Usernames alone can give hackers a wealth of phishing data

When we think of phishing attacks and compromised accounts, weak passwords are usually blamed as the root of the problem. A new study suggests, however, that your usernames themselves could become the starting point cybercriminals use to link your accounts and stage targeted phishing attacks.

In a new study published on arXiv, the preprint server hosted by Cornell University, researchers analysed more than 10 million usernames from websites including eBay, Google, and MySpace. Using statistical analysis, the team built a tool that estimates how unique, and therefore how identifying, a username is across the different sites. They found that a user tends to choose very similar usernames across multiple services. Those similarities could let an attacker link a person's accounts and match up several pieces of identifying information, which would provide an open door for fraudulent transactions, experts say.

"I don't think it would be hard to pull off such an attack," says Daniele Perito at the National Institute for Computing and Automation Research, in Grenoble, France, and the lead author of the study.

"The tool can find linked usernames 50 per cent of the time with almost absolute accuracy," explains Perito. He does note that if a person deliberately changes a username to something out of their usual realm, the tool will not work. "But users tend to choose and change their usernames in predictable ways, and they tend to have a small set of distinct usernames," the researchers found.

"Usernames are like digital fingerprints – on a given service, they are the only pieces of information that have to be unique," Patrick Fitzgerald of internet security company Symantec Security Response told New Scientist. Of course, more information than the username would be needed to stage a phishing attack on an individual, he notes.

"But the ultimate risk is the information that people freely give away," Fitzgerald warns about the personal information that people often reveal in their online profiles, such as date of birth, location, or home town. "People need to think about the consequences of sharing their lives on the internet."

Just how well can your usernames be used to identify you on the internet? Perito and his team have made their username uniqueness calculator available for public use. The tool not only gives you an idea of how unique a name is, but can also be used to gauge whether two different usernames are linkable by various traits.
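As an added example (not the researchers' tool, and not code from the original article), the following Python sketches the two calculations such a calculator performs: estimating a username's entropy in bits from a character-bigram model trained on a corpus of usernames, and scoring whether two usernames are linkable by edit-distance similarity after normalizing the predictable variations people make (case, separators, trailing digits). The training corpus is a small constructed list, the add-one-smoothed bigram model and the 0.7 linking threshold are my own simplifications, and the bit counts it reports will not match the researchers' figures, whose models were trained on millions of real usernames.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training corpus: a stand-in for the millions of usernames
# the study analysed. Entropy estimates from so few names are only
# illustrative; the shape of the calculation is the point.
CORPUS = [
    "john", "john1", "john_smith", "jsmith", "jsmith82", "mike", "mike99",
    "mikeb", "sarah", "sarah_k", "sarahk", "alex", "alex2000", "alex_b",
    "dave", "dave_m", "davem", "chris", "chris1", "chrisw", "anna", "anna_l",
    "tom", "tom42", "tomh", "lisa", "lisa_m", "lisam", "paul", "paul7",
]

START, END = "^", "$"          # sentinel symbols marking name boundaries


class BigramModel:
    """Character-bigram Markov model with add-one (Laplace) smoothing.

    P(name) = product of P(c_i | c_{i-1}) over the name, and the username's
    entropy is -log2 P(name): a rare, unpredictable name costs many bits,
    a common pattern such as a first name costs few.
    """

    def __init__(self, names):
        self.counts = defaultdict(Counter)
        seen = set()
        for n in names:
            s = START + n.lower() + END
            seen.update(s)
            for prev, ch in zip(s, s[1:]):
                self.counts[prev][ch] += 1
        # Fixed alphabet so characters unseen in training still get a
        # non-zero probability (assumption: usernames use these symbols).
        self.alphabet = seen | set("abcdefghijklmnopqrstuvwxyz0123456789_.-")
        self.vocab = len(self.alphabet)

    def prob(self, prev, ch):
        row = self.counts.get(prev, Counter())
        return (row[ch] + 1) / (sum(row.values()) + self.vocab)

    def entropy_bits(self, name):
        s = START + name.lower() + END
        return -sum(math.log2(self.prob(a, b)) for a, b in zip(s, s[1:]))


def canonical(name):
    """Strip the variations users typically add when a name is taken:
    case, separators, and trailing digits ('jsmith82' -> 'jsmith')."""
    base = re.sub(r"[^a-z0-9]", "", name.lower())
    stripped = base.rstrip("0123456789")
    return stripped or base        # all-digit names keep their digits


def levenshtein(a, b):
    """Standard edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical strings, 0.0 for strings sharing no alignment."""
    if not a and not b:
        return 1.0
    return 1.0 - levenshtein(a, b) / max(len(a), len(b))


def link_score(a, b):
    """Best of raw and canonical similarity, so 'john_smith' and
    'johnsmith2' score as the same person while unrelated names stay low."""
    return max(similarity(a.lower(), b.lower()),
               similarity(canonical(a), canonical(b)))


def linkable(a, b, threshold=0.7):
    # Threshold is an assumption for this sketch, not the study's value.
    return link_score(a, b) >= threshold


MODEL = BigramModel(CORPUS)

if __name__ == "__main__":
    for name in ("john", "jsmith82", "xq7zk_v9p"):
        print(f"{name:12s} {MODEL.entropy_bits(name):6.1f} bits")
    for pair in (("jsmith82", "jsmith"), ("john_smith", "johnsmith2"), ("jsmith", "anna_l")):
        print(pair, round(link_score(*pair), 2), "linkable" if linkable(*pair) else "distinct")
```

A practitioner building the defensive version of this check (for instance, to warn a user at sign-up that their chosen name is trivially linkable to their other accounts) would replace the constructed corpus with a large real one and calibrate the threshold against known-linked pairs; the bigram model is also the simplest case of the higher-order n-gram models such tools actually use.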

I wasn’t surprised that the username I checked on the site had a rather high entropy of over 38 bits which, according to the site, falls into the range of a “good identifier”. So am I worried that hackers will try to match up my online accounts to use against me? I wouldn’t put it out of the realm of possibility, but I don’t think I’ll be losing any sleep over it tonight.

This study is an exercise in hypothetical situations, not unlike the warnings you see on the nightly news about homes getting robbed because people posted on Facebook that they were on vacation. It makes for a good story, but there just isn’t enough hard evidence to support the supposed dangers quite yet. Still, a little bit of caution can go a long way toward keeping personal data safe. Maybe next time I sign up for a new online account I’ll use something a bit out of the ordinary.
