DIVINA: Discovering Vulnerabilities of Internet Accounts

Are Your Internet Accounts Safe?

In 2012, Mat Honan found that his Twitter account had been hacked. When trying to figure out what happened, he found that not just his Twitter account was hacked, but also his Amazon account, his Gmail account, and his Apple account, meaning that all data in these accounts was lost. His iPhone was locked, and his Mac was wiped clean. All data was erased. As it turned out, hackers were able to access his Amazon account. With the credit card numbers stored there, they could access his Apple account. Since his Gmail sent password recoveries to his Apple account, the hackers could access Gmail, and thus all of Mat’s digital accounts. (Read the full story on Wired.) Thus, if your accounts are linked, you could be hacked very easily!

So you should always switch on two-factor authentication for your online accounts, if available. If two-factor authentication is enabled and you want to log in, you have to provide not only your password, but also a second security token. This can be a code that you receive by SMS, a number generated by an app on your smartphone, or a special code that you keep in printed form. This would have made the attack on Mat impossible.

The problem is, though, that if you lose your password and do not have your smartphone, you lose access to your account! Owen Williams, for example, woke up one day to find that his Mac was locked. Apparently, hackers had tried to access his Apple account. They failed, but Apple locked the account. To unlock it, Owen had to provide the printed recovery key. It’s just that he never printed it! Thus, he was not able to access his Apple account any more. This meant that he lost access to all data stored on Apple devices — his pictures, documents, contacts. (Read the story on The Next Web.) Thus, if you lose your backup codes, you may lose access to your data!

To make matters worse, security measures are often intertwined. Assume, e.g., that your Gmail password can be recovered from your Apple account, and that you have two-factor authentication enabled on your Gmail account. This gives you some degree of security. However, if you send your Gmail recovery codes to your Apple email address and a hacker manages to gain access to your Apple account, then this security implodes. The more accounts you have, the more difficult it is to keep track of the security dependencies between them.
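The dependencies described above can be checked mechanically by treating each account as a set of alternative ways in and computing what falls when one account is taken over. This is an added example, not DIVINA's code or algorithm; the account rules, item names and the two configurations are constructed from the scenarios on this page.

```python
# Added illustration, not DIVINA's code. All names below are constructed.
# ACCESS: account -> alternative ways in; each way is a set of items that
# must all be held (AND inside a set, OR between sets).
ACCESS = {
    "amazon": [{"amazon_password"}],
    "apple":  [{"apple_password"}, {"card_number"}],  # card number accepted, as in the 2012 story
    "gmail":  [{"gmail_password", "gmail_second_factor"}],  # two-factor login
}
# GRANTS: account -> items an intruder obtains once inside it.
WEAK = {
    "amazon": {"card_number"},
    "apple":  {"gmail_password", "gmail_second_factor"},  # reset mail and recovery codes arrive here
}
HARDENED = {
    "amazon": {"card_number"},
    "apple":  {"gmail_password"},  # reset mail only; recovery codes kept on paper
}

def compromised(start_accounts, access, grants):
    """Return every account that falls once start_accounts are taken over."""
    owned, items = set(start_accounts), set()
    changed = True
    while changed:
        changed = False
        for acct in owned:
            items |= grants.get(acct, set())
        for acct, paths in access.items():
            if acct not in owned and any(path <= items for path in paths):
                owned.add(acct)
                changed = True
    return owned

def blast_radius(access, grants):
    """For each account, the other accounts lost if it alone is taken over."""
    return {a: compromised({a}, access, grants) - {a} for a in access}

if __name__ == "__main__":
    for label, grants in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for acct, lost in blast_radius(ACCESS, grants).items():
            print(f"  {acct} taken over -> also lost: {sorted(lost) or 'nothing'}")
```

In the weak configuration the Gmail second factor adds nothing, because both Gmail items arrive in the Apple mailbox; keeping the recovery codes offline breaks that chain at Apple.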

DIVINA will help you!

DIVINA is a system that determines how vulnerable your internet accounts are. In particular, it computes:

References

DIVINA is being developed at Télécom ParisTech University by Ziad Ismail, Danai Symeonidou, and Fabian M. Suchanek. The software is provided “as-is”, and without warranties or guarantees of any kind.

For more details, see our publication