Almost everyone forgets a Web site password once in a while. When you do, you click on the familiar "Forgot your password?" link and, after entering your pet's name, identifying your high school mascot or answering some other seemingly obscure questions, you can get back into your account.

But there's a problem: A criminal can do that, too. With the help of social networking sites like Facebook and MySpace, personal trivia is getting less obscure all the time. You'd be surprised how easily someone can uncover Fido's name or your alma mater with a little creative searching.

Some security researchers are beginning to sound the alarm about "password resetting" tools, suggesting they could be the weakest link in Web security.

As an experiment, Herbert Thompson, chief security strategist of People Security, recently asked a few friends for permission to "hack" into their bank accounts. Using only information gathered from Web sites, Thompson found his way in within minutes.

"This is a serious problem. It kind of blew me away," Thompson said.

Here's what Thompson did. Using only one friend's name and place of employment, he found her blog and résumé. That provided a font of information on her grandparents, pets, hometown and more. He then visited her bank's Web site, where her user name was simply her first initial and last name. He asked for a password reset. The bank sent an e-mail with that information to her Web mail account. Thompson then asked for a password reset there, which sent a link to her old college e-mail account. There, Thompson needed only supply the woman's address, zip code, and birth date. Once successfully in the college account, Thompson hacked his way into the Web mail account – supplying her birthplace and father's middle name -- and ultimately entered her bank account by supplying her pet's name.

"I did this a couple of times. But the scariest thing would be someone doing this with some scale," Thompson said. A more detailed description of his romp through someone else's identity can be read on the Scientific American Web site.

There are no known cases in which hackers have widely exploited "forgot your password" links, but there are indications that both researchers and criminals are training their eyes in this direction. Markus Jakobsson, principal scientist at the famed Palo Alto Research Center in California, said answers to password reset questions have become so valuable that a black market has developed for personal information like dog's names. Criminals buy buckets of personal information, obviously with an eye towards foiling security systems, for about $15 per set, he said.

In most cases, such information sets are probably the result of successful phishing attempts, Jakobsson said, where a victim unwittingly supplied personal information in response to an e-mail. But he's seen demonstrations of far more sophisticated tools designed to "scrape" information off blogs and social networking pages for later use by hackers.

"It's an automatic dossier building tool," he said.

Like Paris Hilton
Questions about hacking through password resets have been raised before. When Paris Hilton's cell phone was famously hacked in 2005, some tech sites reported that criminals simply used her dog's name, easily found online, to break in. That theory was later discredited, but it likely sent criminals scurrying to find famous people's dog's names.

It also prompted researchers to study the issue, which is also known as "fallback authentication." Ariel Rabkin, a researcher at the University of California at Berkeley, is probably the first to attempt to quantify the problem. He recently published a research paper (PDF)titled in part, "Security Questions in the Era of Facebook." It examined password reset questions at 20 banks. Of the 215 questions used by the banks, he classified only 75 as secure and usable. The others were either easy for hackers to guess or obtain, or simply too hard for consumers to remember.

"Security questions are getting weaker over time," he said. Mother's maiden name, for example, continues to be asked even though it's often now available from various online sources. "We can't seem to get rid of that question. … If we do nothing this will get steadily worse."

In some situations, statistics give the criminal an advantage. For example, data published by some U.S. cities indicated about 1 percent of the nation's dogs are named "Max," making that a pretty good guess for a criminal trying to break into thousands of bank accounts. When a bank asks consumers who their favorite president was, it rarely takes more than two guesses, Rabkin said.

Even if the questions are more personal, and even if the subject doesn't have their own blog, others might blog about their dog, car or high school. And search engines can easily unearth such minutiae.

"There is an arms race here between people who trying to ask obscure questions about (us) and people who are trying to answer obscure questions about (us)," Rabkin said.

Not a bad idea
Thompson, the People Security expert, said that asking "challenge" questions with so-called "out of wallet" answers – questions that even a criminal who stole your wallet couldn't answer – once was a secure way to confirm someone's identity.

"If you think about it, 10 years ago this didn't seem like horrible idea, to ask for someone's personal information," he said. "You could say, 'It's probably unlikely that someone will know all of this information about me, or spent the time necessary to gather it.' But now it's really easy for someone who's never met you to know all this about you."

