Ahh, I'm safe, I have a difficult password for all my accounts! No one will dare crack it!
Well, this kind of thinking is wrong: there are many ways apart from password cracking in which someone can take over your web-based accounts.
Websites like Facebook, Gmail and Yahoo! use strong measures to protect online accounts from being cracked, but that is not always enough. People know today that it is almost impossible to break into another person's Facebook account directly, yet I somehow managed to get access to my friend's FB account, who like me is also a student of IT. This is how I managed to get access to his account and how he failed to prevent me.
The IT era has gone further than anyone on this planet could have imagined; from complex algorithms to simplicity, everything is ever evolving. Web development too has grown beyond vision: we now have the power to integrate complex DBs using PHP and interactive UIs using AJAX. But with all this evolution, one thing has failed to evolve: the naivety of human beings. While I type this, no fewer than 10 naive web users somewhere on the globe have just been compromised.
Let's take the example of Facebook: they have a very talented security team that continuously monitors suspicious activity across the globe. One can say it is nearly impossible to break their authentication protocols, but an account can still be taken over by exploiting the naivety of its owner.
Vulnerabilities of Web based Login
Following are the vulnerabilities of web-based logins that use passwords. Passwords fall under the "something you know" factor of authentication, so whoever knows the password owns the account. In such a setup it is essential to keep the following points in mind:
- Is the link of the webpage correct? This is phishing: the attacker copies the look of the original login page and hosts it at an address they control, so that clicking the login button sends the credentials to the attacker instead of to the real site. This kind of attack has long been popular. The attacker delivers the malicious link to the victim by e-mail, by chat, or by planting it when they have physical access to the victim's computer.
Ways to prevent phishing attacks:
1. Always check the URL. This is the best way to tell whether the page is the real one or a phishing page: look at the host name in the address bar, not just at whether the familiar name appears somewhere in the link (facebook.com.example.net is not facebook.com).
2. Check for the SSL certificate. Every social networking website, and every website that handles monetary transactions, uses an SSL certificate, and the URL starts with https://, indicating that the identity of the site's owner has been verified by a trusted third party (TTP). Note that the certificate only proves you are talking to the domain shown in the address bar; a phishing site can have a perfectly valid certificate for its own look-alike domain, so HTTPS alone does not make it safe to enter credentials or do transactions. HTTPS together with the correct domain does.
Tip: HTTPS-based websites show a small padlock in the browser. This is a visual hint that the connection to that site is encrypted, not that the site itself is legitimate.
3. Never follow e-mail links that say "login here to access your account". The sender's address is not a reliable check, since it can be forged; instead, type the site's address yourself or use a bookmark.
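Here is what that URL check looks like when written out in code. This is an added example, not code from the original post: a small Python function that treats a link as safe only if it is https and its host is exactly (or a subdomain of) a domain on a constructed allow-list, so that the usual phishing tricks (the real name used as a prefix of another domain, a user@ part in front of the real host, plain http, punycode look-alike domains) are rejected. The allow-list, the function names and the sample links are all assumptions made for this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow-list for this example: the registrable domains the reader
# actually logs in to. A real tool would keep this per user or per browser profile.
TRUSTED_DOMAINS = {"facebook.com", "google.com", "yahoo.com"}


def login_host(url: str) -> Optional[str]:
    """Return the normalised host name of an https URL, or None if the link
    is not an https link at all (javascript:, http://, data:, ...)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return None
    # .hostname drops the port and any user:password@ prefix, so
    # "https://facebook.com@evil.net/" yields "evil.net", not "facebook.com".
    host = parts.hostname
    if not host:
        return None
    return host.lower().rstrip(".")


def is_trusted_login_url(url: str) -> bool:
    """True only if url is https AND its host is exactly a trusted domain or a
    subdomain of one. The familiar name merely appearing inside the host
    ("facebook.com.evil.net", "login.facebook.com-secure.net") is not enough."""
    host = login_host(url)
    if host is None:
        return False
    labels = host.split(".")
    # Punycode labels (xn--...) can render as look-alike Unicode characters in the
    # address bar; none of the trusted domains here use them, so treat them as suspect.
    if any(label.startswith("xn--") for label in labels):
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing e-mail.
    samples = [
        "https://www.facebook.com/login.php",
        "https://mail.google.com/mail/",
        "https://facebook.com.evil.net/login",
        "https://facebook.com@evil.net/login",
        "http://www.facebook.com/login.php",
        "https://login.facebook.com-secure.net/",
        "https://xn--fcebook-hwa.com/",
    ]
    for s in samples:
        print(f"{'OK     ' if is_trusted_login_url(s) else 'SUSPECT'}  {s}")
```

The point of the check is that it compares the whole host against the expected domain rather than searching for "facebook" inside the link; the rejected samples are exactly the shapes a phishing link takes to pass a glance at the address bar.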
- Is the computer publicly accessible? Sensitive information should never be entered on a computer that has public access. The main reason is that a large number of credential-stealing programs are available that are hard to detect and can capture login activity.
One such example is a key logger (that is how I got access to my friend's FB account 😛). A key logger or keystroke logger is software, some of it open source, that keeps a record of the keys pressed. That's not all: some modern key loggers can even capture presses on a software keyboard (i.e. keys pressed on the on-screen keyboard). I used the Family Key Logger available from: http://www.safeandfreefiles.com/family-key-logger-5-07-full-download-with-crack-2/ but many are available online.
Prevention measures: There is not much you can do once a logger is installed, but you can reduce the risk with the following tips:
1. Do not log in from public computers, such as college PCs or cyber cafés.
2. Check for an anti-virus program. Most major anti-virus programs detect common key loggers, but not all of them (especially ones packed or modified to evade detection), so it is always safer to check for one before performing any transaction.
3. Check for suspicious software in the installed programs list under Control Panel, and in the list of running processes (Task Manager); many loggers run in the background under innocuous names.
4. Use the web-based (on-screen) keyboards provided by certain websites; as noted above, some key loggers can capture those too, so this helps only against the basic ones.
Well, that's all from this post; stay tuned for more. Adios, and have a cyber-safe day.