The site is not strong enough, hackers say Hackers love a challenge. And more than that, they love cash.That’s what Telesign found out this week. A provider of voice-based authentication software, the company challenged hackers to break into its StrongWebmail.com Web site late last week. The prize? US$10,000.On Thursday, a group of security researchers claimed to have won the contest, which challenged hackers to break into the Web mail account of StrongWebmail CEO Darren Berkovitz and report back details from his June 26 calendar entry.The hackers, led by Secure Science Chief Scientist Lance James and security researchers Aviv Raff and Mike Bailey, provided details from Berkovitz’s calendar to IDG News Service. In an interview, Berkovitz confirmed those details were from his account. However, Berkovitz could not confirm that the hackers had actually won the prize. He said he would need to check to confirm that the hackers had abided by the contest rules, adding, “if someone did it, we’ll kind of put our heads down,” he said.Contest rules prevent the researchers from disclosing how they performed their attack, but they were also able to compromise a test StrongWebmail account set up by IDG News Service. The IDG attack did not work initially, but succeeded when security software called NoScript was disabled on the Firefox browser, running on a Windows XP machine. “We found multiple cross-site attacks that allow us to attack other users,” James said. “You have to have a registered account to launch the attack.”StrongWebmail uses Telisign’s telephone authentication system to give webmail users another layer of security. Instead of logging in with a username and password, customers must also enter a secret code that gets telephoned to them whenever they want to log into the site.Banks have been using these phone-based authentication servers to help fight cybercriminals who often steal usernames and passwords from victims.But this kind of authentication — called two-factor authentication — can be thwarted by hackers using what’s known as a man-in-the middle attack. In this attack, the hacker’s software waits for the user to legitimately log into the Web site and then takes over. “They just wait for you to log in and they can do whatever they want,” James said.James said that these contests might be fun, but they don’t provide a realistic measure of real security because they are encumbered with rules. The StrongWebmail contest prohibits working with a company insider, for example. “A bad guy won’t care about rules, he said.Webmail security has gotten a lot of attention over the past year. In September a hacker gained access to Alaska Governor Sarah Palin’s e-mail account and published details of her correspondence on the Internet. A college student named David Kernell has been charged in that incident. Whatever the contest’s outcome, Berkovitz says he hopes his contest gets users — and webmail providers like Google and Yahoo — thinking more about security. “We’re not claiming that this is the ultimate, ultimate solution,” he said. “But we’re trying to bring attention to the username and password portion.” Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe