Vulnerability in Xoom’s Password Retrieval Procedure?

J. Angelo Racoma N2RAC/DU2XXR
racoma.org
Oct 23, 2006


After reading my post about online payment systems “not being as easy to implement as we think,”:http://racoma.com.ph/archives/electronic-payments-in-the-philippines-it-may-not-be-as-simple-as-we-think/ Marhgil emailed me about how he discovered that “Xoom”:http://www.xoom.com accounts are potentially vulnerable to cracking. He “details in his blog”:http://kaluskoskuskos.com/marhgil/technology/xoom-accounts-easy-target-for-hackers/ how a user’s password can easily be changed if a malicious hacker (a “cracker,” in this case) correctly figures out three things: the user’s email address, bank account number and ZIP code.

Not really easy, but can be done

I tried it out myself, and it was so shockingly simple. Of course, you would need to correctly input the email account that a person uses for Xoom, and since people usually give out their email and IM addresses on their blogs or email/forum signatures, it won’t be too difficult to guess. Xoom makes it even easier by helping you out. The system even tells you when you’ve guessed incorrectly!

Bank account numbers aren’t as easily guessed, however. But with a bit of social engineering or stalking, you can easily figure out a person’s bank account details. For instance, some ATMs print receipts with the full bank account included. Or perhaps you can call or email a potential victim posing as a bank employee (don’t get any ideas here).

ZIP codes might not be readily available, but you can check out any zoning references (available online), and if you know where a person lives, you can easily guess his ZIP code.

The point here is that the combination of an email address and a bank account number is difficult to guess correctly. But it’s not impossible, and to a determined thief any effort exerted would be worth it if it gets him into an individual’s e-wallet.

Level of risk

You have to consider the level of risk and the vulnerability here. What exactly does access to another person’s Xoom account entail? Xoom doesn’t serve as an e-wallet the way PayPal does (you cannot load it with funds as you can with PayPal). However, if you have already registered a credit or debit card on your profile, then the cracker can use your Xoom account to transfer funds to his own account (by using the _Send Money_ feature) or pay for merchandise online.

How to mitigate this risk / A simple change of procedure

Marhgil suggests you change your ZIP code to a different value to make it difficult for a potential attacker to reach the _change password_ screen. This is only a stop-gap measure, though. Xoom should make its password retrieval procedure more secure by either sending the retrieval link to the user via email or requiring another form of verification, such as via SMS.

The fact that Xoom directly allows you to change your password once the correct details are keyed in adds to the risk. If Xoom instead emailed the user a link to a password-reset form, the system would be more secure. It’s easy enough to acquire an email address, but it’s not as easy to get into a user’s inbox.
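To make the two procedures concrete, here is an added example (not Xoom’s code, and not from Marhgil’s post) that puts the knowledge-based reset described above next to the emailed-link reset suggested here. The account store, the `OUTBOX` list standing in for a mail transport, and the sample profile values are all constructed for the illustration. It also shows the enumeration point made earlier: the weak flow answers differently for unknown and known email addresses, while the hardened flow gives the same reply either way, stores only a hash of the reset token, and makes the token single-use and time-limited.

```python
"""Added example: knowledge-based password reset (the kind described in the
post) beside a token-by-email reset. All data, storage and the mail sender
are constructed stand-ins, not Xoom's systems."""
import hashlib
import secrets
import time

# Constructed sample account store: email -> profile. Values are made up.
ACCOUNTS = {
    "alice@example.com": {
        "bank_account": "1234567890",
        "zip": "90210",
        "password": "old-secret",
    }
}


# ---- Weak flow: knowing three profile facts lets the caller set a new password.
def weak_reset(email, bank_account, zip_code, new_password):
    """Return a status message; each distinct message leaks something."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "no account for that email"        # confirms which addresses exist
    if acct["bank_account"] != bank_account or acct["zip"] != zip_code:
        return "bank account or ZIP incorrect"   # lets the caller keep trying
    acct["password"] = new_password              # changed without touching the inbox
    return "password changed"


# ---- Hardened flow: only whoever reads the inbox can finish the reset.
TOKEN_TTL = 15 * 60   # seconds a reset link stays valid
PENDING = {}          # sha256(token) -> (email, expiry); raw token never stored
OUTBOX = []           # stand-in for the mail transport: (email, token)


def _token_key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Always return the same text, so the caller learns nothing about the address."""
    now = time.time() if now is None else now
    if email in ACCOUNTS:
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        PENDING[_token_key(token)] = (email, now + TOKEN_TTL)
        OUTBOX.append((email, token))              # the link goes to the inbox only
    return "If that address is registered, a reset link has been sent."


def complete_reset(token, new_password, now=None):
    """Set a new password only for a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_token_key(token), None)   # single use: removed on any attempt
    if entry is None:
        return False
    email, expiry = entry
    if now > expiry:
        return False
    ACCOUNTS[email]["password"] = new_password
    return True


if __name__ == "__main__":
    print(weak_reset("nobody@example.com", "x", "y", "p"))
    print(request_reset("nobody@example.com"))
    print(request_reset("alice@example.com"))
    email, token = OUTBOX[-1]
    print("reset ok:", complete_reset(token, "fresh-secret"))
    print("replay ok:", complete_reset(token, "again"))
```

The contrast is in what each flow requires of the caller: the weak flow accepts facts that can be learned about a person (and tells the caller which one was wrong), while the hardened flow requires possession of something, the inbox, and gives a guesser no feedback at all. A real deployment would add rate limiting on `request_reset` and invalidate existing sessions after a successful reset.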

Around the blogosphere

As of this posting, here’s what other people think about this issue:

* “Yugatech”:http://www.yugatech.com/blog/?p=1282
* “Techno Pinoy”:http://www.technopinoy.com/?p=233
* “PinoyTechBlog”:http://www.pinoytechblog.com/archives/does-your-bank-mask-your-account-number
