Identity Theft: Protect Yourself
They Really Are Out To Get You

I've been warning about spam in True since 1996 -- ten long years. My warnings have been summarized in my Spam Primer, which is now on its own site. As I predicted more than 10 years ago, it's gotten worse -- much worse. And the stakes are much higher than just clogging your inbox: your life savings are at risk.

Last week I got a "phishing" e-mail from eBay that looked so perfect, I suspected it was real. Essentially, it said that my account had been compromised and that several auctions (for cars) had been canceled. I hovered over the link in the message, and it looked right -- eBay. Still, I was suspicious -- looking right isn't enough. Rather than click the link in the e-mail, I went to eBay on my own ...and couldn't log in.

I went back to the e-mail to see what they said to do: click "Forgot My Password" on the login page. I did that on the web site, went through the security questions I had apparently set up Way Back When, set a new password ...and found copies of those e-mails about how my account had been compromised and that several auctions (for cars) had been canceled. So yes: my account really was compromised by someone trying to use it to steal from others. Luckily, eBay caught it, locked them out (by changing my password), canceled the bogus auctions they set up under my ID, and notified me -- presumably before anyone lost money to the scam. Kudos to eBay!

My password was, I thought, a good one: a nonsense word that means something to me, plus digits. I have no idea how my account was compromised, but I went cold when I realized something: I used a very similar password (same odd word, but different digits) for most of my accounts -- including my bank account. As you can imagine, I immediately changed all of my passwords at every place that matters. Happily, my PayPal password (PayPal is owned by eBay) was very different, and the crooks didn't get in there, too. I was lucky.

Are your passwords secure?
Are you sure? Are you willing to risk everything that you're right? There are things you can do to increase your odds dramatically, yet few actually do those things.

Your password scheme is key. Here's what my buddy Leo (the computer guru at Ask-Leo -- a good place to go for tech help) says:

Select a good password. "iLoveMikey" is a bad password. "qicITcl}" is a great password. You can see the problem though -- great passwords are hard to remember. So compromise: never include full English words or names; always include a mix of uppercase and lowercase letters and numbers; always make sure that the password is at least 8 characters long. 'Macintosh' is bad, 'Mac7T0sh' might be good, and probably easier to remember.

Importantly, any critical password should be very different from every other password you use. A friend had one of her accounts compromised, and they tried the same login/password other places -- and got into her brokerage account. She was lucky too: she didn't lose her entire retirement fund. Still, hearing her story recently didn't change my habits. Had I really listened, I may have been able to avoid this.

All of my passwords are now completely random combinations of letters, numbers, and "special" characters (&, -, and the like). How in the world can I remember them all? Keeping track of random strings of data isn't a great task for a human brain; sounds more like a job for a computer, doesn't it? So I got software -- RoboForm -- which does it for me. It only requires that you memorize one password, RoboForm's, and it remembers the rest, storing them in an encrypted file.

You could try to keep track of them in other ways. But don't be a fool and think you can use easy-to-remember (read: easy for their software to guess) passwords and get away with it forever. Spammers and other scammers would love to get hold of your money or steal your identity. They're trying hard, and there are thousands of them against you and any simple passwords you use.
Don't wait until it's too late -- when your money and identity are already stolen. Do something about it now, because thanks to their software, scammers are good guessers. RoboForm is only $30. That's cheap insurance to keep your bank accounts much safer.

One more important thing: is "phishing" a new term to you? Do you fully understand how it works, and how these slimeballs can steal your identity? If not, you really, really need to read my "Help with Spam and Phishing" site, Spam Primer -- which (no surprise) I spent a lot of time updating today. Read it and send its URL to your friends and, especially, your family. We all need to do what we can to thwart spam (especially phishing) and identity theft.
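
The weakness described above, the same odd word with different digits on most accounts, can be checked for in your own password list. The following is an added example, not part of the original article: the function names, the look-alike table and the sample accounts and passwords are all constructed for illustration.

```python
import re

# Look-alike characters mapped back to letters (assumed table for this
# example; not exhaustive).
LOOKALIKES = str.maketrans("@43!10$57", "aaeiiosst")

def stem(password: str) -> str:
    """Reduce a password to the memorised word at its core."""
    s = password.lower()
    # Drop digits/symbols bolted onto either end ("word" + "42").
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    # Undo substitutions inside the word, then drop what is left over.
    return re.sub(r"[^a-z]", "", s.translate(LOOKALIKES))

def reuse_clusters(vault: dict, min_stem: int = 4) -> list:
    """Return sorted account-name lists for passwords sharing a stem."""
    by_stem = {}
    for account, password in vault.items():
        core = stem(password)
        if len(core) >= min_stem:  # very short stems match by accident
            by_stem.setdefault(core, []).append(account)
    return sorted(sorted(a) for a in by_stem.values() if len(a) > 1)

# Constructed sample data: account names and passwords are invented.
SAMPLE_VAULT = {
    "auction-site": "Zorblat42",
    "bank": "zorblat1977",
    "forum": "Z0rbl@t!",
    "payments": "k#9Wq}x2Lm",
    "email": "Mac7T0sh",
}

if __name__ == "__main__":
    for accounts in reuse_clusters(SAMPLE_VAULT):
        print("same base word:", ", ".join(accounts))
```

Every account listed together falls if any one of them is compromised, so each needs its own unrelated password. Run a check like this only on a local copy of your own list.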
Most Recent Comments
Posted by Dave in NYC on January 27, 2009:
Two free options for password storage:
Keepass - Available for many platforms, including mobile devices
Sourceforge's Password safe.
---
I think one has to use great care in such matters, especially when it comes to protecting personal information. I've never heard of Keepass; could be fantastic, but I'd have to do research before I would trust my very identity to them. I'm cool with Sourceforge, but you typo'd the URL and it actually went to a squatter site. Imagine if they had nefarious intent! So the bottom line is, great caution is required for all software, and especially security software. Do your homework. -rc
Posted by Bryan - Northern Greece on January 31, 2009:
Connected to this, I use a system for remembering PIN numbers for cash cards/credit cards, which means I can even put a reminder on the card itself. I simply refer to a year when I saw someone come down in front of me on a parachute when I was a kid (and they broke their leg in doing so!) and another significant year in my life and then I draw a small picture of a parachute and a one letter reference to the other significant year and write + or - and the difference in years between those dates and the corresponding two-digit pair of the PIN. For example, if the parachute incident happened in 1932 (which it didn't, of course!!) and my child was born in 1922 (again, he wasn't) and my PIN number were 2751 I'd scratch or write on the card a representation of a parachute followed by -5bh+29 (bh = birth) - (19)32-5 = 27 and (19)22+29 = 51, put them together and you have the PIN, 2751. Totally comprehensible to me, but to no one else, and easily remembered however rarely I use the card. As all PIN numbers here are four-digits, it works a treat. The same can be done for computer-based passwords, simply by having in mind set alternatives for certain letters (e.g. a = @) and using place names or long words of significance to oneself.
Posted by Various Readers on February 6, 2009:
This is a composite suggestion from several readers:
---
I won't have a chance, because I don't have time to research whether I trust the company that's producing the software, and that's critical. What, I "don't have time" to ensure I have great security? No: I've already done that. I have my solution, which I recommended. So I certainly can't go out and research them all. But yes, there certainly are other solutions out there, with their own advantages and, perhaps, disadvantages. -rc