The "hacker" sent an email to the popular Gawker website, explaining where he or she discovered the existence of the email address, that he or she guessed the correct answer to the security question "What is your favorite pet?", then accessed the account and reset the password.
Apparently, the same password was used to secure Romney's Dropbox account.
Whether the tipster has or has not actually managed to enter those accounts is unknown, as no screenshots were offered to prove it, and Gawker journalists didn't try to use the new password given to them to check themselves, being that unauthorized accessing of other people's email and other accounts is a crime in the US.
They did contact Romney's campaign communications director Gail Gitcho to see whether Romney had noticed the he couldn't access those accounts anymore. She initially declined to comment and asked to contact Gawker's attorney.
After a while, though, she issued the following statement: "The proper authorities are investigating this crime and we will have no further comment on it," so still no confirmation of the "hack".
Pierluigi Stella, CTO at NetworkBox USA, commented the alleged hack for Help Net Security.
For years, security "gurus" have been talking about “something you know and something you have,” two factor authentications; security questions, and a number of other solutions to address the issue of password security, which is inherently flawed for public figures, whose lives have basically nothing private.
The issue allegedly occurred to Romney is typical. You lose your password, you try to reset it; to identify that it's really you, the site asks you a question for which supposedly only you should know the answer.
First of all, this opens up my account to anyone who knows me well! My friends know where I was born; they know the make and model of my first car; they know all the answers to the typical and most common “security” questions. Has anyone ever thought that I might not want my friends to hack into my account? Crime or no crime, I would just prefer these questions to display a higher level of intelligence.
That said, I've been on the side of having to decide what those questions should be, and I can tell you, this is no easy task. My recommendation, therefore, is to allow the user to set the security questions when he/she first sets up the account; you decide your question, you decide your answer, and you assume full responsibility for your account. Period! This way, you can insert/pose a question/answer no one else truly knows and no one can guess (well, hope springs eternal).
Google’s method of sending you a text message is a valid one; if I get an SMS stating, “here is your new password” and I'm not the one trying to reset it, of course I'd be more than a little suspicious and act upon it. My bank does the same when I try to execute certain transactions; despite having logged in to my online account. For instance, if I attempt to transfer money or set up a new payment, they send a six digit code to my cellular phone, which I would then need to enter to be able to proceed. I do like that method, because if I lose my phone and my passwords, I will likely call the bank and block everything anyway.
Adding on, is there anyone on this planet who does not have a cellular phone? We live and thrive by it, be it a smart phone or otherwise. So the true question is ~ when are these other companies going to modernize their methods?
Well, herein lies the issue – these methods are expensive. My bank sets it up because they're responsible for my money, so they want to be sure only I can access the cash. But Hotmail? They offer a free service, and make money by selling advertisements. Do we truly have the right to expect more from them? If I were on their side I would respond with a resounding NO, most wholeheartedly and emphatically. Theirs is a free service, do not expect too much from it; you get to use the email, we can’t spend millions of dollars to improve your protection like we would for a paid service. If you are willing to pay for it, maybe we’ll do something; but then, who would use Hotmail if it weren’t free?
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.