Email Account Security

Compromised Email Account

An old email account I no longer use was compromised this morning. I found out about it because my current email address received an email from my old account. The email contained nothing, but a link (which I never clicked). I knew my old email account had a weak password, but because I never used it, I never thought to change the password. Silly me.

What I did:

  • Immediately, I logged onto my old email account and changed the password to something more secure.
  • I checked the Recent Login Activity log to see when and from where the person had logged into my account. It was someone from Poland who logged on 1 minute prior to me logging in and changing my password (like I said, I acted immediately). I didn’t see a way to force the Poland user to get logged out, so I hoped that the email provider would be smart enough to do so when I changed the password.
  • I sent out an apology email to everyone on my contacts list to let them know what happened and advise them NOT to click the link in the original email. I also reminded them about the importance of strong, secure passwords.
  • I googled to see if there was anything else I should/could do, but I didn’t find much more than changing your password.

Tips:

  • Make sure your current email address is in your contact list on your old email accounts. This helped me know right away that my old account was compromised.
  • Use strong, secure passwords. Ideally, they should be at least 8 characters long, contain both uppercase and lowercase letters, and have a mix of letters, numbers, and symbols.
  • Your email password, in particular, should be unique and your most secure password, because if anyone gets access to your email account, they can easily gain access to any of your other accounts.

I think because I was able to act quickly, I was able to prevent some of the spam. Of the people I talked to today, only about half received the spam email.

Google 2-Step Verification

On a related note, Google recently added 2-step verification to Google accounts. With 2-step verification, it requires something you know (your password) and something you have (your phone). When you try to log in to your Google account, Google sends you a code via text or voice message that you have to enter when signing in. I’ve been meaning to set up 2-step verification on my Google account for a few weeks now, but I made sure to do it today.

Mandatory ISP Data Retention Bill

I just read an article about a bill that has just been approved by a committee in the House of Representatives. If the bill passes, it would mandate that Internet service providers (ISPs) store detailed Internet history (including personal and financial information) of all users for a year. In theory, I think I would actually be ok with Internet history being stored, because I can see how that kind of information would be extremely helpful in preventing and prosecuting crime. However, it’s not a perfect world and I have a few concerns about this bill:

  1. The ISPs may use this data improperly.
  2. The ISPs may not keep this data secure. The wealth of data the ISPs would store would make it a prime target for identity thieves and other mischievous hackers (LulzSec, anyone?).
  3. As was mentioned in the article, criminals could just go to public or commercial venues and use the Internet anonymously there.
  4. The name of the bill. Quote from the article: “To make it politically difficult to oppose, proponents of the data retention requirements dubbed the bill the Protecting Children From Internet Pornographers Act of 2011.” /facepalm
Anyway, it seems unlikely that this bill will pass because people are already raising hell about it. 😛

Playstation & Identity Theft

Yesterday, Sony announced that the Playstation Network (PSN) had been compromised and users’ personal information was stolen. This information included name, address, email address, birth date, and login info for PSN. Sony also announced that purchase history and credit card information may have also been obtained.

Mistakes happen and, at least for me, it’s not a huge deal that PSN had a temporary security hole that let hackers get in. The hackers gained access to the information because Sony’s bug treated their Playstation consoles as if they were developer consoles.

What really upsets me is that credit card information is at risk. I can’t think of any reason why developers should have direct access to credit card numbers.

And this brings up another thing that scares me: I have no way of ensuring that when I enter sensitive data online, the company/individual on the other end is doing their job to ensure that the information remains secure. I would hope that developers dealing with sensitive data are competent enough to know how to use encryption and the like (and for goodness’ sake, don’t store it as plain text), but that certainly isn’t always the case.

Last summer, I gave a persuasive speech in my speech class about identity theft. I talked about things like phishing, website spoofing, and downloadable malware. Since it relates to the topic, I figured I would include a few simple tricks from my speech for preventing identity theft:

1. Use strong, secure passwords.
Microsoft recommends using passwords that are at least 14 characters long. They should contain both uppercase and lowercase letters, and a mix of letters, numbers, and symbols. And don’t use the same password for everything. Your email password, in particular, should be unique and your most secure password, because if anyone gets access to your email account, they can easily gain access to any of your other accounts.

2. Use an alternate verification source, when available.
World of Warcraft, for example, allows players to get an optional authenticator and have it tied to their accounts. With the push of a button, the authenticator generates a seemingly random six-digit number for the player, who then enters that number along with his or her password. The six-digit number is created based on the time and a special key tied to each individual authenticator, so that the number can be verified on the server end.
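To make the "time plus a per-device key" idea concrete, here is an added example (mine, not Blizzard's code and not the actual WoW authenticator algorithm) using the standard TOTP construction from RFC 6238: the device and the server share a secret, both derive a counter from the current time, and the six-digit code is a truncated HMAC over that counter. The key below is a constructed demo value; the server side accepts one time step of drift either way.

```python
import hmac
import hashlib
import struct
import time

# Constructed demo key; a real authenticator has its own per-device secret.
DEMO_KEY = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def code_for_counter(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP-style code: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def time_code(key: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """What pressing the button produces: the code for the current 30-second time step."""
    return code_for_counter(key, int(now) // step)


def verify(key: bytes, submitted: str, now: float, window: int = 1,
           step: int = STEP_SECONDS) -> bool:
    """Server-side check. Accepts the current step plus `window` steps on either side so a
    slightly drifted clock still works; compares in constant time so the comparison itself
    does not leak how many digits matched."""
    counter = int(now) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(code_for_counter(key, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = time_code(DEMO_KEY, now)
    print("authenticator shows:", code)
    print("server accepts it now:", verify(DEMO_KEY, code, now))
    print("server accepts it 5 minutes later:", verify(DEMO_KEY, code, now + 300))
```

Because the secret never leaves the device or the server, a stolen password alone is not enough to log in, and a code captured today is useless a minute later.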

Side note: Yes, I talked about WoW in my speech. I even gave an entire informative speech about WoW. I got everyone’s attention when I started the speech with, “Some people say that I don’t exist… because I’m a girl and I play World of Warcraft.” 😛

3. Make sure you use anti-virus software.
And only one anti-virus software program, because having multiple anti-virus programs running at the same time just isn’t good or safe.

4. Verify URLs before entering any personal data on a website.
Spoofed websites are designed to look like legitimate websites and can easily trick people into entering their personal information on fraudulent websites. You should also avoid clicking links directly from email, because they can be disguised.
At the time of my speech, I had also just heard about a new scam called “tabnabbing.” The theory behind the scam is that people are learning to detect spoofed websites, so the webpage will initially look like any normal webpage. After the page detects a period of inactivity (probably due to switching to another tab in your browser), the page will transform itself into a lookalike of another webpage, like the Gmail login page.

I would hope that most people already know about the things I talked about in my speech, but sometimes people surprise me.