
E-mail accounts are often a snap to hack

San Jose Mercury News

Sunday, October 05, 2008

San Jose, Calif. — The hacker who infiltrated Sarah Palin’s e-mail account last month may have intended to embarrass the Republican vice presidential candidate, but the prank also exposed one of the Internet industry’s most uncomfortable secrets: It is remarkably easy for someone to break into your online e-mail account.

In a post on an online community bulletin board, the hacker, who called himself “Rubico,” described how he broke into Palin’s account at Yahoo by using an automated password recovery tool that asked for Palin’s birthday, her ZIP code and where she met her spouse. “It took seriously 45 mins on Wikipedia and Google to find the info,” Rubico wrote.

“Account recovery is a problematic area from a security perspective,” said Michael Barrett, chief information security officer at PayPal. “The problem is if you make the process too weak then people can get in at will and if you make it too strong then people can’t recover their accounts.”

Internet companies such as Yahoo, Google and Microsoft, which own the biggest online mail services, don’t disclose how often accounts are compromised, but they acknowledge that it does happen.

“We know the bad guys are out there,” said John Kremer, vice president of Yahoo Mail. “Everyone is trying to figure out how to straddle the line between making an account recoverable and at the same time making it secure.”

Kremer said the first line of defense is good consumer practices. He said users of Yahoo Mail should be careful when they set up their accounts not to choose security questions that can be answered through publicly available information.

But Markus Jakobsson, a principal scientist at the Palo Alto Research Center and security expert, said it is not fair for Internet companies to put the onus on the customer. “It shouldn’t be the guy or gal on the street who has to worry about his or her security,” he said.

Jakobsson said ordinary people are running the same risks accessing their mail at companies like Yahoo and Google and managing their 401(k)s at companies like Fidelity Investments because the systems for safeguarding accounts rely on information that can be found either online or through public records.

In a statement, Google said it takes security seriously and asks for information, such as someone’s frequent flier number, that isn’t easy to find online. Google also notifies users if their account is open in another location.

Barrett, of PayPal, said the payment service, which is owned by eBay, employs different levels of security depending on whether someone has money in their PayPal account or has linked a bank account to their PayPal account. In that case, a person may be required to fax over a copy of a driver’s license or a passport to regain access to an account, he said.
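The two defensive ideas the article raises, vetting security questions at setup so they cannot be answered from public information, and stepping up the recovery requirement with the value of the account, can be written down as a small policy engine. The following is an added illustration, not code from the newspaper, Yahoo, Google or PayPal; the tier names, the list of "publicly discoverable" question topics and the verification factors are constructed for the example, loosely following the tiers Barrett describes.

```python
"""Risk-tiered account recovery policy (illustrative, not any provider's real logic)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Factor(Enum):
    """Verification steps a recovery flow can demand, weakest to strongest."""
    KNOWLEDGE = "knowledge-based security questions"
    OUT_OF_BAND = "one-time code sent to a pre-registered phone or alternate address"
    DOCUMENT = "government ID (fax/upload) with manual review"


# Question topics whose answers are routinely found in public records, news
# coverage or social media. Constructed list for this example.
PUBLIC_TOPICS = {
    "birthday", "birth date", "zip code", "hometown", "maiden name",
    "high school", "spouse", "pet",
}


@dataclass
class Account:
    has_balance: bool = False            # account holds funds (tier 1)
    linked_bank: bool = False            # external bank account attached (tier 2)
    recent_failed_recoveries: int = 0    # failed recovery attempts in the lookback window
    questions: List[str] = field(default_factory=list)


def vet_question(question: str) -> bool:
    """True only if the question avoids every publicly discoverable topic."""
    q = question.lower()
    return not any(topic in q for topic in PUBLIC_TOPICS)


def risk_tier(acct: Account) -> int:
    """0 = plain mailbox, 1 = holds funds, 2 = linked to an external bank account."""
    if acct.linked_bank:
        return 2
    if acct.has_balance:
        return 1
    return 0


def required_factors(acct: Account) -> List[Factor]:
    """Escalate the recovery requirement with the account's risk tier.

    Repeated failed recovery attempts push the account up one tier, because
    the weakest flow is the one that gets probed first."""
    tier = risk_tier(acct)
    if acct.recent_failed_recoveries >= 3:
        tier = min(tier + 1, 2)
    if tier == 0:
        # Knowledge questions alone are acceptable only when the user chose
        # questions that passed vetting at setup time.
        if acct.questions and all(vet_question(q) for q in acct.questions):
            return [Factor.KNOWLEDGE]
        return [Factor.OUT_OF_BAND]
    if tier == 1:
        return [Factor.KNOWLEDGE, Factor.OUT_OF_BAND]
    return [Factor.OUT_OF_BAND, Factor.DOCUMENT]


if __name__ == "__main__":
    # The three questions the article says were used against the Palin account
    # all fail vetting, so this mailbox would not get a knowledge-only flow.
    weak = Account(questions=["What is your birthday?",
                              "What is your ZIP code?",
                              "Where did you meet your spouse?"])
    for q in weak.questions:
        print(f"{q!r:45} vetted={vet_question(q)}")
    print("mailbox with weak questions ->", [f.value for f in required_factors(weak)])
    print("account with linked bank    ->",
          [f.value for f in required_factors(Account(linked_bank=True))])
```

The vetting step is a substring match on topic keywords, which is deliberately coarse: the point is that the provider, not the customer, decides which question types are off the table, which is the division of responsibility Jakobsson argues for.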

But Jon Fisher, who sold an authentication services company to Oracle last year, said there is no bulletproof solution. “The one-to-one attack, human being to human being, is very hard to defend against,” he said.
