Security, Soundbites, and Password Recovery Abuse


A recent blog by Graham Cluley drew my attention to an unpleasant little scam apparently aimed at users of webmail services such as Gmail and Yahoo, taking advantage of the password recovery mechanisms offered by such services. The scam was actually pointed out in a short video by Symantec but Graham’s version comes without a backbeat and as softcopy text rather than as spoken narrative.

Since Graham’s article is perfectly clear and quite comprehensive, I won’t attempt to duplicate his efforts. If you want more information, I’d rather you went over to his page, which is as painstakingly reliable as usual. However, here’s a brief summary of the type of attack he (and Symantec) describe.

Two of the ways in which messaging services try to help people who forget their passwords are to let them register a mobile phone number and/or an alternative email address. If users forget their password, the login page includes a link to a page where they can ask for a verification code to be sent as a text message to their phone or as email to their alternative address, and that code is what enables the password reset.

It is, of course, quite easy for an attacker who knows your email address to get to your login page and ask for a verification code to be sent to your phone (or alternative email address, come to that). But he can't read a code sent by SMS if he doesn't have physical access to your telephone. However, if he knows your mobile telephone number, he can send you a text purporting to be from your provider, requiring you to reply with the code that was just sent to you so as to stop "unusual" or "unauthorized" activity. The code the victim relays is the one the attacker himself requested, so he simply enters it on the provider's reset page and sets a new password. (Or, if he knows your alternative email address, he could send you a similarly themed deceptive email; however, that may be a less effective attack, since people may nowadays be better at recognizing spoofed email than spoofed text messages.)

"Panic is a very effective social engineering tool"

This isn't actually a particularly sophisticated attack: it relies on victims, panicked by the threat of losing access to their email, responding to the type of message that a responsible service provider shouldn't be sending. A verification code should only ever be entered on the provider's own recovery page, which you can check is genuine: your provider shouldn't ask you to reply with the code to a hard-to-verify SMS or email. And receiving a verification code you didn't ask for is in itself an indicator of malicious activity (somebody has just asked for a reset on your account), and should make potential victims more suspicious of any subsequent unverifiable content and contact. But panic is a very effective social engineering tool.
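To make the three-party exchange concrete, here is an added simulation (written for this page, not code from Graham Cluley, Symantec or any webmail provider) of the recovery flow and the scam layered on top of it. The provider side is a small hypothetical RecoveryService that issues a six-digit one-time code by SMS, accepts it only on its own reset page, and enforces expiry, single use and a guess limit; the victim side applies the rule from the paragraph above, that a code you did not request is never relayed. Account details, message texts, the 600-second lifetime and the five-guess limit are all constructed for the example.

```python
import re
import secrets
from dataclasses import dataclass, field

CODE_TTL = 600      # seconds a recovery code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed per recovery request (assumed value)


@dataclass
class Account:
    email: str
    phone: str
    password: str
    pending: dict = field(default_factory=dict)   # current reset request, if any


class RecoveryService:
    """Hypothetical provider side. Anyone who knows an address can ask for a
    code; the code goes by SMS to the registered phone and is only accepted
    through reset_password(), i.e. on the provider's own reset page."""

    def __init__(self, accounts, sms_outbox):
        self.accounts = {a.email: a for a in accounts}
        self.sms = sms_outbox   # list of (to_phone, text) the carrier would deliver

    def request_reset(self, email, now):
        acct = self.accounts[email]
        code = f"{secrets.randbelow(10**6):06d}"
        acct.pending = {"code": code, "expires": now + CODE_TTL, "attempts": 0}
        self.sms.append((acct.phone,
                         f"Your password reset code is {code}. Enter it on our "
                         "reset page; we will never ask you to text it back."))

    def reset_password(self, email, code, new_password, now):
        acct = self.accounts[email]
        p = acct.pending
        if not p or now > p["expires"] or p["attempts"] >= MAX_ATTEMPTS:
            return False                       # nothing pending, expired, or locked
        p["attempts"] += 1
        if not secrets.compare_digest(code, p["code"]):
            return False
        acct.password = new_password
        acct.pending = {}                      # single use
        return True


def code_from_sms(text):
    """Pull the six-digit code out of a genuine provider message, else None."""
    m = re.search(r"code is (\d{6})", text)
    return m.group(1) if m else None


# Attacker's spoofed text, sent after the genuine code has landed (constructed).
SPOOF = ("Security alert: unusual activity detected on your account. Reply "
         "with the code we just sent you or access will be suspended.")


def victim_reads_phone(inbox, requested_reset, panics):
    """Victim side. Returns the code the victim texts back, or None.
    Safe rule: a code you never asked for is itself a warning sign, and a
    genuine provider never asks for it by reply, so only a panicked victim
    (or one who really did request a reset) hands it over."""
    codes = [c for _, text in inbox if (c := code_from_sms(text))]
    if not codes:
        return None
    return codes[-1] if (requested_reset or panics) else None


def run_scam(victim_panics, now=0):
    """Full exchange. Returns True if the attacker ends up owning the account."""
    victim = Account("alice@example.com", "+1-555-0100", "hunter2")
    inbox = []
    provider = RecoveryService([victim], inbox)
    provider.request_reset(victim.email, now)      # 1. attacker asks for Alice's code
    inbox.append((victim.phone, SPOOF))            # 2. attacker's spoofed "provider" text
    relayed = victim_reads_phone(inbox, requested_reset=False, panics=victim_panics)
    if relayed is None:                            # 3. wary victim ignores both texts
        return False
    return provider.reset_password(victim.email, relayed, "attacker-chosen", now)
```

Note what the provider-side controls do and do not buy: expiry, single use and the guess limit stop an attacker who tries to brute-force or replay a code, but they cannot stop the social-engineering path, because the attacker initiated the legitimate reset and the victim supplies the one secret he lacked. The only control that breaks the scam in the simulation is the victim's rule, which is why the wording of the SMS itself ("we will never ask you to text it back") matters as much as the cryptography of the code.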

Symantec is not, of course, the only security company that seems to prefer to provide information to its non-technical users in video form, but it got me thinking about the reasons behind this preference for information as (literal) soundbites.

Personally, I tend to avoid informational sites that accentuate multimedia: while the Symantec video cited here is pretty short, I prefer information in more textual form that I can skim and decide whether I want or need to read it properly (even offline). I often find I have to expend bandwidth by watching/listening to video content for a while before I’m sure I do or don’t want to see it through to the end, whereas I can make a similar judgment on a blog article or paper in seconds. I suppose it’s the same as skimming a newspaper as opposed to watching television where the volume of content is limited by the speed of a presenter’s delivery, and isn’t so easily retained for future reference. On the other hand, if I spent more time on the move trying to absorb content from a mobile device with a small screen, I guess I’d see more value in aural rather than visual content.
