Sony announced today that a large number of accounts were hijacked using an attack based on the fact that people reuse passwords across websites. These “weakest link hijackings” are an evolution of the phishing attacks that have become so well known over the last few years.
These attacks are referred to as “weakest link hijackings” because the hackers attack websites with the weakest security, and then collect user passwords. Since it is common for users to reuse passwords across websites, hackers can then try those collected passwords against other websites like Sony as well as social network accounts, email accounts, work accounts, etc. When hackers take over the user’s social network or email account, they frequently change the user's password on the account to lock the real user out, then use it to try to trick the user's friends into sending money. One scam claims the person was stuck while travelling and needs money wired to them. Imagine losing access to all your contacts, email, photos, etc. and then having your friends lose thousands of dollars.
Unfortunately it is extremely difficult for websites to protect themselves against the weaker security of these other websites. Only some of the largest websites with the most sophisticated security tools can detect these types of attacks and try to automatically reduce their impact on their own accounts as Sony has done. Some of those websites offer users the option to add an additional layer of security to their account, for example by sending a code to their phone number each time they want to login. However if every website took that approach, users would revolt because of the pain it would create for them.
It's time for website owners to wake up and realize they are probably the “weakest link.” Most websites need to stop trying to run their own login system and instead rely on third-party tools and websites that provide users with highly secure login systems. This type of login approach has become popular with websites that want to integrate with social networks, but it can also be used by any website by simply letting users choose an identity provider that runs a secure login system. It also has the advantage of making it easier for users to register for a new website on a mobile device and we all know what a hassle that can be.
Consortiums of companies such as the OpenID Foundation are working together to solve the problem of passwords and weak login systems, and are making great strides on security, usability, and privacy. With so much of our digital identities and information at stake, it’s critical that we create a better, more secure system before we see more victims of the “weakest link”.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.