Dear Mr. Mrs.
To home is my concern from couple months ago some one has my e mail
address stolen and I dont know haw I can report for this till some one
till me about this web Sid and my email address was ******@hotmail.com
and my password is 123456 please give me an answer as soon as you can
you can call me ###-###-####
Thank you
Email owner
(name redacted)
With the exception of the obviously removed information, this is a
question exactly as I recently received it, sent to my personal email
address.
Now, set aside the fact that this email is clearly written by a
non-English speaker; that's very common, as the site is visited by
people from all over the planet.
There are several very serious problems with this email
that I want to make sure you never, ever duplicate.
Can you see them? One of them is absolutely frightening.
]]>
<![CDATA[
Become a Patron of Ask Leo! and go ad-free!
First, let me give the answer I gave to the questioner:
You can try the instructions on Windows Live Hotmail's What to do if you think your
account has been stolen page.
Now, I'm not hopeful, and you'll see why in a moment, but it's worth
a shot.
the ways."
What's wrong with this scenario? Let me count the ways.
- I did not obfuscate the password above. This
persons actual password was "123456". My first reaction? No
wonder your account was stolen. This is absolutely frightening. - A couple of months? Perhaps within the first few
days of a theft you stand a chance, but after weeks, or months my
belief is that things are pretty hopeless. - She gave her password to a total stranger. Yes,
that stranger was me, but she doesn't know me, and has no clue on how
trustworthy I may or may not be. She contacted me using a different
Hotmail account, but given her abysmal choice of password for the first
account there's a very high likelihood that she kept using the same
password for the new account, or one just as easy to crack. - She gave her phone number to a total stranger. Once
again, me, but still it's clear that even after having her account
stolen privacy and security lessons have not yet been made apparent.
(And no, I'm not calling her - that's just not something I do.)
So, after all the fault finding I've just indulged in, what can you
learn from this exercise? How can you stay secure?
Let's just turn each of my concerns around:
- Use a strong
password. Always. No excuses. Keep it safe, and share
it with no one. - Act quickly if you suspect that your account has
been compromised. Use the resources available to act on your situation
as quickly as possible. Hotmail users have http://windowslivehelp.com/ specifically for Hotmail
support and discussion. - Keep your private information private. Don't go
throwing your phone number and most certainly not your password to just
anyone in the hopes of getting help. There are too many people out
there who will abuse your trust and cause you more trouble.
I honestly don't mean to make fun of or shame the person with the
original problem - in fact, I responded to her well prior to posting
this article, not expecting her ever to return to my site anyway. My
hope is that by pointing out the deep flaws in her approach to
passwords and privacy that some of you who might see even vague
similarities with your own approach will rethink your situation, and
take steps to keep yourself more secure.
Sadly, the other thing that's frightening about this scenario is
simply how common it is.
The same thing happened to me for my Hotmail and Facebook accounts, since they had the same password. My original password was great. It contained upper case, lower case and numbers, but the person was able to change the password because she could answer the security questions when you have supposedly forgotten your password. Facebook supplied the birthdate (I have since deleted the year) and I have changed my identity question, which I had forgotten about completely. It used to be the name of my first dog, however, this person knew the answer. I am pretty sure I know her identity, but can’t prove it. I calmly sent an email to my captured accounts and asked that a password I suggested be used and they be given back to me. The person complied and sent an email back to me. By getting it into Outlook and looking at the information in the header, I was able to determine where the server was.
I was rather upset at Microsoft, though. They were unwilling to give me more information on the activity of MY ACCOUNT and the location of the computer that was using it while it was stolen. If I am right that they could have zeroed in on it, I think that the laws need to be changed. Like your record at school, you should be able to see the information in your account – where you sign on.
I approached the person who I think stole my account, but she denies it. I have since changed my password, although it is no more secure than the first one, which was very secure, but I have changed my identity question on Hotmail.