Coming up with secure challenge questions is no easy task. There are two problems to consider: The question must be difficult for a stranger to answer but it also must be easy enough so the customer doesn't forget. Quick: What's your kindergarten teacher's name? Was it McFadden or MacFadden or Mcfadden?

"In some cases, it's easier for an attacker with good data mining skills than the real person to answer these questions," Jakobsson said. He is hard at work developing a new solution, one which relies on the answers to "preference" questions rather than fact-based personal questions. A consumer who requests a password reset might be confronted with questions like, "Do you like antique stores?" or "Do you like opera?"

Asking 16 questions like these would provide positive identification in better than 99 percent of cases, he said. "And preferences are rarely stored in databases." (More on this idea can be found at I-Forgot-My-Password.com.)

Rabkin is all for improving the problem of forgotten passwords, but he is careful to not exaggerate the problem. In addition to the lack of proof that any widespread forgotten password hacking has occurred, he says banks have multiple systems in place to prevent thefts from online services. When a password reset is initiated, for example, banks automatically set a red flag on an account and watch it for suspicious behavior. Any large transactions following soon after would surely be stopped, he said.

"The problem is not as bad as you think," he said. "It's not so easy to match up a pet name from Facebook with another database of login names and another database of Social Security numbers," and use that to withdraw cash, he said.

Still, there is another problem associated with the importance of personal questions in security. A consumer who falls for an extensive phishing e-mail or has their blog copied by a hacker, may find it nearly impossible to navigate the digital world in the future. How would such a person ever reclaim a password or otherwise authenticate their identity?

"It would be incredibly difficult to recover from something like that," Thompson said. "You can't really change your mother's maiden name or these other things."

RED TAPE WRESTLING TIPS
Researchers like Jakobsson are looking for new ways to authenticate consumers. One obvious area of potential is biometrics. The chief criticism of this technology, which uses people's eyes, fingerprints, etc., to verify their identity, is the "doomsday" possibility that once such information is compromised, it could never be trusted again. You can't change irises, for example. But Thompson points out that the same is true for personal information such as your first pet's name or you mother's middle name. While biometrics has potential flaws, new systems will soon be necessary, Thompson said.

Of course, these security enhancements are still in the future, so for now, consumers must fend for themselves. When answering password recovery questions while registering for online banking and other Web sites, don't always pick the most obvious question. Consider what someone might be able to find about you on your blog. Better yet, consider not disclosing any personal information on your blog.

Alfred Huger, a security researcher at Symantec Corp., offers this suggestion: Some sites now allow consumers to make up their own question. While that might be a hassle, it's probably much more secure. Again, think of a question only you can answer, and something that's unlikely to be in any database. That probably means the name of your first girlfriend or boyfriend won't cut it.

Could a hacker steal enough information from a store you've shopped at to print up fake debit cards in your name and withdraw cash from your checking account at an ATM? Even if you've never told a soul your PIN code?

In fact, said the Justice Department last week, it's already happened, possibly to millions of people.

Buried in last week's indictments of 11 alleged international computer hackers accused of stealing 40 million credit and debit account numbers from U.S. retailers was something far more unsettling: At at least one retail chain, the indictments accuse the group of swiping encrypted versions of debit card PINs, decrypting them, then using the information to print debit cards and get cash from ATMs.

If proven true, that could mean criminals have crossed a new threshold in the pursuit of plastic card fraud -- PIN hacking.

For decades, the only security layer standing between criminals and cash from stolen debit cards has been the secret PIN code, which has proven surprisingly robust. When hackers steal a large set of debit cards numbers, there is generally no way to obtain their corresponding PINs, limiting the value of the stolen data.

Criminals have stolen small numbers of PINs in old fashioned ways, such as installing tiny cameras on ATMs that record PINs while they are entered.

But uncovering a way to obtain PINs from a stolen batch of debit card account data would give hackers the ability to withdraw thousands of dollars at a time from any ATM in the world – a holy grail of sorts for card thieves. That's precisely what the U.S. government says some of the suspects did as part of their five-year scheme, detailed last week.

