Profile

Markus Jakobsson
Member since: July 2008
Activity
-
Wednesday, it was reported that VP candidate Sarah Palin's Yahoo account was hacked by a perpetrator wishing to find incriminating information in her emails. It was not done using some strange computer security vulnerability. It was not done by guessing her password. It was done just in the same way as Paris Hilton's T-Mobile account was hacked some time ago: by guessing the answers to security questions. For Paris Hilton, it was the name of her dog. For Sarah Palin, it was her zip code, date of birth, and where she met her husband.
…
3 years 21 weeks ago
-
A recent Scientific American article describes how easy it is to steal somebody's identity. It uses blog entries, password reset mechanisms, and simple detective work. Make no mistake. You are not secure if you are not a blogger -- this is simply an account of what could be …
3 years 25 weeks ago
-
Malware, like real-world epidemics, has the strange property that it does not only matter to your health how well protected you are, but also, how well average people "out there" are. The more machines that are infected, the higher is your risk of also becoming infected. But that is not all: You are at risk even if you are well protected!
…
3 years 25 weeks ago
-
Once upon a time, malware authors wrote code to infect thousands of machines for entertainment and intellectual stimulation. Today, it's all about the money, and the greatest threat may lie in the silence, making a far more dangerous landscape.
…
3 years 25 weeks ago
-
In a recent post, I described the problems with password reset, and how current password reset questions can be attacked. Here's an in-depth tech talk at I …
3 years 26 weeks ago
-
Do you use the same password all over the place? Yes, you probably do -- whether you know it or not.
…
3 years 26 weeks ago
-
Federal prosecutors have charged 11 people with stealing 41 million credit cards, obtained by wardriving. (Read news story here.) The criminals drove around and scanned wireless networks for vulnerabilities, then installed sniffers that stole credit card information. Was this kind of attack inevitable? I believe it was.
…
3 years 27 weeks ago
-
Search engines and ISPs know who you are and where you've been. Phishers and advertisers do too. But can the average Joe learn this about you? Yes -- for good and bad.
…
3 years 27 weeks ago
-
Look at these three URLs: www.accountonline.com, www.democratic-party.us, www.wachovia.pin-update.com.
…
3 years 28 weeks ago
-
If law enforcement improves, we will all be safer. Right? Well actually, maybe not.
Online fraud is rampant, and the trends are sinister. However, law enforcement, in collaboration with affected service providers, is making substantial progress in going after criminals. The good guys are now routinely capturing drop boxes (the machines used by phishers to collect stolen user credentials), and are often able to trace attacks back to the likely offenders. Newspapers occasionally run stories about busted crime rings. Crimeware writers spend time in jail. Hopefully, increasing risk of being caught will deter many would-be criminals. But to some extent, it is also changing the nature of the crimes.
…
3 years 29 weeks ago
-
Consider a world in which increasingly advanced and impressive consumer electronics are free to the consumer. For example, the electronics might be subsidized by service providers in the business of understanding consumer behavior -- purchase preferences, location, activities -- in order to provide better search, advertising and fraud detection. It is not so hard to believe that we will be there in just a few years. Then what?
…
3 years 30 weeks ago
Comments
Markus Jakobsson's Comments (5)
Commented on What is worse than reusing passwords?
The thing is, you are not likely to change ALL your preferences next week, are you? As long as you remain 70% what you used to be, the system will say it is you. Less than that and you are considered an impostor. The problem with the social security number is that it is not too secret. A lot of sites already have it, and maybe you do not want more of them to know it. Especially if it is a site that is not a financial service provider. And other common questions today have the same problem. My CryptoBytes article of last year (http://www.rsa.com/rsalabs/cryptobytes/CryptoBytes-Winter07.pdf) shows how easy it is to get mothers' maiden names from public records, for example. Password reset is not an easy problem, and what people do today really is not all that secure.
3 years ago
Commented on What is worse than reusing passwords?
This strategy works until you forget the answers to these questions, too. Why would you forget the "real" password, but not these "new passwords"?
4 years ago
Commented on What is worse than reusing passwords?
Here are two papers you can read for more details on preference-based authentication:
http://www.ravenwhite.com/files/quantifying.pdf (to appear in DIM '08)
http://www.ravenwhite.com/files/chi08JSWY.pdf (appeared in CHI '08)
Cheers, Markus
4 years ago
Commented on Can you tell a good URL from a bad one?
James, From what you are writing, you are more knowledgeable than the average user. Most people do not know how to evaluate a URL (for a 30-second tutorial, see http://www.securitycartoon.com/index.php?comic=20070621). But as for the URLs I listed ... one of them is legitimate. The accountonline.com. The other two could have belonged to phishers. They actually do not, they belong to me. I registered them to demonstrate how a phisher could have taken them. Cheers, Markus
4 years ago
Commented on Free iPhones -- then what?
Liu, I do not see this as an educational issue. This is about industry preparedness, and a willingness to deal with problems that have not arisen. It is a matter of how to anticipate trends, and the importance of doing it. Markus
4 years ago
Activity
- Comments: 5
- Friends: 0
- Likes: 0
- Following: 0
- Questions Asked: 0
- Followers: 0
- Questions Answered: 0











