How I Would Try to Hack Your Account

About a month ago I wrote an article called “ in 2010 – Is it Safe?” As a new user I wanted to objectively evaluate real privacy and security considerations when using the site. And I tried to think about it from the perspective of a penetration tester. If I were trying to hack someone’s account, how could I try to get at a user’s information?

The following is nothing new or really original. These are common techniques, but they may be new to you as a victim. If you routinely think about security when online, it’s unlikely you’d fall for this. However, for users who are unaware of some of the vulnerabilities below, there’s a real likelihood of a successful hack.

The point of describing how your account could currently be hacked is to a) make you aware of the possibilities and b) understand what you can do to protect yourself.

How I would try to hack your Account

Brute Force Might Work, But…

Brute forcing the password is one way, but a bit ham-fisted. There is no account lockout or notification of failed attempts. Technically, if I knew what a valid account was (which can be determined), I could have a script run through a dictionary of passwords, and if that didn’t work, have the script try by brute force until it got it. Assuming that would not block the login attempts (which appears to be the case), if a user does not have a strong password, or an attacker is able to guess the password before the victim changes it, the account will be compromised.

Hacking an account by brute force could be noisy, time-consuming, and not exactly elegant by some standards. It is possible however to do a targeted attack against someone using a combination of technical and social engineering.
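The lockout and failed-attempt notification the paragraph above says the site lacks are simple to implement on the server side. This is an added example, not code from the article or the site it discusses; the sliding-window policy, the account names and the event stream are all constructed for illustration.

```python
"""Sliding-window failed-login tracker: lock an account after repeated failures
and record a notification, so a dictionary run is stopped early and noticed."""
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # look back ten minutes (assumed policy)
MAX_FAILURES = 5       # lock after five failures per account in the window

class LoginGuard:
    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
        self.window = window
        self.max_failures = max_failures
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires
        self.notifications = []              # (time, account, reason) to e-mail the owner

    def _prune(self, account, now):
        # Drop failures that fell out of the window.
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def attempt(self, now, account, success):
        """Return 'allowed', 'failed' or 'locked' for one login attempt."""
        if self.locked_until.get(account, 0) > now:
            return 'locked'          # rejected even if the password is right
        if success:
            self.failures[account].clear()
            return 'allowed'
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_failures:
            self.locked_until[account] = now + self.window
            self.notifications.append(
                (now, account, 'locked after %d failed logins' % self.max_failures))
        return 'failed'

# Constructed event stream: (seconds, account, password_correct)
EVENTS = [
    (0, 'victim@example.com', False), (5, 'victim@example.com', False),
    (9, 'victim@example.com', False), (12, 'victim@example.com', False),
    (15, 'victim@example.com', False),   # fifth failure: lockout and notification
    (20, 'victim@example.com', True),    # correct guess, but rejected while locked
    (30, 'other@example.com', True),     # unrelated account is unaffected
    (700, 'victim@example.com', True),   # lock expired, legitimate login succeeds
]

def replay(events):
    guard = LoginGuard()
    results = [guard.attempt(t, acct, ok) for t, acct, ok in events]
    return results, guard.notifications
```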

A More Social Approach

Pieces to the compromise

  • Victim using WiFi
  • Victim is logged in to
  • Victim checking email via POP or IMAP (unencrypted)
  • Attacker can see the top of the Victim’s screen

This attack assumes that for whatever reason, you’re being singled out. It could be random, it could be bored script-kiddies, or it could be a targeted attack. Maybe you’re a school principal and the students want to dig up some dirt, someone’s boss that just got fired, or you have a roommate that thinks you should be paying more for your share of the rent.

It’s not unrealistic to assume that someone might be logged into their account over WiFi. The victim may be in a coffee shop, public library, fast-food place, etc. Let’s call it TheBreadPlace. The connectivity in TheBreadPlace could be WPA, WEP, or unencrypted. WEP is essentially worthless, although it is still used.

It’s also not unreasonable that the victim might be checking email with Thunderbird, Mail, Outlook, or other clients at the same time they are browsing. The average user might assume that because they are using a password for their account their mail is protected. What the victim might not realize is that unless they are encrypting or tunneling their email traffic, their username and password are sent over the network in clear-text. Some ISPs do not provide the option to encrypt mail traffic and will instead recommend you use a web interface to check mail.

When the victim is logged into, their username is displayed at the top of the screen. As an attacker there are any number of ways I could get that information: sitting by you, looking over your shoulder as I walk by, pretending to take a picture of my friend when I’m actually taking a picture of you, or stopping and saying, “hey, I’ve heard about this…”

has a forgot password feature that allows you to submit your email address. It then emails you a link to reset your account to a new password. There are no challenge questions or security checks. You simply use the link emails you.

I can read your email. I can do this because I’ve either easily cracked the WEP traffic or I’ve impersonated the WiFi hotspot. You thought you were using the free WiFi from TheBreadPlace, but you’re actually going to my laptop first, where I sniff your wireless traffic and then send it on to wherever you were going. And because you were using plain old email and sending your email authentication in clear-text, I know what your password is and can log into your email account.

At this point, as the attacker I have everything I need. I don’t have to get the victim to request a password reset; I can submit it myself, since I know the email address for the account. So I log into your email account, submit the forgot password form, get the reset link when it is emailed to you, and delete the email. Because there are no challenge questions, I get immediate access to reset your account. I set the password to one I know. Then I change the email address on the account to a random email account I have already set up.

As the attacker, I now own your account, and I believe you would have no idea where your account or data went. You could not recover your account or password, as your email is no longer associated with the account. At best you could send a help email to support asking them to look into their data to see what happened to your account and what the current email address is. But I’ve already taken screenshots and captured as much as I can via export, PDF, or an Evernote account.

Principal Skinner, I see what’s in your wallet. You purchased from recently…

Protect your Account

Your account doesn’t currently have access to write to any of your financial accounts. Why does it matter if your account gets hacked? If you don’t care, or don’t have any privacy concerns, then it might not matter. But understand what people could learn about you if they did get access – see the account compromise section in the linked article for details.

How to Protect Your Account from Brute Force Attacks

  • Don’t use your regular email address; set up one specifically for (you could have it forward to your real address so you still get notifications)
  • Make your new email address random so it’s difficult to guess.
  • Use a strong password
  • Change your password
  • Store your login information in a password database like KeePass so you don’t need to remember it

How to Protect Your Account from Social Engineering and a Reset Attack

  • Know how to Protect Your Email
  • Make your new email address random so it’s difficult to guess
  • Don’t be bullied or manipulated
  • Remember if you’re in public, be protective of what’s on your computer screen
  • Don’t click on suspicious links in email
  • Don’t log into your account from shared unprotected public computers, such as the library

Other Recommendations to Request

You could ask to add the following functionality:

  • The ability to hide or disable the display of your account name when you’re logged in
  • The ability to add challenge questions to the password reset function
  • A two-step process that would require follow-up confirmation of the reset process
  • The ability to optionally approve the reset from more than one account
  • The ability to do a password recovery from any email you previously associated with your account
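The reset controls requested above (a challenge question, a time-limited link and a separate confirmation step) can be modelled in a few dozen lines. This is an added example, not code from the article or the site it discusses; the user store, the hashing helper and the step names are assumptions, and a stolen reset link alone is not enough to change the password.

```python
"""Password-reset flow with a challenge answer, a single-use expiring token and
a confirmation step that must succeed before the new password takes effect."""
import hashlib
import hmac
import secrets

def _h(value, normalize=False):
    # Store only hashes of answers and passwords. A production system would use a
    # slow, salted hash (bcrypt/scrypt/argon2) instead of plain SHA-256.
    if normalize:                      # answers: ignore case and surrounding spaces
        value = value.strip().lower()
    return hashlib.sha256(value.encode()).hexdigest()

class ResetFlow:
    def __init__(self, users, token_ttl=900):
        self.users = users             # email -> {'pw': hash, 'answer': hash}
        self.token_ttl = token_ttl     # seconds a reset link stays valid
        self.pending = {}              # token -> {'email', 'expires', 'confirmed'}

    def request_reset(self, email, now):
        """Step 1: issue a single-use token (a real site would e-mail it)."""
        if email not in self.users:
            return None                # unknown address: nothing to send
        token = secrets.token_urlsafe(32)
        self.pending[token] = {'email': email, 'expires': now + self.token_ttl,
                               'confirmed': False}
        return token

    def answer_challenge(self, token, answer, now):
        """Step 2: the challenge answer must match; a wrong or late answer
        consumes the token so the link cannot be retried indefinitely."""
        p = self.pending.get(token)
        if p is None or now > p['expires']:
            self.pending.pop(token, None)
            return False
        if hmac.compare_digest(self.users[p['email']]['answer'], _h(answer, True)):
            p['confirmed'] = True
            return True
        self.pending.pop(token, None)
        return False

    def complete_reset(self, token, new_password, now):
        """Step 3: consume the token; refused if unconfirmed or expired."""
        p = self.pending.pop(token, None)
        if p is None or not p['confirmed'] or now > p['expires']:
            return False
        self.users[p['email']]['pw'] = _h(new_password)
        return True
```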

Pass It On

Follow Jason on Twitter @jason_owens and subscribe to the RSS feed.

If you like these ideas, retweet (RT) this article to others and to @mint and let them know, or use the referral links below. And any errors please let me know, I want to make sure this is accurate.





  1. Very informative article, thanks for writing!!

  2. Like a lot of people these days I keep my tinfoil hat where I can quickly reach it. So if I were a bank or credit card company wanting to do the responsible thing and make sure my customers weren’t a danger to me, what would stop me from hiring top-notch hackers on the QT to find out everything they could about those customers? Oh, of course: my ethics and the certainty that alert regulators would find me out in no time at all. A big boost in profits certainly wouldn’t be worth the risk.

  3. great articles thanks for writing. i was considering setting up a account for my mom so she could better manage her finances but it looks like there’s still some holes that need to be patched before I’d let her use it.

  4. Thank you so much for this great website! It is very informative.


  1. […] security problems. Jason Owens, a certified security specialist, writes on his site about how he would hack in to your […]