In the indictment of alleged ringleader Albert Gonzalez, the Department of Justice accuses him of:
• Downloading "tens of millions of credit and debit cards and PIN blocks associated with millions of debit cards."
• Obtaining "technical assistance from criminal associates in decrypting encrypted PIN numbers."
• Cashing out "by encoding the data on magnetic stripes of blank credit/debit cards and using these cards to obtain tens of thousands of dollars at a time from ATMs."

The Justice Department would not comment on the indictments or on the specific methods that might have been used to perform the decryption. A spokeswoman would only confirm that the agency is indeed accusing some of the suspects of decrypting PINs.

Speculation for years
Encrypted PIN codes are supposed to be impenetrable. After a consumer enters their code into a PIN pad at a store, or at an ATM, the data is immediately converted into an unintelligible string of text called a "PIN block." That block of text is then sent along the payment processing network, ultimately back to the cardholders' bank, where the PIN is verified.

There has been speculation for years that criminals had found some way around the PIN encryption. In 2006, after a spate of fraudulent ATM withdrawals, Citibank began cutting off ATM cash access to some overseas travelers. Consumers around the country reported phantom withdrawals from their checking accounts of $1,500 or more from far-flung places like Bulgaria.

At the time Citibank, Bank of America, Wells Fargo, and Washington Mutual all reissued some debit cards. There was conjecture that criminals might have stolen PIN information that was accidentally left "in the clear," or unencrypted, by a retailer.

Earlier this year, Wired News reported that a Citibank server that processes transactions initiated at 7-11 stores ATMs had been "breached," according to an affidavit filed by an FBI investigator. The affidavit claims a single suspect, who has now been arrested and charged with theft, stole $750,000 from ATMs in a single month during early 2008.

But last week's indictment accuses the criminals of taking everything they need to print fake debit cards and steal money directly from retailers. The specific case outlined in the indictments involved downloading PIN blocks from a Florida OfficeMax store in 2004 through a vulnerable wireless network, then later decrypting them. The indictments also accuse the group of downloading PIN blocks associated with millions of debit cards," hinting that the PIN problem might be even wider.

The scheme was apparently so successful that at several times the suspects allegedly sent boxes full of cash through express mail services to make payments to one another.

How it might have happened
PIN blocks are transmitted from retailers to credit card processors and are sometimes stored on computers along the way, where they would be available for the taking by criminals who knew how to decrypt the secret codes. This is sometimes called stealing data "at rest." Retailers have no need to keep PIN blocks in the stores, but poorly configured systems sometimes store this information anyway.

The hacking gang indicted last week also was capable of stealing data on the move, according to the indictments. The group is accused of using various methods to install "sniffer" programs that grabbed account numbers and PIN blocks as they flew by on computer networks. Initially the suspects sat in parking lots and used insecure wireless networks to gain unauthorized access, the government charges. For example, in July 2005, while sitting in a Miami TJ Maxx parking lot, the criminals are accused of worming their way into the firm's central credit card server in Framingham, Mass.

Later, some of the suspects brazenly walked into stores and physically installed sniffer software onto computers in other stores, the indictments say.

In May 2007, for example, they entered a Dave & Buster's restaurant in Islandia, N.Y., and installed sniffer software. Afterward they re-entered the store every month to empty the catch from their virtual net, eventually stealing 5,000 account numbers from that store alone and using those numbers to steal $600,000. In that case, they are accused of stealing only debit and credit card numbers.

Still, even with data stolen using such hands-on methods, stolen PIN blocks should be useless to criminals -- unless they can be unscrambled.

Encryption expert Ross Anderson, a professor at Cambridge University in England, has testified before about the possibility of "phantom withdrawals" involving PIN codes stolen from British banks. He says potential vulnerabilities in bank encryption software have been known by researchers for years. In 2003, a British court imposed a gag order on Anderson, preventing him from revealing some elements of his research.

He called this week's indictment "the first documented recent case" of PIN hacking, but added that it was "not surprising."

