16 July 2010

Email Account Takeover

It just happened to another one of my friends: suddenly everybody in their address book is telling them that they got some serious spam, intent on fraud.   Apparently, someone got into their email account, stole their address book, and mailed spam to everyone in it.

It happens all the time.  It happened to Sarah Palin and it happened to me last month.  It is very embarrassing.  It was quite a shock to have a ton of people in my address book writing me back with "Hey!  What's this?!"  and me, a security guy!

The usual reason is that either somebody got your password or they answered the security questions for "I forgot my password."


Because we tend to use the same user ID and password at many sites, a breach at one site becomes a breach at all the rest.  When you enroll at a site for moms or quilters or whatever, you have no guarantee that they store the passwords correctly (as a one-way hash, with a unique salt per password), or that they manage their personnel or operational security at all, so that some dope-crazed disgruntled admin can't steal all the data.

What to do if it happens to you:
  • You should change your password and the "I forgot my password" security questions on the account.   This will stop it.  
  • You should use a password that you don't use anywhere else, or only at very trusted sites.  I use three passwords: one for my ultra-high security accounts, like my bank and brokerage; one for my pretty secure accounts, like my email and Amazon; and one that I use everywhere else.  A good password has mixed case and numbers.  Two small words concatenated with a number or two is good.  
  • Pick security questions that can't be figured out from Facebook.  Don't use mother's maiden name, city of birth, or high school.  If you have to use one of those, type some wrong answer in there, but you better write that down, because you'll never remember it. 
  • Yes, it is okay to write passwords and stuff down. What, somebody is going to break into your house or hold you up at gunpoint to get your password list?!

I work for a company, Ping Identity, that is part of an industry that is trying to do away with passwords.  It can't happen soon enough!  The Internet has made our lives better in so many ways, but our security and privacy is just getting worse and worse.  We can do better.