So many logins to keep track of. You can use a handful of strong passwords across all your accounts but if somehow one gets figured out, your entire networked life could be at risk. But by creating an easy-to-remember pass phrase that uses part of the website’s name it its construction, you have a unique strong password for every account you have without ever even writing any of them down. [More]
If you spend a lot of time online, you’re probably aware of phishing scams and know what to look out for. In other words, you’re not one of those ignorant types who clicks on links and starts entering personal information without hesitation. Writer and blogger Cory Doctorow is what you might call hyper-vigilant–he keeps unique passwords, uses a VPN when going online in public, and generally knows not to trust strangers. Still, he got phished a couple of weeks ago. [More]
Wilson is switching from Sprint to T-Mobile and fielded an unusual, off-putting request from a T-Mobile CSR: “Please provide your password.” Wilson refused and wonders aloud whether or not it’s kosher to make such an indecent proposal. [More]
Twitter is looking out for you. When you register, in addition to telling you how strong or weak your password is, there are also certain passwords that are forbidden. These include “computer,” “twitter,” and “vagina.” [More]
William wrote to us this weekend to point out how little Microsoft does to fight phishing attacks on their hugely popular Xbox LIVE network. It’s unfortunate they don’t take this sort of crime more seriously, since so many kids—who by all rights should have less experience with phishing—are on Xbox LIVE. Below is what two different Xbox CSRs told William when he contacted them to complain about phishing attacks.
We’re no longer indignant about Amex’s weirdly lax security policies anymore, we’re just confused. Why would a major credit card company cold call new customers and insist they give up bank and address info over the phone, or email sensitive data to strangers? Or, we just learned, demand that you use a lame password that isn’t case sensitive, is only 6 to 8 characters long, and can’t contain special characters?
Jonathan wanted to opt out everyone in his family from direct marketing campaigns, something the DMA promises is possible via their website. Surprise! It turns out the DMA doesn’t really care so much about whether or not you want to be taken off any mailing lists, and they have a rotten website and poor security protocols to prove it.
We’re not sure why a company would bother with offering a password feature on their customer accounts if they disable them without warning 3 months later as a matter of policy, but that’s how Southern California Gas Company rolls. Does it really matter, you ask? It might if you’re a victim of domestic violence.
Andy logged in to Gmail on Sunday, and his friend Jeff started to chat with him. Things seemed a bit off, but Andy really became suspicious when Jeff asked him to wire $500 to an injured friend in Nigeria. The real Jeff, of course, was off playing XBOX and has no friends in Nigeria. Like the scammers hitting up people’s friends for money via Facebook, thieves can log in to your e-mail and chat accounts, pretending to be you.
We’ve posted before about security keys—those little digital keyfobs that generate expiring security codes over and over and make it incredibly hard for someone to gain unauthorized access to your account. They’re a great idea, and now if you own an iPhone you can install a Verisign app that will work with Paypal and eBay, as well as about two dozen lesser known sites. It’s probably the easiest step you can take to vastly improve security on those accounts.
Everyone knows that one of the best ways to protect yourself from online security disasters is to use a different password for each account. But do you do it? Probably not, because at first glance it looks like an unreasonable burden, having to either remember dozens of unique passwords or having to keep them all written down somewhere (which in itself is a security risk). The website ideashower.com offers a simple way to create a unique, easy to remember password for every account.
The New York Times has reported that a list of over 8,000 Comcast user name and passwords were available to the public via Scribd for two months, before a Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it looks like the result of a phishing scam and isn’t an inside job, and that there are so many duplicate entries on the list that it’s closer to 4,000 customers.
Dear DVD Planet, you might want to sit down with the person who designed your customer account system and have a long talk. You know, about things like data security. After we posted this story yesterday about an Amazon shopper who was surprised to find you’d automatically created a barely secure account in his name with his data, another reader—this time a former eBay customer from nearly two years ago—decided to check whether you’d done the same thing to her. Yep! And the password was “Ebay.”
Joel says when he ordered a disc from DVD Planet via Amazon, the company automatically created an account for him on their website. The problem is that the default password they used was so easy to guess that he figured it out on the second try, and he suspects it’s the same password they use on every account. Once you guess it, you can see the customer’s past orders and credit card billing address. When Joel contacted them to have the account removed, he was told that wasn’t possible.
Last Friday, Monster.com announced that their database had been attacked, and that account names, passwords, email addresses, and phone numbers had been stolen. Unfortunately, they haven’t sent out email alerts to anyone—they just put the announcement up on the security section of their site. As our tipster Erica points out, “Given people’s tendencies to reuse passwords on multiple sites (BAD!), that they aren’t actively emailing and informing members of this breach is quite irresponsible.”
BoingBoing has the 500 worst passwords. We’ll sum it up: if your password is password, 123456, or 696969, say goodbye to your identity.
The ease with which a student was able to reset Sarah Palin’s Yahoo email password highlights a vulnerability of so-called “challenge questions” designed to verify your identity: if the questions are about personal details from your life, there’s a risk that somewhere out there on the web, that info is visible to the public. That might be a realistic risk only for public figures, but it’s also possible that friends or family members could answer your questions with a little guesswork. If you want better security, make up fake answers that you’ll remember.
All the security in the world can be rendered useless by human error, it seems. Marko Karppinen, a software designer, says Apple gave his password to someone who simply emailed them and asked for it.