"The banks have encryption boxes that are claimed to be 'secure' but the claim is of course untrue," he said. "

Not so alarming
Mike Urban, who runs a debit card fraud-fighting service called CardAlert at Fair Isaac Corp., counters such talk by saying the most likely explanation for the crime is also the least alarming: Hackers didn't reverse engineer PINs; they simply managed to steal encryption keys from the same retailers where they stole the data, he said.

"I'm speculating here, but more than likely, to compromise that many PIN blocks they would have to have gotten the encryption keys somehow," he said. "More than likely there was a breakdown in management of keys wherever the keys were compromised. " Armed with the keys and a little know-how, he said, criminals could readily discern PIN codes from PIN blocks.

Urban said it would not be terribly alarming if the hackers obtained PINs that way, noting that retailers routinely secure keys carefully and that PIN compromises are "extremely rare." He also said that while the government's case against the hackers mentions theft of PIN blocks from several retailers, evidence of actual PIN-block decryption is offered in only one case – the one involving OfficeMax. He said he believed that could be an isolated incident.

"Fraud on PIN-based transactions is much lower than signature-based debit or credit transactions," he said.
Gonzalez, the alleged ringleader of the hacking ring, who also went by the moniker soupnazi -- apparently a reference to the "Seinfeld" character -- is being held in New York while awaiting trial. He faces life in prison if he is convicted of all charges. Only two other suspects out of the 11 indicted are in custody. Ukranian national Maksym Yastremskiy is being held in Turkey, and Aleksandr Suvorov is in Germany. Both are facing extradition.

RED TAPE WRESTLING TIPS
There's no need to panic over the possibility that hackers could steal PINs from places you shop. Consumers who are hit with fraud related to debit cards have strong legal protections. Losses reported within two days of discovery are limited to $50, and most banks give full refunds to consumers. Still, debit fraud can be a huge hassle, because consumers who are victims may find their bank accounts emptied and their ability to access cash severely limited until the money is replaced. The hassle factor is much higher than with standard credit card fraud.

But possible PIN theft is another incentive to use debit cards only to withdraw cash at ATMs – not for purchasing. There are already plenty of other good arguments for keeping your debit card in your wallet. We've written about the case for credit here; so has Consumer Reports.

If you really want to buy things with your debit card, perhaps as part of a monthly budgeting plan, consider signing the sales slip instead of entering your PIN, to keep your PIN a secret. And if you really want to enter your PIN, consider setting up a separate checking account, isolated from your standard account, for your purchases. That way, if your account is hacked, the criminals won't have access to all your money. But be sure to keep that fully stocked with cash; overdrawing your debit account can lead to costly overdraft fees.
Also, resist the urge to use the same PIN code for all your accounts.

Airline travelers may want to think twice about swiping their credit cards at airport self-service check-in kiosks following the possible theft of credit card account numbers from the kiosks at Canada's largest airport in Toronto.

One Canadian airline, WestJet, already has suspended use of credit cards for check-in at the Toronto kiosks in the wake of the investigation by Visa and MasterCard, which was revealed last week. Fliers can still use the machines, but now must use other methods – by swiping frequent flier cards, entering confirmation codes or using their passports.

About 31 million passengers fly through Toronto's Pearson International Airport every year, making the potential haul for credit card thieves able to access data entered into the 150 check-in kiosks enormous. But a possible kiosk-related heist raises questions about the security of the self-service machines at other airports, which are used by millions of travelers every day in the U.S and elsewhere.

It's still unclear how thieves could have stolen credit card numbers from the kiosks. A Canadian government report is expected later this week.

One possibility: Scammers attached small skimming devices to the kiosks that lifted the numbers from unsuspecting travelers, a technique often employed by criminals to steal information at bank ATMs.

But Scott Armstrong, spokesman for the Greater Toronto Airports Authority, which owns the machines, said investigators inspected the devices and found no signs of tampering. That suggests the data was collected by the machines and stored somewhere, then stolen by hackers who managed to access it – either directly or through the network that connects the kiosks to the airlines.

Put away your credit card?
Because of the uncertainty about the system in light of the investigation, some security experts are suggesting consumers should change the way they check in for flights.

