A hacker used social networking sites Facebook and Friends Reunited to crack passwords used by his neighbours for online banking services, and stole £35,000 over two years.
According to a report in the Telegraph, the hacker, Iain Wood, logged into the bank accounts of other tenants at his block of flats, and tried to reset their passwords.
As with most online services, these banking portals prompt the user to answer a security question that often involves giving personal information such as the user's mother's maiden name, date of birth or name of their first school.
Many people make these details public via social networking, which Wood used to gain access to his neighbours' online bank accounts.
Some banks, including the Co-operative Bank's Smile, issue customers with secure tokens to enable two-factor authentication, so a randomly generated number is required along with personal details before cash transfers can be made.
However, Wood changed the home addresses associated with the accounts he targeted and requested that new cards be sent to him, which he then used to withdraw cash. Changing address is rarely protected by two-factor authentication.
Graham Cluley, senior technology consultant at security firm Sophos, said that banks should change their policies so that all online services, including an address change, are protected by two-factor authentication.
"When I log into my work email externally I have to use my authentication fob right from the outset. Why don't banks say right at the beginning when you log in you should use two-factor authentication, not just when you're transferring money?"
He also said that if people must give out their personal details via social media, they shouldn't use the same information to secure essential online services such as banking.
Alternatively, they should provide false information via social media.
"Under Facebook's terms and conditions they say you have to tell the truth," explained Cluley. "I choose not to trust them to look after my personal data, so I use fictitious information, which means they could throw me off the site if they wanted to.
"Unfortunately most people are too open with social media sites, meaning identity thieves and scammers can scoop up that data and use it for their own purposes."