Slashdot Mirror

← Back to Stories (view on slashdot.org)

The State of Hacked Accounts

Posted by samzenpus on from the how-bad-is-it? dept.

Orome1 writes "Most users get hacked at high rates even when they do not think they are engaging in risky behavior, with 62% unaware of how their accounts had been compromised, The results of a Commtouch survey presenting statistics on the theft, abuse and eventual recovery of Gmail, Yahoo, Hotmail and Facebook accounts, shows that less than one-third of users noticed their accounts had been compromised, with over 50% relying on friends to point out their stolen accounts. Also, more than two-thirds of all compromised accounts are used to send spam and scams, which is not surprising, as cybercriminals can improve their email delivery rates by sending from trusted domains such as Gmail, Yahoo, and Hotmail, and enhance their open and click-through rates by sending from familiar senders."

21 of 69 comments (clear)

  1. Lower limits. by John+Hasler · · Score: 2

    These are lower limits: consider the large but unknown number of users who are not and never will be aware that their accounts have been cracked. Then there are the billions of abandoned accounts...

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  2. trusted domains such as hotmail and yahoo? by way2trivial · · Score: 5, Funny

    WTF happened while I was napping?

    --
    every day http://en.wikipedia.org/wiki/Special:Random
  3. This will never end by thecrotch · · Score: 4, Insightful

    People just don't care enough about it to inconvenience themselves with strong authentication, how many of our mothers use their dog's name, in all lowercase, as their password on every single one of their accounts?

    1. Re:This will never end by snakeplissken · · Score: 4, Insightful

      Or requiring that you answer one of a limited number of fixed "security questions".

      who cares what the question is, just put in an unguessable answer that you make up, that way no amount of personal knowledge about you can give it away

      snake

    2. Re:This will never end by RsG · · Score: 4, Insightful

      Doesn't matter in context. You're bitching about the wrong problem for the article.

      Most of the time when a web based email account gets cracked it isn't that you set your password to "password". Instead it's that you logged in from a compromised machine, and someone got ahold of your actual password, whether it's "fido" or "1xe34v3tsAad". There's a damn good reason I don't check my email anywhere other than devices I know are clean.

      (Had something like what TFA describes happen to someone I know; it took her forever to realize that what had transpired was that she'd checked gmail on a coworker's computer and said coworker had been grossly lax in terms of safety. When a scan was run on the box for the first time ever it returned over a hundred bits of malware, some of it serious. The coworker, incidentally, was a private secretary to a lawyer, so this was a "holy shit" moment if ever there was one.)

      Think about it for a moment and you'll see why the perpetrators use malware and/or social engineering rather than, say, a dictionary attack; there's nothing google, facebook or yahoo can do about it. They can easily limit the number of login attempts, encrypt usernames and passwords, reject really common passwords during account creation, etc, but if some third party gets the correct password from an infected PC, then when they log in it will appear legitimate.

      That isn't to say you shouldn't bother with strong passwords, but if you think having a strong password protects you from everything, you're fooling yourself. The solution here also requires security software and education about admin privileges and trusted vs. untrusted sources for "free" software as it's the likeliest vector for infection (presupposing for a moment that the user needs a windows box, and frankly half the time the answer to that is "yes" for a number of reasons).

      --
      Erotic is when you use a feather. Exotic is when you use the whole chicken.
    3. Re:This will never end by QuantumRiff · · Score: 4, Interesting

      I use a different random 20 character Password for EVERY website and service I use (thank you lastpass!).

      Last week, google told me my account needed to be verified, after a mobile phone in korea logged into my account. (I also use Firefox or chrome on linux). Only thing I can think of was that there was some sort of XSS (since I keep myself logged into gmail) on either a website my linux box visited, or my android phone. I'm leaning towards the phone, since I use gmail over https on linux.

      --

      What are we going to do tonight Brain?
    4. Re:This will never end by txoof · · Score: 2

      I was pretty disappointed that TFA didn't offer any suggestions to best practices to prevent hacking, or even suggest how a user might determine if they were compromised. It was just a moment for everyone reading the article to feel aloof and point their fingers at all the plebes under them.

      I've been using Google's 2 Step Authentication for a few months, and HTTPS since it was offered and feel pretty secure about the security of my Google login, but if someone hijacked my account, I don't think I would really know until a friend pointed it out, or the hijacker changed the password.

      How would YOU tell? What steps can an average, non log-poking user figure they've lost control of their account?

      --
      This one's tricky. You have to use imaginary numbers, like eleventeen... --Hobbes
    5. Re:This will never end by IamTheRealMike · · Score: 5, Informative

      I work for Google on anti-hijacking and account security. The message you saw is very common. The cause is that there was an attempt to abuse your account to spam your friends. One of the popular tools that does this identifies itself to Gmail as various types of mobile phone, which is why it shows up as such in your account history. In fact, it's a regular program that runs on the desktop. No XSS involved.

      In this case, it sounds like we detected the hijacking attempt, rejected the spam, sent your account to phone verification and forced you to choose a new password. This is a standard procedure for when we detect a hijack attempt at mail send time. We're getting better at stopping these attempts at login time using heuristics, so it'll become less common in future.

  4. Duh. The sites themselves have no security. by dgatwood · · Score: 4, Interesting

    When you have websites like Facebook that, by default, use unencrypted HTTP and a trivially sniffable session cookie for their authentication, there's really nothing a user can do to protect themselves. (Okay, now they offer HTTPS, but that wasn't always the case.)

    The problem with HTTPS, of course, is that it is seriously heavyweight. Most content doesn't need encryption; it just needs authentication. For those sites, SSL is serious overkill.

