NEAL CONAN, host:
This is Talk of the Nation. I'm Neal Conan in Washington. These days, most of us live our lives online. We pay our bills, juggle our accounts, email incessantly, shop on eBay, blog about our daily activities, and offer up personal information on social networking sites like Facebook and MySpace. These conveniences save time and make it easier to connect with others, but there can be a cost. Email hacking has become a real threat. Just ask Sarah Palin, and it can lead criminals to your credit card number, your bank account, and identity theft. Today, a security strategist will talk us through the anatomy of an email hack, and we'll get your tips on how to maintain your Internet hygiene and reduce your vulnerability. We'll also get the latest on the Sarah Palin hack.
Later in the program, a new documentary portrait of the man who defined modern political operative for better or worse, "Boogie Man: The Story of Lee Atwater." But first, if you've ever hacked someone's email or been hacked, give us a call. We want to hear your story. Our phone number, 800-989-8255. Email us, email@example.com. You can join the conversation on our blog, too. That's at npr.org/blogofthenation.
We begin with Herbert Thompson, chief security strategist at the consultancy firm People Security in New York. His article, in Scientific American magazine is called "How I Stole Someone's Identity." He joins us now from our bureau in New York, and nice to have you on the program today.
Mr. HERBERT THOMPSON (Chief Security Strategist, People Security in New York; Author, "How I Stole Someone's Identity"): Hi. Thanks, Neal. Happy to be here.
CONAN: And what you did was basically, as a demonstration, you asked a few friends and acquaintances if they wouldn't mind if you hacked into their bank accounts.
Mr. THOMPSON: Yeah. So I got some strange looks at the beginning.
CONAN: I bet you did.
Mr. THOMPSON: And you know, it's kind of interesting. So the idea was to ask some folks that I didn't know very well if, with their permission and under their supervision, if I could try to break into their online banking account and not hacking or anything strange or complex that you might read about. But instead, just using a feature called password reset. And it's - you know, it's fascinating how this thing works. If you've ever used Yahoo or Gmail or even your online bank account, the problem of resetting passwords is a pretty significant one, right. If you forgot what your password is, and you call in to some customer support number, there's a huge cost associated with that for the bank. They got to have people there, they got to be waiting, got to be standing by.
CONAN: So they have this automated system set up where they ask you a series of questions that you've answered before, when you signed on the first time. Mother's maiden name, typically.
Mr. THOMPSON: Yeah, that's right. And the problem is that we're now broadcasting more of our lives online. I mean, if you think about how many people you probably know that have a Facebook profile or a MySpace page or even use things like Linked In - more of ourselves, and little details about our lives are online. So people can actually take and mine the answers to these questions.
CONAN: So they'll know your birth date and maybe the state and the town that you were born in and where you went to high school. Well, all of these pieces of information turned out to be handy when you hacked the bank account of your friend named Kim.
Mr. THOMPSON: Yeah, they were. So Kim was an interesting case. So she had an online banking account. So the first thing that I did was went there, click "forgot your password." And like many of the online banks do, it then sent an email - in her case, to a Gmail account, and if you then - you know, the next step is you've got to get in to her Gmail account, and Gmail uses the exact same mechanism. You go in, you say well, I forgot my password. I can't remember what it is, and then it asks you a series of questions.
CONAN: Wait. Don't you have to know her account name?
Mr. THOMPSON: Oh, yes. That's a great question. So for online banking, for example, typically, it can be pretty easy to guess at what that is. So in Kim's case, Kim actually - in the interest of time, I actually asked Kim what hers was. But for two of my wife's other friends, I just had to guess. And it was really easy. Amazingly, after about four tries, just using some - again, some really simple biographical information - first letter of first name plus last name. That kind of thing.
CONAN: OK. KJones, for example.
Mr. THOMPSON: Right, exactly.
CONAN: So, you type KJones and say all right, I forgot my password. And then you - so you go into the Gmail account and so, you hit forgot my password again, and it asks you some questions.
Mr. THOMPSON: Right. It asks you some questions. And in the case of Kim, the questions were really simple. There were things like - well, for her email account, there were things like what city were you born in. No problem. She had a blog. It was really easy to get that information. It asked her birth date. So originally, I went to the DMV because the DMV is such an amazing source of information if you've ever gotten a speeding ticket or jaywalking ticket. But then, I just went back to her blog. And of course, she blogged about her birthday party.
