We have a lot of passwords to remember these days. It’s understandable that we forget them every now and then. It’s usually pretty simple to get them reset so you can start again. However, while very convenient, this can also be risky. When you forget your password, many websites will allow you to enter your email address to get a link via email to reset it. Nothing else is required. A persistent criminal can use email addresses to get access to accounts like PayPal or even your financial institution, where the payoff could be very big.
Jim Stickley of Stickley on Security wanted to prove this to a group of conference attendees. He wrote an app designed to collect the emails that went out to the users who forgot their passwords. He asked for volunteers who agreed to download an application that appeared to be a WiFi signal booster. They didn’t know what the demonstration was about, but willingly installed the app on their mobile devices knowing it would be of no real harm under those circumstances.
The app stealthily perused the devices and collected information from them, including email addresses. He could simply go to PayPal or Amazon, for example, request a password reset and intercept the emails sent. He then clicked the included links, changed the passwords, and had control of those accounts with no one knowing what happened.
In addition to getting access to certain online accounts, he was also able to peruse everything in the person’s email account. This is significant because there is a lot of information that can prove very valuable to someone who doesn’t have the best intentions.
The conference attendees agreed to be part of the above exercise, but there are thousands of malicious apps available on the Internet from third parties and even in the official app stores that don’t always ask for permission to access your information.
The danger that lurks on the Internet is perhaps not as dangerous as a mugger lurking in a dark alley. However, it does have its own version of that mugger and the dark alley. Read reviews of apps you consider for download and don’t sideload them. Use multifactor authentication (MFA) whenever offered, be skeptical of links and attachments you receive in email messages, and be conservative with the information shared on social media and online networking sites.
No one is going to look out for you or your information better than you. So take time to learn about the dangers and how to protect yourself. Stickley had no intention of using the information he gathered for evil. Others aren’t so courteous.
© Copyright 2017 Stickley on Security