Dear Mr. Mrs.
To home is my concern from couple months ago some one has my e mail
address stolen and I dont know haw I can report for this till some one
till me about this web Sid and my email address was ******@hotmail.com
and my password is 123456 please give me an answer as soon as you can
you can call me ###-###-####
Thank you
Email owner
(name redacted)
With the exception of the obviously removed information, this is a
question exactly as I recently received it, sent to my personal email
address.
Now, set aside the fact that this email is clearly written by a
non-English speaker; that’s very common, as the site is visited by
people from all over the planet.
There are several very serious problems with this email
that I want to make sure you never, ever duplicate.
Can you see them? One of them is absolutely frightening.
First, let me give the answer I gave to the questioner:
You can try the instructions on Windows Live Hotmail’s “What to do if you think your
account has been stolen” page.
Now, I’m not hopeful, and you’ll see why in a moment, but it’s worth
a shot.
What’s wrong with this scenario? Let me count the ways.
- I did not obfuscate the password above. This person’s actual password was “123456”.
My first reaction? No wonder your account was stolen. This is absolutely frightening.
- A couple of months? Perhaps within the first few days of a theft you stand a chance,
but after weeks or months my belief is that things are pretty hopeless.
- She gave her password to a total stranger. Yes, that stranger was me, but she
doesn’t know me, and has no clue how trustworthy I may or may not be. She contacted
me using a different Hotmail account, but given her abysmal choice of password for
the first account there’s a very high likelihood that she kept using the same
password for the new account, or one just as easy to crack.
- She gave her phone number to a total stranger. Once again, me, but still it’s
clear that even after having her account stolen, privacy and security lessons have
not yet been made apparent. (And no, I’m not calling her – that’s just not something I do.)
So, after all the fault finding I’ve just indulged in, what can you
learn from this exercise? How can you stay secure?
Let’s just turn each of my concerns around:
- Use a strong password. Always. No excuses. Keep it safe, and share it with no one.
- Act quickly if you suspect that your account has been compromised. Use the
resources available to act on your situation as quickly as possible. Hotmail users
have http://windowslivehelp.com/ specifically for Hotmail support and discussion.
- Keep your private information private. Don’t go throwing your phone number, and
most certainly not your password, to just anyone in the hopes of getting help. There
are too many people out there who will abuse your trust and cause you more trouble.
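“Use a strong password” is easy to say and hard to check. As an added example (not code from the Ask Leo! article), here is a small policy check that turns the advice into something testable: it rejects passwords found on a constructed list of common passwords (real services use breach-derived lists with millions of entries), enforces a minimum length, counts character classes and gives a rough entropy estimate. The function names and the thresholds (10 characters, three character classes) are my own choices, not figures the article states.

```python
"""Added example, not code from the Ask Leo! article: a small password-policy
check that makes the advice above testable.  Function names and thresholds
are my own; the common-password list is a constructed sample."""
import math
import string

# Constructed sample of commonly used passwords; "123456" is the one from the
# reader's email.  A real list is far longer and should be loaded from a file.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123",
    "111111", "letmein", "iloveyou", "123123", "admin",
})

MIN_LENGTH = 10     # assumption: my own threshold, not one the article states
MIN_CLASSES = 3     # of lowercase, uppercase, digits, symbols: require three


def present_classes(pw: str) -> dict:
    """Which character classes the password uses, with the size of each pool."""
    return {
        "lower": (any(c.islower() for c in pw), 26),
        "upper": (any(c.isupper() for c in pw), 26),
        "digit": (any(c.isdigit() for c in pw), 10),
        "symbol": (any(c in string.punctuation or c == " " for c in pw),
                   len(string.punctuation) + 1),
    }


def char_classes(pw: str) -> int:
    """Number of distinct character classes present."""
    return sum(1 for used, _ in present_classes(pw).values() if used)


def entropy_bits(pw: str) -> float:
    """Optimistic entropy estimate: treats every character as drawn uniformly
    from the union of the classes present.  Human-chosen passwords are far
    less random than this, so read the number as an upper bound."""
    pool = sum(size for used, size in present_classes(pw).values() if used)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if len(set(pw)) <= 2:
        problems.append("repeats one or two characters")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Correct Horse 42!"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"{', '.join(verdict)}")
```

The common-password lookup is the check that matters most: “123456” fails it before length or character classes are even considered, which is exactly why a password like that is the first thing an attacker’s wordlist tries. The entropy figure is deliberately labelled an upper bound; a long passphrase passes the policy, but the estimate should not be read as a guarantee.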
I honestly don’t mean to make fun of or shame the person with the
original problem – in fact, I responded to her well prior to posting
this article, not expecting her ever to return to my site anyway. My
hope is that by pointing out the deep flaws in her approach to
passwords and privacy that some of you who might see even vague
similarities with your own approach will rethink your situation, and
take steps to keep yourself more secure.
Sadly, the other thing that’s frightening about this scenario is
simply how common it is.
The same thing happened to me for my Hotmail and Facebook accounts, since they had the same password. My original password was great. It contained upper case, lower case and numbers, but the person was able to change the password because she could answer the security questions when you have supposedly forgotten your password. Facebook supplied the birthdate (I have since deleted the year) and I have changed my identity question, which I had forgotten about completely. It used to be the name of my first dog, however, this person knew the answer. I am pretty sure I know her identity, but can’t prove it. I calmly sent an email to my captured accounts and asked that a password I suggested be used and they be given back to me. The person complied and sent an email back to me. By getting it into Outlook and looking at the information in the header, I was able to determine where the server was.
I was rather upset at Microsoft, though. They were unwilling to give me more information on the activity of MY ACCOUNT and the location of the computer that was using it while it was stolen. If I am right that they could have zeroed in on it, I think that the laws need to be changed. Like your record at school, you should be able to see the information in your account – where you sign on.
I approached the person who I think stole my account, but she denies it. I have since changed my password, although it is no more secure than the first one, which was very secure, but I have changed my identity question on Hotmail.
By the way, this same person tried to change my password and hijack my account in Yahoo. Fortunately, their security question allowed greater flexibility, so it wasn’t about my dog, but something I would only know and I had a different password, which also involved numbers, upper and lower case.
To keep my email accounts secure, I answer the security questions with something that only I would know (because the answer makes absolutely no sense to the question).
For example:
Q: What is your favorite flower?
A: cat
This way, someone cannot guess a series of flowers and hit upon the right one.
Of course, you must make sure that YOU remember your wacky answer or you will be in trouble!
Yes, those common questions are a weak spot. I have a couple of very simple solutions for the problem:
1. don’t pick a question that has a very limited answer set like colors or car makes.
2. When asked for personal information in online forms my first response is LIE LIKE A RUG!!!! Do not give true information unless absolutely necessary, i.e. give them a first name but last name “aaaa”, address “000 anystreet ave”, phone “000 000 0000” etc. Read this article for a scary view of personal information security:
http://www.schneier.com/blog/archives/2007/12/anonymity_and_t_2.html
In it he talks about techniques that can be used to “de-anonymize” anonymous information, i.e.
(snip)
Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. “In general,” the researchers wrote, “few characteristics are needed to uniquely identify a person.”
(/snip)
So unless your personal info is truly required, like mailing info for an online purchase, there is no reason for you to enter correct info.
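The Sweeney result quoted in the comment above is a statement about quasi-identifiers: columns that are not names but that, combined, single people out. As an added example (not part of the comment or of the cited paper), the following measures that effect on a constructed dataset from the data holder’s side, which is how you would assess a release before publishing it. It reports the share of records that ZIP code, gender and date of birth alone identify uniquely, the k of k-anonymity, and what coarsening the ZIP code does to both. All records are made up; the function names are my own.

```python
"""Added example, not part of the comment above or of the Sweeney paper it
quotes: measures how re-identifiable a dataset is when only ZIP code, gender
and date of birth are released (the three fields the quoted passage names).
All records are constructed; function names are my own."""
from collections import Counter

# Constructed records: (zip5, gender, date_of_birth).  Not real people.
RECORDS = [
    ("02139", "F", "1975-03-14"),
    ("02139", "M", "1975-03-14"),
    ("02139", "F", "1980-07-02"),
    ("02139", "F", "1980-07-02"),   # same three values as the row above
    ("10001", "M", "1962-11-30"),
    ("10001", "M", "1962-11-30"),
    ("10001", "M", "1962-11-30"),
    ("94110", "F", "1990-01-01"),
    ("02141", "F", "1975-03-14"),   # differs from the first row only in ZIP
]

ZIP, GENDER, DOB = 0, 1, 2


def group_sizes(records, fields=(ZIP, GENDER, DOB)) -> Counter:
    """How many records share each combination of the released fields."""
    return Counter(tuple(r[i] for i in fields) for r in records)


def unique_fraction(records, fields=(ZIP, GENDER, DOB)) -> float:
    """Share of records whose field combination occurs exactly once, i.e. the
    people the released columns alone would single out."""
    if not records:
        return 0.0
    sizes = group_sizes(records, fields)
    singled_out = sum(
        1 for r in records if sizes[tuple(r[i] for i in fields)] == 1
    )
    return singled_out / len(records)


def k_anonymity(records, fields=(ZIP, GENDER, DOB)) -> int:
    """Smallest group size across all combinations (the k of k-anonymity);
    k == 1 means at least one person is uniquely identifiable."""
    sizes = group_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def generalize_zip(records, keep=3):
    """Coarsen ZIP codes to their first `keep` digits, the usual first step
    for raising k without dropping the column entirely."""
    return [(z[:keep] + "*" * (5 - keep), g, d) for z, g, d in records]


if __name__ == "__main__":
    cases = [
        ("zip+gender+dob", RECORDS, (ZIP, GENDER, DOB)),
        ("gender+dob only", RECORDS, (GENDER, DOB)),
        ("3-digit zip+gender+dob", generalize_zip(RECORDS), (ZIP, GENDER, DOB)),
    ]
    for label, recs, fields in cases:
        print(f"{label:24s} unique={unique_fraction(recs, fields):.2f} "
              f"k={k_anonymity(recs, fields)}")
```

On this constructed data, four of nine records are unique on the three fields, and coarsening the ZIP code to three digits halves that but still leaves k at 1, which is the point the quoted passage makes: a few innocuous-looking attributes are enough, and fixing one of them is rarely enough on its own. The same reasoning is why the commenter’s advice to withhold the real values where they are not needed is sound.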
I think the most important aspect is the password. Even if it’s about your favourite TV show, actor or sportsperson, always insert numbers, lower/upper case combinations, and special characters (if allowed) into the password. Also don’t just give the bare minimum number of characters. Give at least 8-10 in the password.
The security question is your secondary defence, the password is the primary one so make your primary defence as strong as possible.
I’m in the UK and recently we’ve been treated to one of your tremendous televised serials “Damages”. Therein Patti Hughes offers the best advice to all of us. “Trust no-one”. Sad, but true and something we need to remember when choosing passwords and security questions.
This was an eye opener. Having been taught to always tell the truth I’ve always put in the true address or info required…now I’ll do the “color”/”cat” thing with a different twist. I’m sure nobody knows my father’s name but I’ll be safer from now on and try to be more creative and instead of having it remembered, I’ll keep a log of my stuff and keep it in a paper file.
Good tips on security. The first reader comment also struck a chord. Social networking is all the rage now, but we must not forget the fatal pitfall of sharing loads of personal information with our “friends”. Even my Yahoo profile asks for far more than I am willing to divulge. And, as if the social sites don’t get personal enough, (too much) if you answer the endless stream of “20 Questions” e-mails, you’re giving out most of the answers to most of the common security questions available. Let’s stop the insanity and keep our Alma Mater, pets’ names, favorite movies and boxers or briefs preferences to ourselves!
Hmmmm…I’ve never had any problem with my profile or email address being compromised.
However…this article has made me more aware
of the big picture. From here on I will be more careful with my profile/personal information.
Thanks a bunch!!!!
I would like to suggest having 1 or more email addresses from another provider. When I went to reinstall my ISP I forgot my password, and found that the one I wrote down was an older one. Fortunately I gave my provider an alternate email and was able to get the password, and change it. By the way I was discussing the Conficker with friends and was appalled to find out they did not update their windows, and she just made files and dumped unopened mail into them. Sigh.
To keep up with passwords, account information, etc, I suggest an application like Password Safe (passwordsafe.sourceforge.net). I can store Usernames, Passwords, and any other information about that site (challenge/response) in one place. I only have to remember 1 password to open the database, and then I have access to all my account information.
Good suggestion about ‘flower/cat’ – I’ll start using that!
Love the “flower/cat” suggestion. What’s the procedure on applying “Password Safe”? Now that is a very, very good idea, especially for me as I have trouble remembering what happened yesterday.
I have found that a few sites will allow a space in the middle of your password. Combining this with my (German) grandparents’ last name, a space for a missing letter and closing with a number.
My account was stolen. Whoever did this sent bogus emails to my contacts trying to scam money. I am worried about the information in my emails. Could these people use that information? Am I able to report this to authorities? Who?
05-Jun-2010