CONAN: And there was the birth date.
Mr. THOMPSON: And there was the birth date.
CONAN: And so was she surprised when you presented her with the exact amount of money that was in her account?
Mr. THOMPSON: I tell you, Kim was shocked. Kim was shocked, and it's interesting because I think these mechanisms, these - you know, this technique of going and asking personal questions might have been legitimate or a fair security mechanism to use 10 years ago. But since then, we've gotten so many MySpace users and Linked In users and Facebook users. And it's just incredibly easy to get that data and bring it from this little profile.
CONAN: And again, not rocket science - pretty simple stuff.
Mr. THOMPSON: Yeah, it's not rocket science. You don't need a technical background. It's really just data mining. You just need Google and a dream.
CONAN: Well, joining us now is Kim Zetter. She's a reporter for Wired News and joins us now from the studios of Youth Radio in Oakland, California. Nice of you to be with us today.
Ms. KIM ZETTER (Reporter, Wired News): Thanks for having me, Neal.
CONAN: And one of the reasons we wanted to have you on the show is to bring us up to date on the Sarah Palin hack. But we just heard that story from Herbert Thompson. Boy, doesn't that sound familiar?
Ms. ZETTER: Yeah. But I just want to put a little disclaimer in. I'm not the Kim that Hugh hacked.
Mr. THOMPSON: Thanks, Kim.
Ms. ZETTER: Although I know Hugh.
Mr. THOMPSON: Yeah.
CONAN: Go ahead, please.
Ms. ZETTER: So basically, what happened was pretty much someone did exactly what Hugh did to his friend Kim's account. They knew - well, there'd been some news stories in the Washington Post and the New York Times already that Governor Palin was using personal email accounts and one of them was a Yahoo account. And I think the one that was published was firstname.lastname@example.org. And so, this person decided to see if there were other accounts similar, and they found one that was email@example.com. And basically, he did what was just described. He reset her password using her birth date and her zip code, all easily available online. And the security question that Yahoo asked on that account was where did you meet your spouse? And that, of course, was also online. She had met her spouse in high school, and the person typed in Wasilla High and got into the account.
CONAN: And all those emails were on the web moments later.
Ms. ZETTER: Not all of the emails, but he did - he grabbed the text of two emails. So we saw screen shots of two emails, but we saw screen shots of her inbox. So we saw - potentially, what other emails were in there as well as her contacts in the address book and some other information. And then, yes, it was posted on a forum online.
CONAN: And as I understand, the FBI is investigating the situation and has searched the home of a 20-year-old in Tennessee who I guess is now suspected of being Rubico, the person who claimed credit for this.
Ms. ZETTER: Yeah. Surprisingly, this has been a pretty easy case to solve if indeed he is the person. Hackers like to brag about their exploits, and the person who hacked into Palin's account - although this technically wasn't a hack. He bragged about it the next day, posted it on the same forum describing exactly what he did, and he posted it using a handle called Rubico. And bloggers traced that Rubico to a Yahoo email account firstname.lastname@example.org, which was then traced to a University of Tennessee student named David Kernell, who as it turns out is the son of a Democratic state representative in Tennessee. And he used a proxy service, which is an anonymizing service, to access Palin's account. And a proxy service hides your IP address, but it only hides your IP address to the website that you access, so it hides it to Yahoo but it doesn't hide it to the proxy servers that you use to access Yahoo.
Ms. ZETTER: So authorities went to the proxy service and looked at the logs and found the IP address that was used to access the Yahoo account. And that pointed to the student at the University of Tennessee. So far that's what we understand. There was a grand jury convened this morning in Chattanooga; three of the student's roommates were subpoenaed to appear before the grand jury. And so far there hasn't been an indictment out of that. The grand jury recessed this morning.
CONAN: Well, let's continue our conversation now about the general idea of password and email security and right on from there to things like online bank account security. Call us at 800-989-8255. Email us, we promise we'll keep it secret. The address is email@example.com, and let's see if we can begin with - this is Russ, Russ with us from Kansas City.
