A new scam is going around and, worryingly, it is working quite well. This article explains what it is, how to spot it and how to recover from it.
Inspiring this post is an email I received from a friend based in the US at around 3am local San Francisco time (conveniently!). It’s a new type of scam that was recently reported on in the London Evening Standard. The scam involves getting into an email account and emailing all of its contacts a sympathetic request for money, claiming the owner has been mugged while travelling.
What’s dangerous about this scam is the following:
1) The email is personalised, signed with the first name of the person who owns the email account.
2) The Reply-To address is an account set up for this specific scam on the same email provider as your account. For example, if your address is firstname.lastname@example.com, the scammer registers a look-alike such as firstname.lastname1@example.com or firstnamelastname@example.com and directs all replies there. The scammer can then coordinate receiving money from a different account which looks like the real owner’s!
3) In extreme cases, the reply address is the person’s original email address, and the real owner has been locked out of it. This is even more dangerous, because the person about to send money checks whether the request is real by emailing to ask, and the scammer answers.
4) A vulnerable friend asking for help is an easy way to get some quick money.
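The second and third points above are a header-level pattern: the mail comes from the real account but replies are steered somewhere else. The following is an added example by the editor, not code from the original post, that flags a message whose Reply-To is a different mailbox on the same domain as the From address and whose local part collapses to the same name once dots and digits are removed. The two messages, the names and the addresses in it are constructed samples.

```python
"""Flag the "mugged abroad" scam's tell-tale header pattern.

Added example by the editor, not code from the original post. It checks
whether a message's Reply-To points at a different mailbox on the same
domain as the From address, with a local part that collapses to the same
name once dots and digits are stripped (the look-alike account described
above). The two messages below are constructed samples; the names and
addresses in them are hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the scam mail, sent from the compromised account
# but with replies redirected to a freshly registered look-alike.
SCAM_MESSAGE = """\
From: Alex Smith <alex.smith@example.com>
Reply-To: alex.smith1@example.com
To: friend@example.net
Subject: Urgent help needed

Hi, I'm in London and got mugged at the hotel. Can you wire some money?
Alex
"""

# Constructed sample: an ordinary mail with no Reply-To header.
NORMAL_MESSAGE = """\
From: Alex Smith <alex.smith@example.com>
To: friend@example.net
Subject: Lunch?

Free on Friday?
Alex
"""

# Vocabulary the scam emails lean on; purely a heuristic, not an exhaustive list.
MONEY_WORDS = ("mugged", "wire", "western union", "moneygram", "urgent")


def _split(address: str):
    """Return (local_part, domain) of an address, lower-cased."""
    local, _, domain = address.lower().partition("@")
    return local, domain


def _canonical(local: str) -> str:
    """Collapse 'alex.smith1' and 'alexsmith' to the same token."""
    return re.sub(r"[.\d_-]", "", local)


def classify_reply_to(raw_message: str) -> str:
    """Return one of:
      'none'      - no Reply-To, replies go back to the From address
      'same'      - Reply-To equals From
      'lookalike' - different mailbox, same domain, same canonical name
      'other'     - Reply-To goes somewhere unrelated
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if not reply_to:
        return "none"
    if reply_to.lower() == sender.lower():
        return "same"
    s_local, s_domain = _split(sender)
    r_local, r_domain = _split(reply_to)
    if s_domain == r_domain and _canonical(s_local) == _canonical(r_local):
        return "lookalike"
    return "other"


def mentions_money(raw_message: str) -> bool:
    """True if the body uses any of the scam's money/urgency vocabulary."""
    body = message_from_string(raw_message).get_payload()
    if not isinstance(body, str):  # multipart mail: skip the heuristic
        return False
    text = body.lower()
    return any(word in text for word in MONEY_WORDS)


def is_suspicious(raw_message: str) -> bool:
    """Combine the two signals: a redirected reply plus a plea for money."""
    return (classify_reply_to(raw_message) in ("lookalike", "other")
            and mentions_money(raw_message))


if __name__ == "__main__":
    for name, sample in (("scam", SCAM_MESSAGE), ("normal", NORMAL_MESSAGE)):
        print(name, classify_reply_to(sample), is_suspicious(sample))
```

The header check only catches the look-alike variant (point 2). In the locked-out variant (point 3) the Reply-To is the genuine address, so nothing in the headers distinguishes the scam from a real plea; that case can only be caught by confirming with the friend through a channel other than email.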
The world we live in is actually more friendly and trusting than you may think. According to the Standard post, someone working in security in the Armed Forces coughed up over €500 for his friend in need without spotting that it was a hoax.
In the case where the hacker gets in and simply emails your contact list, you can see this has happened by looking in your Sent folder, which will show all the outbound emails. The easy remedy is to email your whole contact list explaining what has happened (and of course change your password to something complex! See the post on password security).
If you’re locked out of your account, it’s a little worse. You will need to contact your email provider, with legal identification, to get the account reset, because the hackers change the security and recovery options on the account as well. Once you are back in, check those settings yourself: the recovery email address and phone number, any forwarding rules or filters that quietly copy your mail elsewhere, and any connected applications, and only then set the new password.
For more advice please feel free to email me (joshuasugarman@[removethis]gmail.com)
Paypal and Lenovo have just joined Google and others in developing the “post-password” era, which will look at modern alternatives to the age-old text-based password. I wanted to give my thoughts on passwords, the problems with them and what potential resolutions there are for the future.
For any website with a login, you require at least 2 pieces of information: a username and a password.
The username can be hard enough to remember, as many websites have their own unique take on what is or isn’t allowed. An email address? An 8-character username? 15 characters?
If usernames weren’t hard enough to remember, the password field adds another layer of complexity for the following reasons:
1) Websites have different requirements on what is an acceptable password.
2) You should never use the same password for more than one website (if one site is breached, the same password will be tried against every other site you use).
3) A password isn’t enough because:
Nope: even a username and a unique, complex password aren’t enough. Google, Microsoft, Facebook and all the major banks now offer two-factor authentication. Banks generally make it compulsory, while for social media and email it is an optional extra. With banks this often takes the form of a secondary memorable word of which you are asked for certain characters, e.g. “What are the 1st, 3rd and 5th characters of your secret word?”. Strictly speaking that is still something you know rather than a second factor, and every challenge reveals a few more characters of the word to anyone watching. Alternatively, you may verify with your mobile phone, an RSA SecurID token or a little card reader, each of which generates something called a “one-time password” that you type in to log in.
That got a little technical, but going back to basics we can see that logging in to one website is a difficult process, never mind logging in to 10 different sites. The result is some shocking statistics, including:
64% of end users report that they have written down their password at least once (Study: Rainbow Technologies Password Survey, “64 Percent Write Passwords Down Compromising Corporate Data”, 28 April 2003)
70% of people do not use a unique password for each website (Study: “Attitudes and Behavior Towards Password Use on the World Wide Web”, 11 October 2000)
A quarter of Brits forget their online passwords on a regular basis (Study: Microsoft UK Password Survey, 2 November 2004)
The Microsoft one is the most interesting for me personally. 25% of people “regularly” forget an online password and have to reset it. I must have logins for over 100 different websites, so that means I’d regularly have to reset my password for around 25 of those. What’s more concerning is that I can fully relate to that!
What Paypal & Google Plan to Do:
-Biometrics
-Password Protected USB Sticks
-Embedded Hardware Modules
-Other
These are the main contenders for the post-password era. Biometrics is an idealist’s view of digital identification: the best way to log in to a site is to prove it’s us based on biological identifiers. In its basic form this could be a fingerprint scan, though fingerprints can be quite easy to replicate for people who do want to gain access, and unlike a password a copied fingerprint cannot be changed. Alternatively, facial scanners are available, with the obvious flaw (hold up a picture of the person you’re imitating?), and eye scanners, which are intrusive, expensive and uncomfortable.
Password-protected USB sticks are limited because neither my phone nor my tablet has a USB port. Embedded hardware has the obvious problem of losing the device, which leaves us with the final option, “Other”.
Google has been toying with the idea of a ring containing a small NFC (Near-Field Communication) chip which, if present, lets the user instantly prove they are the account’s owner. Losing the ring is the obvious concern, and adding other authentication methods on top of it to cover that case makes the process more complex than the systems we have today.
Summary & Thoughts:
There’s a lot of talk about the “post-password” era, and authentication is certainly a technical and complex problem to solve. In reality, there is no developed solution to this [INSERT BUSINESS IDEA HERE]. The best possible solution would be a master login to your entire digital world, which uses some form of two-factor authentication with your phone or something similar. Most websites are starting to integrate single sign-on with Facebook, which certainly reduces the number of passwords, but it’s still not an ultimate solution: it makes the one Facebook account a single point of compromise for everything behind it.
Will we see the end of the 8 digit password (With an upper case letter and number)? N0chanc3
As a final tip: don’t write passwords down on paper (or anywhere), use a different password for every site, and use an application such as LastPass, a secure password database, to store and remember them all.