    What this really points out is the desperate need for a standard mechanism of authentication that is not based on cookies, but rather nonce-based, similar to the way digest authentication works, but integrated with web pages so it doesn't feel ugly and bolted on. Until we get that, there's really no point in users bothering to secure their accounts. Why choose a strong password when you're basically sending it back and forth on the Internet equivalent of a postcard?

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Hacked by exomondo · · Score: 2

    These days users consider their accounts to have been 'hacked' if there is any unauthorized use, like if they leave their smartphone lying around and a friend posts a status update from it that seems to be considered being 'hacked'.

  6. Re:its time by Firehed · · Score: 2

    Define "bs free stuff". Hotmail peaked years ago, but gmail is extremely popular for good reason and yahoo is also very heavily used. And of the probably dozen or so email addresses I have, they're ALL powered by gmail (even though only one of them is actually @gmail.com). Technically two of them are paid, but that's beside the point. I've dealt with having my own mail server. It sucks. And it's not like it's the service's fault that people choose crappy passwords.

    --
    How are sites slashdotted when nobody reads TFAs?
  7. Re:its time by icebraining · · Score: 2

    In fact Gmail now has cellphone based authentication too, which is pretty much safe unless the attacker is specifically targeting you. But people who'll use it are the same who use good passwords, so not much is gained.

    --
    Dilbert RSS feed
  8. Re:Duh. The sites themselves have no security. by Firehed · · Score: 4, Insightful

    Can we get past this already? SSL is not heavyweight, and has not been for years. It's a couple percent of overhead*. Most authentication systems are going to have significantly more overhead than turning on SSL, since they'll be most likely hitting the filesystem or a database to retrieve session information on top of the actual code logic that goes into authentication.

    I agree that an authentication system tied more tightly into the browser would be of great value, but it won't happen anytime soon if ever. See: IE6. Hell, even Safari is updated quite infrequently (and even then mostly just security patches, not feature releases), never mind the plethora of mobile browsers floating around these days. That also solves a completely different problem than SSL. There's no getting around the fact that in order to have hijack-proof sessions, all of the authentication data - whether in the form of a session cookie or some new, novel mechanism - needs to be sent encrypted. Not necessarily SSL, but that's more or less a solved problem so why not? I also quite like the idea of nobody knowing what URLs I'm hitting.

    * Excluding the time spent tracking down that one damn analytics script that's pulling in a tracking pixel over http and making browsers throw up all over the place

    --
    How are sites slashdotted when nobody reads TFAs?
  9. IT departments do it too by shoehornjob · · Score: 2

    I had a customer yesterday that wanted to change her email password so that it could be the same as the checking account and had me do it because she couldn't figure out the " stupid wavy letters thing" (captcha). She was bitching all the time about security requirements (numbers letters min 8 w caps) but she might as well have given me the keys to her bank account. For the most part my customers don't care about security untill someone has drained their bank account and put a bunch or fraudulent charges on the credit card. Whatever...not my problem.

    --
    "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
  10. Re:its time by Jibekn · · Score: 2

    Define real, when there's ISP's http://www.mts.ca/ outsourcing their email systems to hotmail, what exactly is real?

  11. Hacked by stumblingmonkey · · Score: 2

    This would've been much more interesting if you would've posted it as CmdrTaco.

  12. Re:Duh. The sites themselves have no security. by LordLimecat · · Score: 2

    Im not sure that HTTPS qualifies as "seriously heavyweight". A Pentium4 processor can handle about 400mbit/sec of AES SSL-- lets assume this is the home computer. Rendering the HTML, running scripts, and handling the flash content would comprise a far bigger portion of the CPU usage than perhaps 1meg of SSL'd traffic.

    On the server side, you can right now get a $250 Xeon E3 1220L, using ~20watts, which can handle ~13gbit/second of AES traffic (with the AES-NI extensions). If thats not sufficient, you can always get a second one.

    Encryption is now very cheap, CPU-wise. (P4 stats taken from an actual freebsd box with 'openssl speed'; Xeon stats extrapolated from TrueCrypt and OpenSSL benchmarks on E3 series CPUs).

  13. Re:Duh. The sites themselves have no security. by Graymalkin · · Score: 2

    The sustained data rate is not the heavyweight part, it's the heaviness of building a session. With most web services it's the transaction throughput that's important. The problem is magnified by the number of transactions needed for a single page load on modern sites.

    --
    I'm a loner Dottie, a Rebel.
  14. Apple Stores by EEPROMS · · Score: 5, Funny

    If you want to have fun with a random facebook user visit an Apple store and it wont take long to find a machine with a facebook account still logged in. Some of the results can be very amusing

  15. Imitation Watches at Replica Watches by stonefoz · · Score: 2, Funny

    Imitation Watches at Replica Watches

    TOP grade Replica Watches of high quality at wholesale prices!
    Join the wise shoppers to let your dreams come true.
    BEST deals of imitation watches plus FREE shipping!

    *PLEASE NOTE*
    You are receiving this email because you or some one with your email has subscribed in our website.We have No aim of spamming and at any time if you want to stop receiving email from us,Just use the unsubscribe button At the end of the email,But you will Lose out our Special offers and Make money online news

    Unsubscribe me from this list

    --
    I think I just cashed out all my cool points.
  16. Re:its time by Runaway1956 · · Score: 2

    "I've dealt with having my own mail server. It sucks."

    Factor in there that most users aren't competent to set up a mail server, however insecure it might be. In fact, online mail is so very popular because most users can't even set up a mail client! Way back, when the internet was much newer, I set up Pegasus Mail for some people. (at that time, Outlook seemed to be the number one vector for virus/worm infections) They thought I was some kind of genius, based on the ability to set up a client! Had I suggested, and implemented, a server, they probably would have fallen to their knees and worshipped me, LMAO!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br