Monday, October 06, 2014

How Did Someone Get My Email Password?

All your friends are saying you’ve been hacked because you emailed them malware.
In some circles I'm known best for my knowledge and experience with computer security. Occasionally I find a topic that is so important, yet so easy to understand, that I want to share it with friends and neighbors in Scotia. This is one of those topics.

Interested in hacking into the email account of Charlie Sheen, Rob Lowe, Sean Penn or Carson Daly? You'll want to know they attended Santa Monica High School. Want access to the CEO of a large retail corporation? Keep reading.

Simple question used by Yahoo to verify your identity.


Truth is we’re all screwed but having good password habits will keep out the amateurs. It may save you from emailing people on your contact list to say, “I’ve been hacked, if you received email from me don’t click on the link.”

My security expert friends will advise you to use…

1) Strong Passwords
2) Unique passwords for each of your password protected websites
3) Two-step verification

Important Advice to Share From BillP
My most important tip to family and friends is “Use fake information when asked for answers to security questions.”


Example of making up your own unique answers to security questions.


I had plenty of time this summer to research malware and identify the first step in the infection process. The most common way to get hacked is someone using the small amount of public information needed to reset your email password. Once they control one of your email accounts, it's not hard to have password resets for your other services sent there and take those over too.

I recommend creating easy-to-remember jokes to use as answers to security questions. For "What high school did you attend?" pick something like Jefferson High School (Happy Days) or Rydell High (Grease). I won't tell you what it is, but people often laugh out loud when they see what I use for my mother's maiden name. Yes, some companies still use it. Whatever you pick, record it in the same place you keep your passwords: a forgotten fake answer locks you out just as effectively as a real one lets an attacker in.

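Here is the advice above turned into a small tool. It is an added example, not code from the original post: it treats every security answer as a second password (random, unique per site, written down so you can find it again), checks a submitted answer the way a site should, flags an answer that is reused across sites, and warns when an answer is something an attacker could simply look up. The word list, the site names and the "public facts" list are constructed for the example and are not drawn from the post.

```python
import hmac
import secrets

# Constructed word list for this example (an assumption, not a real tool's list);
# a real implementation would use a large public list such as the EFF diceware words.
WORDS = [
    "rydell", "jefferson", "pier", "walnut", "cactus", "orbit", "velvet", "harbor",
    "maple", "comet", "lantern", "pickle", "saddle", "thunder", "violet", "zebra",
    "anchor", "biscuit", "copper", "dragon", "ember", "falcon", "glacier", "hammock",
]


def normalize(text):
    """Lower-case and collapse whitespace so 'Homestead High School' and
    'homestead  high school' compare equal, the way most sites treat answers."""
    return " ".join(text.lower().split())


class SecurityAnswerVault:
    """Treat every security answer as a second password: random, unique per
    site and question, and recorded so it can be found again later."""

    def __init__(self, words=WORDS, n_words=3):
        self._words = list(words)
        self._n_words = n_words
        self._answers = {}  # (site, question) -> answer

    def generate(self):
        """Build a random multi-word answer from the OS CSPRNG (secrets), not random.choice."""
        return " ".join(secrets.choice(self._words) for _ in range(self._n_words))

    def store(self, site, question, answer):
        """Record an answer you chose yourself, e.g. 'Rydell High'."""
        self._answers[(normalize(site), normalize(question))] = answer
        return answer

    def answer_for(self, site, question):
        """Return the stored answer, creating a fresh random one on first use."""
        key = (normalize(site), normalize(question))
        if key not in self._answers:
            self._answers[key] = self.generate()
        return self._answers[key]

    def check(self, site, question, candidate):
        """Verify an answer with a constant-time compare; an unknown site/question never matches."""
        expected = self._answers.get((normalize(site), normalize(question)))
        if expected is None:
            return False
        return hmac.compare_digest(normalize(expected).encode(), normalize(candidate).encode())

    def reused_answers(self):
        """Answers shared by more than one site: a breach of any one of them exposes the rest."""
        by_answer = {}
        for (site, _question), answer in self._answers.items():
            by_answer.setdefault(normalize(answer), set()).add(site)
        return {answer: sorted(sites) for answer, sites in by_answer.items() if len(sites) > 1}


def looks_real(answer, public_facts):
    """True when the answer is something an attacker could look up: it equals,
    contains, or is contained in one of the facts already findable about you."""
    a = normalize(answer)
    for fact in public_facts:
        f = normalize(fact)
        if a == f or (len(a) >= 4 and (a in f or f in a)):
            return True
    return False


if __name__ == "__main__":
    vault = SecurityAnswerVault()
    question = "What high school did you attend?"
    print("yahoo.com answer:", vault.answer_for("yahoo.com", question))
    # Constructed "public facts" list, standing in for what a search turns up.
    print("Homestead looks real:", looks_real("Homestead", ["Homestead High School"]))
```

The vault is the point: the fake answer only helps if you can produce it again when the site asks, so it lives next to your passwords rather than in your memory.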

Target’s Easy Target

Using real data is dangerous. In less than 15 minutes I was able to find information about “former” Target CEO Gregg Steinhafel. His mother’s maiden name was Schreindl. He graduated from Homestead High School.
His first job was at Steinhafel's Furniture and he attends Wayzata Community Church. Born in Milwaukee, Steinhafel graduated from Carroll University in 1977 and earned an MBA from Northwestern University two years later. I could say more but for the safety of his wife and three children I’ll stop here.

When a college student gained access to Sarah Palin's Yahoo email account in 2008 he wasn't a computer genius. He just looked up the answers to the security questions Yahoo used for password resets. That was six years ago, and the method still works; it remains one of the most common ways to take over an account.


I’ve also noticed a set of quizzes common on Facebook specifically designed to collect personal data used in security questions.  I am currently investigating the background of the companies who spread these quizzes. Most created their domain within the last 30 days. I will share any information in the future.


Some Security Advice May Be Outdated
Complicated passwords:
Some may recommend a complicated password like “hfY4df$dhEW_!cvrh3H7D&d.” It's safer than 123456 but not easy to remember. A complicated password helps against programs that try every possible combination, but most online services lock you out after a handful of incorrect attempts, so guessing through the login page is slow going. Length and complexity still matter if the service's password database is stolen, because the attacker can then guess offline with no lockout at all.

Unique passwords:
Using different passwords on different services is good advice, but unless you use a password manager it's too easy to forget them. If you're like me you'll just end up resetting your password using security questions, which puts you right back on the weakest path.

Two-Step Verification

Two-step verification is a step in the right direction. For banking or any service where real harm could be done it's worth the extra step. If someone gains access to your cell phone or one of your email accounts, though, the benefit is lost. Unfortunately, you're also trusting that the company is not going to take advantage of having more of your personal data, like your cell phone number or alternate email address.
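To make the "if someone gains access to your cell phone the benefit is lost" point concrete, here is how the second step works when it is an authenticator app rather than a text message. This is an added example, not code from the original post: it implements the standard one-time-password algorithms (HOTP, RFC 4226, and its time-based form TOTP, RFC 6238) with the Python standard library, plus the server-side check that tolerates a little clock skew. The function names, the base32 key and the time values are this example's own; the base32 string is a commonly used sample key, not anyone's real secret.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter with the shared secret,
    dynamically truncate to 31 bits, and keep the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second
    intervals since the Unix epoch. The phone and the server both compute this."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time // step), digits, algo)


def verify_totp(secret, candidate, unix_time=None, window=1, **kw):
    """Server-side check: accept the code for the current interval or up to
    `window` neighbouring intervals (clock skew), comparing in constant time.
    Note what is NOT checked: who holds the phone. Anyone who copies the secret,
    or the device it lives on, can mint valid codes forever."""
    if unix_time is None:
        unix_time = time.time()
    step = kw.get("step", 30)
    for delta in range(-window, window + 1):
        expected = totp(secret, unix_time + delta * step, **kw)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def secret_from_base32(text):
    """Authenticator apps receive the shared secret as base32 inside the QR code
    (e.g. 'JBSWY3DPEHPK3PXP'); pad it back to a multiple of 8 before decoding."""
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


if __name__ == "__main__":
    # Sample key: a widely used demo value, not a real account's secret.
    key = secret_from_base32("JBSWY3DPEHPK3PXP")
    code = totp(key)
    print("current code:", code)
    print("server accepts it:", verify_totp(key, code))
```

The takeaway is that the whole second step reduces to one shared secret stored on the phone; the code changes every 30 seconds, but the secret that produces it does not, which is why losing the device (or the account that receives SMS codes) hands over the second factor along with it.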


Some Advice Will Never Change

As for the recent breaches at Home Depot, Lowe's and other large companies, the advice hasn't changed much in 20 years. When your bill comes, check all your charges and make sure they're legitimate. Most likely you can access your credit card online and see charges as they come in. If you haven't already, register an account connected to your credit card and review charges regularly.

Reviewing your bills doesn't just apply to credit or bank cards. Keep an eye on any charges like your cable or phone bill. Legitimate companies have been known to add bogus charges. Verizon Wireless added a monthly charge for ring tones on Cindi's phone. They claimed she agreed to the monthly charge by not responding to a text message. They removed the charge when I explained that her cell phone at the time didn't support text messaging.