Tag Archives: Privacy

Is your “secret answer” hard to guess?

When it comes to recovering our account details, we are all familiar with questions such as “what is the name of your favorite sports team?” or “what city were you born in?”. Know the answer to one of these questions and you are well on your way to resetting the password and getting into the account, whether or not it is yours.

However, Google has just published a paper documenting its findings after analyzing the strength of hundreds of millions of secret questions and answers.

The findings led the search giant to conclude that secret questions “are neither secure nor reliable enough to be used as a standalone account recovery mechanism. That’s because they suffer from a fundamental flaw: their answers are either somewhat secure or easy to remember—but rarely both.”

The most obvious example of a weak secret question was “what is your favorite food?”: among English-speaking users, an attacker had a 19.7% chance of getting it right with a single guess, simply by guessing the most popular answer without knowing anything about the victim.

On the other hand, just as with passwords, answers that are hard to guess are often hard to remember. One example of a strong secret answer was “what is your frequent flyer number?”, but only 22% of users could recall their answer when asked.
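As an added example (not code from Google’s paper or from the original post), the following Python computes the metric behind the 19.7% figure over a constructed answer set: the share of accounts an attacker who knows the population’s answer distribution breaks with k guesses, taken in order of popularity. The answer sets and the `normalize` helper are constructed here for illustration; the min-entropy figure is included because it, not Shannon entropy, is what a one-guess attack is limited by.

```python
"""Measure how guessable a set of secret-question answers is.

Added example, not Google's code. The answer sets below are constructed for
illustration: 100 "favorite food" answers with a few very popular ones, and
100 frequent-flyer numbers that are all distinct.
"""
from collections import Counter
import math

# Constructed: what 100 users answered to "What is your favorite food?"
FAVORITE_FOOD = (
    ["Pizza"] * 20 + ["sushi"] * 12 + ["pasta "] * 8 + ["Tacos"] * 6
    + [f"dish{i}" for i in range(54)]      # 54 one-off answers
)

# Constructed: what 100 users answered to "What is your frequent flyer number?"
FREQUENT_FLYER = [f"FF{n:07d}" for n in range(100)]


def normalize(answer: str) -> str:
    """Fold case and whitespace so "Pizza" and " pizza " count as one answer.

    Recovery flows compare answers this loosely, so an attacker's guesses
    collide with more users than a raw string count would suggest.
    """
    return " ".join(answer.strip().lower().split())


def answer_counts(answers) -> Counter:
    return Counter(normalize(a) for a in answers)


def top_k_success(answers, k: int) -> float:
    """Fraction of users broken by an attacker who guesses the k most
    popular answers (in popularity order) without knowing the victim.

    With k=1 this is the statistic quoted for "favorite food": the
    attacker guesses the single most common answer for every account.
    """
    counts = answer_counts(answers)
    hits = sum(c for _, c in counts.most_common(k))
    return hits / len(answers)


def min_entropy_bits(answers) -> float:
    """Min-entropy: -log2 of the most popular answer's probability.

    This is the entropy that bounds a one-guess attack; Shannon entropy
    overstates security when a few answers dominate the distribution.
    """
    counts = answer_counts(answers)
    p_max = counts.most_common(1)[0][1] / len(answers)
    return -math.log2(p_max)


if __name__ == "__main__":
    for name, answers in (("favorite food", FAVORITE_FOOD),
                          ("frequent flyer number", FREQUENT_FLYER)):
        print(f"{name}: 1 guess -> {top_k_success(answers, 1):.1%}, "
              f"3 guesses -> {top_k_success(answers, 3):.1%}, "
              f"min-entropy {min_entropy_bits(answers):.2f} bits")
```

On the constructed food answers one guess breaks 20% of accounts and three guesses 40%, while the all-distinct flyer numbers give the attacker 1% per guess; that gap, not the length of the answer, is what makes a question usable for recovery.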

So if easy to remember answers are too simple and secure answers are too difficult to remember, what should we do?

Google’s most important recommendation for adding security to the account recovery process was to register a recovery phone number (for SMS codes) or a secondary email address. Much as two-factor authentication strengthens a password login, routing recovery through a channel the attacker does not control dramatically reduces the risk that someone can maliciously recover your account. The caveat is that the recovery channel is only as safe as the phone number or mailbox behind it, so keep those current and protected too.

For more information on Google’s report check out the infographic below:

Google Secret Answer Infographic

Head-Scratching Begins on Proposed Wassenaar Export Control Rules

Experts point out that the proposed Wassenaar rules in the U.S. leave unanswered questions regarding exploit development and the use of commercial penetration testing tools.

Hackers Using Starbucks Gift Cards to Steal Money

Earlier in May, journalist Bob Sullivan reported that hackers were targeting Starbucks mobile users and using the Starbucks app to steal money through the credit cards linked to their accounts.

The Starbucks app links to a credit card so that users can prepay for goods and buy Starbucks gift cards for friends and family to spend in store.

Reports indicate that the gift cards are central to the attacks.

After gaining access to a victim’s Starbucks account, the attacker creates a new gift card loaded with the account’s entire balance and issues it to an address they control. The damage is then compounded by auto-reload: the app automatically tops up the balance from the linked card when it runs low, so the attacker can simply drain it again.

Within a few minutes, an attacker could siphon hundreds of dollars through gift cards without ever needing the victim’s credit card details.

In a recent blog post, Starbucks defended the security of its app and said that “News reports that the Starbucks mobile app has been hacked are false.”

Instead, the company says that customers reusing login details from other sites is what puts them at risk:

Occasionally, Starbucks receives reports from customers of unauthorized activity on their online account. This is primarily caused when criminals obtain reused names and passwords from other sites and attempt to apply that information to Starbucks. To protect their security, customers are encouraged to use different user names and passwords for different sites, especially those that keep financial information.

This isn’t the first time the Starbucks app has come under fire: last year it emerged that it stored users’ passwords on the device in plain text.

How to help protect yourself from attacks such as these:

Pick a strong, unique password

It goes without saying that this attack would not be possible if attackers could not log in to Starbucks accounts in the first place. Because the reported break-ins relied on credentials leaked from other sites, keeping a strong password that is unique to each site (one that is not reused anywhere else) is one of the most important things you can do to protect yourself from an attack like this. For help creating a strong password, check out this simple guide.

Turn off or limit auto top-up

One of the things that makes this attack so dangerous is that the damage escalates rapidly thanks to the auto top-up feature used by the Starbucks app (and many others like it): every time the attacker empties the balance, the app refills it from your card.

While automatically replenishing your account balance can be incredibly convenient, if you are concerned about attacks like these, disable auto top-up or set a limit on how much it may deposit.
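As an added example (not Starbucks’ code), the following Python models the escalation described above and the effect of the two settings recommended here: a wallet whose auto-reload is unlimited, one with a daily reload cap, and one with auto-reload switched off. The wallet model, amounts, threshold and cap are constructed for illustration; a real server-side control would also alert on, and require re-authentication for, the first gift-card transfer to a recipient the account has never paid before.

```python
"""Model why auto top-up turns one account takeover into repeated losses.

Added example, not Starbucks' code. Amounts, thresholds and the daily cap
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Wallet:
    balance: float
    auto_reload: bool = True
    reload_amount: float = 25.0        # charged to the linked card per top-up
    reload_threshold: float = 10.0     # top up when balance is at or below this
    daily_reload_cap: Optional[float] = None   # None = no cap (the weak setting)
    reloaded_today: float = 0.0
    card_charges: List[float] = field(default_factory=list)

    def _maybe_reload(self) -> None:
        """Top up from the linked card, as the app does when the balance is low."""
        if not self.auto_reload or self.balance > self.reload_threshold:
            return
        if (self.daily_reload_cap is not None
                and self.reloaded_today + self.reload_amount > self.daily_reload_cap):
            return      # cap reached: balance stays low, the attacker is starved
        self.balance += self.reload_amount
        self.reloaded_today += self.reload_amount
        self.card_charges.append(self.reload_amount)

    def transfer_to_gift_card(self, amount: float) -> float:
        """Move value from the wallet onto a gift card (which the attacker
        issues to an address they control)."""
        if amount <= 0 or amount > self.balance:
            raise ValueError("invalid or insufficient amount")
        self.balance -= amount
        self._maybe_reload()
        return amount


def drain(wallet: Wallet, rounds: int) -> float:
    """Attacker moves the whole balance to a gift card each round, until the
    balance stops coming back or the round budget is spent."""
    stolen = 0.0
    for _ in range(rounds):
        if wallet.balance <= 0:
            break
        stolen += wallet.transfer_to_gift_card(wallet.balance)
    return stolen


def scenario(daily_reload_cap: Optional[float], auto_reload: bool = True,
             rounds: int = 10):
    """Return (amount stolen, total charged to the victim's card)."""
    w = Wallet(balance=25.0, auto_reload=auto_reload,
               daily_reload_cap=daily_reload_cap)
    stolen = drain(w, rounds)
    return stolen, sum(w.card_charges)


if __name__ == "__main__":
    print("unlimited auto-reload:", scenario(None))
    print("auto-reload capped at $50/day:", scenario(50.0))
    print("auto-reload off:", scenario(None, auto_reload=False))
```

With unlimited auto-reload ten rounds cost the victim $250 in card charges on a $25 balance; a $50 daily cap stops the loop after two reloads, and with auto-reload off the attacker gets only the balance that was already there.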

Regularly check your accounts

Just like with online banking fraud, one of the best ways to protect yourself or recover from attacks such as this is to stay vigilant. Regularly check your bank statements and online account histories for suspicious activity and do not hesitate to get in touch with your bank or retailer should something unexpected appear.

For Starbucks users, if you see any suspicious activity on your Starbucks Card or mobile app, please immediately notify Starbucks customer service at 1-800-STARBUC.