Email service provider: 'Hack into our CEO's email, win $10k'

Summary: A newly launched startup called StrongWebMail is aiming to add a new layer of secure authentication for its customers - phone verification prior to logging in and alert services for potential email compromises. The company is in fact so confident in its approach that it's currently offering a $10,000 reward to the person who breaks into the CEO's email.

A newly launched startup called StrongWebMail is aiming to add a new layer of secure authentication for its customers - phone verification prior to logging in and alert services for potential email compromises.

The company is in fact so confident in its approach that it's currently offering $10,000 reward to the person who breaks into the CEO's email. To make things even easier, they have in fact provided his user name and password (CEO at StrongWebmail.com; Mustang85).

The catch? Aspiring participants would have to find a way to intercept the 3-digit PIN sent over SMS or a phone call that is required to log in:

"StrongWebmail.com is offering $10,000 to the first person that breaks into our CEO's email account...and to make things easier, we're giving you his username and password. There's just one catch: to access a StrongWebmail.com email account, the account's owner must receive a verification call on his pre-registered phone number. So even though you have our CEO's username and password, you still have some work to do because you don't have access to his telephone."

StrongWebmail is indeed innovating with a pragmatic feature that, if implemented and configured correctly, can greatly improve the authentication process. However, by exploiting the weakest link, which in this case would be a malware/crimeware-infected end user, some of these features can easily be rendered useless.

Darren Berkovitz, spokesman for TeleSign Corporation, was kind enough not only to briefly respond to my questions and concerns, but also to increase the PIN length from three to five digits. Here's the Q&A:

Dancho: How many people are currently participating in the contest?

Daren: So far over 200 people have signed up to participate in the contest.

Dancho: Among your key differentiation features is the so called "Panic Button". What is the purpose of it?

Daren: The purpose of the panic button is so that if someone (ie:boss) comes by your computer while you are checking your email, you click the panic button and it pops up a screen that looks like an excel spreadsheet.

Dancho: At StrongWebmail's login page, there's an option to "Don't call me when I log in from this computer" based on the fact that "If you check this box, you won't be required to receive a phone call the next time you log into your StrongWebmail.com account, so only check the box if it's safe to do so", citing convenience reasons such as "If you have a computer no one else uses, you can set it as a "safe" computer. That way you don't have to receive a phone call every time you log in."

Would a malicious attacker that has already obtained the accounting data of the customer simply avoid receiving a phone verification by using the feature?

Daren: In order to activate the "do not call" feature, a person must successfully enter their username and password and receive a verification call. So a thief would need to steal your username and password and your phone in order to activate this feature.

Dancho: What anti-brute-forcing measures have you implemented? For instance, upon multiple failed login attempts I wasn't challenged in any way, by either restricting my login session attempts based on my IP, or receiving a CAPTCHA challenge that could at least slow down the efficient abuse of the service.

Moreover, even though the "phone protection" is theoretically protecting a malicious party from logging in even when knowing the correct login details, isn't the 3-digit PIN number disturbingly easy to brute force, an attack which in a combination with the correct login would result in a successful authentication based on the short PIN number?

Daren: We restrict by IP address to 3 times per session. This happens once you correctly enter your username and password. Also, the code is now 5 digits long, further reducing the chance of someone guessing the code to 1/3,333.

Dancho: Nowadays, the majority of email compromises occur through sniffing of accounting data by using botnets, compared to the much more inefficient brute forcing attempts and dictionary attacks. In fact, the use of compromised legitimate email accounts for spamming purposes is prone to increase due to the automated tools and modules available at the spammers' disposal through managed spamming services.

Despite the phone protection as yet another authentication factor, isn't the already malware infected, and also, marked as safe home based computer of one of your customers, the place where all the spamming and account compromise activities could be taking place?

Daren: The "do not call/safe computer" feature should only be used with caution. If your computer is infected and you have the "do not call" feature on, yes, someone could easily breach your SWM account. It is important to only use this feature on computers that no one else has access to and that are free from malware.

Another important feature of SWM (StrongWebmail) is the fact that if someone successfully steals your username and password, you will receive a phone call. This is kind of like a silent alarm that notifies you that someone has breached your account.
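As an added example (my own illustration, not StrongWebmail's or TeleSign's code), here is a minimal server-side model of the phone PIN step as the Q&A describes it: a fixed-width numeric code generated per session and delivered out of band, at most three guesses per session once the password is already correct, and a calculation of how likely a password-holding attacker is to guess the code within that budget for a 3-digit versus a 5-digit PIN. The class, function names, session handling and the injectable random source are assumptions made for the example.

```python
import hmac
import secrets


class PhonePinVerifier:
    """Server-side model (added example, not the service's own code) of the
    second factor: once the password checks out, a fixed-width numeric PIN is
    sent to the registered phone and the session accepts at most max_attempts
    guesses before it is discarded."""

    def __init__(self, digits, max_attempts=3, rng=secrets.randbelow):
        self.digits = digits
        self.max_attempts = max_attempts
        # rng is injectable only so the behaviour can be checked deterministically;
        # production code keeps secrets.randbelow.
        self.rng = rng
        self._sessions = {}

    def start_session(self, session_id):
        # Uniform PIN, zero-padded so "00042" is exactly as likely as "99999".
        pin = f"{self.rng(10 ** self.digits):0{self.digits}d}"
        self._sessions[session_id] = {"pin": pin, "attempts": 0, "done": False}
        return pin  # in the real service this goes to the phone, never to the browser

    def is_open(self, session_id):
        s = self._sessions.get(session_id)
        return s is not None and not s["done"]

    def verify(self, session_id, candidate):
        s = self._sessions.get(session_id)
        if s is None or s["done"]:
            return False  # unknown, spent or locked-out session: never evaluate a guess
        s["attempts"] += 1
        ok = hmac.compare_digest(s["pin"], str(candidate))  # constant-time compare
        if ok or s["attempts"] >= self.max_attempts:
            s["done"] = True  # a code is single-use, and the budget is never replenished
        return ok


def guess_success_probability(digits, max_attempts):
    """Chance that someone who already holds the password guesses the PIN
    within the per-session attempt budget: max_attempts / 10**digits."""
    return min(1.0, max_attempts / 10 ** digits)


def brute_force_budget(verifier, session_id):
    """Model of the brute-force concern raised above: the caller holds the
    correct password and submits PINs in ascending order until the session
    closes. Returns (found, guesses_evaluated), which shows how much of the
    10**digits search space the per-session cap actually leaves."""
    tried = 0
    for i in range(10 ** verifier.digits):
        if not verifier.is_open(session_id):
            break
        tried += 1
        if verifier.verify(session_id, f"{i:0{verifier.digits}d}"):
            return True, tried
    return False, tried


if __name__ == "__main__":
    for digits in (3, 5):
        p = guess_success_probability(digits, 3)
        print(f"{digits}-digit PIN, 3 guesses per session: p = {p:.5f} (1 in {round(1 / p):,})")
    v = PhonePinVerifier(digits=5)
    v.start_session("demo")
    print("sequential guessing within one session:", brute_force_budget(v, "demo"))
```

The per-session cap does the heavy lifting: without it, a 5-digit space is exhausted in 100,000 requests, and a 3-digit one in 1,000. With the cap the attacker gets three evaluated guesses and then a closed session, so the useful metric is the success probability per session (3/1000 for three digits, 3/100000 for five) multiplied by how many fresh sessions the service lets one source open, which is why the IP-based restriction and the code length have to be judged together rather than separately.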

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

21 comments
  • cool idea

    Sounds like a really good idea. No reason this
    shouldn't be implemented in all webmail
    providers.
    dmg348
  • If hacked it's unlikely the method will be...

    ...a direct attack on the user ID / authentication method but
    rather a bug in the configuration of the server/application.
    ye
    • If hacked it's unlikely the method will be...

      Or get your hands on the cookie?
      jlone
      • The easiest method of hacking

        Clone the phone. Wouldn't take much since he's the CEO.
        tmsbrdrs
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    Novel approach to protecting a person's email. I had mine hacked already and to be honest, it cost me a fortune in my reputation and legal fees from what was in there. Nice.
    readyfreddienow
  • Great Idea

    I own my own business and email security is key for me.
    I'm definitely going to sign up for StrongWebMail
    jbl58
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    Just signed up for an account. This is a great idea. I wish I had this when my account was broken into last year. Thanks for the heads up!!!
    glennmunney
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    Salma Hayek and Paris Hilton should've looked into strongwebmail.com before they had their passwords hacked. The vast majority of password hacks come from educated guessing of the password. If you are concerned about protecting the information on your account, then I don't see why you wouldn't opt to use this service.
    mjohnny
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    I had my email hacked last year; the person stole my credit card and used my mail account to send spam. He then sent emails to my friends asking for money as me!! It took me about 3 months to recover... I am going to give this service a try.
    frank9283
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    $10K? Not enough.
    Tsingi
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    This sounds like a long, long time ago (yes, I'm showing my age) when there were only modems around to connect to your workplace computer. To prevent illegal use you would dial in to the modem first, log in with your proper credentials and then log off, and then the work's modem would call you back on the phone number you had set. So if a cracker (hacker gone bad) tried to use your credentials to log in, you would have to be on that phone to receive the reply call. However, a determined cracker or criminal could break into your house to receive the reply call, or even tap into your phone line to intercept the reply call.
    An interesting reuse of an old idea.
    phatkat
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    If the "don't call me" feature is activated and the machine is infected, having access to the registry can permit duplicating the info and using it to create a fake PC which can impersonate the original one.

    Therry
  • gmail shows the last 5 ip's logged in, and any open sessions

    With Gmail, at the bottom of the page after you log in, you can see the last 5 IP locations you logged in from and any currently open sessions (you'll see these if you forget to log out somewhere, so don't forget to log out).

    If someone got in, take appropriate measures... like changing your password.

    And changing bank cards etc.
    pcguy777
  • Pretty darn easy to "hack" if you ask me.

    For 10k I would just walk up to the CEO and put a gun to his head and say give me your phone and password.

    Now how do I collect my money??
    easyaspie
    • you'd threaten someone for $10k?

      You'd threaten to kill someone for $10k? That isn't all that much money to risk a long time in jail. $10M, and maybe it would be worth it ;-P.
      eliavecellio@...
    • A bribe?

      You could offer to split the $10K with the CEO to cooperate; then again, that's chump change to such a guy. Ah, I have it, offer him $100K! Wait, is there a hole in my plan?
      ProfQuill
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    If you stick a gun in his head, there's no guarantee he'll give you the correct username/password and phone.

    Martmarty
  • 2 factor authentication still not the answer xss or not

    Well, I was really hoping I'd get to it before Lance did, my hat's off to you brother. I would have just attacked it from the phone phreaking side, we know the CEO's phone # for authentication ends in 5930, I had people scanning 310-xxx-5930 all night last night for me. Once we found the phone number all we would have had to do was make one phone call to the telco, temporarily forward the line to our phone number, intercept the code and log in, no XSS or computer skillz needed =)
    lucky225
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    OK, can anyone else see some guy trying to win this money, but because of the verification thing had to do something illegal, succeeded, won the money, but was then charged since he'd have to admit to having done the illegal action to do it?
    gnesterenko
  • RE: Email service provider: 'Hack into our CEO's email, win $10k'

    Conference call enables numerous people to communicate in real time despite being remote from one another. It is very easy to set up so anyone can take advantage of it.
    http://www.conferenceshopper.com/sitemap/advantages-of-voip-conferencing
    jennyrice41