How Leaky Web Sites Allow For Hostile Consumer Profiles

from the build-a-profile dept

Last week, there were reports that phishers were getting more personalized, including specific data they knew about you to make the phishing attempt more effective. Apparently, the folks at Citibank didn't realize this, because their latest method for distinguishing legit emails from phishing ones is to include personal info in their emails. Of course, some may ask just how phishers and identity thieves can get more info about a person, and Business Week has just provided one answer. While it's unclear whether any scammers are actually doing this, Stephen Wildstrom explains the fairly simple technique of building a "hostile consumer profile." If you know someone's email address, it's quite easy. All you need to do is go to various websites, put in the email address and say that you forgot your password. On many sites, if they recognize the email address, they'll admit that you have an account on the site and say that you've been sent an email. If you don't have an account, the site will simply say that no such account exists. In that way, someone could enter your email address on a few different sites and find out which ones you have accounts on. Wildstrom fears that someone will write programs to throw millions of email addresses into such systems and build up huge profiles of info about people. Of course, if someone did this to you, you would suddenly get a bunch of emails reminding you of your password -- so you might suspect something was up. Also, plenty of sites use usernames, rather than email addresses, as the unique identifier for logging in. However, that doesn't change the fact that someone can pretty easily check to see if you've registered on certain sites.
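Added example (not code from the article or from any site it names): a minimal "forgot password" handler written the leaky way the article describes, beside one that gives the same reply whether or not the address is registered, plus a per-client request cap that blunts the bulk harvesting Wildstrom fears. The account store, reply text and in-memory outbox are constructed for illustration.

```python
import secrets
from collections import Counter

# Constructed sample account store: email address -> display name.
ACCOUNTS = {"alice@example.com": "Alice", "bob@example.com": "Bob"}

# Reset mails "sent" so far, kept in memory so the example runs offline.
OUTBOX = []

# Per-client request counter standing in for a real rate limiter.
ATTEMPTS = Counter()
MAX_ATTEMPTS = 5

GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."
THROTTLED_REPLY = "Too many reset requests; please try again later."


def issue_reset_token(email: str) -> None:
    """Queue a reset mail carrying an unguessable token for a known account."""
    OUTBOX.append((email, secrets.token_urlsafe(32)))


def leaky_forgot_password(email: str) -> str:
    """The behaviour the article describes: the reply itself says whether
    the address has an account, so the endpoint works as an account oracle."""
    if email in ACCOUNTS:
        issue_reset_token(email)
        return "We have sent a password reminder to your email address."
    return "No account exists for that email address."


def safe_forgot_password(email: str, client_id: str = "anon") -> str:
    """Hardened: identical reply for known and unknown addresses, and a
    per-client cap so millions of addresses cannot be tried cheaply."""
    ATTEMPTS[client_id] += 1
    if ATTEMPTS[client_id] > MAX_ATTEMPTS:
        return THROTTLED_REPLY          # same for every address, leaks nothing
    if email in ACCOUNTS:
        issue_reset_token(email)        # only the mailbox owner learns anything
    return GENERIC_REPLY


def enumerates(handler, known: str, unknown: str) -> bool:
    """True if the handler's replies differ between a registered and an
    unregistered address, i.e. the endpoint can be used to build a profile."""
    return handler(known) != handler(unknown)
```

A real deployment also needs the two paths to take about the same time, since a reply that is identical in text but slower for known accounts leaks the same bit.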


Reader Comments



  •
    Anonymous, 26 May 2005 @ 10:26am

    No Subject Given

    Of course, if someone did this to you, you would suddenly get a bunch of emails reminding you of your password -- so you might suspect something was up.
    Or you might not, if that mail is automatically junked or deleted by virtue of your mail filter or the strange admin email address that isn't in your whitelist.


  •
    Nobody Important, 1 Jun 2005 @ 10:31am

    Don't use the same email address everywhere

    I started doing this so that I could easily blackhole addresses that got shared by sites I registered with. This only works if you own your own domain and have a catch-all address. Every time you have to register somewhere, just make up a new email address for that website. To be able to keep track of the address you used at a new site, use a standard convention:

    mybank.com@mydomain.com
    victoriassecret.com@mydomain.com
    llbean.com@mydomain.com

    You get the picture. Now if you register somewhere and they decide to share your email address, you can easily set up a filter for mail to that address.

    More to the point of this article, though, it makes it a little more difficult to use this technique to figure out where you're registered. Especially if you "salt" the address you use like:

    llbean.com_xx@mydomain.com

    The salt ("_xx" in this case) stays the same every time, but you make it up uniquely for yourself -- so that if everyone starts using a scheme like this it is harder for the harvesters.


