The Associated Press is reporting that a California man pleaded guilty to seven felonies, all stemming from breaking into the email accounts of women, looking through their sent folders for nude photos and videos, and then forwarding them to everyone in the victim’s address book. The man would look for Facebook profiles that provided personal information like email address, birthday, favorite color, and the like. Armed with these details, he would initiate a password reset request on the email account and answer the security questions to gain access. From there, he would look through the sent messages folder for racy pictures that the woman may have sent and would then forward those images to everyone in the woman’s address book.
While everyone will be quick to point out the issues with Facebook or that people share too much information on the site, the real issue is that companies are slow to adopt robust security measures for their systems. Even worse, they frequently sabotage the front line defense (password) with a side entrance that is much easier to get through (security questions). A user could have the perfect 35 character random password, but if all an attacker needs to know is the user’s favorite color, city of birth, or father’s middle name, that random password becomes useless. Bruce Schneier has written about this multiple times in the past and says that, “if the password is controlling access to something important -- like my bank account -- then the bypass mechanism should be harder, not easier.”
Some sites, like PayPal.com and World of Warcraft, offer a token that generates a new code every 60 seconds that is required to log in. Others can send an SMS message to your phone with a code that is required to log in to the site. These measures are called "two factor authentication," adding a "something you have" to the "something you know" equation.
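To show what such a 60-second token actually computes, here is an added example (not code from the original post or from either site named above) of the time-based one-time password scheme from RFC 6238: the code depends on a random shared secret and the current time, not on anything an attacker could read off a Facebook profile. The secret below is the published RFC test secret, and the one-step tolerance window is an assumption chosen for this example.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret, base32-encoded as authenticator apps expect. This is the RFC 6238
# test-vector secret (ASCII "12345678901234567890"); real deployments generate a
# random secret per user at enrolment.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 60  # seconds per code, matching the 60-second tokens described above
DIGITS = 6


def totp_code(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """Time-based one-time password: HMAC-SHA1 over the current time-step counter."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // step            # which 60-second window we are in
    msg = struct.pack(">Q", counter)             # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or its immediate neighbours.

    The skew window (assumed here to be one step either side) tolerates clock drift
    between the token and the server; a code from further away is rejected.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret_b32, unix_time + delta * TIME_STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            return True
    return False
```

A password reset that only asks for a favorite color bypasses all of this; the second factor only helps if the recovery path demands it too.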
What should we take out of this incident? Either make the answers to your “security questions” random passwords as well, or empty the sent folder after sending nude photos of yourself.