October 20, 2006

Easily Cracked Xoom Accounts?

Marhgil pinged me about Xoom’s accounts being easily hacked (I think it’s more like cracked). He explained more about it here on his blog.

Since I have been a regular Xoom user, I was very curious about how this could be done. So I tried the simple steps he outlined: figure out the login email, figure out the bank account number, and figure out the zip code. Let's look at how easy it is to find the three pieces of data required to reset a password.

We'll use a scale of 1 to 10, with 1 being the hardest to figure out and 10 the easiest.

1) Email Address – if the Xoom account owner has a website or a blog, chances are his or her email address is posted there. This is practically the easiest piece of data to mine on the net. I'll give this 8 points on the scale.

2) Bank Account Number – I'm not sure whether the regular Xoom account holder adds a bank account to the Xoom profile, but what's the likelihood that this person also publishes his or her account number online? OK, for people who run some sort of business and post their bank account number online, this could be a huge drawback. I'll give this one just 2 points on the scale.

3) Zip Code – there's a good chance you can find a person's address online, depending on how much info he or she publishes on the internet. Say 5 points?

Adding up all three factors, we get something like 15 out of 30. That's dead even. Actually, the critical piece of information there is the bank account number. So it really depends on the Xoom user, and for people like me this sure does pose a huge security risk. I tried cracking into my own account and was able to do so with Google in less than 5 minutes (without cheating!).

Now, let's say someone cracked into your Xoom account. What can he do with it? Not much, actually. He can change your password and profile, but that's about it. If you send money, you'll still have to supply and verify your PayPal account or credit card.
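To make the weakness concrete, here is a small Python model of the two recovery designs: the knowledge-based reset described above, where anyone who knows the email, bank account number and zip code can set a new password, next to the e-mailed reset link that (according to the follow-up comments) Xoom moved to. This is an added example, not Xoom's code; the account values, the server key and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample profile; these values are made up for the example.
SAMPLE_ACCOUNT = {
    "email": "owner@example.com",
    "bank_account": "0123456789",
    "zip": "1000",
    "password": "old-password",
}


def weak_reset(account, email, bank_account, zip_code, new_password):
    """Knowledge-based reset of the kind the post describes.

    Whoever can supply the three profile values gets to set a new
    password directly. The 'secrets' are an e-mail address, a bank
    account number and a zip code, all of which may be public.
    """
    if (email == account["email"]
            and bank_account == account["bank_account"]
            and zip_code == account["zip"]):
        account["password"] = new_password
        return True
    return False


class TokenReset:
    """E-mailed reset link: a random, single-use, expiring token.

    Only the mailbox owner ever sees the token, so public profile data
    no longer suffices. Only an HMAC of the token is stored, so a leaked
    table of pending resets cannot be replayed.
    """

    TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

    def __init__(self, account, server_key):
        self.account = account
        self.server_key = server_key
        self.pending = {}  # email -> (token_hmac, expiry)

    def _mac(self, token):
        return hmac.new(self.server_key, token.encode(), hashlib.sha256).hexdigest()

    def request(self, email, now=None):
        """Issue a token for the mailer to send to the address on file.

        Returns None when no account matches. The HTTP response shown to
        the requester must look identical in both cases so the endpoint
        cannot be used to enumerate accounts; the token itself is never
        shown to the requester, only e-mailed.
        """
        now = time.time() if now is None else now
        if email != self.account["email"]:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[email] = (self._mac(token), now + self.TTL_SECONDS)
        return token

    def complete(self, email, token, new_password, now=None):
        """Consume the token: constant-time check, expiry, single use."""
        now = time.time() if now is None else now
        entry = self.pending.get(email)
        if entry is None:
            return False
        token_mac, expiry = entry
        if now > expiry:
            del self.pending[email]
            return False
        if not hmac.compare_digest(token_mac, self._mac(token)):
            return False
        del self.pending[email]  # a link works exactly once
        self.account["password"] = new_password
        return True


if __name__ == "__main__":
    acct = dict(SAMPLE_ACCOUNT)
    print("weak reset with googled data:",
          weak_reset(acct, "owner@example.com", "0123456789", "1000", "attacker"))
    acct = dict(SAMPLE_ACCOUNT)
    tr = TokenReset(acct, b"server-side-secret")
    link_token = tr.request("owner@example.com")
    print("guessed token accepted:", tr.complete("owner@example.com", "guess", "x"))
    print("mailed token accepted:", tr.complete("owner@example.com", link_token, "new"))
```

The point of the comparison is where the secret lives: in the first design it is whatever the attacker can find about you, in the second it is a 256-bit value that only exists in your mailbox for a few minutes. The token store keeps an HMAC rather than the token so that a database dump does not hand out working reset links.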

So there: not a really huge deal for most, but it's still worth looking into.

*Email dispatched to Xoom support.*

Paypal in the Philippines via Xoom
Xoom fixes its Password Recovery feature
Paypal or Xoom: Which one is cheaper for Publishers?

9 Responses to “Easily Cracked Xoom Accounts?”

  1. [...] I found this out through Yuga and Marghil.  Xoom has a lousy password recovery system, unforgivable for a website where trust and security are important.   Further evidence that  shows how important it is to keep your personal information confidential. This is all you need: [...]

  2. Dexter Zafra says:

    That’s scary. If your credit card info goes to the wrong hand, better cancel the account right away.

  3. [...] Other blogs got dugg, others got boing-boinged, but my blog got yugateched! hehehe. Well, it's an honor when a highly respected blogger cites your blog post, right? Which post got yugateched? Check it out here. It's about my post about Xoom's lousy password recovery system (as termed by technopinoy). [...]

  4. [...] Marghil and Yuga have revealed a security risk in Xoom. All you need is someone’s email address, zip code, and bank account number. [...]

  5. [...] As some of you know, that post got yugateched, j spotted, technopinoyed, pinoytechblogged and gavilaned. I checked their password recovery now, and they already made the necessary changes to mitigate this security risk. The New Password screen link will now be sent to your e-mail address. [...]

  6. [...] After several blog posts and discussion over the recent Xoom Password Recovery Facility (see Easily Cracked Xoom Accounts?), Xoom has wised up and fixed that feature. [...]

  7. Dog training says:

    Very interesting… as always! Cheers from -Switzerland-.

  8. eugene aberer says:

    My account was closed by XOOM on May 26, 2010 and they will not tell me why it was closed except to say I violated their service agreement. The main problem with XOOM is no one will tell you anything and they do not answer email or return phone calls. The only thing I can say is XOOM and the US Government are alike: not user friendly.


Written by

Abe is the founder and publisher of YugaTech. You Can follow him on Twitter @abeolandres.
