or, They Really Are Out To Get You
I’ve been warning about spam in True since 1996 — ten long years. My warnings have been summarized in my Spam Primer, which is now on its own site. As I predicted more than 10 years ago, it’s gotten worse — much worse. And the stakes are much higher than just clogging your inbox: your life savings are at risk.
Last week I got a “phishing” email from eBay that looked so perfect, I suspected it was real. Essentially, it said that my account had been compromised and that several auctions (for cars) had been canceled. I hovered the link in the message, and it looked right — eBay.
Still, I was suspicious — looking right isn’t enough. Rather than click the link in the email, I went to eBay on my own …and couldn’t log in. I went back to the email to see what they said to do: click “Forgot My Password” on the login page. I did that on the web site, went through the security questions I had apparently set up Way Back When, set a new password …and found copies of those emails about how my account had been compromised and that several auctions (for cars) had been canceled.
So yes: my account really was compromised by someone trying to use it to steal from others. Luckily, eBay caught it, locked them out (by changing my password), canceled the bogus auctions they set up under my ID, and notified me — presumably before anyone lost money to the scam. Kudos to eBay!
Big Lesson Learned
My password was, I thought, a good one: a nonsense word that means something to me, plus digits. I have no idea how my account was compromised, but I went cold when I realized something: I used a very similar password (same odd word, but different digits) for most of my accounts — including my bank account.
As you can imagine, I immediately changed all of my passwords at every place that matters. Happily, my PayPal password (PayPal is owned by eBay) was very different, and the crooks didn’t get in there, too. I was lucky.
Are your passwords secure? Are you sure? Are you willing to risk everything that you’re right? There are things you can do to increase your odds dramatically, yet few actually do those things.
Your password scheme is key. Here’s what my buddy Leo (the computer guru at AskLeo — a good place to go for tech help) says:
Select a good password. “iLoveMikey” is a bad password. “qicITcl}” is a great password. You can see the problem though — great passwords are hard to remember. So compromise: never include full English words or names; always include a mix of uppercase and lowercase letters and numbers; always make sure that the password is at least 8* characters long. ‘Macintosh’ is bad, ‘Mac7T0sh’ might be good, and probably easier to remember.
Bottom line: pick a random looking password that YOU can remember, but that THEY would never guess — and assume that THEY are always really great guessers.
But One More Factor is Key
Importantly, any critical password should be very different from every other password you use. A friend had one of her accounts compromised, and they tried the same login/password other places — and got into her brokerage account. She was lucky too: she didn’t lose her entire retirement fund. Still, hearing her story recently didn’t change my habits. Had I really listened, I might have been able to avoid this.
All of my passwords are now completely random combinations of letters, numbers, and “special” characters (&, -, and the like). How in the world can I remember them all? Keeping track of random strings of data isn’t a great task for a human brain; sounds more like a job for a computer, doesn’t it? So I got software — a “password vault” — which does it for me. It only requires that you memorize one password, the vault’s, and it remembers the rest, storing them in an encrypted file.
You could try to keep track of them in other ways. But don’t be a fool and think you can use easy-to-remember (read: easy for hacker software to guess) passwords and get away with it forever. Spammers and other scammers would love to get hold of your money or steal your identity. They’re trying hard, and there are thousands of them against you and any simple passwords you use. Don’t wait until it’s too late — when your money and identity are already stolen. Do something about it now, because thanks to their software, scammers are good guessers. Roboform is only $30. LastPass is free for personal use. That’s cheap insurance to keep your bank accounts much safer.
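To make the two points above concrete (Leo’s selection rules, and the “same odd word, different digits” reuse that bit me), here is a small audit script, added as an example and not code from the post or from any password vault product. It runs over a constructed sample list of account passwords (not real credentials); the word list is a stand-in for a real dictionary, and the default minimum length of 8 follows Leo’s rule, which the footnote below says is now too short.

```python
# Constructed sample vault (fake accounts and passwords), mirroring the post:
# the same nonsense word with different digits on several sites.
SAMPLE_VAULT = {
    "ebay": "flumpkin47",
    "bank": "flumpkin92",
    "paypal": "R7&kQz!p2mLw",
    "forum": "iLoveMikey",
    "mail": "Mac7T0sh",
}

# Stand-in for a real dictionary; a proper check would load a word list.
COMMON_WORDS = ("password", "love", "mikey", "macintosh")


def policy_problems(pw, min_len=8):
    """Return the ways a password breaks Leo's rules (empty list = passes).

    min_len defaults to 8 as in the 2006 advice; pass a larger value,
    since the post's footnote notes that much longer is much better.
    """
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len}")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    lowered = pw.lower()
    for word in COMMON_WORDS:
        if word in lowered:  # full English words or names are out
            problems.append(f"contains word '{word}'")
    return problems


def stem(pw):
    """Lowercase the letters only, so 'Flumpkin47' and 'flumpkin92' collide."""
    return "".join(c for c in pw.lower() if c.isalpha())


def near_reuse(vault):
    """Group accounts whose passwords share a stem; those are effectively reused."""
    groups = {}
    for account, pw in vault.items():
        groups.setdefault(stem(pw) or pw, []).append(account)
    return {s: sorted(a) for s, a in groups.items() if len(a) > 1}


def audit(vault, min_len=8):
    """Per-account rule violations plus the reuse groups, in one report."""
    return {a: policy_problems(p, min_len) for a, p in vault.items()}, near_reuse(vault)
```

A stem collision is a stronger signal than an exact match: an attacker who learns one password in the group will try the rest with a different digit suffix first.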
One more important thing: is “phishing” a new term to you? Do you fully understand how it works, and how these slimeballs can steal your identity? If not, you really, really need to read my “Help with Spam and Phishing” site, Spam Primer — which (no surprise) I spent a lot of time updating today. Read it and send its URL to your friends and, especially, your family. We all need to do what we can to thwart spam (especially phishing) and identity theft.
– – –
*Important Note: “qicITcl}” and “Mac7T0sh” are no longer adequate passwords. Much longer is much better, for technical reasons. But the primary point here — that you should have a significantly different password on every important site, like banking and investment sites, is still extremely true. Losing one bank account could be very, very painful. Losing them all could be a total disaster. And if your login and password information is used on multiple financial sites, there is a very good chance that if you lose one, you will lose them all.