About a month ago I wrote an article called “Mint.com in 2010 – Is it Safe?” As a new user I wanted to objectively evaluate real privacy and security considerations when using the site. And I tried to think about it from the perspective of a penetration tester. If I were trying to hack someone’s account, how could I try to get at a user’s information?
The following is nothing new or really original. These are common techniques, but they may be new to you as a potential victim. If you routinely think about security when online, it’s unlikely you’d fall for this. However, for users who are unaware of some of the vulnerabilities below, there is a real likelihood of a successful hack.
The point of describing how your Mint.com account could currently be hacked is to a) make you aware of the possibilities and b) help you understand what you can do to protect yourself.
How I would try to hack your Mint.com Account
Brute Force Might Work, But…
Brute forcing the password is one way, but a bit ham-fisted. There is no account lockout or notification of failed attempts. Technically, if I knew what a valid account was (which can be determined), I could have a script run through a dictionary of passwords, and if that didn’t work, have the script try by brute force until it got it. Assuming that Mint.com does not block the login attempts (which appears to be the case), if a user does not have a strong password, or an attacker is able to guess the password before the victim changes it, the account will be compromised.
Hacking an account by brute force could be noisy, time-consuming, and not exactly elegant by some standards. It is possible, however, to run a targeted attack against someone using a combination of technical and social engineering techniques.
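The missing control in the paragraph above is a login guard that counts failures per account, locks the account for a while, and tells the owner. The following is an added example of such a guard, not code from Mint.com or from the original post; the thresholds, the injectable clock and the notification strings are assumptions:

```python
import time
from collections import defaultdict

MAX_FAILURES = 5           # failures allowed in the window before the account locks (assumed policy)
WINDOW_SECONDS = 15 * 60   # sliding window in which failures are counted
LOCKOUT_SECONDS = 15 * 60  # how long the account stays locked


class LoginGuard:
    """Counts failed logins per account, locks after too many, and records the notices the owner would get."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so a test can move time forward
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lock expires
        self.notifications = []             # (account, message) that would be emailed to the owner

    def is_locked(self, account):
        return self.locked_until.get(account, 0) > self.clock()

    def attempt(self, account, password_ok):
        """Record one login attempt; returns "ok", "failed" or "locked"."""
        now = self.clock()
        if self.is_locked(account):
            return "locked"  # refused even with the right password, so guessing gains nothing while locked
        if password_ok:
            if self.failures[account]:
                self.notifications.append((account, "login succeeded after earlier failed attempts"))
            self.failures[account] = []
            return "ok"
        # keep only failures inside the window, then add this one
        recent = [t for t in self.failures[account] if t > now - WINDOW_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.notifications.append((account, "account locked after repeated failed logins"))
            return "locked"
        return "failed"
```

A hard lockout lets someone who knows your email address lock you out on purpose, which is why many sites use progressive delays or a CAPTCHA instead; the notification to the owner is the part that matters most either way.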
A More Social Approach
Pieces to the compromise
- Victim using WiFi
- Victim is logged in to Mint.com
- Victim checking email via POP or IMAP (unencrypted)
- Attacker can see the top of the Victim’s screen
This attack assumes that for whatever reason, you’re being singled out. It could be random, it could be bored script-kiddies, or it could be a targeted attack. Maybe you’re a school principal and the students want to dig up some dirt, someone’s boss that just got fired, or you have a roommate that thinks you should be paying more for your share of the rent.
It’s not unrealistic to assume that someone might be logged into their account over WiFi. The victim may be in a coffee shop, public library, fast-food place, etc. Let’s call it TheBreadPlace. The connectivity in TheBreadPlace could be WPA, WEP, or unencrypted. WEP is essentially worthless, although it is still used.
It’s also not unreasonable that the victim might be checking email with Thunderbird, Mail, Outlook, or other clients at the same time they are browsing. The average user might assume that because they are using a password for their account their mail is protected. What the victim might not realize is that unless they are encrypting or tunneling their email traffic, their username and password are sent over the network in clear-text. Some ISPs do not provide the option to encrypt mail traffic and will instead recommend you use a web interface to check mail.
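To make the clear-text point concrete, here is an added example (not from the original post) of the check a network monitor would run: it walks a POP3 or IMAP session and flags a login that happened before the connection was upgraded to TLS, without ever echoing the credentials. The transcripts are constructed; a real capture would show raw bytes rather than tidy "C:"/"S:" lines.

```python
import re

# Constructed transcripts of what a sniffer on the WiFi would see.
# "C:" lines are sent by the mail client, "S:" lines by the server.
POP3_CLEARTEXT = """S: +OK POP3 server ready
C: USER victim
S: +OK
C: PASS s3cret-pw
S: +OK Logged in"""

IMAP_CLEARTEXT = """S: * OK IMAP4rev1 ready
C: a1 LOGIN victim s3cret-pw
S: a1 OK LOGIN completed"""

IMAP_STARTTLS = """S: * OK IMAP4rev1 ready
C: a1 STARTTLS
S: a1 OK Begin TLS negotiation now
C: <encrypted bytes, unreadable to the sniffer>"""

# Client commands that carry the credentials in each protocol.
CLEARTEXT_AUTH = {
    "POP3": re.compile(r"^(USER|PASS)\b", re.I),
    "IMAP": re.compile(r"^\S+\s+LOGIN\b", re.I),
}
# STLS (POP3) and STARTTLS (IMAP) switch the connection to TLS.
UPGRADE = re.compile(r"^(\S+\s+)?(STLS|STARTTLS)\b", re.I)


def audit_session(transcript, protocol):
    """Return findings for credentials sent before TLS was negotiated; the credentials themselves are not reported."""
    findings = []
    encrypted = False
    for lineno, line in enumerate(transcript.splitlines(), 1):
        sender, _, payload = line.partition(": ")
        if sender != "C":
            continue  # only the client sends credentials
        if UPGRADE.match(payload):
            encrypted = True  # everything after this point travels inside TLS
        elif not encrypted and CLEARTEXT_AUTH[protocol].match(payload):
            findings.append(f"line {lineno}: {protocol} credentials sent in clear text")
    return findings
```

The same rule applies to your own mail client settings: if the account uses port 110 or 143 with no SSL/TLS or STARTTLS option enabled, this is the session it produces.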
When the victim is logged into Mint.com, their username is displayed at the top of the screen. As an attacker there are any number of ways I could get that information: sitting by you, looking over your shoulder as I walk by, pretending to take a picture of my friend when I’m actually taking a picture of you, or stopping and saying, “Hey, I’ve heard about this…”
Mint.com has a forgot password feature that allows you to submit your email address. It then emails you a link to reset your account to a new password. There are no challenge questions or security checks. You simply use the link Mint.com emails you.
I can read your email. I can do this because I’ve either easily cracked the WEP traffic or I’ve impersonated the WiFi hotspot. You thought you were using the free WiFi from TheBreadPlace, but you’re actually going to my laptop first, where I sniff your wireless traffic and then send it on to wherever you were going. And because you were using plain old email and sending your email authentication in clear text, I know what your password is and can log into your email account.
At this point, as the attacker I have everything I need. I don’t have to get the victim to request a password reset; I can submit it myself, since I know the email address for the account. So I log into your email account, submit the forgot password request, get the reset link when it is emailed to you, and delete the email. Because there are no challenge questions, I get immediate access to reset your account. I set the password to one I know. Then I change the email address on the account to a random email account I have already set up.
As the attacker, I now own your Mint.com account, and I believe you would have no idea where your account or data went. You could not recover your account or password, as your email is no longer associated with the account. At best you could send a help email to Mint.com support asking them to look into their data to see what happened to your account and what the current email address is. But I’ve already taken screenshots and captured as much as I can to export, PDF, or an Evernote account.
Principal Skinner, I see what’s in your wallet. You purchased from rubberlederhosen.com recently…
Protect your Mint.com Account
Your Mint.com account doesn’t currently have access to write to any of your financial accounts. Why does it matter if your account gets hacked? If you don’t care, or don’t have any privacy concerns, then it might not matter. But understand what people could learn about you if they did get access – see the account compromise section in the linked article for details.
How to Protect Your Mint.com Account from Brute Force Attacks
- Don’t use your regular email address; set up one specifically for Mint.com (you could have it forward to your real address so you still get notifications)
- Make your new email address random so it’s difficult to guess.
- Use a strong password
- Change your password
- Store your login information in a password database like KeePass so you don’t need to remember it
How to Protect Your Mint.com Account from Social Engineering and a Reset Attack
- Know how to Protect Your Email
- Make your new email address random so it’s difficult to guess
- Don’t be bullied or manipulated
- Remember if you’re in public, be protective of what’s on your computer screen
- Don’t click on suspicious links in email
- Don’t log into your Mint.com account from shared unprotected public computers, such as the library
Other Recommendations to Request
You could ask Mint.com to add the following functionality:
- The ability to hide or disable the display of your account name when you’re logged in
- The ability to add challenge questions to the password reset function
- A two-step process that would require follow-up confirmation of the reset process
- The ability to optionally approve the reset from more than one account
- The ability to do a password recovery from any email you previously associated with your account
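The reset attack described earlier works because one emailed link, with no second check, is all it takes, and changing the email address cuts off the real owner. As an added example (not Mint.com’s code, and an assumed design), the toy account service below implements the requests in the list above that can be shown in code: reset links are single-use and expire, every verified address is told when a reset is requested or a password changes, adding an address requires the current password and never removes the old ones, and a reset can be started from any previously verified address. The outbox stands in for the mail the service would send.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 30 * 60  # reset links expire after 30 minutes (assumed policy)


class AccountService:
    """Toy account store with the reset safeguards the post asks for (assumed design, not Mint.com's)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}      # username -> {"password": str, "emails": set of verified addresses}
        self.reset_tokens = {}  # sha256(token) -> (username, expiry); only the hash is stored
        self.outbox = []        # (to, subject, body) mail the service would send

    def register(self, username, password, email):
        # Passwords are kept in plain text only to keep the example short.
        self.accounts[username] = {"password": password, "emails": {email}}

    def request_reset(self, email):
        # Same outward behaviour whether or not the address is known (no user enumeration).
        for username, acct in self.accounts.items():
            if email in acct["emails"]:
                token = secrets.token_urlsafe(32)
                digest = hashlib.sha256(token.encode()).hexdigest()
                self.reset_tokens[digest] = (username, self.clock() + TOKEN_TTL)
                self.outbox.append((email, "password reset link", token))
                for other in acct["emails"] - {email}:  # every other verified address is warned
                    self.outbox.append((other, "password reset requested", ""))

    def complete_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)  # single use: a replayed link fails
        if entry is None or entry[1] < self.clock():
            return False
        self.accounts[entry[0]]["password"] = new_password
        for addr in self.accounts[entry[0]]["emails"]:
            self.outbox.append((addr, "your password was changed", ""))
        return True

    def add_email(self, username, current_password, new_email):
        # Needs the password, notifies the existing addresses, and never removes them,
        # so the original owner always keeps a recovery path.
        acct = self.accounts[username]
        if current_password != acct["password"]:
            return False
        for addr in acct["emails"]:
            self.outbox.append((addr, "new address added", new_email))
        acct["emails"].add(new_email)
        return True
```

Whoever controls a mailbox can still follow a link sent to it; what changes is that the owner now hears about it at every other address and can never be cut out of recovery by a single email change.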
Pass It On
Follow Jason on Twitter @jason_owens and subscribe to the RSS feed.
If you like these ideas, retweet (RT) this article to others and to @mint and let them know, or use the referral links below. If you spot any errors, please let me know; I want to make sure this is accurate.