Exploiting trust and email together
Human trust is probably the weakest aspect of humans, easily created and easily exploited. With the right methods, anyone’s trust can be penetrated and exploited. Today I will demonstrate something more specific: how to obtain access to almost all of someone’s online accounts (it doesn’t always work, but it does the majority of the time). It’s pretty scary, but knowing this will help you better protect yourself.
It seems everything online these days is tied to your email account. People with multiple email accounts tend to link them together. Your bank account, news website accounts, work website logins, your university accounts, PayPal, eBay, and almost every forum out there are linked to your email. A feature called “Forgot password” is also tagged on everywhere, which almost always simply sends a password to your email account. So, for example, if you want to break into this website, you could simply use the forgotten password link, have the password (or password reset link) sent to an email account, and instead of breaking the website, simply break the email and obtain proper access to the website. This leads to the perfect crime, which is one that is committed without the knowledge of the victim in any way.
Usually email accounts are password protected. Many use cryptic passwords that are the least likely to be guessed or broken technically. But for everything, including access to the email, there is more than one way. Email accounts also have a forgot password system, in which the user can answer a few simple questions and have the password reset. If the attacker can answer the questions asked in the forgotten password link, they will easily obtain access to the email, thus gaining access to almost all the other websites that person has an account for. Another weak practice is having only a few passwords used for everything (3 or so), so an attacker only needs to find out the few passwords the victim uses and will have access to almost everything. So the first step is to initiate a conversation with the victim; I mean, how can one do a social engineering attack without a conversation? It could be over an instant messaging protocol, face to face, in the form of an IRC flame war, or simply the easiest method to communicate with the victim. One of the things asked in most of these password reset forms is the birthday.
An easy trick to obtain their birthday is to let them know that your birthday is coming up, and how special or interesting it is. Even say something very popular happened on that day, and that was the first time it came to mind. Usually by then, the victim will reveal their birthday for comparison. Others are pet name, birth location, and mother’s maiden name. All of these can be obtained by the same method as the birthday. Here is an example.
attacker: My sister just got another kitten, quite the hyper thing
victim: (some generic awe comment)
attacker: yeah, pretty small (explain more, take the time)
attacker: but it’s still missing a name
attacker: trying to name it something but none of us has a clue what pets are usually named
victim: (gives away the pet’s name)
And usually the favorite one’s name is the one used in the secret question. Again, the same applies to other information as well. Below are some of the things email accounts do/ask for.
Gmail: sends a reset email to the original email account used for registration
Yahoo: birthday, zip, country, secret question later on
Hotmail: country, state, zip, secret question (school name, favorite football..)
Other accounts might go deeper, but the information is still obtainable
Secret questions can be tricky, but people tend to choose something that they are interested in. And something of interest to them is something they will also be interested in talking about. To find out other information, one can even go as far as contacting those in the email’s address book or those the victim has had recent email conversations with, to obtain other email addresses of the victim, such as by asking “I am trying to delete a few of my old accounts, which ones do you know of?” and so on. Even by getting access to instant messaging protocols (since now you can get the password emailed to you), you can talk with people and get other email accounts as well.
This is one of the dirty, easy social engineering tricks that you can fall for easily, and I really hope this information will only be used for a good purpose. So, knowing how easy it is to get into your email and get your usernames/passwords for other websites (such as PayPal, eBay), you should treat all the information you enter for your secret question just like a password. Best is to answer the secret question falsely (but a problem arises if you really did forget your password and the secret answer; now that becomes a recursive problem). Hopefully that won’t happen to you. Until my next post, don’t get your email owned by someone else.
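The recovery chain described in this post can be audited on your own accounts. The following is an added example, not code from the original post: it walks a constructed inventory and reports which mailboxes are recoverable with conversational facts alone and what each one exposes. The account names, the inventory layout and the function names are assumptions made for illustration.

```python
from collections import deque

# Constructed inventory of one person's own accounts (sample data, not from the post).
# recovery: the mailbox that receives this account's reset mail (None = no linked mailbox).
# questions: what the account's forgot-password form asks for.
ACCOUNTS = {
    "mail-main": {"recovery": None, "questions": ["birthday", "zip", "pet name"]},
    "mail-old": {"recovery": "mail-main", "questions": []},
    "mail-work": {"recovery": None, "questions": ["random answer kept in a password manager"]},
    "bank": {"recovery": "mail-main", "questions": []},
    "auction": {"recovery": "mail-old", "questions": []},
    "forum": {"recovery": "mail-old", "questions": []},
}

# Facts the post names as reset-form questions that come out in ordinary conversation.
CONVERSATIONAL = {"birthday", "zip", "country", "state", "pet name",
                  "birth location", "mother's maiden name", "school name"}


def exposed_by(accounts, start):
    """Accounts whose reset mail becomes readable, directly or through a chain
    of linked mailboxes, once `start` is taken over."""
    dependents = {}
    for name, info in accounts.items():
        if info["recovery"] is not None:
            dependents.setdefault(info["recovery"], []).append(name)
    seen, queue = {start}, deque([start])
    while queue:  # breadth-first walk; `seen` also stops mailboxes that recover each other
        for child in dependents.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return sorted(seen - {start})


def weak_recovery(info):
    """True when every question on the reset form is a conversational fact."""
    q = info["questions"]
    return bool(q) and all(item in CONVERSATIONAL for item in q)


def audit(accounts):
    """(account, exposed accounts) for each weakly recoverable account, worst first."""
    rows = [(n, exposed_by(accounts, n)) for n, i in accounts.items() if weak_recovery(i)]
    return sorted(rows, key=lambda row: len(row[1]), reverse=True)


if __name__ == "__main__":
    for name, reach in audit(ACCOUNTS):
        print(f"{name}: answers should be treated as passwords; exposes {reach}")
```

Any account the audit lists is a candidate for false, randomly generated secret answers stored alongside its password.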
Short Version
Almost all accounts online are linked to your email, meaning that gaining access to your email is like gaining access to all other accounts. Email accounts have a feature called forgot password, which asks simple questions like birthday, pet names, mother’s maiden name, zip code, etc., and simply talking with the subject can reveal those. After gaining access to the email, you can use the forgot password feature on other websites, which usually emails the password or a password reset to the email. Now you have access to that account. I intended this information to help you protect yourself, not to attack innocent people.