RUSS (Caller): Hello there. Yes, I've - I have neither hacked, aside from the old-fashioned sense, to work at code so it's perfect, nor been hacked, but being a rocket scientist, I can tell you it's not rocket science to not be so. When you answer your mother's maiden name, use a made-up word from your childhood that you used to use when you were three or some such thing, like zornorblast or snorkeldorf. That sort of thing, a word that nobody would know, you would remember, nobody could guess. Lie about answers like that, stuff that's easy to remember, hard to guess.
CONAN: Bob Newhart would remember kazorninplat since I think he made it up.
RUSS: Well, exactly. It's not going to exist online anywhere in reference to me. A word that's from my childhood, that sort of thing nobody is going to get. Passwords, make a mixture of letters and numerals, like a Mother Goose word spelled backward with zeroes for the o's, threes for the e's and that sort of thing. Again, make it something that's not easily guessable, not a dictionary word, not your dog's name. It's not trivial, but it doesn't take a lot of brain work; if somebody gives a darn, they can do it.
CONAN: Herbert Thompson, is Russ on to something here?
Mr. THOMPSON: You know, he is. When we published this Scientific American piece, it's amazing, the comments that came back from a lot of people in the U.S. were that that's exactly what they do. So, they come, and they make up basically a dossier online, this alias, and they write down all those questions and they put the answers on a little text file on their machine. The question comes down to when you really need it, can you remember it?
CONAN: That's the question for those of us who can't remember our own middle names much less our mothers' maiden names.
Mr. THOMPSON: Right, exactly.
CONAN: Russ, thanks for the suggestion, thanks for the phone call too. We're talking with Kim Zetter of Wired News and Herbert Thompson, also known as Hugh, the chief security strategist at the security consultancy firm People Security in New York, about how to keep our email accounts and other business online secure. If you'd like to join the conversation, 800-989-8255. Have you been hacked, have you hacked? I'm Neal Conan, stay with us. It's the Talk of the Nation from NPR News.
(Soundbite of music)
CONAN: This is Talk of the Nation. I'm Neal Conan in Washington. We got this email from Kate in Rock Hill, South Carolina. "In 2004, I innocently accessed the email account of my fiance, a soldier fighting in Iraq. I found that he had 29 other fiancees in five states, was not a Navy SEAL as he claimed, and not even in the military. He had a string of women believing that he was fighting for our country and lovingly waiting for him to come home. In truth, he had never left his house in North Carolina. Hell hath no fury like a woman scorned. Needless to say, when I told the other ladies the truth, his life was significantly chaotic for some period of time."
Well, there can be more nefarious purposes to hacking into your email. By one estimate, more than eight million people in the U.S. had their identities stolen last year, many of them online. Hackers can use basic information like your first elementary school, your pet's name, to access email accounts, and then move on to your bank accounts. Today we're talking about how hackers do it and what you need to know to stop them.
Our guests are Herbert Thompson, chief security strategist of the security consultancy People Security in New York. He wrote an article titled "How I Stole Someone's Identity" in Scientific American. Also with us is Kim Zetter, who reports for Wired News. If you've ever hacked someone's email or been hacked, give us a call, 800-989-8255. Tell us your story. Email us, firstname.lastname@example.org, or check out what other listeners have to say on our blog at npr.org/blogofthenation. And let's see if we can go now to Jason, Jason with us from Traverse City in Michigan.
JASON (Caller): Hello, Neal.
CONAN: Hi, Jason.
JASON: So, where do you want me to start?
CONAN: At the beginning.
JASON: OK, I once was purchasing something online from a friend who had a store down in Florida, and I put my email, or no, my credit card and all my credit card information in my email, which I should know better because I'm an IT person. And it was taken and then someone purchased a camera using - created an Overstock account, created an account, purchased a camera, and I found it before - ahead of time before - within a couple of days and then...
CONAN: And then?
JASON: Let's see.
CONAN: Just a suggestion, you're lucky they didn't start an Overstock company with your credit card.
JASON: Oh, yeah, no kidding. They - I found out what was happening. I called up - oh, that's what it was. I wrote Overstock using their tech help people and - I'm sorry, I'm slightly nervous, but I wrote down notes so I wouldn't trip up too much on air.
CONAN: It's happened to the best of us, Jason. Don't worry about it.
