or, They Really Are Out To Get You
I’ve been warning about spam in True since 1996 — ten long years. My warnings have been summarized in my Spam Primer, which is now on its own site. As I predicted more than 10 years ago, it’s gotten worse — much worse. And the stakes are much higher than just clogging your inbox: your life savings are at risk.
Last week I got a “phishing” email from eBay that looked so perfect, I suspected it was real. Essentially, it said that my account had been compromised and that several auctions (for cars) had been canceled. I hovered the link in the message, and it looked right — eBay.
Still, I was suspicious — looking right isn’t enough. Rather than click the link in the email, I went to eBay on my own …and couldn’t log in. I went back to the email to see what they said to do: click “Forgot My Password” on the login page. I did that on the web site, went through the security questions I had apparently set up Way Back When, set a new password …and found copies of those emails about how my account had been compromised and that several auctions (for cars) had been canceled.
So yes: my account really was compromised by someone trying to use it to steal from others. Luckily, eBay caught it, locked them out (by changing my password), canceled the bogus auctions they set up under my ID, and notified me — presumably before anyone lost money to the scam. Kudos to eBay!
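A link that looks right when hovered is not proof of anything: the visible text and the real destination are separate things, and a hostname can be padded so that the expected name sits at the front of an entirely different domain. The Python below is an added example, not code from this post or from eBay. It runs a few mechanical checks over text/href pairs harvested from a message; the sample links, the `.example` attacker domain, the 203.0.113.9 address (a documentation range) and the function names are all constructed for the illustration.

```python
"""Mechanical checks for links pulled from a suspicious e-mail (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample: (visible link text, actual href). Only the first is genuine-looking;
# the second pads a foreign domain with the expected name, the third abuses the
# user@host URL form and points at a bare address.
EXPECTED_DOMAIN = "ebay.com"
SAMPLE_LINKS: List[Tuple[str, str]] = [
    ("https://signin.ebay.com/", "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn"),
    ("https://www.ebay.com/", "http://www.ebay.com.account-review.example/signin"),
    ("eBay Security Center", "https://www.ebay.com@203.0.113.9/update"),
]


def host_of(text: str) -> Optional[str]:
    """Hostname named by a URL or by URL-looking link text; None for plain words."""
    candidate = text.strip()
    if "://" not in candidate:
        if " " in candidate or "." not in candidate:
            return None  # "Click here" and similar name no host at all
        candidate = "https://" + candidate
    try:
        return urlsplit(candidate).hostname  # lower-cased, port and brackets stripped
    except ValueError:
        return None


def under_domain(host: str, expected: str) -> bool:
    """True only on a label boundary: www.ebay.com.evil.example must NOT match."""
    return host == expected or host.endswith("." + expected)


def link_findings(display: str, href: str, expected: str = EXPECTED_DOMAIN) -> List[str]:
    """Return the reasons to distrust one link; an empty list means nothing obvious."""
    findings: List[str] = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    expected = expected.lower()
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme or 'missing'}, not https")
    if parts.username is not None:
        # In https://www.ebay.com@203.0.113.9/ everything before '@' is userinfo,
        # which the browser ignores; the real host is what follows it.
        findings.append(f"text before '@' ({parts.username}) is userinfo, not the host")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("host has an IDN (xn--) label; inspect its decoded form")
    if not under_domain(host, expected):
        findings.append(f"host {host!r} is not under {expected!r}")
    shown = host_of(display)
    if shown is not None and shown != host:
        findings.append(f"link text shows {shown!r} but the link goes to {host!r}")
    return findings


def triage(links: List[Tuple[str, str]], expected: str = EXPECTED_DOMAIN) -> Dict[str, List[str]]:
    """Map each href to its findings so a whole message can be reviewed at once."""
    return {href: link_findings(text, href, expected) for text, href in links}


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_LINKS).items():
        print(href)
        for reason in reasons or ["no obvious problem (still go to the site yourself)"]:
            print("   -", reason)
```

Even an empty findings list is not a green light: the checks catch only the crude tricks, which is exactly why the safe move is the one taken above, typing the site's address yourself instead of clicking.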
Big Lesson Learned
My password was, I thought, a good one: a nonsense word that means something to me, plus digits. I have no idea how my account was compromised, but I went cold when I realized something: I used a very similar password (same odd word, but different digits) for most of my accounts — including my bank account.
As you can imagine, I immediately changed all of my passwords at every place that matters. Happily, my Paypal password (Paypal is owned by eBay) was very different, and the crooks didn’t get in there, too. I was lucky.
Are your passwords secure? Are you sure? Are you willing to bet everything that you’re right? There are things you can do to increase your odds dramatically, yet few actually do them.
Eight characters is not long enough for a password. Length matters more than complexity: every extra character multiplies the number of guesses an attacker has to make, while trading a letter for a symbol only adds a few possibilities at one position. A long password of ordinary characters is harder to guess than a short one stuffed with symbols.
But One More Factor is Key
Importantly, any critical password should be very different from every other password you use: once a password leaks from one site, the crooks try it, and close variations of it, at every other site they can think of. A friend had one of her accounts compromised, and they tried the same login/password other places — and got into her brokerage account. She was lucky too: she didn’t lose her entire retirement fund. Still, hearing her story recently didn’t change my habits. Had I really listened, I might have been able to avoid this.
All of my passwords are now completely random combinations of letters, numbers, and “special” characters (&, -, and the like). How in the world can I remember them all? Keeping track of random strings of data isn’t a great task for a human brain; sounds more like a job for a computer, doesn’t it? So I got software — a “password vault” — which does it for me. It only requires that you memorize one password, the vault’s, and it remembers the rest, storing them in an encrypted file. That one password unlocks everything else, so it has to be the longest and most unique password you own, and it must never be used anywhere else.
You could try to keep track of them in other ways. But don’t be a fool and think you can use easy-to-remember (read: easy for hacker software to guess) passwords and get away with it forever. Spammers and other scammers would love to get hold of your money or steal your identity. They’re trying hard, and there are thousands of them against you and any simple passwords you use.
Don’t wait until it’s too late — when your money and identity are already stolen. Do something about it now, because thanks to their software, scammers are good guessers. RoboForm is only $30. LastPass is free for personal use. That’s cheap insurance to keep your bank accounts much safer.
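The two warnings above, that length beats complexity and that a password which is merely similar to one you use elsewhere is as good as reused, can be shown concretely. The Python below is an added example, not code from this post or from any product it names. It assumes a constructed scenario: an attacker holds the password `zorblat1998` leaked from one site and tries it, plus the same stem with every other digit suffix, against the password hashes stored at three other sites. The site names, the victim's passwords, the salts and the `ITERATIONS` value are all made up, and the iteration count is kept tiny so the demonstration finishes in a second or two; it also includes the vault-style random generator and the keyspace arithmetic behind the "longer is better than complex" rule.

```python
"""Credential-reuse attack against near-duplicate passwords (added example)."""
import hashlib
import itertools
import math
import os
import re
import secrets
import string
from typing import Dict, Iterator, Optional, Tuple

ITERATIONS = 200  # made-up and deliberately tiny; a real site uses hundreds of thousands


def hash_password(password: str, salt: bytes) -> bytes:
    """How a site might store a password: salted, slow PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def reuse_guesses(leaked: str, max_digits: int = 4) -> Iterator[str]:
    """Guesses derived from one leaked password: the password itself, then the same
    stem with every other digit suffix of 1..max_digits digits ("zorblat" + 0..9999)."""
    yield leaked
    match = re.fullmatch(r"(.*?)(\d+)", leaked)
    stem = match.group(1) if match else leaked
    for width in range(1, max_digits + 1):
        for digits in itertools.product(string.digits, repeat=width):
            guess = stem + "".join(digits)
            if guess != leaked:
                yield guess


def crack(target: bytes, salt: bytes, leaked: str) -> Tuple[Optional[str], int]:
    """Run the reuse guesses against one stored hash; return (password or None, attempts)."""
    attempts = 0
    for guess in reuse_guesses(leaked):
        attempts += 1
        if hash_password(guess, salt) == target:
            return guess, attempts
    return None, attempts


def random_password(length: int = 16,
                    alphabet: str = string.ascii_letters + string.digits + "&-_!%") -> str:
    """What a password vault generates: uniform choice from a CSPRNG (never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Guessing work in bits: the 'longer beats complex' claim in numbers."""
    return length * math.log2(alphabet_size)


def demo() -> Dict[str, Tuple[Optional[str], int]]:
    """Constructed scenario: one password leaks from an auction site; the victim used the
    same stem with other digits at the bank, the exact password at the broker, and a
    vault-generated password at the payment site."""
    leaked = "zorblat1998"
    victims = {"bank": "zorblat2006", "broker": leaked, "payments": random_password()}
    stores: Dict[str, Tuple[bytes, bytes]] = {}
    for site, password in victims.items():
        salt = os.urandom(16)
        stores[site] = (salt, hash_password(password, salt))
    return {site: crack(target, salt, leaked) for site, (salt, target) in stores.items()}


if __name__ == "__main__":
    for site, (found, attempts) in demo().items():
        print(f"{site:9s} {found or 'not found':16s} after {attempts:5d} guesses")
    print(f"digit suffix on a known stem: {keyspace_bits(10, 4):.1f} bits of work")
    print(f"8 chars from 95 symbols: {keyspace_bits(95, 8):.1f} bits; "
          f"16 lowercase letters: {keyspace_bits(26, 16):.1f} bits")
```

The slow hash does not rescue the near-duplicate password: it multiplies the cost of each guess, but the attacker only needs about eleven thousand of them once the stem is known, so the bank password falls after a few thousand tries and the exact reuse on the first. The vault-generated password survives the whole run because its stem is not in anyone's leak, which is the point of making every important password both long and unrelated to the others.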
One more important thing: is “phishing” a new term to you? Do you fully understand how it works, and how these slimeballs can steal your identity? If not, you really, really need to read my “Help with Spam and Phishing” site, Spam Primer — which (no surprise) I spent a lot of time updating today. Read it and send its URL to your friends and, especially, your family. We all need to do what we can to thwart spam (especially phishing) and identity theft.
– – –
This page is an example of my style of “Thought-Provoking Entertainment”. This is True is an email newsletter that uses “weird news” as a vehicle to explore the human condition in an entertaining way.
For secure yet memorable passwords, try this: Your wife’s maiden surname followed by the first telephone number you can remember – your home when growing up.
Or perhaps the license plate number of your first car, followed by the number and street name of your parents’ home.
Or some other such combination.
If you always have two memorable things that only you know, then the chances of anyone guessing it are very remote.
And yes, I both use 1Password on my Mac (Mac OSX is Unix, very secure!) and have different memorable passwords for my important online accounts.
Unfortunately, Chris’s ideas are often the sort of thing that knowledgeable thieves will try. The best way I know of for creating a random looking but memorable password is to think up a sentence and use the initial letters. Even better if there are numbers and symbols. For example:
Manchester United beat Chelsea 2-0 on 1st November 2006.
This translates to: MUbC2-0o1N06
You will remember it, but it is extremely unlikely that anyone could guess it.
BTW, this score and date are made up.
Two free options for password storage:
Keepass – Available for many platforms, including mobile devices
Sourceforge’s Password safe.
—
I think one has to use great care in such matters, especially when it comes to protecting personal information. I’ve never heard of Keepass; could be fantastic, but I’d have to do research before I would trust my very identity to them. I’m cool with Sourceforge, but you typo’d the URL and it actually went to a squatter site. Imagine if they had nefarious intent! So the bottom line is, great caution is required for all software, and especially security software. Do your homework. -rc
Connected to this, I use a system for remembering PIN numbers for cash cards/credit cards, which means I can even put a reminder on the card itself. I simply refer to a year when I saw someone come down in front of me on a parachute when I was a kid (and they broke their leg in doing so!) and another significant year in my life and then I draw a small picture of a parachute and a one letter reference to the other significant year and write + or – and the difference in years between those dates and the corresponding two-digit pair of the PIN. For example, if the parachute incident happened in 1932 (which it didn’t, of course!!) and my child was born in 1922 (again, he wasn’t) and my PIN number were 2751 I’d scratch or write on the card a representation of a parachute followed by -5bh+29 (bh = birth) – (19)32-5 = 27 and (19)22+29 = 51, put them together and you have the PIN, 2751. Totally comprehensible to me, but to no one else, and easily remembered however rarely I use the card. As all PIN numbers here are four-digits, it works a treat. The same can be done for computer-based passwords, simply by having in mind set alternatives for certain letters (e.g. a = @) and using place names or long words of significance to oneself.
This is a composite suggestion from several readers:
—
I won’t have a chance, because I don’t have time to research whether I trust the company that’s producing the software, and that’s critical. What, I “don’t have time” to ensure I have great security? No: I’ve already done that. I have my solution, which I recommended. So I certainly can’t go out and research them all. But yes, there certainly are other solutions out there, with their own advantages and, perhaps, disadvantages. -rc