Peter Nguyen Team : Web Development Tags : Technology

Passwords to email accounts exposed using a scam – how to get yourself protected

If you are one of the hundreds of millions of people who own a Gmail, Hotmail or Yahoo account, your email could be compromised (stolen) right at this very moment. All your personal data, electronic bills, credit card information (if you were ignoring all the warnings on not sending your credit card information via e-mail) and messages that probably shouldn’t be read by others are no longer just on your account.

Recently, BBC reported that Gmail, Yahoo Mail, AOL and other accounts have been targeted in an “industry-wide phishing attack”. On October 1, 10 000 or more Hotmail accounts were published on the pastebin.com website – a website used commonly by developers to post extracts (called “snippets”) of their code. The site has now been pulled down for maintenance.

This isn’t just another attack.

Nothing internal was compromised. No system was “hacked” per se. Users simply fell for a scam. A simple scam: a fake login page that appears to be real but isn’t. BBC News has confirmed that many of the published accounts - including Gmail and Hotmail addresses - are genuine.

How do I protect myself?

Believe it or not, it’s very easy to check if the site is real or not. Just follow these steps so you can protect yourself.

Upgrade your browser.

Just like the older your car is the more vulnerable it is to breakdowns, the older your browser is the more vulnerable you are.

Check if you’re actually on the right page.

Example:

When logging onto Hotmail, this is the right address:

http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1254871068&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-au

This is not the right address:

http://loginintohotmailfree.com/thissigoingtoberedirected/http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1254871068&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-au

Notice how they are different? Yes! One looks genuine and the other looks dodgy. The part that matters is the site name right after http://, before the first slash: in the second address it is loginintohotmailfree.com, and the genuine login.live.com address has merely been pasted in after it.

Click “Use enhanced security” (Hotmail) or “Use SSL” (Gmail) if it’s available. Then always make sure your address starts with https://.

This encrypts the data being sent from your computer to theirs.
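As an added illustration (not part of the original article), this Python snippet applies the two checks above to the addresses quoted earlier: it pulls out the site the browser will really connect to, flags a genuine address that has merely been pasted in after a fake one, and flags the absence of https. The expected login host (login.live.com) is taken from the article; the dodgy address is the one shown above, with the decoy check generalised to any genuine host appearing inside the path.

```python
from urllib.parse import urlsplit

# The host a Hotmail user should expect to see on the login page (from the article).
EXPECTED_LOGIN_HOSTS = {"login.live.com"}

# The two addresses quoted in the article, joined onto one line each.
GENUINE_URL = ("http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1254871068"
               "&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx"
               "&lc=1033&id=64855&mkt=en-au")
DODGY_URL = ("http://loginintohotmailfree.com/thissigoingtoberedirected/http://login.live.com/"
             "login.srf?wa=wsignin1.0&rpsnv=11&ct=1254871068&rver=6.0.5285.0&wp=MBI"
             "&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-au")


def actual_host(url: str) -> str:
    """Return the host the browser really connects to: the part between the
    scheme and the first '/', lower-cased, with any port or 'user@' prefix
    removed (so 'http://login.live.com@evil.example/' resolves to evil.example).
    Everything after that first '/' is just a path the site owner controls."""
    return urlsplit(url).hostname or ""


def check_login_url(url: str, expected_hosts=EXPECTED_LOGIN_HOSTS) -> list:
    """Return a list of red flags for a login URL. An empty list means the
    address passes the article's checks: right host, https, no decoy."""
    parts = urlsplit(url)
    host = actual_host(url)
    flags = []
    if host not in expected_hosts:
        flags.append(f"host is {host!r}, not one of {sorted(expected_hosts)}")
    # A genuine login host appearing *inside* the path or query is the decoy the
    # article shows: the real address pasted after a fake domain name.
    rest = (parts.path + "?" + parts.query).lower()
    for good in expected_hosts:
        if host != good and good in rest:
            flags.append(f"decoy: genuine host {good!r} appears inside the path")
    if parts.scheme != "https":
        flags.append("not https: the page is not encrypted")
    return flags


if __name__ == "__main__":
    for label, url in (("genuine", GENUINE_URL), ("dodgy", DODGY_URL)):
        print(label, "->", actual_host(url), check_login_url(url) or "OK")
```

Note that the article's genuine address still gets one flag, "not https", which is exactly why the article tells you to switch SSL on.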

If an email has been sent to you from Hotmail or Gmail asking you to reset your password, make sure it has your name on it.

Either that, or the name you signed up with. If they need you to reveal your personal information, they should at least address you personally (it’s most likely fake if they don’t).

Use an antivirus scanner.

It’s just the same as injecting your children with vaccines when they’re young – to protect against viruses and infections.

That covers protecting you against attacks. But all that is pretty much useless if you have a password like fishcakes.

My password is fishcakes, or something that can be found in a dictionary.

If your password can be pronounced, or said out loud without spelling it out, then your account is vulnerable to “dictionary attacks”. These “dictionary attacks” are basically attacks in which the hacker tries every word in a dictionary as your password. If they are able to log in successfully, then your account has officially been compromised. This method takes less than 10 minutes with the right resources. In short, in 10 minutes your account could be hacked if you had a dictionary word (or even two dictionary words) as your password.

What is a strong password?

JoeJT3#ga.

That is a strong password. Notice how it’s a completely random combination of uppercase and lowercase letters, numbers and symbols. It’s more than six characters.

Now how would I remember that?

[Joe][JT][3][#][ga]

That’s the password, broken up. Each word/letter can stand for something. That’s one way to remember it. You might have difficulty remembering it at first, but over time, it will become easy. And what’s easier? Remembering a fairly difficult password at first or trying to cover-up/recover all your personal information? Your identity could be stolen. That’s extremely hard to fix.

A way I use to remember the password is to write it down. I write it again and again. I don’t use the remember password tool. I log into it many times, until I remember the password. I then get rid of the paper that has the password on it.

My password’s the same or similar on every account.

In light of these recent attacks, you should change it. Hackers will try to log in to other sites (such as Netbank) with your email and password.