Hacking someone’s personal email account is the best way to control their online presence, and new research shows that it is frighteningly easy to do just that.
A recent study conducted by Lucas Lundgren of the computer security firm IOActive shows that all someone needs to break into a private email account is a good understanding of how websites handle password-reset requests and the patience to dig through a target’s online life for a few key pieces of information. And anyone who receives bank or credit card statements or keeps work documents in a personal email account – not to mention any other private information – knows just how scary such a prospect is.
In an attempt to hack a friend’s Gmail account (with permission) for his research, Lundgren started by trying to reset the account’s password. That led to the discovery that the friend had an alternative Hotmail account as the recovery address, though Lundgren didn’t know the exact address. So he scanned the target’s Facebook account and made a fake account impersonating someone he had identified as a good friend of the target. He sent a friend request to the target from this fake Facebook account, and when the target accepted it, Lundgren had the Hotmail address.
To reset the password for the Hotmail account, Lundgren mined the target’s Facebook page to answer the security question (mother’s maiden name) which left him one small step short of his ultimate goal – hacking his friend’s Gmail account. He requested to reset the Gmail account password, and Gmail sent the necessary email to the Hotmail account that Lundgren had just hacked. And just like that, Lundgren had compromised his friend’s Gmail.
Just for fun, Lundgren then used similar methods to hack the friend’s Facebook account. Lundgren now controlled the target’s online life, and had a variety of purchasing powers (iTunes, an electronics store) through information he found in the Gmail account.
Gmail does offer a two-step login option that lets users receive one-time security codes through a mobile app, which must be entered in addition to the standard password. But it’s only an option, and many sensitive login sites don’t offer such a feature at all.
Because it is frighteningly easy to find the information necessary to hijack someone’s online identity, Lundgren suggests that people restrict the information they share online, specifically on Facebook. And as added protection, he suggests that people not store any sensitive data in their emails – instead, he says, users should print out bank statements, credit card bills, etc., maintain those documents as hard files, then delete them online.
Because, clearly, you can never be too safe.