The popular and widely used Voice over IP service Skype has once again been in the news lately, with a spate of new allegations suggesting that its flimsy account recovery policy presents hackers and hijackers alike with ample opportunities to gain malicious access to accounts drawn from its large and ever-expanding user base of approximately 700 million users worldwide.
Skype was released back in 2003 and was produced by Estonian developers. The service lets users communicate with friends, family and colleagues using a microphone, webcam and instant messaging. Although seen as a vital communication tool by many people, Skype has been the subject of much criticism over the years, as its security and account recovery features have suffered some setbacks.
The most recent network security rumblings come in response to what are being seen as lacklustre security measures put in place by Skype to protect its users' accounts from hijackers trying to gain access to targeted accounts via a rather insecure account recovery process. According to Skype user and security researcher @TibitXimer, his account was compromised as many as six times, and he warns that anybody else's account may suffer the same fate.
He outlines that a Skype account can be hijacked quite simply if the attacker contacts Skype support and provides the first and/or last name on the account, 3-5 contacts on the Skype account and one email address that has been associated with Skype. To cover himself in a his-word-against-Skype's-word dispute over their security measures, he made sure to capture his research with screenshots while chatting to a Skype support agent; these provide evidence that the agent requested only the details outlined above before verifying @TibitXimer's account.
A similar account hijacking issue came to light five months ago, when it was learned on a Russian website that an attacker could sign up for a new account with an email address that was already in use, and from there could continue setting up the account so as to receive the victim's password reset notification details. That time Skype managed to rectify the issue and had it fixed shortly after, but gaping security holes of this sort should not exist in the first place to be taken advantage of.
Time for Skype to clean up its Recovery Policy
How many attacks will it take for Skype to recognise the urgency of this case? Surely it is time for Skype to adopt proactive security measures, like so many of the other communication and social media giants occupying the same space as Skype. Suggested security practices to be put in place include:
Security Questions
As on many sites, security questions can be used in account recovery scenarios: the person attempting to log into the account is required to answer a question initially set up by the account creator, such as a memorable fact or person.
Two-Factor Authentication
Two-step verification provides extra security and peace of mind by adding a further layer of protection. It is an approach to authentication that requires the presentation of two or more of three authentication factors, including a knowledge factor (something the user knows, such as a security question) and a possession factor (something the user has, such as a mobile phone). Some companies, such as Google, require users to enter a code sent to their phone via text message.
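To make the contrast concrete, here is an added example (not Skype's code, and not from the researcher quoted above) of a recovery handler that models the knowledge-only check the article describes beside a hardened version requiring a possession factor, and a registration check that refuses a duplicate email as in the earlier hijack. Account names, emails and contacts are constructed sample data.

```python
import hashlib, hmac, secrets, time

# Constructed sample directory, not real Skype data (hypothetical account).
ACCOUNTS = {
    "alice.example": {"first": "Alice", "last": "Example", "email": "alice@example.test",
                      "contacts": {"bob", "carol", "dave", "erin", "frank"}},
}
ISSUED_CODES = {}  # username -> (sha256 of one-time code, expiry timestamp)

def register_account(username, email):
    """Refuse an email already bound to another account; the earlier hijack relied on
    a duplicate registration receiving the victim's reset notifications."""
    if username in ACCOUNTS:
        return False
    if any(a["email"].lower() == email.lower() for a in ACCOUNTS.values()):
        return False
    ACCOUNTS[username] = {"first": "", "last": "", "email": email, "contacts": set()}
    return True

def knowledge_check(username, name, contacts, email):
    """The knowledge-only verification the article describes: a first or last name,
    three matching contacts and the registered email. All of it is discoverable by
    anyone who knows the victim, so on its own it must never release the account."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    name_ok = name in (acct["first"], acct["last"])
    contacts_ok = len(set(contacts) & acct["contacts"]) >= 3
    return name_ok and contacts_ok and email.lower() == acct["email"].lower()

def issue_possession_code(username, now=None, ttl=600):
    """Mint a 6-digit one-time code for delivery to the registered phone (the possession
    factor). Only its hash is stored; the plaintext goes to the delivery channel."""
    code = f"{secrets.randbelow(10**6):06d}"
    expiry = (time.time() if now is None else now) + ttl
    ISSUED_CODES[username] = (hashlib.sha256(code.encode()).digest(), expiry)
    return code

def hardened_recovery(username, name, contacts, email, code, now=None):
    """Release the account only when the knowledge evidence AND a fresh, unused
    possession code both check out. Any attempt consumes the code, so a wrong
    guess cannot be retried against it."""
    if not knowledge_check(username, name, contacts, email):
        return False
    entry = ISSUED_CODES.pop(username, None)
    if entry is None:
        return False
    code_hash, expiry = entry
    if (time.time() if now is None else now) > expiry:
        return False
    return hmac.compare_digest(code_hash, hashlib.sha256(code.encode()).digest())
```

With the knowledge-only check the support-chat scenario succeeds; with the hardened path it fails unless the caller also holds the code delivered to the registered device.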
Other security measures suggested for Skype come in the form of more comprehensive support that looks into these cases with more urgency, 24/7 support, and an actual security policy that allows users to verify ownership of their accounts.
Until then, SpamTitan's main recommendations for all Skype users are to change their Skype account email address to a unique email that is not linked to any other accounts, and to stay extra vigilant.