By Harry McCracken | Thursday, April 23, 2009 at 7:03 pm
Poor Salma Hayek. She may be a gorgeous, accomplished, award-winning actress, but she’s apparently not very good at keeping her online accounts secure. A post at Electronic Pulp reports that pranksters have figured out how to get into her e-mail at Apple’s MobileMe service by using the “Forgot Password?” feature to reset her password. And they’ve been sharing stuff they’ve found (nothing scandalous).
Could this have been prevented? Did Salma do anything wrong? Did Apple? If the reports are true, the answers are yes, yes, and yes.
As MobileMe’s “Forgot Password?” feature is implemented, you need three things to reset the password to one of your choice and thereby get into an account:
1) The person in question’s MobileMe name/e-mail address (often easy to guess, since chances are good it’s some form of the person’s first and last names–and even if it isn’t, it’s by definition not secret);
2) The person’s birthday (a cakewalk to determine if the account holder is a famous movie star, and really not that difficult for civilians, too, especially in a day of social networks);
3) The answer to the person’s “Secret Question” (which with MobileMe can be any question of the account holder’s choice–you’re not limited to standard ones like your mother’s maiden name).
If you have these three pieces of information, you’re in. Unlike many online services, MobileMe doesn’t require verification via e-mail before letting you reset the password. That’s understandable, I guess, given that it’s possible that a MobileMe user’s only e-mail account is his or her MobileMe one; in such cases, you can’t receive e-mail verification if you can’t remember your password. But it opens up a gigantic security hole.
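The weakness described above, shown beside a reset flow that requires possession of an out-of-band token, as an added example (not Apple's code and not from the original article). The class, field names, sample account and the pre-registered recovery channel (an alternate address or phone number collected at sign-up) are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)

def hash_pw(password):
    """Salted PBKDF2 so the example never stores a plaintext password."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetService:
    """Hypothetical in-memory reset service, not MobileMe's code."""
    def __init__(self, accounts):
        self.accounts = accounts  # username -> account record
        self.tokens = {}          # sha256(token) -> (username, expiry time)
        self.outbox = []          # stands in for e-mail/SMS delivery

    def weak_reset(self, user, birthday, answer, new_pw):
        """The flow the article describes: guessable facts alone are enough."""
        acct = self.accounts.get(user)
        if acct and (acct["birthday"], acct["answer"]) == (birthday, answer.lower()):
            acct["pw_hash"] = hash_pw(new_pw)
            return True
        return False

    def request_reset(self, user):
        """Hardened step 1: send a single-use token to a pre-registered channel."""
        acct = self.accounts.get(user)
        if acct and acct.get("recovery"):
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
            self.tokens[digest] = (user, time.time() + TOKEN_TTL)
            self.outbox.append((acct["recovery"], token))
        return "If that account exists, a reset link was sent."  # no enumeration

    def confirm_reset(self, user, token, new_pw):
        """Hardened step 2: only the holder of an unexpired token may reset."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        owner, expiry = self.tokens.pop(digest, (None, 0))  # pop makes it single-use
        if owner != user or time.time() > expiry:
            return False
        self.accounts[user]["pw_hash"] = hash_pw(new_pw)
        return True

def sample_accounts():
    """Constructed record whose birthday and answer are both public knowledge."""
    return {"star": {"birthday": "1970-01-01", "answer": "rover",
                     "recovery": "alt@example.org", "pw_hash": None}}
```

In the hardened flow the birthday and secret answer play no part in authorizing the reset, so publicly known facts about the account holder no longer matter.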
E-mail user names are easy to guess at; birthdays are easy to find out. The one piece of information that’s potentially impossible to guess is the secret question. But Salma apparently made the mistake of choosing a question and answer that anyone vaguely familiar with her career could guess–in fact, you might be able to guess the answer even if you didn’t know the question. But I’m not letting Apple completely off the hook–here’s the section of its MobileMe settings where you specify your secret question and answer:
Apple’s example of a “Secret Question” is by definition one that’s not secret in the least–unless you’re a hermit with a pet who you’ve never mentioned to another living soul. Even assuming that MobileMe users are smart enough not to use that question, it’s a lousy example to give them.
I don’t mean to bash Apple–or at least to bash it alone. There are other services with more or less identical security systems, and they’re all deeply flawed.
What’s a user to do?
1) It’s a good idea to check out the “Forgot Password?” features for services you use. Ones that send you an e-mail as part of the process are probably reasonably secure; ones that let you reset the password in the browser are risky.
2) Give some thought to making up an imaginary birthday you claim to have only when signing up for online accounts (assuming there are no legal repercussions to fibbing). If Salma had claimed she’d been born on March 19th, her MobileMe account would never have been compromised.
3) Don’t use secret questions with answers that aren’t truly secret. Again, lying about things like your mother’s maiden name or your high school mascot is worth considering. If you get to make up your own question, make it cryptic. Or even nonsensical–if your question is “What is my favorite ice cream flavor?” and the answer is “plaid,” nobody’s going to break in by guessing once or twice.
4) If you’re a movie star, never use the name of a person you’ve played as the answer to your secret question.
I hope that the publicity surrounding Salma’s misfortune causes Apple–and other proprietors of online services–to tighten up their security by a notch or two.
April 23rd, 2009 at 7:17 pm
This is awesome! Not for Salma, that’s a bummer, but I’ve been complaining about Apple’s password recovery system for a couple years now precisely because of this.
If you’re an ADC member, the situation is worse, since Apple imposes a number of extra restrictions on passwords such as requiring you to change it every few months. Add it all up and I used to frequently use the password recovery system every time I wanted into ADC.
April 23rd, 2009 at 8:03 pm
The most interesting thing about this non-story is that you didn’t even spell her name correctly.
“SALMA HAYEK”
Nice editing, guys.
April 23rd, 2009 at 8:07 pm
Mea maxima culpa on getting her name wrong! Corrected. Still think it’s an interesting story, though…
–Harry
April 23rd, 2009 at 10:07 pm
My secret question is one that no one would know the answer to apart from an ex-girlfriend from high school who has likely long since forgotten the answer to. “What are you thinking right now?” It’s a question with a very random answer.
April 24th, 2009 at 6:11 am
Whatispunk, is the answer something involving “cottage cheese and lederhosen”?
(from Ren and Stimpy)
Bot
April 24th, 2009 at 6:57 am
I would have preferred a different (meaning showing a lot more boob) photo of Salma.
April 24th, 2009 at 7:01 am
A relative of mine once had her Yahoo e-mail account cracked in this way. I started getting strange e-mails purportedly from ‘her’; within a few days the authentic person e-mailed to explain and apologize. This was 3-4 years ago and I hope Yahoo has changed its procedures since then. At the other extreme, the last time I used my PayPal account, it stopped and made me set up no less than 5 security questions (of their own design).
April 24th, 2009 at 9:40 am
Given that I just spelled the name like you did, you think you can correct the spelling in my comment so I don’t look like an ass here? 🙂