Bits from Bill

Technology thoughts leaking from the brain of "Bill Pytlovany"

Monday, May 04, 2009

Please Enter Your Name and Password

Do you always know for sure where you’re entering your name and password?

This week many of my friends on Facebook reported getting stung by yet another hacker trick to get someone's name and password. Many received an Email with a message about something new on Facebook and a link which appeared as if it was Facebook. Surprise, surprise, it turned out to be a completely different website that just looked like the Facebook login page.

Simple tricks like this remain the most common distribution methods of deceptive programs and ID theft on the Internet. Once someone has your name and password, they have access to your valuable contact list. Your unsuspecting friends will start to receive similar invitations and even downloadable files with every possible kind of malware. Many of your contacts will trust an attachment because they think it comes from someone they know.
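A small added check, not from the original post, for the lookalike-link trick described above: it extracts the host a browser would really connect to and flags a link whose text names Facebook but whose destination is not facebook.com. The TRUSTED_DOMAINS set and the sample URLs are constructed for this example.

```python
from urllib.parse import urlparse

# Domains whose login pages we treat as genuine (constructed for this example).
TRUSTED_DOMAINS = {"facebook.com"}


def real_host(url: str) -> str:
    """Return the lowercase host a browser would actually connect to.

    urlparse().hostname discards any user:pass@ prefix and the port, so
    'http://www.facebook.com@evil.example/' correctly yields 'evil.example'.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").rstrip(".")


def is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host is a trusted domain or a subdomain of one.

    The match is on a full label boundary, so both 'facebook.com.evil.example'
    and 'notfacebook.com' are rejected.
    """
    host = real_host(url)
    return any(host == d or host.endswith("." + d) for d in trusted)


def looks_like_lure(link_text: str, href: str) -> bool:
    """Flag a link whose visible text mentions a trusted brand or domain
    while the actual destination does not belong to that domain."""
    brands = {d.split(".")[0] for d in TRUSTED_DOMAINS} | TRUSTED_DOMAINS
    mentions_trusted = any(b in link_text.lower() for b in brands)
    return mentions_trusted and not is_trusted(href)


if __name__ == "__main__":
    # Constructed sample links of the kind described in the post.
    samples = [
        ("See what's new on Facebook", "http://facebook.com.login-help.example/"),
        ("http://www.facebook.com/", "http://www.facebook.com@203.0.113.5/"),
        ("Facebook", "https://www.facebook.com/login"),
    ]
    for text, href in samples:
        print(f"{'LURE   ' if looks_like_lure(text, href) else 'ok     '} {text!r} -> {href}")
```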

While this is a typical phishing scenario, there are many other ways to give away your name and password. Many social networking sites will want you to give them your Email and password so they can collect information on your contacts and provide you with a better experience. While I'm sure some of them are legitimate and trustworthy, I say Don't Do It. I have no reason to believe my example below from Facebook is devious, but I still think it's a bad idea.

Example from Facebook friends page

This is typical of many social networking sites including LinkedIn and Twitter. Some are more aggressive and trickier than others. Twitter has a lot of new 3rd party tools popping up, so it has been the target of many new scams to obtain names and passwords. Don't try a 3rd party tool for Twitter just based on Tweets from your friends. It's always possible the people doing the recommending have had their accounts compromised.

While I'm on the subject, let's talk about your password. Do you use the same password at multiple locations? Come on, I know you do, and it's another really bad idea. Even if you don't fall for one of the tricks I've mentioned, your name and password could be compromised by some other method. The first thing a hacker will do is try the same password to access PayPal, eBay, gmail, hotmail, AOL, banks, credit card sites, Facebook, Twitter etc… Not only could you lose money, but anything they say or post online using your name will exist forever.

Yes, it can happen to everyone. Check out what Steve Bass had to say in his TechBite newsletter.
Password Disaster: My PayPal Account was Hacked.



Blogger John L. Galt said...

It's amazing that people keep falling for the same old tricks with slightly new spins to them.

My sister fell for the DHL exploit a few months back b/c she, as a mortgage officer, deals with DHL on a near daily basis and did not read the message carefully enough to spot that it was a fake. I spent several hours with her on the phone, getting rid of the pesky thing, and then I submitted the 0-day affliction to so they could get a new definition file out in a hurry.

I just wish email clients would come with HTML mail disabled by default, and that more people used safeguards like WinPatrol, OpenDNS, MBAM, etc. (not to mention up to date anti-malware software) to keep them more safeguarded than they are trying to just monitor themselves. My sister, whilst not necessarily an IT pro, nevertheless is pretty safety minded, and has worked in the past in IT doing contract jobs - she is definitely well above the average user in terms of savvy and awareness, but if someone like her can make the odd mistake or two, then the average and novice user categories have little hope of being able to catch these exploits.

Also amazing is how people will willingly listen to other people they know that are *not* computer techs / IT professionals when it comes to getting 'free' things, but will only turn to the resident geek for help fixing their blunders....

Is there no end to the madness?

11:50 PM
Anonymous Anonymous said...

I simply won't use passwords for anything except access to the site for which I created them. Other sites need to learn (by users' complaints or lack of use) that we won't be a part of that promiscuous 'sharing'... probably dreamed up by a marketing rep.

And I have a simple system for creating different passwords for each and every site I access... a personal prefix added to a suffix determined by something obvious about the site. So, for an oversimplified example, I might use "pass4cnn" at CNN, and "pass4tv" at TVGuide, and "pass4imdb" at Choose your own prefix key instead of 'pass4'... and add a site-specific suffix (one that's obvious or guessable to -you-).

That gets complicated by some sites which don't allow numbers (or require them)... or require including at least one capital letter (or ignore them). So one must try to build a personal prefix that you can tweak a little, like dropping off the special characters or numbers, when they're not allowed. As mentioned, you need to choose something obvious from each site for a suffix, so you have a good chance of remembering or guessing it. Like choosing CNN or 'news' for the CNN site, TV or 'guide' for TVguide site, etc.

Settle on one or two 'special characters' and/or numbers as favorites to use in your personal prefix... and your password becomes a little more secure... just remember you might have to drop them for some restrictive websites.

3:38 AM
Anonymous Anonymous said...

In aol version 9.1 I still can't get rid of the ads at the bottom of my emails. HELP

3:16 PM