That’s the conclusion reached by SecurEnvoy after talking to 300 IT profesionals: social networks in the hands of experts (that is, kids) are effectively a password cracking tool. The problem is that the social networks provide all the personal information necessary to engage in some serious spear-phishing; and it’s today’s youngsters who are the expert users.
SecurEnvoy’s co-founder and CTO, Andy Kemshall explains how combining different bits of information from the different social networks allows an attacker to build a detailed picture of a target. “For example,” says Kemshall, “on Facebook, by labeling relatives, it wouldn’t take a genius to work out that Mrs Jane Brooks’ daughter Susan, whose uncle is Peter Jones, probably has a maiden name of Jones.”
The attacker now knows the answer to the security question protecting Susan Jones’ password: her mother’s maiden name.
Over on LinkedIn, the attacker can discover where Susan works and probably get her email address (which is very often the ‘username’ in password protected log-ins). It’s quite possible that armed with all the personal information gathered so far, the attacker can simply guess Susan’s password. But if not, says Kemshall, “While many won’t be able to do any more with this information, someone wanting to attack Susan’s employer could log in, answer the ‘secret’ question and reset her password to potentially get control of her credentials.”
The basic problem is that access to passwords is often protected by nothing more than a secret question based on personal information – and the social networks give away all the personal information necessary to know or guess the answer to that question. It’s a problem that will only get worse. “If we’ve got a problem today then what’s going to happen tomorrow when our technology proficient kids also join in the games and enter the workforce? We need to start getting serious about security today.”
In reality, the problem with passwords is even worse. Quoting figures from Experian, the BBC yesterday reported that “Consumers now have an average of 26 separate online logins but just five different passwords.” If an attacker gets just one password, he or she will have access to the majority of the user’s accounts. "Passwords are simply not enough to protect vital data,” comments Websense Security Labs senior manager Carl Leonard. “They’re as strong as a simple lock against professional thieves. Passwords can be guessed, cracked or stolen through social engineering. Worse still businesses can be attacked and stories of breached password databases make for uneasy reading.
Kemshall’s solution is not to try fix what is broken, but to add an extra factor to standard authentication procedures. “Just like ‘chip & pin’ has helped prevent in person credit card fraud, apps and soft tokens as part of a two factor authentication process is a very effective security measure.” The alternative, he fears, is that the latest news of another serious breach will just become accepted as part of our daily life.