With all the personal data that has been leaked via Website attacks and data breaches this year, Internet users may be wondering if their accounts had been compromised.
A Web service that informs users if they had been compromised sounds like a potentially good thing, but the concept could be abused, according to security researchers.
Avalanche Technology Group’s ShouldIChangeMyPassword.com and HP Tippingpoint’s Pwnedlist.com are two such services that offer to check databases and lists of leaked data for email addresses and other account names. Worried users enter their email address or some other account name into a search box and the service scans all the databases and other known sources to see if there’s a match.
“We’re not talking about fly-by-night opportunists or even blatant phishing sites here, so why do I feel so squeamish about this approach to reassurance?” wrote David Harley, an ESET senior research fellow, on the ESET blog.
Harley notes that there is really no way for a user to know for sure that a service is legitimate and safe. “We all have to trust by proxy sometimes,” he said. If someone decided to abuse the user’s trust and launch a service for malicious purposes, it would be possible, according to Harley.
The perpetrator can take the email address entered and check against the database. If found, the service can lie to user and claim the account hasn’t been compromised. The user is more likely to do nothing, “rather than doing the sensible thing and changing your password anyway,” Harley said, giving the perpetrator, who now knows the account is valid and can see the password in the lookup database, time to go ahead and hack the account or steal information.
“In other words, the answer to ‘ShouldIChangeMyPassword.com’ is almost certainly ‘yes!'” Harley wrote.
Carole Theriault of Sophos agreed, suggesting on the Naked Security blog that concerned users should just go ahead and change their passwords. If the user uses the same password on several sites, or uses dictionary words, then that should be addressed immediately, regardless of whether the account has been compromised, according to Theriault.
Harley said these kinds of services run the risk of “grooming” potential victims of future social engineering scams. It is possible that attackers may create fake “look up your accounts” services, much in the same way scammers insert security messages about the bank never asking for passwords and other sensitive information inside a phishing email.
“Sometimes it almost seems as if the victim is lulled and reassured – by the presence of that text – into trusting an untrustworthy message,” Harley wrote.
It’s “simpler and safer” to change passwords if the user thinks the account has been compromised, instead of relying on these services, Harley said, noting that users should be regularly changing passwords in the first place.