Secret questions that protect e-mails are vulnerable

By siliconindia   |   Thursday, 25 June 2009, 01:25 IST
Bangalore: It is very simple for hackers to answer the security questions that protect e-mail accounts, a new study in the U.S. has revealed, reports New Scientist, an international science magazine. The findings by researchers at Microsoft are based on an analysis of an experiment involving 32 e-mail users.

What's the name of the school you attended? What is the first name of your favourite cousin? These are the kind of questions asked when e-mail account holders forget their password. In the experiment, acquaintances of the e-mail users, with whom they normally share login details, were asked to guess the answers to such questions. The participants guessed correctly one-fifth of the time, raising questions over how secure this system really is.

A second study by Microsoft has also suggested a more secure alternative, which is to rely on trusted friends to vouch for you if an account becomes locked.

"Securing webmail is important because e-mail accounts typically allow an attacker access to other accounts, for example, eBay and Amazon. If I can recover these passwords via your e-mail account then I can spend the balance of your credit card on flat-screen TVs," said Ross Anderson of Cambridge University.

Stuart Schechter and Rob Reeder of Microsoft have proposed a new system in which users select several 'trustees'. When a user gets locked out of his or her account, the trustees of the account holder are asked to download a 'recovery code', and the user has to collect such codes from multiple trustees before he or she can unlock the account.

Around 19 Hotmail users tried the new system and 17 of them managed to regain access to their Hotmail accounts. The success rate was 90 percent, compared to the 80 percent success rate of the secret question system. The new method should be an optional choice for users and should not replace the secret questions approach, according to Anderson.
The idea has promise, said Reeder, while pointing out that it is not a new one.
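
The trustee scheme described above, sketched as an added example that is not code from the article or from Microsoft's system. The threshold of two, the hashed storage of codes, the cap on failed attempts and the trustee names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class TrusteeRecovery:
    """Unlock an account only with valid codes from `threshold` distinct trustees."""
    def __init__(self, trustees, threshold, max_failures=5):
        self.trustees = set(trustees)
        if not 1 <= threshold <= len(self.trustees):
            raise ValueError("threshold must be between 1 and the trustee count")
        self.threshold = threshold          # assumed policy, not from the article
        self.failures_left = max_failures   # assumed cap on bad attempts
        self._pending = {}  # trustee -> SHA-256 digest of the outstanding code

    def issue_code(self, trustee):
        """A trustee downloads a code; the service keeps only its hash."""
        if trustee not in self.trustees:
            raise KeyError("not a trustee for this account")
        code = secrets.token_hex(8)  # 64 random bits
        self._pending[trustee] = hashlib.sha256(code.encode()).digest()
        return code

    def try_unlock(self, submitted):
        """submitted maps trustee -> code as collected by the locked-out user."""
        if self.failures_left <= 0:
            return False  # too many bad attempts: recovery is disabled
        valid = set()
        for trustee, code in submitted.items():
            expected = self._pending.get(trustee)
            digest = hashlib.sha256(code.encode()).digest()
            # A code counts only for the trustee it was issued to.
            if expected is not None and hmac.compare_digest(expected, digest):
                valid.add(trustee)
        if len(valid) < self.threshold:
            self.failures_left -= 1
            return False
        self._pending.clear()  # codes are single use
        return True

def demo():
    r = TrusteeRecovery(["alice", "bob", "carol"], threshold=2)  # constructed names
    a, b = r.issue_code("alice"), r.issue_code("bob")
    return [
        r.try_unlock({"alice": a}),              # one trustee is not enough
        r.try_unlock({"alice": a, "carol": a}),  # same code under a second name
        r.try_unlock({"alice": a, "bob": b}),    # two distinct trustees
        r.try_unlock({"alice": a, "bob": b}),    # replay after success
    ]

print(demo())
```

Unlike a secret question, nothing an acquaintance already knows about the user helps here: an unlock needs fresh random codes held by several separate people.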