
HERBERT H. THOMPSON
As a professor, a software developer and an author, I've spent a career in software security. I decided to conduct an experiment to see how vulnerable people's accounts are to mining the Web for information. I asked some of my acquaintances, people I know only casually, if with their permission and under their supervision I could break into their online banking accounts. After a few uncomfortable pauses, some agreed. The goal was simple: get into their online banking account by using information about them, their hobbies, their families and their lives freely available online. To be clear, this isn't hacking or exploiting vulnerabilities; instead, it's mining the Internet for nuggets of personal data. Here's one case. I share it here because it represents some of the common pitfalls and illustrates a pretty serious weakness that most of us have online.
Setup: This is the case of one subject whom I'll call "Kim." She's a friend of my wife, so just from previous conversations I already knew her name, what state she was from, where she worked, and about how old she was. But that's about all I knew. She then told me which bank she used (although there are some pretty easy ways to find that out) and what her user name was. (It turns out it was fairly predictable: her first initial + last name.) Based on this information, my task was to gain access to her account.
Step 1: Reconnaissance: Using her name and where she worked, I found two things with a quick Google search: a blog and an old resume. Her blog was a goldmine: information about grandparents, pets, hometown, etcetera (although it turns out I didn't need to use most of this). From the resume I got her old college e-mail address and from her blog I got her G-mail address.
Step 2: Bank Password Recovery Feature: My next step was to try the password recovery feature on her online banking site. The site didn't ask any personal questions; instead, it first sent an e-mail to her address with a reset link, which was bad news because I didn't have access to her e-mail accounts. So e-mail became my next target.
Step 3: G-mail: I tried to recover her G-mail password, blindly guessing that this was where the bank would have sent its password-reset e-mail. When I tried to reset the password on her G-mail account, Google sent its password reset e-mail to her old college e-mail account. Interestingly, G-mail actually tells you the domain (for example, xxxxx.edu) where it sends the password reset e-mail to, so now I had to get access to that…ugh.
Step 4: College E-Mail Account: When I used the "forgot my password" link on the college e-mail server, it asked me for some information to reset the password: home address? (check—found it on that old resume online); home zip code? (check—resume); home country? (uh, okay, check—found it on the resume); and birth date? (devastating—I didn't have this). I needed to get creative.
Step 5: Department of Motor Vehicles: Hoping she had gotten a speeding ticket, I hit the state traffic courts' Web sites, because many states allow you to search for violations and court appearances by name. These records include a birth date (among other things). I played around with this for about 30 minutes with no luck when I realized that there was probably a much easier way to do this.
Step 6: Back to the Blog: In a rare moment of clarity I simply searched her blog for "birthday." She made a reference to it on a post that gave me the day and month but no year.
Step 7: Endgame (or How to Topple a House of Cards): I returned to the college e-mail password recovery screen and typed in her birth date, guessing on the year. Turns out that I was off on the year of birth but, incredibly, the university password reset Web page gave me five chances and even told me which field had inaccurate information! I then changed her college e-mail password, which gave me access to her G-mail password reset e-mail. After clicking the link, Google asked me personal information that I easily found on her blog (birthplace, father's middle name, etcetera). I changed the G-mail password, which gave me access to the bank account reset e-mail, and I was also asked for similar personal information (pet name, phone number and so forth) that I had found on her blog. Once I reset the password, I had access to her money (or at least I would have).
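The chain in Steps 2 through 7 can be checked against your own accounts. The following is an added example, not part of the original article: a Python model of each account's reset paths that reports which accounts can be reset using only publicly discoverable facts, and which account the chain starts from. The account names, fact labels, and the `Recovery` and `harden` helpers are assumptions made for illustration; the data is constructed to mirror the article.

```python
"""Self-audit of account-recovery chains. All names and data are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Recovery:
    """One password-reset path an account offers (hypothetical model)."""
    email_to: Optional[str] = None           # reset link is mailed to this account
    questions: FrozenSet[str] = frozenset()  # facts the reset form asks for


def exposed_chains(accounts: Dict[str, List[Recovery]],
                   public_facts: FrozenSet[str]) -> Dict[str, List[str]]:
    """Return {account: reset chain} for every account whose reset needs
    nothing beyond public facts and inboxes that are themselves exposed."""
    chains: Dict[str, List[str]] = {}
    changed = True
    while changed:                       # iterate until no new account is added
        changed = False
        for name, paths in accounts.items():
            if name in chains:
                continue
            for path in paths:
                if not path.questions <= public_facts:
                    continue             # at least one answer is not discoverable
                if path.email_to is None:
                    chains[name] = [name]
                elif path.email_to in chains:
                    chains[name] = chains[path.email_to] + [name]
                else:
                    continue             # inbox not (yet) known to be exposed
                changed = True
                break
    return chains


def roots(chains: Dict[str, List[str]]) -> List[str]:
    """Accounts where a chain starts: fixing these protects everything behind them."""
    return sorted({chain[0] for chain in chains.values()})


def harden(accounts: Dict[str, List[Recovery]], name: str) -> Dict[str, List[Recovery]]:
    """Copy of `accounts` in which `name` answers its reset questions with random
    strings stored in a password manager, so no public fact matches them."""
    hardened = dict(accounts)
    hardened[name] = [
        Recovery(p.email_to, frozenset(f"random:{name}:{q}" for q in p.questions))
        for p in accounts[name]
    ]
    return hardened


# Constructed model of the three accounts described in the article.
ACCOUNTS = {
    "bank": [Recovery("webmail", frozenset({"pet_name", "phone_number"}))],
    "webmail": [Recovery("college_mail",
                         frozenset({"birthplace", "father_middle_name"}))],
    "college_mail": [Recovery(None, frozenset({"home_address", "zip_code",
                                               "country", "birth_date"}))],
}

# Facts assumed to be discoverable from a blog and an old resume (constructed labels).
PUBLIC_FACTS = frozenset({
    "home_address", "zip_code", "country", "birth_date",
    "birthplace", "father_middle_name", "pet_name", "phone_number",
})

if __name__ == "__main__":
    found = exposed_chains(ACCOUNTS, PUBLIC_FACTS)
    for account, chain in found.items():
        print(f"{account:13} resettable via: {' -> '.join(chain)}")
    print("fix first:", roots(found))
    print("after hardening college_mail:",
          exposed_chains(harden(ACCOUNTS, "college_mail"), PUBLIC_FACTS))
```

Hardening only the bank leaves both mailboxes resettable; hardening the account at the start of the chain protects all three.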










64 Comments
overall i found this to be an extremely informative article. however, as someone who has done penetration testing and vulnerability assessment for years, i find the assumption of having the bank and username a bit too much.
the css attack in the link did not work even on my luddite neighbors' computer. it assumes that you can get the victim to surf to your site with history enabled and weak security after visiting the bank and before history times out. also, it does not yield the username. furthermore, after a cursory examination of the bank names searched, i can assure you that a significant portion of those do not have a standardized username generation schema.
obviously the author has the skills to do a full attack and i would love to see this type of thing realistically documented in such a widespread, thoughtful publication.
What algorithm did you use? How did you bust PKI and Cipher, on these people? Social engineering is cake, technology is a different story.
http://www.poundinghearts.com
Ok, so I tried this on my own accounts and it actually worked! I'd used the same reset questions for everything. I didn't have the answers anywhere online - I don't blog and don't have a MySpace page - but my brother does and it had enough information on it about our family to reveal MY answers. I put in some harder reset questions but it seems like a losing battle. Am I liable if someone gets into my bank account like this and transfers money out?
Ya know, you don't HAVE to put valid information in the challenge/response (password reset) questions.
Although some sites can be a pain with the selection of questions, you could keep a common set of random answers lying around - no one would be the wiser.
I think you're lying. I doubt very much you could find out that sort of information on someone's blog. When would anyone possibly post their father's middle name or actually put their real pet's name as their reminder.
The only way you could access someone's information is if you have their social security number and know a lot about them from personal interaction.
Wow dude, fascinating article indeed.
RD
www.Ultimate-Anonymity.com
Another reason to use whisper bot ( http://www.whisperbot.com ) instead of email to send your personal or secure information. It's all encrypted and people can't get to it - Much safer than e-mail...
You can easily figure out whom somebody is banking with from their browser history. See www.browser-recon.info (this is a safe site).
As for user names, they are often very predictable.
Cheers,
Markus
hehe... My mates and I have been following a similar 'procedure' on 'friends' since back in our high school and Uni days... We never quite went as far as milking bank accounts but I must confess I've changed or accessed 'required' information for my own benefit or just to mess with people's heads ;)
I think a lot of people these days know how easy it is to crack an easy target's hotmail/gmail pw via some sly social engineering/blog mining to get their 'secret' answer and gain access to a wealth of personal information.
Here is what you have to do to access *my* online banking account:
1) Steal my cryptographic token (a little calculator-like device that generates one time passwords and signs transactions)
2) Spy on me when I am using it to see the PIN I use for the token (or torture me to tell you :). No, it is not my birthday (it's not a date at all), nor phone number, nor anything like that. If you try to guess it, you have three tries before the token goes dead.
Of course, one time passwords are valid for a minute or so; spying on me (electronically or otherwise) to see one will not help. Besides, even if you manage to surmount identification barrier, there is still the transaction authorization one.
Alternatively, you can try to impersonate me and claim to have lost the token. You will have to do that in my branch, in person, and have a government-issued photo-id (knowing our equivalent of SSN will *not* do). In addition, you will have to convincingly fake my signature, and if you run into my personal banker, you are toast.
Having online banking account protected just by a simple username/password is incredibly naive. I would never use such a service.
http://news.softpedia.com/news/Gmail-Accounts-Automatic-Hacking-Tool-Presented-at-Defcon-91747.shtml
You went to a lot of trouble for nothing.. most people aren't smart enough to use encryption and if you use gmail for anything important you deserve pain and suffering.
That's why my pet's name is a4f27bde, the make of my first car is 29d9f582, and my mother's maiden name is 64f9ea9f. It surprises me that so many people feel the need to provide the actual answers to these questions instead of making something up and recording the fake answers in a secure location.
This is a great article to remind us how to keep our personal information as private as possible and protect ourselves. However, I can't help thinking how some deviant types may see this as a guide for how to best access others' personal information for their own gains.
Most banks disable your password after the third attempt. The first password only allows user to see the accounts. For any operable instruction, transaction password is additionally required. Banks insist upon password/transaction password which contain alphabets, special characters and numerals.
Above methodology is not workable. Maybe enough to get mail passwords but not bank passwords. More often than not, the bank's data bank is hacked into after clandestinely getting administrative tools through blackmail, favours or bribes.
Personally I don't feel uncomfortable about this - my bank uses a combination of a one-time pad (a combination of table 1: letters + table2: digits - use it once, then forget it forever) plus a separate password. In order to get access to my account you'll need physical access to my one-time pad plus you must guess the separate password (kS9w,P2@g.4 - quality). Please try.
How does one remove old passwords and one item not mentioned was changing passwords regularly and not using your name as a User ID.
Excellent article.
Cali
LB, CA
You didn't mention changing passwords regularly. Also how does one remove old passwords. Do they stay around even if you change to a new one?
Excellent article.
Califa
I found it interesting that a couple of posters seemed to think that you couldn't possibly access someone else's account without a SSN. I logged into someone else's bank account by accident, and I was shocked at how easy it was.
. I had opened a new account a few months ago, and when I tried to register it, the system would not accept my username because someone else had already registered it. So I registered with a variation of my username.
. Of course the password was rejected, since that isn't my username. The security question was 'What is your favorite animal?' I entered my favorite, which was not correct, so I guessed, and put in 'dog'. When the account information was displayed, my first thought was that my balance was wrong. Then I realized that I was looking at an account belonging to someone whose last name is the same as mine.
My username of choice is
Yesterday I tried to logon using
Needless to say, I was shocked. I immediately called the bank and told them what I had done, and they said they would take care of it. Thinking back on this, I should have told them that they needed to rethink their security questions. How many people do you know that would say that dog is their favorite animal.
Wow, she posted her father's middle name knowing she used it as a password recovery question? That seems all sorts of strange to me. But I know many different people use computers and many aren't very knowledgeable about internet security..my mother hasn't changed her 6 digit password since she first bought a computer in 1997.
I've long since gotten rid of ties to my university email address because of how slow the system was to catch up to security improvements. Biggest complaint I had about it was that we couldn't use it once we graduated..we were told it would stop after a few months but weren't told when exactly or how to make sure all our correspondence/passwords/security answers were securely deleted.
There's really no excuse for people getting into your email. Don't give out your password, which shouldn't be a word tied obviously to you. GMail now lets you know where your account was accessed and at what time and where. Don't use a university address as a secondary address..better yet, don't use a secondary email address at all. Make your own obscure questions (most places let you now) with obscure answers.
"Go for questions that ask about obscure things that you won't forget (or can at least look up), like your favorite frequent flyer number". Favourite frequent flyer number is not a good idea. Before electronic crime became popular, we made the mistake of putting our home address on our bags when we went on holiday. Yes, the house was burgled while we were away. Now, when I fly with my "favourite airline" I tag my bags with my frequent flyer number. The airline has my details on record if the bags get lost.
A further point is that lots of other travel sites have my frequent flyer number details, because they all link in to the points collection system.
when you need to use a parent's middle name, give them something you will remember, like a grandparent's middle name, the middle name of your very best friend, etc. no need to tell them the name you are giving them is not exactly what they were asking for. i do this, as well as changing my passwords every 30-60 days. it is ez to do (remembering, not writing down) as long as you follow a pattern. never tell anyone what your pattern is.
if you are not clearing your cookies, cache, and history every time you log off, you should be. and never walk away from your computer w/out logging off. home pc security is not that complicated.
Very interesting article. I am glad I bank with a credit union in which the user name is an access number and they ask for last 4 of your social plus a password, plus the access number. I know my old bank did the first initial last name which can be very easily figured out. Banks need to ask for at least 3 different types of information such as account number/access number, last 4#'s of social, and or birthdate plus the password. Simple thing for people to do is not post private information online such as on myspace (keep only your friends to view your page) facebook, etc. I can't believe people have so much free time to blog anyway. I have a page but since I am a parent of two and work full time I have no time for nothing but my family's needs.
I use two different methods to protect myself. First off, I own the ISP that handles my email. And I don't use a mail client at all, rather a telnet program known as "putty," and I telnet into the server, then read my email in linux, using software called "Pine." This is the old way to access email, but with newer security around the ISP. You can't click on links in pine. It's all text based, and not local to your computer, rather to the server. And yes, the server can get hacked, but I really don't think anyone cares about my 'server reset notifications,' or the next time I'm going to play paintball.
To avoid possible phishing on my own system, I only browse using Microsoft's virtual PC. It's another virtual computer running on top of your computer. There is almost no sharing (note the word 'almost') between the host and the virtual system. The entire thing is backed up, and if I happen to catch a virus there, I simply delete the virtual computer. If I feel that the connection was compromised in any way, I delete the computer, and replace it again with the backup. Search for it on microsoft's site and read up on it.
And it is absolutely correct, you do not have to enter correct information. In fact, I rarely do. I often enter information about my grandmother's life. Easy to remember, but hard information to find, considering she was born in 1904 and is now deceased. Just a thought,
i don't do any banking on line but concerned about using my credit card on line. question for you. i was on line looking up county ordinances when my blocker pop up said the county gov. was trying to pull up information from my computer, why?
"I have a page but since I am a parent of two and work full time I have no time for nothing but my family's needs. " alexmac816, are you going to tell me that after getting home you cook dinner, eat then go directly to bed EVERY night? Nowhere in there do you help your kids with homework, clean up after dinner, watch television, read a book/magazine, do other household chores, go outside, play a game etc... Because unless you do, it is a matter of prioritization. Yes, one could probably remove help kids with homework, and cleaning up after dinner and possibly household chores, however everything else that I have mentioned are a matter of what YOU like to do in your free time. I am a software developer that also works full-time, although I do not have the same family responsibilities as I am still young, however after returning to my house and undertaking my daily routine of showering and eating, I have my own agenda to fill up my night before I head to bed around 10pm. The next morning I wake up at 630am and start the whole process again. I am fortunate, that I get to sleep on avg 8.5hrs a night, and I do understand family obligations, as I have 4 siblings, but you not going onto a computer is a matter of personal priority. The fact that you responded to this article proves that while you may not log-in a lot, you do have time to roam around the busy world of the internet. Please do not take this as a blatant attack, I am just trying to point out that personal priorities are a big factor into what people choose to do and what people must do on a daily basis.
Scary stuff...I will definitely keep your warning in mind! Also, don't forget to log out of any accounts that you have to log in to access.
AH
www.MomsWallet.com
I NEVER answer those challenge questions honestly. I make up passwords for those too.
This is why I'm never honest about anything online... I never use real information... My birth date, name, family's names, place I live... Everything is made up... The only things I'm honest about are in my reminder questions, and that's only because I need to remember them, but I still feel safe, just because there are only a handful of people in the world who could guess the question and even fewer who could translate the obscure dialects I use as answers... Somehow, I don't think I have too much to fear from Archaeologists...
My credit union allows only three attempts to log-in, after which it locks the account and you have to call the CU and they ask multiple questions challenging you to prove your identity. Also, it's a two-screen log-in, which makes it very hard to enter through guesswork. If you don't know the account number and password, you can't get to the second screen. It's a bit of a pain from the account holder standpoint, but I feel it offers a decent level of protection. I wish my credit card provider and broker handled security in a similar way.
I would have a lot of trouble with the preference questions some have suggested: Do you like opera? (some days I do, some not, depends on the opera.) I also have trouble with 'favorite' questions: favorite pet (Pookie? Dookie?); favorite teacher (Mme X or Mr Y?) My answers change and I find that one month later when I pay that bill I can't remember what I answered and we reset the password again. Mother's maiden works with me and in my case is not very trackable. [Let's say I was adopted] Maybe part of a solution would be to find a way to inform people about some of the problems as they choose their answers right on the websites. I know those little blurbs that suggest using alphanumeric combinations or Caps made me think up better passwords. Not paragraphs of warnings, but a sentence or so on the security question entry page would help people.
What ever happened to common sense? When asked I never give my mother's real maiden name. When I am asked for secret question info I never use my real information. Geeze anyone that knows me would know my pet's name or the high school I attended zip code, home town etc. Come on people use some common sense people!
Wireless internet access is a killer for typing in a person's password and user name while out and about. I was told that if you type your user name and password on a word document, then cut/paste onto the area that is required, your information will not be available to hackers. Is this true?
I travel internationally and have to perform computer tasks over the internet sometimes on a wireless non-secured network. I had a mate tell me that if you type your user name and password onto a word document, then cut and paste onto the secured web page such as your email, hackers would have a tough time stealing your information. Is this true?
Thanks for the info.
Now I wonder about the security of databanks of e-mail servers. And now I guess a wannabe hacker has gotten a new idea from this post.
there are other ways of hacking into a person's accounts, per example remoteviewing skills, if a person is highly skilled in remoteviewing abilities, they can hack into your mind and get the names and numbers directly from the person's conscious. this was done to me too many times. wave frequency machines are top secret machines, these machines can control the frequencies of the brain and can cause a person's conscious to transmit any type of information that is wanted by the perpetrator.
Unbelievable how you've just found out how easy to open your accounts. These are the simplest logical steps that could be performed by anybody with working brain. This "hacker" thing was done millions times years ago and you get so ugly surprised just now. Hahahaha I bet most of you have detailed background posted in your blogs and DOB passwords! Morons
I can't believe that you just gave the world information on how to steal someone's identity! Sure it's informative for us to know how someone can do that, but it also gives others ideas to hack those who have not read your article. Ugh.
This actually works! About two years ago i tried to do the same thing with success! I had a weird feeling my girlfriend at the time was spending too much time chatting in myspace. So i decided to get her password, and i was able to get into her e-mail and retrieve the password. People's privacy nowadays is so vulnerable......
If you want to know more about my story reply back!!!!!!
Thanks for this informative article and I have to say that this is not new information for me. I learned about this kind of easy to hack issue from an episode of MacGyver back in the late 80's and have been strictly following MacGyver's continually timely information ever since (and no I do not use anything related to MacGyver in any of my passwords). I simply do not post any key information about myself that I might decide to use as a password. That's what MacGyver taught me LOL.
Yea. that's why I use bogus answers for those security questions. Instead of your dog's name, why not just do ralph128 (yes, I know you can guess numbers, but with lock outs, you'll be safe.) You could also just do some bogus word for all with an extra letter indicating a word in the question.
i already did this over a year ago, but not to get into a bank account...i stole my bf's email password and thru it, her ex's just to make sure he wasn't fooling around with her...i found out they were still exchanging mails...by getting into the girl's email account i found out that she still hasn't deleted her blog that is dedicated to both of them and has lotsa pix of the both of them together...so armed with all the information i gathered thru both their mails and her blog, i deleted her blog about them and deleted all her email accounts that has reference to him like having both their names or pet names for each other on the email address...hehe...crazy, i know...but it made me feel less jealous...i also managed to send an email to my bf thru the girl's account which started a fight between them...and now, they're not talking to each other at all...haha...just hope my bf won't find out coz if he does, i'm dead! he didn't think i'd be able to figure out something like this that's why he doesn't suspect anything...he thinks i'm not that smart =) his ex is a cum laude, but i'm smarter...they didn't get the inkling that somebody has broken into their emails and blogs...
oh yeah, after i stole my bf's and his ex's email & blog passwords, i changed my own reset passwords, and answers to reset questions and other required infos...i realized i didn't have to have a valid answer to the reset questions anywayz like i didn't have to put my dad's real middle name or that nobody who knows me would expect me to put "what is your pet's name" as a reset your password question, since everyone i know knows that i don't like having pets that's why i never had one...they'd be stumped in guessing the answer to that ;) hehe

Wow!!!
It seems so easy to figure out how to break all the "so called" security questions & gain all access to your email id & so on!! There are no doubts that user names are too predictable, mostly with combination of first & last name.
It's too scary to me...

Wow!!
It seems so easy to figure out how to break "so called" security questions & get access to all accounts. There are no doubts that the user names are often too predictable, mostly some kinda combination of user's first & last name. If you know the person "personally" already you know lot of info.
It's too scary to me...

Thank you for this article.
Seems to me the easiest way to keep the public info you might post from being used to hack your accounts is to make up an answer to the common questions (mother's maiden name, city you were born in, high school, etc.) that bears no relationship to the real answer.... e.g., your high school = 'gonzo', city born in = 'podunk'..... these silly questions don't check for 'real' data ... just a text string. As long as you use totally bogus answers (that you can remember, of course) there would be very little chance of somebody guessing them even if they have access to your blogs/dmv info, etc.

This is excellent and just confirms my belief that one day hackers or an organized group of them will hack into the major infrastructure systems of our society and cause a major catastrophe. In fact, I've written a book about such a scenario where hackers take over the cell phone network and the power grid and hold the US hostage. Dark End of the Spectrum available at the publisher's website at http://www.lulu.com/content/3515824 is so realistic that a so called covert operative has contacted me and wants me to run sensitive information on my blog at http://aspnovelist.blogspot.com
Check it out and see for yourself.

plz i need ur help add me at sean_paul664@yahoo.com so that we can hv a chat there

This is silly now people know how to hack an account!

Great story with a great ending! Wish more people would hear stories like this and think about what they are posting everyday on social media sites. In fact this was such a good piece I posted it to my security advice blog www.spikedsecurity.com.

Not only that, but most banks, if not all of them, also request either an account number or credit/debit card number to reset the password, and most people are not just going to freely give out that information, or post it on Facebook or MySpace.

I want to be a hacker. And at first I want to know which software is used there?

Well all of this is interesting but keeping in mind that people who go through all the trouble of obtaining your personal information intend to use it in illegal ways. Once one takes the risk of breaking the law and committing a crime, there is pretty much no way to protect yourself. All the precautions in this blog may help against amateur hackers, but in reality one's accounts and passwords can be obtained in much simpler ways. I have experience with computer viruses and especially phishers and keyloggers and anyone reading this article should understand that it is almost impossible to stay 100% protected if you engage in online banking or shopping using credit card or other services such as Paypal. Any skillful programmer will be able to tell you that antivirus programs cannot detect all viruses and some can be stealthy and you won't know anything while every keystroke on your keyboard is being electronically recorded and uploaded to someone's server. I only know of the ways I have come in contact with to obtain access to someone's computer, but creative hackers are coming up with newer and newer security breaches. Even a small popup on your web browser could in reality launch a stealthy virus of some sort on your computer. All this might be frightening and most computer users don't understand the danger they put their private information in when they for instance shop online or check their bank accounts. There are an unthinkable amount of ways to infect someone's computer but there are only a few ways to protect oneself. Perhaps the best, but also somewhat annoying and time consuming, is to install a separate operating system on your computer to use for banking and entering confidential information such as credit card number to purchase something from an electronic store. I recommend a version of Linux, most of the distros nowadays are quite simple to use and have step by step installation instructions.
Since this post is about protecting personal information, I recommend dual booting your computer and using either Windows or Mac for everyday things such as gaming, social networks, or schoolwork because they are more user friendly and you are used to them, but anything involving banking information should only be entered on the Linux operating system if you want your information safe. Yes, creating a dual boot system requires extensive computer knowledge but those with powerful computers can instead use virtual OS. A free and popular client is VirtualBox. I recommend googling to find instructions because it could save you time. (;