
June 2nd, 2009

Email service provider: 'Hack into our CEO's email, win $10k'

Posted by Dancho Danchev @ 12:54 pm

Categories: Anti Virus, Botnets, Browsers, Complex Attacks, Hackers, Malware, Passwords, Phishing, Privacy

Tags: Phone, Password, Spamming, Computer, CEO, E-mail, Telecom & Utilities, Online Communications, Dancho Danchev

A newly launched startup called StrongWebMail is aiming to add a new layer of secure authentication for its customers - phone verification prior to logging in and alert services for potential email compromises.

The company is in fact so confident in its approach that it is currently offering a $10,000 reward to the first person who breaks into the CEO's email. To make things even easier, it has published his user name and password (CEO at StrongWebmail.com; Mustang85).

The catch? Aspiring participants would have to find a way to intercept the 3-digit PIN, sent by SMS or phone call, that is required to complete the login:

“StrongWebmail.com is offering $10,000 to the first person that breaks into our CEO’s email account…and to make things easier, we’re giving you his username and password. There’s just one catch: to access a StrongWebmail.com email account, the account’s owner must receive a verification call on his pre-registered phone number. So even though you have our CEO’s username and password, you still have some work to do because you don’t have access to his telephone.”

StrongWebmail is indeed innovating with a pragmatic feature that, if implemented and configured correctly, can greatly improve the authentication process. However, by exploiting the weakest link, which in this case is a malware/crimeware-infected end user, an attacker can render some of these features useless.

Darren Berkovitz, spokesman for TeleSign Corporation, was kind enough not only to briefly respond to my questions and concerns, but also to increase the PIN length from three to five digits. Here’s the Q&A:

Dancho: How many people are currently participating in the contest?

Daren: So far over 200 people have signed up to participate in the contest.

Dancho: Among your key differentiation features is the so called “Panic Button”. What is the purpose of it?

Daren: The purpose of the panic button is so that if someone (i.e., your boss) comes by your computer while you are checking your email, you click the panic button and it pops up a screen that looks like an Excel spreadsheet.

Dancho: At StrongWebmail’s login page, there’s an option to “Don’t call me when I log in from this computer”, explained as “If you check this box, you won’t be required to receive a phone call the next time you log into your StrongWebmail.com account, so only check the box if it’s safe to do so”, and justified by convenience: “If you have a computer no one else uses, you can set it as a “safe” computer. That way you don’t have to receive a phone call every time you log in.”

Would a malicious attacker that has already obtained the accounting data of the customer simply avoid receiving a phone verification by using the feature?

Daren: In order to activate the “do not call” feature, a person must successfully enter their username and password and receive a verification call. So a thief would need to steal your username and password and your phone in order to activate this feature.

Dancho: What anti-brute-forcing measures have you implemented? For instance, upon multiple failed login attempts I wasn’t challenged in any way, either by restricting my login attempts based on my IP, or by receiving a CAPTCHA challenge that could at least slow down the efficient abuse of the service.

Moreover, even though the “phone protection” theoretically prevents a malicious party from logging in even when knowing the correct login details, isn’t the 3-digit PIN disturbingly easy to brute force, an attack which, in combination with the correct login, would result in a successful authentication because of the short PIN?

Daren: We restrict by IP address to 3 times per session. This happens once you correctly enter your username and password. Also, the code is now 5 digits long, further reducing the chance of someone guessing the code to 1/3,333.

Dancho: Nowadays, the majority of email compromises occur through sniffing of accounting data by using botnets, compared to the much more inefficient brute forcing attempts and dictionary attacks. In fact, the use of compromised legitimate email accounts for spamming purposes is prone to increase due to the automated tools and modules available at the spammers’ disposal through managed spamming services.

Despite the phone protection as yet another authentication factor, isn’t the already malware-infected home computer of one of your customers, which has also been marked as safe, the place where all the spamming and account compromise activities could be taking place?

Daren: The “do not call/safe computer” feature should only be used with caution. If your computer is infected and you have the “do not call” feature on, yes, someone could easily breach your SWM account. It is important to only use this feature on computers that no one else has access to and that are free from malware.

Another important feature of SWM (StrongWebmail) is the fact that if someone successfully steals your username and password, you will receive a phone call. This is kind of like a silent alarm that notifies you that someone has breached your account.
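To put numbers on the brute-force discussion above, here is an added example (my own illustration, not StrongWebmail's or TeleSign's code): it computes the chance that a random guesser succeeds within a fixed attempt budget for a PIN of a given length, and sketches a verifier whose attempt counter is keyed to the account rather than to the client IP, so that retrying from a new address does not reset the budget. Class and function names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3  # the per-session limit described in the interview


def guess_probability(pin_digits: int, attempts: int) -> float:
    """Probability that uniformly random guesses succeed within `attempts` tries."""
    space = 10 ** pin_digits
    return min(attempts, space) / space


@dataclass
class PinVerifier:
    """Hypothetical second-factor verifier (not the vendor's implementation)."""
    pin_digits: int
    max_attempts: int = MAX_ATTEMPTS
    # account -> [pin, attempts_left]; keyed by account, not by client IP,
    # so the budget cannot be refreshed by switching source addresses.
    _pending: dict = field(default_factory=dict)

    def issue(self, account: str) -> str:
        """Generate a fresh PIN for `account`; returned here only for the demo,
        in practice it would be delivered out of band (call or SMS)."""
        pin = "".join(secrets.choice("0123456789") for _ in range(self.pin_digits))
        self._pending[account] = [pin, self.max_attempts]
        return pin

    def verify(self, account: str, guess: str) -> bool:
        """Single-use check: success or exhausting the budget both void the PIN."""
        entry = self._pending.get(account)
        if entry is None:
            return False  # nothing outstanding, or already locked out
        pin, left = entry
        ok = hmac.compare_digest(pin, guess)  # constant-time comparison
        if ok or left <= 1:
            del self._pending[account]
        else:
            entry[1] = left - 1
        return ok


if __name__ == "__main__":
    for digits in (3, 5):
        print(f"{digits}-digit PIN, {MAX_ATTEMPTS} tries: "
              f"1 in {1 / guess_probability(digits, MAX_ATTEMPTS):,.0f}")
```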

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

RE: Email service provider: 'Hack into our CEO's email, win $10k'
OK, can anyone else see some guy trying to win this money, but because of the verification thing had to do something illegal, succeeded, won the money, but was then charged since he'd have to admit to having done the illegal action to do it?...
Posted by: gnesterenko, 06/05/09