The State of Hacked Accounts

Orome1 writes "Most users get hacked at high rates even when they do not think they are engaging in risky behavior, with 62% unaware of how their accounts had been compromised, The results of a Commtouch survey presenting statistics on the theft, abuse and eventual recovery of Gmail, Yahoo, Hotmail and Facebook accounts, shows that less than one-third of users noticed their accounts had been compromised, with over 50% relying on friends to point out their stolen accounts. Also, more than two-thirds of all compromised accounts are used to send spam and scams, which is not surprising, as cybercriminals can improve their email delivery rates by sending from trusted domains such as Gmail, Yahoo, and Hotmail, and enhance their open and click-through rates by sending from familiar senders."

This will never end

[thecrotch]

People just don't care enough about it to inconvenience themselves with strong authentication, how many of our mothers use their dog's name, in all lowercase, as their password on every single one of their accounts?

Re:This will never end

[snakeplissken]

Or requiring that you answer one of a limited number of fixed "security questions".

who cares what the question is, just put in an unguessable answer that you make up, that way no amount of personal knowledge about you can give it away

snake

Re:This will never end

[RsG]

Doesn't matter in context. You're bitching about the wrong problem for the article.

Most of the time when a web based email account gets cracked it isn't that you set your password to "password". Instead it's that you logged in from a compromised machine, and someone got ahold of your actual password, whether it's "fido" or "1xe34v3tsAad". There's a damn good reason I don't check my email anywhere other than devices I know are clean.

(Had something like what TFA describes happen to someone I know; it took her forever to realize that what had transpired was that she'd checked gmail on a coworker's computer and said coworker had been grossly lax in terms of safety. When a scan was run on the box for the first time ever it returned over a hundred bits of malware, some of it serious. The coworker, incidentally, was a private secretary to a lawyer, so this was a "holy shit" moment if ever there was one.)

Think about it for a moment and you'll see why the perpetrators use malware and/or social engineering rather than, say, a dictionary attack; there's nothing google, facebook or yahoo can do about it. They can easily limit the number of login attempts, encrypt usernames and passwords, reject really common passwords during account creation, etc, but if some third party gets the correct password from an infected PC, then when they log in it will appear legitimate.

That isn't to say you shouldn't bother with strong passwords, but if you think having a strong password protects you from everything, you're fooling yourself. The solution here also requires security software and education about admin privileges and trusted vs. untrusted sources for "free" software as it's the likeliest vector for infection (presupposing for a moment that the user needs a windows box, and frankly half the time the answer to that is "yes" for a number of reasons).

Re:Duh. The sites themselves have no security.

[Firehed]

Can we get past this already? SSL is not heavyweight, and has not been for years. It's a couple percent of overhead*. Most authentication systems are going to have significantly more overhead than turning on SSL, since they'll be most likely hitting the filesystem or a database to retrieve session information on top of the actual code logic that goes into authentication.

I agree that an authentication system tied more tightly into the browser would be of great value, but it won't happen anytime soon if ever. See: IE6. Hell, even Safari is updated quite infrequently (and even then mostly just security patches, not feature releases), never mind the plethora of mobile browsers floating around these days. That also solves a completely different problem than SSL. There's no getting around the fact that in order to have hijack-proof sessions, all of the authentication data - whether in the form of a session cookie or some new, novel mechanism - needs to be sent encrypted. Not necessarily SSL, but that's more or less a solved problem so why not? I also quite like the idea of nobody knowing what URLs I'm hitting.

* Excluding the time spent tracking down that one damn analytics script that's pulling in a tracking pixel over http and making browsers throw up all over the place