September 21st, 2008

Webmail providers can fix Palin hack-style problems

Posted by Adam O'Donnell @ 8:46 pm

Categories: Data theft, Uncategorized, Web 2.0, Web Applications

Tags: Software, Technique, Password, IP, Productivity, Adam O'Donnell

One of the most important questions we should be asking ourselves in light of the Palin webmail hack discussed at length here, here and here is how it could have been prevented. There are several software techniques that I can think of off the top of my head that would help webmail providers prevent malicious password reset attacks.

I am generally not a believer in the “throw software at the problem” model of security. Software is a tool that should be purchased and applied when necessary, but it is not a panacea. However, I could think of several software solutions that would have stopped the social engineering attack. For example, some form of anomaly detection could be used on connecting IP addresses for the password reset form on Yahoo’s website. The trigger rules for when to prevent an IP from resetting a password could be as simple as “if this person has never been to the geographical area associated with this IP address, don’t allow the password to be reset.” Another could be a client-side fingerprinting technique to determine if it is a completely novel computer system that is attempting to reset the password. A third could be using her cell phone number as a second authentication factor, and have the password reset by sending a short code to her handset.

Providers have to be very careful in the implementation of each of these proposals lest they increase the number of people who can't use the automated systems and need to talk to a human being. Free webmail is not a huge moneymaker, and any increase in human-oriented remediation steps will raise the cost of running the service. Then again, providers can choose not to improve security, and rely upon a shrinking user base to lower their bottom line.
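The three proposals above (geographic anomaly rule, device fingerprint check, phone-based second factor) combined into one risk decision for a reset request, written here as an added illustration rather than code from the post or from any webmail provider. The GeoIP table, account history and phone number are constructed placeholders; a "deny" result is where the request would fall through to the human-handled process the paragraph above worries about.

```python
"""Risk-based gating of a self-service webmail password reset (added example)."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed stand-in for a GeoIP database: address prefix -> region code.
GEOIP = {"203.0.113.": "AU", "198.51.100.": "US", "192.0.2.": "DE"}

ALLOW, REQUIRE_SMS_CODE, DENY = "allow", "require_sms_code", "deny"


def region_of(ip: str) -> str:
    """Map a connecting IP to a coarse region (UNKNOWN if not in the table)."""
    for prefix, region in GEOIP.items():
        if ip.startswith(prefix):
            return region
    return "UNKNOWN"


@dataclass
class AccountHistory:
    regions_seen: Set[str]          # regions the account has logged in from
    device_fingerprints: Set[str]   # client-side fingerprints seen at login
    phone_number: Optional[str]     # enrolled second factor, if any


def assess_reset(history: AccountHistory, ip: str, fingerprint: str) -> Tuple[str, str]:
    """Decide how to treat a reset request; returns (decision, reason) so the
    reason can be logged and alerted on by the provider's monitoring."""
    region = region_of(ip)
    # Rule 1 (the post's trigger rule): never-seen geography -> no automated reset.
    if region not in history.regions_seen:
        return DENY, f"reset from region {region} never associated with account"
    # Rule 2: known geography but a novel device -> demand the second factor.
    if fingerprint not in history.device_fingerprints:
        if history.phone_number:
            return REQUIRE_SMS_CODE, "unknown device; code sent to enrolled handset"
        return DENY, "unknown device and no second factor enrolled"
    return ALLOW, "known region and known device"


if __name__ == "__main__":
    # Constructed account: only ever seen from the US on one known device.
    acct = AccountHistory({"US"}, {"fp-known"}, "+1-555-0100")
    print(assess_reset(acct, "203.0.113.9", "fp-known"))   # AU -> deny
    print(assess_reset(acct, "198.51.100.7", "fp-new"))    # new device -> SMS code
    print(assess_reset(acct, "198.51.100.7", "fp-known"))  # allow
```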

Adam J. O'Donnell, Ph.D. is an R&D engineer who has focused on computer security since 2000. He currently is the Director of Emerging Technologies at Cloudmark, a messaging security company located in San Francisco. See his full profile and disclosure of his industry affiliations.


Talkback (most recent of 9)

But why should they?
Doesn't this situation substantiate that you do in fact get what you pay for? Plus, when a free service fails you, how do you have any right to complain.... (Read the rest)
Posted by: DemonX, 09/23/08