(Soundbite of laughter)
JASON: All right, thanks. I said, all right, someone has charged something, created an account on Overstock. Can you please shut it all down for me? It felt like it was the broken English of someone overseas, and they just said, you know, I'm sorry, I can't help you. I called up - I then started another session with an Overstock help person. And I had previously gotten the username and told them that I lost my password and lost my password to my email. Please reset it. Please help me. And they reset it, redirected everything to my Gmail account and...
CONAN: And so that way, when the guy tried to log in next time, was he shut off?
JASON: Oh, he was completely shut off. Yes.
JASON: I mean, there's a couple more things, and I'll just go - I'll bounce back and forth. I had the address of the person who it was going - or where the camera was being sent to.
CONAN: Ah, their shipping address, yeah.
JASON: Yeah, which happened to be only a hundred miles from where I live. So I then found out the name of the person, where they go to church, everything from Gmail. I had everything - I made a huge dossier of everything, gave my information to the FBI or my local police. And I believe, unless you have a high profile such as Sarah Palin or someone else, nothing will be done. I have no access to the IP numbers of what this person did. So that's about it. There's a couple more details, but that's about it in a nutshell.
CONAN: Even if nothing was done, at least they are aware of this person and have a big dossier. But Kim Zetter, Jason's activities seem to suggest that if you are quick enough and maybe if your hacker is a novice, you do have some opportunities.
Ms. ZETTER: Well, I think it was unusual in his case that the person who bought the camera actually used a real shipping address. And that was - that's a mistake that's not usually made by a person that's using your credit card number. Quite often, credit card numbers are stolen by gangs, criminal gangs. What will happen is that the numbers are used to purchase equipment, computer equipment, electronic equipment by someone who's a mule here in the U.S. The numbers are often stolen overseas by people overseas. A mule here in the U.S. will buy electronic goods with them here, will sell them on eBay and then will wire the money through...
CONAN: Through PayPal or something like that.
Ms. ZETTER: Right, overseas. And so what happens is that the drop box where the electronic goods are sent is usually an abandoned house or P.O. box or anything else. But it's generally not a legitimate address.
CONAN: And what is - Jason, thanks very much for the call. What is more valuable these days? Is it a credit card number or is it a password, Herbert Thompson?
Mr. THOMPSON: You know, it's interesting because there's an entire underground economy that exists. Think of it like an eBay where you can buy and sell things like credit card numbers, passwords for accounts. And if you look at the prices for certain items, it really tells you a lot about how criminals value this stuff. So a credit card number, for example, if you're trying to buy a stolen U.S. credit card number with the CVV2 verification number that's usually on the back, that's about two bucks. If you're paying more than two bucks, you're overpaying. But if you augment that with information about that person, things like mother's maiden name, pet's name, address, then you have a value that's somewhere in the neighborhood of 10 to 12 times as much. So that tells us it's the difference between giving somebody a fish and teaching them how to fish.
CONAN: Where do you go to get there? What, do you log on to your account at mafia.com?
Mr. THOMPSON: Yeah, that's right. Well, I think mafia.com may be taken. But there are lot of these chat boards, and they're hosted mostly in Eastern Europe, Russia, and surprisingly, South America, which is kind of interesting. And you just sort of go on there. You search for things like CVV2, and then you find all these listings of individuals. And what they'll do - it's a fascinating transaction process. You tell them you're interested in this pool of credit card numbers, and then they will give you a sample set of data. So, maybe five credit card numbers.
CONAN: Oh, a loss leader.
Mr. THOMPSON: Yeah, a loss - exactly. A taste. And you check those out. You make sure they work for whatever nefarious purpose you're buying them for, and then you decide to buy the entire bundle. It's really fascinating.
CONAN: And Kim Zetter, then it seems it's just a hop, skip and a jump from the credit card number to having your whole identity stolen.
Ms. ZETTER: Well, there's - it's a little more than that. If you just got a credit card number, it doesn't necessarily mean that your identity is going to be stolen. But if you do want to target an individual, it's just as easy as what he was describing to get a full dossier on someone. What's called a full info report, which includes your credit report, could include property listings, suspected relatives, that kind of thing can cost maybe about 100 dollars on the internet, on the underground.
CONAN: And could easily be worth tens of thousands.
