Beverly Hills, CA - Lance James and his team won StrongWebmail.com's "Break Into Our CEO's Email Account and Win 10K" contest. They did it using an XSS script that took advantage of a vulnerability in our vendor's webmail program.
It is important to note that the frontend protection offered by StrongWebmail.com was not compromised. In fact, Lance and his team were forced to find a way around the phone authentication. We are working with our email provider to solve this vulnerability and ensure that the backend email software is more secure. We remain confident that our authentication solution - sending a verification call or text message to a person's cell phone - is the best frontend protection for usernames and passwords. Vulnerabilities in backend cloud-based data such as webmail are a universal security issue for every webmail provider. TeleSign's two factor authentication solution provides the best protection for items where a username and password are not secure enough: health records, financial logins, email, and corporate intranets. The two factor authentication approach has been proven, as evidenced by the success of security tokens. TeleSign's solution is a substitute for the token industry because it is a simple non-hardware and non-software solution. With tokens, multiple accounts require carrying multiple tokens. Moreover, a company is forced to maintain a "token department" that deals with lost or stolen tokens. TeleSign's two factor solution uses the item that everyone carries with them: their cell phone.
We hope this contest brings attention to the importance of email security. Specifically, most email accounts are protected by a simple username and password. It's easy to steal a username and password using a key logger, phishing attack, or guessing the correct password. Sarah Palin's Yahoo email account was breached last year by resetting her password using publicly available information. StrongWebmail.com hopes that the largest webmail providers will offer the option of two factor authentication to their users, as most email breaches happen when a username and password are stolen.
Congratulations to Lance James and his team for winning the contest. Once this vulnerability is fixed, TeleSign will announce a new competition. We won't rest until we have proven that telephone-based authentication is the most secure form of username/password protection available.