Kiosks at Toronto airport are being investigated

"Next time you go to an airport kiosk for self-service check in, just type in your ticket reference number," said Avivah Litan, a security analyst at research firm Gartner. "Unless the kiosks are equipped with the latest in tamper-proof technology and card readers that encrypt data when the card is swiped, they are highly prone – given their public locations – to criminal tampering. They are a perfect target for thieves."

If the kiosks turn out to be the source of the stolen credit card information, that would raise another question: Why would the machines read credit card account numbers and other personal information, and store that data? Security consultants say the kiosks need only read names off the cards to check in passengers, but the machines in Toronto – and similar machines in the U.S. – could be set up to collect and store more data.

The kiosks in Toronto are made by IBM Canada, and the data is managed by two firms -- ARINC Inc., based in Maryland. and SITA Inc., a European consortium based in Geneva.

Linda M. Hartwig, a spokeswoman for ARINC, declined to comment on the apparent security breach. But she said the kiosks read everything on the entire credit card magnetic stripe – including account numbers and expiration dates -- then hand the information off to the airline. She said no data is stored on the kiosk itself.
Spokesmen for the other software company, SITA Inc., did not return calls seeking comment.

U.S. kiosk maker won't comment
In the U.S., about two-thirds of the kiosks used at airports are provided by Florida-based Kinetics, Inc., a subsidiary of NCR Corp. The firm would not discuss how its kiosks worked.

Several airlines contacted referred questions to Visa. A Continental Airlines spokeswoman, for example, said the airline wouldn't reveal if its kiosks collect credit card numbers while checking in fliers.

Christopher White of the Transportation Security Administration said the Toronto incident was "not an aviation security issue, it's more of a customer service issue, " and referred questions to the industry group, the Air Transport Association.

Elizabeth Merida, a spokeswoman ATA, would say only that there are no reports of similar credit card heists in the U.S..

Violation of state privacy law?
It's unclear what consumers expect when they use a credit card at the kiosks. The machines generally display a message such as "Your credit card will not be charged," suggesting that the account number won't even be read by the machine.

But that's probably not technically feasible, said Greg Buzek, president of research firm IHL Group, which studies the self-service kiosk industry. Credit-card-reading software generally will pull all data that's on the magnetic stripe and only later distinguish between names, account numbers, expiration dates, etc., he said.

After the account numbers have been read, they might be deleted -- but only if the software has been programmed to do so, Buzek said.

"What happens is completely up to the way the software is designed," he said. To make sure account numbers are not stored, "somebody has to physically take that information, take that data, and delete it."

Failing to do so might violate various state laws, said privacy expert Larry Ponemon, who runs research firm The Ponemon Institute. In California, for example, companies that collect information about consumers that is otherwise "non-public" are required to disclose that.

"Most people when they go to a kiosk just think of it as a way to identify you, not as a system that captures your credit card information," Ponemon said.

Kiosks wildly popular
Kiosks are enormously popular with airlines and fliers alike. Buzek said about three-fourths of consumers say they prefer checking in via kiosk. At Continental Airlines, more than 85 percent of travelers check in using them, he said.

The trend toward self-service machines has exploded in recent years. There are now about 70,000 ticketing kiosks in North America – including self-service movie theater or bus ticket machines -- performing $370 billion in transactions annually. That figure is expected to rise to $1.25 trillion by 2012.

But favoring machines over humans could have unexpected security consequences, warned Robert Grapes, chief technologist at Virginia-based security firm Cloakware Inc.

"We strive to make things convenient and we strive for a reduction of operational costs, but we focus on convenience more than security and now we're getting bit by that," he said.

RED TAPE WRESTLING TIPS
• Because the airlines and the kiosk makers have so far not been forthcoming about how their systems work, it's unclear how consumers should react to the Toronto airport story. There's no need to stop using airport kiosks, however. It's safe to use airline-issued record locators, such as confirmation codes, when checking in. Most machines accept frequent flier cards, too.

• It's easier to check in with your credit card, though, so it's important to keep the risks in perspective. Remember, your liability for theft from your account is legally capped at $50, and consumers generally aren't forced to pay anything when they report their cards as stolen. Still, a compromised credit card is a hassle, so a little caution could be worthwhile.