By the way, this same person tried to change my password and hijack my account in Yahoo. Fortunately, their security question allowed greater flexibility, so it wasn’t about my dog, but something I would only know and I had a different password, which also involved numbers, upper and lower case.
To keep my email accounts secure, I answer the security questions with something that only I would know (because the answer makes absolutely no sense to the question).
For example:
Q: What is your favorite flower?
A: cat
This way, someone cannot guess a series of flowers and hit upon the right one.
Of course, you must make sure that YOU remember your wacky answer or you will be in trouble!
Yes, those common questions are a weak spot. I have a couple of very simple solutions for the problem:
1. don’t pick a question that has a very limited answer set like colors or car makes.
2. When asked for personal information in online forms my first response is LIE LIKE A RUG!!!! Do not give true information unless absolutely necessary. ie give them a first name but last name “aaaa”, address “000 anystreet ave”, phone “000 000 0000” etc. Read this article for a scary view of personal information security:
http://www.schneier.com/blog/archives/2007/12/anonymity_and_t_2.html
In it he talks about techniques that can be used to “de-anonymize” anonymous information ie
(snip)
Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. “In general,” the researchers wrote, “few characteristics are needed to uniquely identify a person.”
(/snip)
So unless your personal info is truly required, like mailing info for an online purchase, there is no reason for you to enter correct info.
I think the most important aspect is the password. Even if its about your favourite TV show, actor or sportperson always insert numbers, lower/upper csse combinations, and special characters(if allowed) into the password. Also don’t just give the bare minimum number of characters. Give atleast 8-10 in the password.
The security question is your secondary defence, the password is the primary one so make your primary defence as strong as possible.
I’m in the UK and recently we’ve been treated to one of your tremendous televised serials “Damages”. Therein Patti Hughes offers the best advice to all of us. “Trust no-one”. Sad, but true and something we need to remember when choosing passwords and security questions.
This was an eye opener. Having been taught to always tell the truth I’ve always put in the true address or info required…now I’ll do the “color”/”cat” thing with a different twist. I’m sure nobody knows my father’s name but I’ll be safer from now on and try to be more creative and instead of having it remembered, I’ll keep a log of my stuff and keep it in a paper file.
Good tips on security. The first reader comment also struck a chord. Social networking is all the rage now, but we must not forget the fatal pitfall of sharing loads of personal information with our “friends”. Even my Yahoo profile asks for far more than I am willing to divulge. And, as if the social sites don’t get personal enough, (too much) if you answer the endless stream of “20 Questions” e-mails, you’re giving out most of the answers to most of the common security questions available. Let’s stop the insanity and keep our Alma Mater, pets’ names, favorite movies and boxers or briefs preferences to ourselves!
Hmmmm…I’ve never has any problem with my profile or email address being compromised.
However…this article has made me more aware
of the big picture. From here on I will be more carefull with my profile/personal information.
Thanks a bunch!!!!
I would like to suggest having 1 or more email addresses from another provider. When I went to reinstall my ISP I forgot my password, and found that the one I wrote down was an older one. Fortunately I gave my provider an alternate email and was able to get the password, and change it. By the way I was discussing the Conficker with friends and was appalled to find out they did not update their windows, and she just made files and dumped unopened mail into them. Sigh.
To keep up with passwords, account information, etc, I suggest an application like Password Safe (passwordsafe.sourceforge.net). I can store Usernames, Passwords, and any other information about that site (challenge/response) in one place. I only have to remember 1 password to open the database, and then I have access to all my account information.
Good suggestion about ‘flower/cat’ – I’ll start using that!
Love the “flower/cat suggestion. Whats the procedure on applying “Password Safe”? Now that is a very, very good idea, especially for me as I have trouble remembering what happened yesterday.
I have found that a few sites will allow a space in the middle of your pasword. Combining this with my (German) grandparents last name, a space for a missing letter and close with a number.
my account was stolen. Whom ever did this, sent bogus emails to my contacts trying to scam money?I am worried about the information in my emails. Could these people use that information? I am able to report this to authorities? Who?
05-Jun-2010