Ever hear of StrongWebmail.com? It claims to work unlike any other form of email protection on the market today. “Your private correspondence remains just that – private,” it boasts on its website. “No snoopers, no hackers - period! How do we do it? By using a telephone verification system that stops hackers dead in their tracks. We have it, and no one else does.”
StrongWebmail.com launched in the last week of May. On June 3, the provider of voice-based authentication software issued a challenge: Hackers who could break into its CEO’s account and find out his schedule for June 26 (the service provides calendaring) would win $10,000. Darren Berkowitz, the company CEO, even published his account name and password.
This is the kind of bravado move that the new kids on the block sometimes make to get attention. Unfortunately, StrongWebmail was soon getting the wrong kind of attention. On Thursday, a group of security researchers led by Secure Science Chief Scientist Lance James, who is widely viewed as a leading expert on computer security techniques, and security researchers Aviv Raff and Mike Bailey, claimed to have won the contest and had the details of Berkowitz’s account to prove it.
What takes this story out of the realm of yet another start-up that talks the talk but fails, in this instance at least, to deliver is that StrongWebmail.com is based on phone verification: to get access to a StrongWebmail account, the account owner must receive a verification call on their phone. This means that even if your password is stolen, the thieves can’t access your email because they don’t have access to your telephone.
What’s more, the StrongWebmail approach is powered by TeleSign, a leading, privately held provider of telephone verification services to web-based companies of all sizes, including many Fortune 500 companies. Now it may just be a wild coincidence, but TeleSign and StrongWebmail are both based in Beverly Hills, California. In fact, they are both headquartered in the same building, 9454 Wilshire Blvd.
This would lead us to suspect that TeleSign and StrongWebmail are one and the same, or at the very least that TeleSign is a StrongWebmail backer. (We have a call in to TeleSign to verify this.) If so, Lance James and company didn’t just breach a start-up email security company. They hacked TeleSign’s vaunted telephone verification system, one that’s widely accepted throughout corporate America.
StrongWebmail confirmed that the data obtained was correct, but is holding off on paying out the prize because management has yet to be convinced that James and the others stuck to the competition rules, which prohibit the use of social engineering trickery, whatever that might be. And now Berkowitz is hedging on the company’s “the most secure email accounts on the planet” boast, saying, “We’re not claiming that this is the ultimate, ultimate solution… But we’re trying to bring attention to the username and password portion.”
Maybe you should have told us so earlier. In the meantime, if the hackers need to collect their winnings in person, they at least know Berkowitz’s June 26 schedule. Or they can simply drop by 9454 Wilshire Blvd.