Marhgil pinged me about Xoom’s accounts being easily hacked (I think it’s more like cracked). He explained more about it here on his blog.
Since I have been a regular Xoom user, I was very curious about how this could be done. So, I tried the simple steps he outlined — figure out the login email, figure out the bank account number, and figure out the zip code. Let’s look into how easy it is to find the three pieces of data required to reset your password.
We’ll use a scale of 1 to 10, 1 being the hardest to figure out and 10 being the easiest.
1) Email Address – if the Xoom account owner has a website or a blog, chances are his or her email address is posted there. This is practically the easiest data to mine on the net. I’ll give this 8 points on the scale.
2) Bank Account Number – I’m not sure if the regular Xoom account holder adds his or her bank account to their Xoom profile, but what’s the likelihood that this person also publishes his or her account number online? Ok, for people who run some sort of business and post their bank account online, this could be a huge drawback. I’ll give this one just 2 points on the scale.
3) Zip Code – there’s a good chance you can find a person’s address online, depending on how much info he or she publishes on the internet. Say 5 points?
Adding up all three factors, we get something like 15 out of 30. That’s dead even. Actually, the critical piece of information there is the bank account number. So, it really depends on the Xoom user, and for people like me this sure does pose a huge security risk. I tried cracking into my account and was able to do so with Google in less than 5 minutes (without cheating!).
Now, let’s say someone cracked into your Xoom account. What can he do with it? Not much, actually. He can change your password and profile, but that’s about it. If you send money, you’ll still have to supply and verify your PayPal account or credit card account.
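The weakness described above is that the reset flow accepts static profile attributes (email, bank account number, zip code) that a person may have published, rather than proof of control over the registered mailbox. The added example below is mine, not Xoom’s code, and contrasts that knowledge-based reset with a single-use, expiring reset token. The account values, the 15-minute token window and the plain SHA-256 password hash are assumptions made for illustration.

```python
"""Knowledge-based password reset (the scheme the post describes) beside a
token-based reset that proves control of the registered email address.

Added example, not Xoom's code. Every account value is constructed.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a 15-minute reset window


@dataclass
class Account:
    email: str
    bank_account: str  # static profile attributes, as in the post
    zip_code: str
    password_hash: str
    # sha256(token) -> expiry timestamp; only the hash is stored server-side
    reset_tokens: Dict[str, float] = field(default_factory=dict)


def hash_password(pw: str) -> str:
    # Illustration only; a real service uses a slow KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(pw.encode()).hexdigest()


# --- Knowledge-based reset: the weak flow the post describes ------------------
def kba_reset(acct: Account, bank_account: str, zip_code: str, new_pw: str) -> bool:
    """Resets the password if the caller knows two static profile attributes.

    Both inputs are things a person may have posted online; nothing here proves
    control of the mailbox or knowledge of the current password.
    """
    if hmac.compare_digest(acct.bank_account, bank_account) and hmac.compare_digest(
        acct.zip_code, zip_code
    ):
        acct.password_hash = hash_password(new_pw)
        return True
    return False


# --- Token-based reset: ties the reset to the registered mailbox --------------
def request_reset(acct: Account, now: Optional[float] = None) -> str:
    """Issues a random, single-use token and records only its hash.

    The returned token stands in for the link the service would email to
    acct.email; the server never stores the token itself.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    acct.reset_tokens[digest] = now + TOKEN_TTL_SECONDS
    return token


def complete_reset(acct: Account, token: str, new_pw: str, now: Optional[float] = None) -> bool:
    """Accepts a token once, and only before it expires."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    # pop() consumes the token whether or not the reset succeeds (single use)
    expiry = acct.reset_tokens.pop(digest, None)
    if expiry is None or now > expiry:
        return False
    acct.password_hash = hash_password(new_pw)
    acct.reset_tokens.clear()  # a successful reset voids any other outstanding tokens
    return True


def demo() -> Dict[str, bool]:
    """Runs both flows against a constructed account and reports each outcome."""
    acct = Account("owner@example.invalid", "001234567890", "1234", hash_password("old-pw"))
    results = {}
    # Publicly discoverable attributes are enough for the knowledge-based flow.
    results["kba_with_public_data"] = kba_reset(acct, "001234567890", "1234", "pw1")
    token = request_reset(acct, now=1000.0)
    results["token_wrong_value"] = complete_reset(acct, "not-the-token", "pw2", now=1001.0)
    results["token_first_use"] = complete_reset(acct, token, "pw2", now=1001.0)
    results["token_reuse"] = complete_reset(acct, token, "pw3", now=1002.0)
    late = request_reset(acct, now=2000.0)
    results["token_expired"] = complete_reset(acct, late, "pw4", now=2000.0 + TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'reset accepted' if ok else 'reset rejected'}")
```

The point of the contrast is where the secret lives: in the knowledge-based flow the "secret" is profile data the account owner may already have published, while in the token flow it is a fresh random value that exists only in the owner’s inbox and is consumed on first use.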
So there, not a really huge deal for most, but it’s still worth looking into.
*Email dispatched to Xoom support.*