
Email accounts at risk from not-so-secret questions

The "secret questions" used to secure online bank accounts and email services are worryingly easy to crack. So says Joseph Bonneau of the University of Cambridge, whose team has calculated the chances of an attacker correctly guessing secret answers.

Using data from sources such as national censuses and pet registries, the team calculated that if allowed three guesses, the norm for many websites, an attacker could correctly guess 1 in 80 answers.

That rate is too low to target a specific individual. But it is more than enough to allow a hacker to build software to compromise online accounts, such as webmail services, by attempting to guess answers in large volumes, says Bonneau.

An attacker who knows where accounts are based has an even higher chance of success, Bonneau adds, since they could restrict their guesses to names that are common in that region.
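The measurement described above can be turned into an audit a site runs on its own secret questions. This is an added example, not code from the article or from Bonneau's team: it computes the share of accounts covered by the three most common answers, pooled and per region. The sample answers, the region names and the use of 1 in 80 as a pass mark are assumptions made for illustration.

```python
from collections import Counter
from fractions import Fraction

def success_rate(answers, guesses=3):
    """Share of accounts whose answer is one of the `guesses` most common."""
    counts = Counter(a.strip().lower() for a in answers)
    covered = sum(n for _, n in counts.most_common(guesses))
    return Fraction(covered, sum(counts.values()))

def audit(answers_by_region, guesses=3, max_rate=Fraction(1, 80)):
    """Map each scope to (rate, passes) for the pooled data and every region."""
    pooled = [a for group in answers_by_region.values() for a in group]
    report = {}
    for scope, answers in {"pooled": pooled, **answers_by_region}.items():
        rate = success_rate(answers, guesses)
        report[scope] = (rate, rate <= max_rate)  # max_rate is an assumed policy
    return report

def _sample(common, region, size=40):
    # Constructed data: a few popular answers plus one-off answers up to `size`.
    rows = [name for name, n in common.items() for _ in range(n)]
    return rows + [f"{region}-rare-{i}" for i in range(size - len(rows))]

SAMPLE = {
    "north": _sample({"smith": 6, "jones": 4, "brown": 2}, "north"),
    "south": _sample({"garcia": 8, "lopez": 6, "cruz": 4}, "south"),
}

if __name__ == "__main__":
    for scope, (rate, ok) in audit(SAMPLE).items():
        verdict = "ok" if ok else "too guessable"
        print(f"{scope:6} top-3 rate {float(rate):.3f} {verdict}")
```

On the constructed data each region scores worse than the pooled population, which is the effect of restricting guesses to regionally common names.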

Twelve per hour

Bonneau and colleagues say that this weakness could lead to criminals gaining access to large numbers of personal accounts. This is particularly true for webmail accounts, which often rely on secret questions when a person forgets their password. For example, US vice-presidential hopeful Sarah Palin had her Yahoo email account compromised by someone who worked out her secret answers.

Banking sites require an extra security check before revealing a password. But some email services, including Gmail and Yahoo, will allow a user to choose a new password if one or more secret questions are answered correctly. An attacker who does this can then simply log in to the account. "Email accounts increasingly have enough financial information in them to make it worth trying to take them over," says Bonneau.

Both Gmail and Yahoo require users to solve a CAPTCHA – blurred text designed to foil automated attacks – when recovering a password. However, a motivated hacker could work through 1000 in an hour, says Bonneau, enough to allow secret-question guessing software to break into around 12 accounts.

No more secrets

A spokesperson for Google noted that the company's secret questions are more secure than those used by rivals. This is partly because they include questions that are harder to guess, such as a person's library card or frequent flyer number.

When asked for comment, Yahoo! would not reply to Bonneau's specific concerns. A spokesperson said: "We have many security measures built into the registration and sign-in processes to protect our users and make every effort to educate them on how they can stay safe online."

But Bonneau says that websites should consider abandoning secret questions altogether. One option, already offered by Google, is for users to provide a cellphone number when registering an account. Passwords can then only be reset using a code sent to that number.

This method fails when a phone is lost or stolen, though, so Bonneau suggests using a more time-consuming but safer technique known as "social back-up". Each user provides the addresses of five trusted friends, who are sent unique codes when a password reminder request is made. To retrieve their password, a user must obtain codes from three of their contacts.
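A sketch of the server side of the "social back-up" check described above, as an added example that is not code from the article or from any provider. The three-of-five rule comes from the text; the class name, code format, one-hour expiry and attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

THRESHOLD, TRUSTEES = 3, 5            # three of five, as in the article
TTL_SECONDS, MAX_ATTEMPTS = 3600, 5   # assumed limits, not from the article

class RecoveryRequest:
    """One password-recovery request with a unique code per trusted contact."""

    def __init__(self, trustees, now=None):
        if len(set(trustees)) != TRUSTEES:
            raise ValueError("exactly five distinct trustees are required")
        self.expires = (time.time() if now is None else now) + TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.outbox = {}    # trustee -> plaintext code, for the mailer only
        self._digests = {}  # trustee -> SHA-256 digest, the only stored form
        for trustee in trustees:
            code = secrets.token_urlsafe(16)  # 128 random bits per code
            self.outbox[trustee] = code
            self._digests[trustee] = hashlib.sha256(code.encode()).digest()

    def verify(self, submitted, now=None):
        """True only if the codes match at least THRESHOLD distinct trustees."""
        now = time.time() if now is None else now
        if now > self.expires or self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        matched = set()
        for code in set(submitted):  # a repeated code counts once
            digest = hashlib.sha256(code.encode()).digest()
            for trustee, stored in self._digests.items():
                if hmac.compare_digest(digest, stored):
                    matched.add(trustee)
        if len(matched) < THRESHOLD:
            return False
        self._digests.clear()  # single use: the codes die with the reset
        return True
```

Because each code carries 128 random bits, a plain SHA-256 digest is enough for storage; the expiry and attempt limit bound what a guesser can try.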

Courtesy Computer Crime

 

 

 
