How Leaky Web Site Allow For Hostile Consumer Profiles
from the build-a-profile dept
Last week, there were reports that phishers were getting more personalized, including specific data they knew about you to make the phishing attempt more effective. Apparently, the folks at Citibank didn’t realize this, because their latest method for distinguishing legit emails from phishing ones is to include personal info in their emails. Of course, some may ask just how phishers and identity thieves can get more info about a person, and Business Week has just provided one answer. While it’s unclear whether or not any scammers are actually doing this, Stephen Wildstrom explains the fairly simple technique of building a “hostile consumer profile.” If you know someone’s email address it’s quite easy. All you need to do is go to various websites and put in the email address and say that you forgot your password. On many sites, if they recognize the email address, they’ll admit that you have an account on the site and say that you’ve been sent an email. If you don’t have an account, the site will simply say that no such account exists. In that way, someone could enter your email address in a few different sites, and find out which ones you have accounts on. Wildstrom fears that someone will write programs to throw millions of email addresses into such systems, and build up huge profiles of info about people. Of course, if someone did this to you, you would suddenly get a bunch of emails reminding you of your password — so you might suspect something was up. Also, plenty of sites have usernames, rather than email addresses, as the unique identifier for logging in. However, that doesn’t change the fact that someone can pretty easily check to see if you’ve registered on certain sites.
Comments on “How Leaky Web Site Allow For Hostile Consumer Profiles”
No Subject Given
Of course, if someone did this to you, you would suddenly get a bunch of emails reminding you of your password — so you might suspect something was up.
Or you might not, if that mail is automatically junked or deleted by virtue of your mail filter or the strange admin email address that isn’t in your whitelist.
Don't use the same email address everywhere
I started doing this so that I could easily blackhole addresses that got shared by sites I registered with. This only works if you own your own domain and have a catch-all address. Every time you have to register somewhere, just make up a new email address for that website. To be able to keep track of the address you used at a new site, use a standard convention:
mybank.com@mydomain.com
victoriassecret.com@mydomain.com
llbean.com@mydomain.com
You get the picture. Now if you register somewhere and they decide to share your email address, you can easily set up a filter for mail to that address.
More to the point of this article, though, it makes it a little more difficult to use this technique to figure out where you’re registered. Especially if you “salt” the address you use like:
llbean.com_xx@mydomain.com
The salt (“_xx” in this case) stays the same every time, but you make it up uniquely for yourself — so that if everyone starts using a scheme like this it is harder for the harvesters.