Last week Lex, WhiteHat Security co-founder, was saying to me that it’s much worse to have your email (Web Mail) broken into than your bank (Web Bank). Confused, my first though was, “how can this be, that’s where my money is?” He explained that a very common forgot password (FP) system asks you to enter your email address, in return sends you a new password or a reset link. We’ve all seen and probably used these simple implementations. Lex’s logic was if your email box is hacked, every web-account associated to that address (using a send-email-forgot-password-system) could be compromised, including your bank. A malicious hacker could simply sift through the victims email to get the target list. This is a scary thought.
Lex may be right, I never thought about it this way before. Hundreds of millions of people regularly use GMail, AOL Mail, Yahoo Mail, Microsoft Hotmail, and a million other Web Mail providers everyday. Websites using a send-email-forgot-password-system are offloading identity verification to another website. Today’s savvy netizens have online accounts for airlines, hotels, rental cars, tax records, books, auctions, payment systems, loans, insurance, often all tied together via a single email address with a web-based interface. A well-crafted Cross-Site Scripting (XSS) attack would give direct access to crown jewels.
I’m going to have to rethink my personal information security strategy. Maybe this is also a good reason to create a top-5 list for normal users.