Personal Queries System for Webmail Security Weak

Carnegie Mellon University and Microsoft Research have recently released a paper which finds that the personal security queries used by all four prominent Webmail services are insecure.

The paper explains that the four Webmail services - Google, Yahoo, Microsoft and AOL - use personal queries as secondary verification secrets for resetting account passwords.

During their study, researchers at Microsoft conducted an experiment on 32 e-mail accountholders. They asked acquaintances of the accountholders, people to whom the accountholders would not disclose their login details, to guess the answers that the accountholders had set to safeguard their e-mail.

After a few trials (on the fifth attempt), the volunteers succeeded in deducing the answers correctly, which raises doubts about the security of the system, the research notes.

According to Cambridge University Professor Ross Anderson, it is extremely important to secure Webmail, as e-mail accounts typically let a hacker gain access to other accounts such as Amazon and eBay. Thus, if a hacker is able to crack these accounts' passwords through a hacked e-mail account, he could possibly withdraw money from the victim's financial account and spend it on expensive television sets, as reported by The Hindu on June 23, 2009.

The paper states that while other web providers can verify users who have forgotten their passwords through their e-mail address, Webmail providers cannot, because many Webmail users rely on those accounts for their primary communications.

The largest services tested, Yahoo Mail and Hotmail, have more than half a billion users, implying that a massive number of accounts could well be vulnerable.

Moreover, the paper warns that the secret queries employed by the four most popular Webmail providers aren't enough, as personal queries appear to provide much weaker security than passwords.

Because Yahoo was shown a copy of the research paper in advance, the e-mail service altered all 9 of its earlier personal queries, but Microsoft, AOL and Gmail did not follow suit.

Moreover, in a real example of exploiting the personal query loophole, hackers in 2008 compromised the Yahoo Mail account of Sarah Palin.


» SPAMfighter News - 7/6/2009