Ms. ZETTER: Yes. You can get into bank accounts, you can get mortgage - into mortgage accounts, yeah. And open new accounts.
CONAN: Let's get Steve on the line. Steve, with us from Phoenix, Arizona.
STEVE (Caller): Hi, guys. How are you doing?
CONAN: Very well. Thanks.
STEVE: I'm calling just to see if anybody on the team there has heard about a technique called sidejacking. It's a technique in which somebody in a wireless location - let's say, a Starbucks or any other coffee shop that has standard wireless - can do something called sniffing, where they have some software running on their computer, and they're just watching things going back and forth in the - over the network. Once they have enough information - say you log in to your Yahoo email account, they can grab something like a cookie that's traveling back and forth, and then pose as you. So it's pretty easy to do. I've seen it work.
It takes just a couple of seconds to grab somebody's current cookie that they're using on a specific website, let's say Yahoo. And then start logging - start using it just as if they were that other person. So once that person leaves, this sort of sidejacker has the ability to then change password and log in again at a future date. And that would probably work with almost, you know, most websites today that use that technique of authentication, which I think is secure, but has that weakness.
CONAN: Well, Hugh, Kim, either of you familiar with sidejacking?
Mr. THOMPSON: Yeah. It's actually a pretty substantial problem and it exists when you've got a potential bad person that's on the same wireless access point or same network branch as you are. And really, the defense against it as a user, as an individual is just vigilance. You have to make sure that you make sound choices about when you access your email, when you access your online account at a certain merchant or vendor. And what's really interesting about it is most people still send email from things like Outlook in a completely unencrypted way. So in addition to the sidejacking vulnerability, somebody can potentially just grab the packets - grab your email essentially out of the ether as it's being transferred from your machine through the Internet.
Ms. ZETTER: I want to add to that.
CONAN: You just described me. But anyway, go ahead, Kim.
Mr. THOMPSON: Sorry.
Ms. ZETTER: Well, I was going to say - I was going to say it doesn't just describe you because there's an annual hacker and security conference in Las Vegas every year, and they basically sniff the wireless network for people who are using unencrypted email, and these are security professionals like Hugh and other people. And they are sniffing their passwords and getting into their email accounts, and it's called the Wall of Sheep. So, very sophisticated, intelligent people also have this problem.
STEVE: But I wanted quickly to say that this isn't very difficult to do - anybody who really wants to learn about it or try it could find software, download the software and be in business at a Starbucks within five to 10 minutes. People that sit there and use Outlook, for example, a large proportion of the users, they don't realize it but they set their email account to check, they set their Outlook to check their email accounts and sometimes more than one of them, every five, 10, 15 minutes - each time that happens, their username and their password gets passed right over the network and someone can come and watch usernames and passwords just flash right before their eyes.
STEVE: It's very dangerous.
CONAN: It's interesting, but let me ask another point. If you do do that, do you risk having your next email address being leavenworth.gov?
(Soundbite of laughter)
STEVE: I'm sure it's illegal, and I have - my disclaimer is that I haven't done it, but I've seen it done and I know that it can be done very easily. So, it's just something that - it's one of those things that's common enough and easy enough to do but for some reason, most people just have no idea that it can be done.
CONAN: All right, Steve. Thanks very much for the call. Interesting, interesting thing. Here's Bob in Oregon, who writes: "Major security problem is public knowledge of email addresses which are the same as the account sign-in. I use Yahoo Mail Plus which allows temp email addresses. You will never guess my account sign-in at Yahoo, never mind the password. Knowing this temp email address or 499 others will not let you into my single account. If I start getting junk mail at this email address, I can delete it. It is worth far more than the 29 dollars a year." Of course, it's then difficult to keep all your friends up to date on what your email address is. Isn't that the problem, Kim?
Ms. ZETTER: Well, I would suggest - I mean, he's got a great idea here, and one thing that you have to do is, you know, you were talking about sort of online hygiene here - that you shouldn't use your regular email accounts to register with websites. If you're having personal email, keep it separate and don't use it for any other purpose. If you're registering at a website, create a throw-away email account for that. Don't use the same password for your bank or your personal email account for any other account you use. The point here is to try and limit your damages so that someone - if someone does get into an account, one account, they're not going to be able to get additional information or to get into other accounts as a result of that. So he's on the right track.
