Many people don't realize just how valuable their email account is. Now, thanks to researchers at the University of Illinois at Chicago, a nifty tool called Cloudsweeper calculates how much your account would be worth, if cyber-criminals ever managed to get control.
Whenever someone's email gets hacked, whether through a phishing attack, malware, guessing passwords, or plain brute-force, a common complaint goes something like this: "Why did I get hacked? There is nothing interesting in my account." The thing is, the criminals aren't looking for exciting gossip buried within your correspondence or looking at the pictures you've emailed people. They are looking for valuable data, such as passwords to other accounts.
Your email account is quite frequently used for password resets. If someone gets control of your account, that person can search through the saved messages and figure out what other sites use the email address for account recovery. Access to your online banking account, login credentials for Facebook and Twitter, and details for iTunes and Amazon accounts are all accessible via your email account. I know many people who treat their email accounts as secret storage, frequently emailing private keys and password reminders to themselves.
My Gmail Is Worth $15Enter Cloudsweeper, a project from researchers at the University of Illinois at Chicago. The tool scans all the messages in your account to figure out what other services use the address to send password reset emails, or to login to the service. The tool also tracks services that sent the actual password when the user clicked on the "forgot password" link. The tool assigns a dollar figure to the data pieces found to determine how much the account is worth in the underground market.
I ran one of my Gmail accounts through Cloudsweeper, and it determined my account would be worth approximately $15.30 to bad guys. I was surprised, because I use this account purely for accessing Google services and don't use it to sign up for third-party services (I keep a separate account for that) or for regular correspondence (a different account for that). I'd forgotten that I did use this account for one of Twitter accounts, as well as my Kindle account on Amazon. According to the tool, my Amazon.com account was worth approximately $15 to the criminals and Twitter was worth $0.30.
There were some false positives, as a result of the fact that I long ago used this account for my PayPal account. I've since then changed the email address associated with PayPal, but since I still had some of their emails archived, CloudSweeper flagged the service as a potential risk. I asked a friend to scan his account, and Facebook popped up (worth $5) on his list of risks, except he doesn't have an account on that social network. The alert seems to have been fooled by various Facebook friend requests he received in the past that he never deleted.
How Much Are You At Risk?Cloudsweeper uses prices for account types and data collected from various sellers across multiple underground forums to calculate how much the information in the user's email account is worth, said Chris Kanich, assistant professor at UIC's computer science department and principal organizer of the project. It uses OAuth, so you just have to be logged in to the account when you run the "audit" from the project's page. No passwords are stored, and you can just revoke permissions at the end so the tool no longer has any visibility into your account.
If nothing else, this tool is great for spring cleaning, to wipe out some of the old emails that you don't need to keep anymore. Close accounts you aren't using, or at least make sure your information has been removed. And once you realize just how valuable your account is, perhaps you will consider setting up two-factor authentication to protect yourself?
No comments:
Post a Comment