All the latest UK technology news, reviews and analysis
|
|
|
09 Mar 2010
The security mechanisms used to protect online accounts are inherently flawed, according to a new paper by researchers at Cambridge and Edinburgh universities.
Joseph Bonneau, Mike Just and Greg Matthews argue in a paper entitled What's in a name? (PDF) that security questions used to verify an account can often be beaten by simple guesswork or through some personal knowledge of the account holder.
"Despite their ubiquity, personal knowledge questions have received relatively little attention from the security community until recently," the paper said.
"User studies have demonstrated the ability of friends, family and acquaintances to guess answers correctly, while other research has found that some questions used have a tiny set of possible answers.
"Many common questions have also been shown to have answers readily available in public databases or online social networks."
The researchers looked at the type of security questions asked using data from a range of online service providers, including banks and financial institutions, as well as webmail services such as Hotmail, Gmail and Yahoo Mail.
One in three asked for a person's name, and one in five asked for a place name. The researchers said that, when faced with these questions and given three guesses, an attacker can compromise roughly one in 80 accounts.
The use of names is unwise because it is possible to identify and focus on the most common names in any given location. The name Smith is popular in the Western world, for example, while Kim is very common in Korea.
"Given names are a matter of fashion and vary in several interesting dimensions. In the countries studied, female names seem to provide slightly higher resistance to guessing than male names," said the paper.
"The diversity of forenames has been increasing slowly but steadily over the past six decades in the US. Curiously, pet names are slightly harder to guess than human names."
Latest stories from Security
Related articles
Related jobs
Poll
Are you confident that the UK's IT infrastructure is secure from attack in the wake of the Flame malware revelations?
Orange and Intel talk us through the ins and outs of their San Diego smartphone
Connect with V3.co.uk
Social networking is almost ubiquitous. This white paper examines the benefits and risks and it looks at the different ways companies can reconcile them
The importance of understanding your infrastructure
Development Manager / PHP Developer / MySQL / LAMP...
Process Expert for Information/Content Management...
SQL Server / SSIS / ETL / T-SQL Data Migration A...
Linux Systems Administrator / Linux CentOS / Network...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Make sure you are Security Savvy
In light of further security glitches, it's important to remain savvy to viruses and software issues. Here are some top tips on PDF security by Global Graphics (http://bit.ly/GlobalGraphicssecurity): 1. Keep your PDF software and virus software updated by visiting your providers' website 2. Don?t open PDFs from people you don?t know, no matter how tempting the title! 3. Keep an eye out for any PDF security advice coming out from the likes of SANS 4. Be wary of PDF software that has had security scares or is targeted by hackers. There are alternatives. 5. If you do use free PDF software from smaller providers, make sure you know they have strong support services
Posted by: TamaraDigi 11 Mar 2010
Use fake answers
Surely no-one gives their real place of birth, or pet's name? Use fake answers, e.g. born on the Moon, cat called Rumpelstiltzkin.
Posted by: David 09 Mar 2010