A new wave of online crime is on the way – and all that's required is your username. Hackers may soon be able to identify which screen names belong to one person just by analysing the characters that make up the name.
This would allow criminals to send better-targeted spam and phishing messages. For instance, cross-referencing eBay usernames with Google email accounts could let attackers tailor phishing emails using freely available data about a user's eBay purchasing habits.
"I don't think it would be hard to pull off such an attack," says Daniele Perito at the National Institute for Computing and Automation Research, in Grenoble, France, the lead author of the work.
"Usernames are like digital fingerprints – on a given service, they are the only pieces of information that have to be unique," explains Patrick Fitzgerald of internet security company Symantec Security Response. But even though they are so specific, extra information, such as a date of birth or location, is usually required before multiple names can be pinned to a single user.
Now Perito and colleagues have studied how usernames alone can identify a person. The team took almost 10 million usernames from Google, eBay and MySpace, and used statistical analysis to create a tool that calculates how unique a username is. Unsurprisingly, they found that names owned by an individual tend to be extremely similar.
From there, they developed a method for cross-referencing usernames across different sites. By analysing the text that makes up usernames, how different they are from each other, and how likely it is that a user chooses a particular set of names, they are able to accurately match multiple names to a single physical user.
"The tool can find linked usernames 50 per cent of the time with almost absolute accuracy," says Perito. The technique only gets caught out when users deliberately choose disparate names. "But users tend to choose and change their usernames in predictable ways, and they tend to have a small set of distinct usernames," explains Perito.
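To check how identifying one of your own handles is, the uniqueness idea described above can be approximated as the information content of the name. This is an added example, not the researchers' tool: the character-bigram model, the add-one smoothing, the `log2(population)` threshold and the small constructed corpus are all assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample corpus (not real account names); absolute values from
# such a small corpus are crude, only the relative ordering is meaningful.
CORPUS = ["john", "johnny", "john123", "mike", "mike1985", "sarah", "sarah_k",
          "alex", "alexander", "anna", "maria", "david", "dave99", "chris",
          "christina", "james", "jane", "emma", "tom", "tommy"]
START, END = "^", "$"

def train(names):
    """Count character bigrams, with start/end markers, over the corpus."""
    counts = defaultdict(Counter)
    alphabet = {END}
    for name in names:
        chars = [START] + list(name.lower()) + [END]
        alphabet.update(chars[1:])
        for prev, cur in zip(chars, chars[1:]):
            counts[prev][cur] += 1
    return counts, alphabet

def surprisal_bits(name, model):
    """Return -log2 P(name) under the bigram model with add-one smoothing."""
    counts, alphabet = model
    vocab = len(alphabet) + 1  # one extra slot for characters never seen in training
    chars = [START] + list(name.lower()) + [END]
    bits = 0.0
    for prev, cur in zip(chars, chars[1:]):
        total = sum(counts[prev].values())
        bits -= math.log2((counts[prev][cur] + 1) / (total + vocab))
    return bits

def likely_unique(name, model, population):
    """True when fewer than one user in `population` is expected to pick `name`."""
    return surprisal_bits(name, model) > math.log2(population)

MODEL = train(CORPUS)

if __name__ == "__main__":
    # 10 million matches the size of the dataset mentioned in the article.
    for handle in ["john", "john123", "xq7_vortex_zk92"]:
        print(f"{handle:18s} {surprisal_bits(handle, MODEL):6.1f} bits  "
              f"likely unique: {likely_unique(handle, MODEL, 10_000_000)}")
```

A handle whose score sits well above the threshold is the kind that can act as an identifier on its own, so reusing it across services makes those accounts easy to tie together.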
The technique could be used by scammers who would be able to create a detailed profile of what you buy online, and what sites you visit.
"It's interesting research," says Fitzgerald. "If these techniques were extended… then far more sophisticated profiles [than available at present] could be created."
"But the ultimate risk is the information that people freely give away," he warns – personal details that go far beyond usernames. "People need to think about the consequences of sharing their lives on the internet."