A recent Google search of MySpace Inc.’s popular social networking site for several variations of terms describing a person’s maternal grandparents returned more than 11,000 search results.
The search by security researcher and author Herbert Thompson illustrates the growing security threat posed by the massive amount of personal information posted on social networks, forums, blogs and other Web 2.0 destinations.
Posting seemingly innocuous information – like a mother’s maiden name or a pet’s name – could help a crook access personal data stored by banks, financial services firms and other companies, Thompson said. Many companies typically ask for such information from clients to reset a password on an account, he noted.
Thompson, who is founder and chief security strategist at People Security, a New York-based IT security consulting firm, described how easily personal information posted on a blog or social network could be used to break into a bank account in an article published in Scientific American this month.
With her permission, Thompson accessed a friend’s bank account in an hour and a half after mining her personal blog personal for details like her birth date, birthplace, father’s middle name and pet’s name. He used the data to reset her e-mail password and gain access to an e-mail from her bank with instructions on how to reset her account password.
Thompson said in an interview that cybercriminals are increasingly mining personal data splashed throughout the Web 2.0 world. He noted that the questions that banks have long used to reset or recover passwords were typically seen as difficult for thieves to answer.
Now, however, the answers to the questions are often readily available to crooks because so many people are now blogging about their personal lives or are creating personal profiles that are rife with this type of information, he noted.
As proof, Thompson pointed to the fact that thieves on underground forums typically charge 10 to 12 times more for stolen credit card numbers with the mother’s maiden name or a pet’s name of the owner than for the credit card alone.
“You may not think twice about posting your grandfather’s name, but you’ve just released your mother’s maiden name,” he said.
“There are a lot of places where you can claim to forget other questions, and the site will default to mother’s maiden name. If I give you the log-in to one account, I’ve essentially given you a fish. If I give you the answer to people’s password-recovery questions, I’ve taught you to fish. You can pillage their accounts.”
The problem with the type of information that is posted in blogs and social networks can be compounded by the fact that “the Web — especially Web 2.0, is very sticky,” he added.
Many archive sites contain snapshots of data long after the primary data has been removed. In addition, thieves can supplement information from Web 2.0 sites with public data from state motor vehicle departments or from sites containing home-ownership records, he noted.
To offset this problem, Thompson advised that people find out from their banks or financial services firms what information they use to reset passwords.
Then, they can backtrack to see if any of the information about them required to answer those questions could be found on the Web, he added. If so, he advised online users to change the password-recovery answers or question.
“Most people are likely to find some scary mismatches — that information is publicly available through some state or other government department, or it is something they have freely disclosed online.
See if you are comfortable with your bank-account access … riding on those pieces of information.”
It wasn’t a massive breach, says Best Western
More on the security front:
The Best Western hotel chain has strongly refuted a story published by a Scottish newspaper on Sunday suggesting that it had been the victim of a massive system intrusion exposing the personal data of more than 8 million customers.
Phoenix-based Best Western International Inc. acknowledged that some of its data may have been accessed by an unauthorized users.
But the company said that only one hotel was affected and that only 13 customer records were actually exposed.
The story in Glasgow’s Sunday Herald claimed that attackers had accessed the data of every single customer who had stayed at one of Best Western’s 1,312 European hotels this year and in 2007.
The Sunday Herald reported that the alleged intrusion was perpetrated last Thursday by a hitherto unknown Indian hacker, who got the log-in credentials for Best Western’s online booking system via a keystroke-logging program and then sold the details of how to access the data in the system “through an underground network operated by the Russian mafia.”
According to the paper, which touted the story as a major scoop, the compromised data included the credit card information, home addresses, phone numbers and place of employment of people who had checked into Best Western hotels. The heist potentially could result in more than $4 billion worth of fraud, the Sunday Herald estimated.
However, in a statement sent to reporters via e-mail, Best Western said that the story was “grossly unsubstantiated” and inaccurate.
In a separate FAQ that was distributed with the statement, the hotel chain confirmed that there was “some evidence” of unauthorized access to customer data by someone using a valid employee username and password.
But the compromise was limited to just one property, Best Western said, adding that the total number of potentially affected customers was 115.
Just over a dozen customer records were exposed, according to the company, which said it has found “no evidence to support the sensational claims” of a much wider and larger breach made by the Sunday Herald.
Best Western said it takes several steps to ensure that cardholder data is protected as part of its compliance with the Payment Card Industry Data Security Standard, which was developed by the major credit card companies and is known as PCI.
The measures cited by Best Western include encrypting all card data both while it is stored and in transit between systems, using passwords to restrict access to the data, and deleting credit card records and other personal information when guests depart.
“It is impossible to prove a negative,” the hotel chain said in its statement. But, it added, there is no reason to believe that the exposure went beyond just a few records and the one hotel.
Best Western also called on the Sunday Herald to provide it with evidence backing up the newspaper’s claims about the scope of the breach.