the Internet for details of my personal life, but if he could do this so could someone else.