  1. #1
    Linux User
    Join Date
    Jan 2006
    Posts
    414

    Break into my email: get $10,000. Here is my username and password.

    StrongWebmail.com is offering $10,000 to the first person that breaks into our CEO’s StrongWebmail email account. And to make things easier, Strong Webmail is giving the username and password away!

    Here’s the thing, in order to get into a StrongWebmail account, the account owner must receive a verification call on their phone. This means that even if your password is stolen, the thief can’t access your email because they don’t have access to your telephone.
    This looks interesting. Having spent some time working on phone/SMS verification systems, I can think of a couple of possible ways to get around it. For 10K it might even be worth a try!

    Break into my email: get $10,000. Here is my username and password. | Press Releases for Strong Web Mail

  2. #2
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    384
    Interesting idea, but in practice I can see that becoming annoying very quickly. Why should I have to receive a phone call every time I want to access my email? Unless I'm busy receiving top secret information from the government I fail to see the point. This has to be one of the most over-engineered solutions I've seen.

  3. #3
    Linux Engineer Freston
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,047
    Quote Originally Posted by Krendoshazin
    Interesting idea, but in practice I can see that becoming annoying very quickly. Why should I have to receive a phone call every time I want to access my email? Unless I'm busy receiving top secret information from the government I fail to see the point. This has to be one of the most over-engineered solutions I've seen.
    Only when you access your mail from a computer that has not been added to your trusted list. So your home and/or work computer can get whitelisted to bypass this technology. Which is more convenient, but also may prove the trick to defeat this here thing.

    IPs can be spoofed, MACs can be spoofed, certificates can be copied, trusted laptops can be stolen/cloned/whatever.

    All it is, is an extra layer of security. Accessing the webmail from untrusted devices is more secure now. You may know, I do the same on my server. Anyone not on the whitelist has three attempts to log in and request to be whitelisted. Fail, and you are out. No further rules, no exceptions.

    It's just that this uses telephony as a method of verifying a login attempt. That makes it pretty secure. Steal the CEO's mobile, or laptop, or run from behind his office computer when he's in a meeting (CEOs spend notoriously little time behind their desk) and you have a chance.

    Trouble is of course that it's not /my/ CEO whose account needs to be cracked for the $10,000, but a virtual one. That makes it more difficult to steal his|her mobile, or to sneak into his|her office.



    Quote Originally Posted by darkrose0510
    This looks interesting. Having spent some time working on phone/SMS verification systems, I can think of a couple of possible ways to get around it. For 10K it might even be worth a try!
    I have a good mind to share it with you, if you can devise a scheme

    EDIT: What would happen if some unsuspecting cracker would try to brute force an account like that from multiple bots? If every unique IP would result in another phone call, our virtual CEO would go crazy, wouldn't he?
    Can't tell an OS by its GUI

  4. #4
    Linux Engineer Freston
    Join Date
    Mar 2007
    Location
    The Netherlands
    Posts
    1,047
    It's been done!
    Can't tell an OS by its GUI

  5. #5
    Linux User Krendoshazin
    Join Date
    Feb 2005
    Location
    London, England
    Posts
    384
    Let this be an example of what overconfidence does to security.

  6. #6
    Linux User
    Join Date
    May 2009
    Location
    Big River, Sask, Canada
    Posts
    342
    Done.
    researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry. The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz's calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, 'if someone did it, we'll kind of put our heads down.'"
    posted on slashdot this morning.
    Registered Linux User #420832
