Tuesday, October 6, 2009

More Webmail Passwords Leaked

Reports are surfacing that other webmail providers, such as Google's Gmail, Yahoo Mail, and AOL, have also been hit by a widespread phishing scheme that has resulted in users' email account passwords being posted online.

Earlier this week, Microsoft's Hotmail was the target, as detailed here.

The BBC is reporting that as many as 30,000 accounts are impacted industry-wide. Google claims that only 500 of its users were affected, and that forced password resets were applied to those accounts. No word yet as to how AOL and Yahoo are dealing with this mini-crisis.

If this truly is the result of a phishing scheme, it seriously calls into question just what service providers can do to protect users who are unable to protect themselves. Passwords have long outlived their usefulness as authentication components, and as more people create scores of online accounts for banking, social networking, gaming, and other purposes, the chances increase that they reuse the same poorly-crafted password across multiple sites, so that a single phished password unlocks far more than one webmail account.

Short of giving RSA SecurID tokens to everyone, moving to graphical password images or biometric authentication seems the most reasonable alternative. Smart cards would never work, and the logistics required to issue and support them would be staggering.

Authentication via a series of questions that only the user should be able to answer might also be a workable approach, although out-of-wallet authentication has been hampered by the bad guys obtaining LexisNexis accounts of their own, which let them research and supply exactly the kinds of personal details those questions ask for.

Dummy up, people.
