Tuesday 13 October 2009

Secure your password, protect your privacy

My eyes widened when I read the news earlier last week.
At least 30,000 user passwords of popular Web mail services
like Hotmail, Yahoo and Gmail had been stolen and posted
on the Internet.

Mine could have been one of them, and the prospect of losing
a huge part of my life sent a shiver down my spine.

No, I am not exaggerating.

Information on who I am, who my friends are, what
I do and what I own, is on the Internet, and all it takes
to figure me out and take over my life is to know my e-mail
address and password.

E-mail accounts started off as individual repositories of online mail,
but today they have become the very essence of our online identities.

There are 35,060 e-mail messages in my Gmail account now,
accumulated since I joined the beta in June 2006, and all my
e-mail messages from my Yahoo, Hotmail and office Lotus Notes
accounts are forwarded there.

I have never deleted a single attachment since I started on Gmail
and busted my free 8.2 GB of Gmail space in June, only to sign up
for another 10 GB for US$20 (S$28).

Every Google Talk chat I have ever made is also there. Scanned
images of my IC and passport are there as well, as attachments in
my Sent folder, the first for my bank relationship manager to open
an account and the second sent to a travel agent to apply for a visa.

Since I started using Google phone last month, I have also linked
my SMS messages to my Gmail account, so all my sent and received
SMSes are stored there like Gmail message threads.

I have a unified phone and PC contacts database of about 2,000 people,
some duplicates, and they are all stored online under Google Contacts
(the default address book in Gmail).

You will also be able to find in seconds my credit card’s number and
expiry date, PayPal number, Krisflyer number and more by simply
typing the right keyword under the top-notch search bar in Gmail.

I have never touched Internet banking but if you are like my friend
who sends all his statements to his Gmail account, your net worth is
up there as well.

Knowing so much about a person is just the tip of the iceberg.
Any Web service – from World of Warcraft to Facebook to Krisflyer –
will ask you for an e-mail address when you sign up.

If you have forgotten your password to that service, you just need to
click a link on that service’s website and it sends you an e-mail with
a new password. The hacker who has access to your e-mail can do
that too, and even change your password for those Web services to
assume your identity.

Many online services also contain valuable digital property.
World of Warcraft (WOW) players who spent six years of their
lives accumulating virtual loot are huge targets of hackers, simply
because the slay-six-orcs-in-one-stroke swords are worth real money on eBay.

There are hundreds of “WOW moneychangers” online who will
willingly trade your virtual gold for real hard cash.

Online game download sites like Steampowered.com and GOG.com
let you buy video games through your credit-card and if you switch
computers, you can download them again. Anyone who knows your
username and password can simply steal all of those.

And there are definitely people out there trying to. In the last month,
I have received a dozen e-mail notifications from Blizzard
(the makers of WOW) confirming that I have tried to reset my password
at the WOW website. I never sent a single one of the 12.

The scary thing is this: A recent report from security firm
Sophos states that four in 10 people use the same passwords
for their different online services. So all the bad guy needs to
do is to figure out your weakest link.

To complete the takeover of my life, the hacker now only
needs to log in to Account settings of my Gmail and change my
password to his favourite tagline.

I know what you are thinking – the hacker still needs to answer
the secret question correctly to be able to change passwords,
maybe like the name of my first dog or my mother’s maiden name.

That information could be out there if you are a highly social
networking butterfly who shares personal information on Facebook
and Twitter without a second thought.

Hackers have other ways, too.

Maybe they know your phone number?
They can try to pretend to be your bank and
call you to get personal particulars and see if
your answers match those secret questions.

There is a buzzing underground economy that trades just
about anything. According to security firm Symantec’s
recent research, credit card numbers go for as much as
US$30 each and e-mail accounts for up to US$100 each.

There are two main ways that hackers try to get your personal
information – by infecting your computer with a virus that has
a keystroke logger (it records every letter you type and sends
the information back to the hacker) and by “phishing”.

Phishing (which sounds like fishing) is a social engineering
strategy to get innocent chaps like you and me to divulge
our personal information.

The most common method is when the culprits pretend to
be your bank and send you an e-mail asking you to click
on a link there to a website to key in your account details
and password, often ironically on the pretext that they need
to “verify” that your account has not been compromised.

Thankfully, there is a defence against these attacks: what is called
second-factor authentication, which banks here often use for Internet
banking. The usual method is to provide you with a security token.

Whenever you log in to your account online, you also press a button
on the token, which generates a random number, and you key that number
into the website along with your password.

Since that random number is only valid for a limited time, say one
minute, the thief needs to have that token to break into your account.
This is not foolproof, but it is a lot better than just relying on passwords.
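The token mechanism described above, as an added example (not the page's own code, nor any bank's or Web mail service's): a time-based one-time code in the style of RFC 6238, where the token and the server share a secret and the code depends on the current one-minute slot. The shared secret and the login timestamp are constructed values.

```python
# Added illustrative example of a time-based one-time code, in the style
# of RFC 6238 (TOTP). Not the code of any bank, Google or Blizzard; the
# secret and timestamps below are constructed for demonstration only.
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the code changes every minute, as in the article
DIGITS = 6


def one_time_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Derive the code the token displays at a given time.

    The token and the server share `secret`; the code is an HMAC over
    the current time slot, so a code captured by a phisher goes stale
    as soon as the slot passes.
    """
    counter = unix_time // step
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, now: int,
           step: int = STEP_SECONDS, skew: int = 1) -> bool:
    """Server-side check against the server's own clock: accept the code
    for the current slot and `skew` neighbouring slots (clock drift),
    reject anything older or computed with a different secret."""
    for delta in range(-skew, skew + 1):
        expected = one_time_code(secret, now + delta * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed demonstration values (not real credentials).
SECRET = b"constructed-shared-secret-for-this-example"
LOGIN_TIME = 1_255_400_000   # an instant in October 2009


def demo() -> dict:
    code = one_time_code(SECRET, LOGIN_TIME)
    return {
        "code": code,
        "accepted_now": verify(SECRET, code, LOGIN_TIME),
        "accepted_after_10_minutes": verify(SECRET, code, LOGIN_TIME + 600),
        "accepted_with_wrong_secret": verify(b"attacker-guess", code, LOGIN_TIME),
    }


if __name__ == "__main__":
    print(demo())
```

A code replayed ten minutes later, or one derived without the shared secret, is rejected; only someone holding the token (the secret) at login time produces a code the server accepts.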

Unfortunately, this added security layer has not been widely adopted
outside the Internet banking sphere.

The only exception is World of Warcraft, where the hardcore player
can pay extra for the security token.

I say it is time for it to be extended, particularly among the Web mail
services like Gmail, Yahoo and Hotmail.

Make it an option for those, like me, when so much of our lives is in that
e-mail account. Naturally, we will have to fork out extra for it.

But for peace of mind, and to be able to continue to enjoy the convenience
of having all my information stored in my Gmail, I am more than happy
to do so.

Meanwhile, if you haven’t done so, do reset your e-mail account
passwords immediately. Because you could have been one of the
30,000 whose passwords were posted at online forums and if the
hackers haven’t had the time to change your password, you can
still save yourself.
