
How Hackers Use Password Recovery Against You

August 31st, 2009 by Marisa Iacobucci

Password Recovery is a Joke

Forgot your password? That’s no problem. Want to find out someone else’s? That shouldn’t be a problem either. Password recovery was designed to be simple and easy, but some companies make it problematically easy.

For most online accounts, there’s the option of having either your password or a set of reset instructions sent to the email address associated with your account. Some companies have you call in and answer a series of security questions.

Of these options, you’d think calling in would put you through the more rigorous and harder-to-bypass procedure, but the experience of Cisco security expert Jamey Heary will leave you thinking twice.

He recounts his experience of resetting the password for his frequent flyer account in the article “Account Password Reset Procedure a Joke.” When Jamey was locked out of one of his accounts, he called the number provided on the web page to go through the routine password reset procedure. He was then asked for his account number, full name, address and phone number, which, to his surprise, won him a temporary password to log into his account. There was no pop-quiz security question like those we sometimes create upon registration that leave us scrambling for recollection (e.g., What is your maternal great-grandmother’s middle name?).

All you had to do was nab one of Jamey’s boarding passes sporting his account number, open a phonebook, and open sesame; you’re in. An interested party could have gained access to Jamey’s frequent flyer account plus the credit cards he had on file, and then locked him out of his own account.

This simple password reset procedure (exploited to crack Sarah Palin’s email account) is a common hacking accessory, which makes it far too easy to do a quick password change and obtain personal information, financial data, shopping history, and a cache of confidential information like Air Miles points.
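To make the weakness concrete, here is an added sketch (not code from the article or from any airline) of the call-in flow Jamey describes beside an out-of-band alternative. The account record, email address, attempt limit and token lifetime are constructed for the example; the point is that every attribute the weak flow checks is printed on a boarding pass or listed in a phonebook, whereas the hardened flow requires control of the registered email address.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; not real data.
ACCOUNTS = {
    "FF123456": {"name": "J. Heary", "address": "1 Example St", "phone": "555-0100",
                 "email": "member@example.invalid"},
}
OUTBOX = []            # stands in for the mail system in this example
MAX_ATTEMPTS = 5       # assumed limit on redemption attempts per token
TOKEN_TTL = 15 * 60    # assumed token lifetime in seconds

def weak_reset(account_no, name, address, phone):
    """The call-in flow from the article: every attribute checked is public
    (boarding pass, phonebook), so a match yields a temporary password."""
    acct = ACCOUNTS.get(account_no)
    if acct and (acct["name"], acct["address"], acct["phone"]) == (name, address, phone):
        return secrets.token_urlsafe(8)
    return None

class OutOfBandReset:
    """Hardened flow: the token is delivered to the registered email (a possession
    factor), is single-use and expiring, attempts are limited, and the response
    does not reveal whether the account exists."""
    def __init__(self, clock):
        self.clock = clock
        self.pending = {}     # account_no -> (sha256(token), expiry)
        self.attempts = {}

    def request(self, account_no):
        acct = ACCOUNTS.get(account_no)
        if acct:  # deliver only for real accounts, but answer identically either way
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[account_no] = (digest, self.clock() + TOKEN_TTL)
            self.attempts[account_no] = 0
            OUTBOX.append((acct["email"], token))
        return "If the account exists, reset instructions were sent to its email address."

    def redeem(self, account_no, token, new_password):
        entry = self.pending.get(account_no)
        if entry is None or self.attempts.get(account_no, 0) >= MAX_ATTEMPTS:
            return False
        self.attempts[account_no] += 1
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if self.clock() > expiry or not hmac.compare_digest(digest, presented):
            return False
        del self.pending[account_no]                       # single use
        ACCOUNTS[account_no]["password"] = new_password    # real code would hash this
        return True
```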

If you’ve been locked out of an account, been a victim of credit card fraud, identity theft or any other online crime, you know it’s a hard pill to swallow realizing that you may have blindly invited online criminals to swim through your personals.

Arm yourself for any potential attacks by:

  • Updating to the latest versions of the anti-virus and security programs on your computer.
  • Getting spam filters to block unsolicited spam and malicious content.
  • Clearing “All History” in your browser to remove your browser history and the cookies that can store account information, names and passwords for protected login pages, and preferences.
  • Using different complex passwords for different sites.
  • Changing your passwords regularly (every 90 days).
  • Shutting down your computer when you’re not using it, so attackers on the Internet cannot attempt to break into it.
  • Shredding your paper statements and never leaving them lying around in public spaces.

Last but not least, the next time you call in to reset a password and they readily disclose your personal information without conducting a proper security check, tell the company to tighten their security practices. And be prepared to close down the account if they take no course of action.

Source: http://www.networkworld.com/community/node/44457

  • Leah
    You know what's scary. I can't even remember all the security questions I've created. The answers to them could be so easily accessible... and evident.