We looked last week at some of the ways that Mary’s Hotmail email account could have been hacked. They were: fake verification emails, fake login pages; fake “Vote for me!” emails;”man-in-the-middle” attacks; using untrusted computers and/or forgetting to logoff; virus infections.
Here are some more ways that the bad guys could have hacked her account.
Easy-to-answer security questions. Online accounts are easy to hack if you can answer the “security” questions that let you access “lost password” accounts. You know those questions you answered when you first setup the account, such as, “What is your mother’s maiden name,” “what is your favorite restaurant,” or, “who was your first grade teacher?”
If this information is public knowledge, or is on a website like Facebook, the account hacking chore is that much easier. This is how Sarah Palin’s Yahoo email account was hacked (see my column titled, “Sarah Palin email hack another wakeup call,” 9-21-08, on my website). I suggest using phony answers to security questions, i.e., “What is your mother’s maiden name?” Answer: “Fraginstataglug.”
Lost or stolen devices. Zillions of laptop computers, cell phones and other portable electronic devices are lost or stolen every year. Do not store passwords or security question answers in an unencrypted file on these devices; just don’t.
Using crummy passwords. The bad guys use automated hacking programs to crack passwords. They even have ways to get around CAPTHCA protections; you know, those things that make you type in goofy, distorted-looking letters and numbers. A good password will not resemble any word found in any dictionary on earth; in fact, it should look like totally random goobledegook. See my column titled, “Stupid users pick lame passwords,” 3-1-09, on my website.
Using the same password for everything. Well, surprise, surprise: you use the same password for email, eBay, Facebook and your bank account. The bad guys crack your Facebook password. Guess what else they have?
Insecure browsers, websites, programs and operating systems. Insecure websites lead to insecure transactions. Use HTTPS for everything. Read my column titled, “Batten down the hatches with encryption, Part One, 5-24-09,” on my website. After reading that column, consider using HTTPS Everywhere (eff.org/https-everywhere) in combination with the Firefox browser (mozilla.com).
In addition, everything in a computer requires frequent updating. That’s just the way it is. Thousands of security holes have been discovered in all of the most commonly used programs and new security holes are discovered every day. If you are not prepared, the bad guys will use these holes to steal your stuff.
Microsoft Windows, Apple Mac OS X, Flash, Java, Adobe Reader, Microsoft Office, iTunes, QuickTime, Windows Media Player, Firefox, Internet Explorer and Safari all require, as Star Trek’s Mr. Spock would say, “monitoring and periodic adjustment.” Maybe it’s a hassle, but that’s just the way it is; update and be safe.
Computer security breaches and “leaks.” Government agencies, educational institutions and businesses get hacked every day. Sometimes, huge, stupid, accidental information “leaks” occur, compromising the security and privacy of thousands, even millions of people at once.
As it turns out, the passwords to 10,028 Hotmail accounts, all beginning with the letters A and B, were “somehow” posted to an online forum used by software developers on October 1st, 2009. This breach was witnessed and reported by journalists from the BBC. Speculation about hacked Microsoft servers flew around the Web.
Naturally, Microsoft insisted that it couldn’t be their fault. After much harrumphing and negotiating, Microsoft caused the website to delete the list and promised a swift investigation. Now, over a year later, the results of that investigation are still unknown. BBC reporters postulated that since the list was only comprised of accounts beginning with A and B, the actual list, including the letters C through Z, could be much larger.
Was Mary’s email account password part of that list? Is that how her Hotmail account was hacked? We will probably never know. The bad guys of the Internet are sitting of huge stacks of leaked and breached information, potentially compromising the privacy and financial security of millions upon millions of people. God only knows if and when they will decide to exploit what they have. Until then, we wait.