CONAN: We're talking with Kim Zetter of Wired News. Also, Herbert Thompson of the consultancy firm People Security in New York. You're listening to Talk of the Nation from NPR News. And Dave is on the line, Dave calling us from Anchorage in Alaska.
DAVE (Caller): Hi. Yes. I had - something that happened to me. I had an ATM card that also worked as a credit card that I was using a couple of years ago, and I can't remember why but I had to cancel that card, and called my bank, canceled the card. About six or seven months later, $3,000 worth of charges appeared on my bank account that were - it looked like they originated in Italy. I called my bank and they said, oh well, you know, you've made these purchases, and we're not going to do anything to help you out. And I told them that this number was fishy, that I had canceled it. They had tried to insist that I had lost my card or that I didn't destroy it, somebody stole it. But that wasn't the case because I did destroy the card. Apparently, this number - there was a record of it somewhere, and somebody found it online and used it to purchase goods and services in Italy and fortunately...
CONAN: Even though it was a dead number.
DAVE: Even though it should have been a dead number. And the - fortunately they bought many airline and train tickets in Italy to travel around Europe. And I was able to prove that I was not in Europe on those days, and that I wasn't traveling. So, I got the money back. But I was livid that my bank actually had that number out in the Internet somewhere.
DAVE: So like, I still haven't gotten a good explanation from Key Bank National Association, just a little plug there for them.
CONAN: Have you changed your bank?
DAVE: Still haven't explained it to my - pardon?
CONAN: Do you now bank with somebody else?
CONAN: OK. Thanks very much for the call, Dave. That's fascinating that you can do stuff like that. But we just have a couple of minutes left and I wanted to give you both an opportunity to tell our listeners simple things that they can do to make sure that - well, at least reduce their vulnerability. Again, it's like trying to protect your house, I suspect if it's a real pro, they're going to get you.
Ms. ZETTER: Go ahead.
Mr. THOMPSON: Oh. OK. Just my thoughts on that are, the best thing that you can do is basically a self-examination, see how exposed you are, and an easy way to do that is imagine that you've actually forgotten your password for your bank account, for your email accounts, and just go through the process, see what questions it asks you. And then, do a simple Google search on yourself and see if that data is attainable. And remember, even if you don't have a Facebook profile or you don't blog or you don't use MySpace, if you have a brother or a sister or a cousin or an uncle that does, then they may be revealing this information about you, right? So who's your sister's favorite childhood pet? Well, it's probably yours, and if she blogs about it, then that information is exposed. And if you know that, if you know that your online identity is hinging on a couple of pieces of information like this, then you can go back to those institutions like the bank or Gmail and change them.
CONAN: Be just like my sister to rat me out. Kim...
(Soundbite of laughter)
Mr. THOMPSON: Right. Right.
CONAN: Any ideas from you?
Ms. ZETTER: I totally agree with Hugh. A couple of other things that I would add are genealogical records. A lot of people post those online and that gives a wealth of information in terms of birth dates and your relations.
Mr. THOMPSON: Good point.
Ms. ZETTER: In terms of filing taxes online, I know the IRS would love us to do that, but they - the IRS doesn't operate the sites that you use to file your taxes online. They're often not secure, and they can also be phished and be phony sites. So that gives a lot of information. I would, you know, insist that your insurance companies and your phone companies don't use your social security number, that they use a unique identification number instead. And then, again, use strong passwords. Don't use a word that's in the dictionary. Use numbers or a combination of numbers, letters, symbols, that kind of thing.
CONAN: Thank you both very much for your time today and you'll be glad to know we've - in the time that you've been on, we've cleaned out your bank accounts.
Mr. THOMPSON: Great. Thank you, Neal.
CONAN: Kim Zetter, a reporter for Wired News whose finances are perfectly fine. She joined us from the studios of Youth Radio in Oakland, California. And Herbert Hugh Thompson, the chief security strategist at the consultancy firm People Security. There's a link to his article on our blog at npr.org/blogofthenation. He was with us from our bureau in New York. Coming up, a new documentary on the bad boy of politics, the brilliant, ruthless, much hated and much loved Lee Atwater, "Boogie Man." Stay with us. I'm Neal Conan. It's the Talk of the Nation from NPR News.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.