Your Email Has Been Hacked… Just Yawn??

Another friend’s Yahoo email account was broken into this morning.

[Image: the phishing link in the email]

My clue was that he sent me an email at 4:11 am.  And, the only content of the message was a link to a page on the Internet that runs a PHP programming script.

The message was sent to me, his sister, his ex across the continent, and bunch of other people I don’t know.  The email had a long TO: list that looked like a random group of emails from my friend’s address book.

So, another person’s email account was compromised.  Probably hackers went through and guessed his password.  Or, maybe his email address and password were stolen from another site that had been broken into. Do we, or he, care?

The recipients of the email shouldn’t worry, as long as they don’t click on the link and visit the site in Latvia (.lv).  I am sure that waiting on the .php destination page there is a malicious script that will try to infect the computer of any visitor that goes there.  Even so, you’d probably have to also click on a confirmation box to run a program before you got into trouble.  If you receive an email like this, you’re okay so long as you delete it without clicking on any link.

My friend, however, has a few worries:

  1. First, he needs to stop the damage.  He should go to Yahoo and try to regain control of his account.  If the bad guys are nice, they didn’t change the password. He can log into Yahoo and pick a different, stronger password. Some bad guys are not so nice.  They will change the email password so that you’re locked out of your own email account.  In that case, you’ll need to contact Yahoo (or whoever owns the hacked site) and ask them to help.
  2. The bad guys controlled/control his email account for a while.  If they are truly evil, their programs visited all of the major banks, credit card companies, online stores, investment houses, etc.  They typed in my friend’s email address, saying that they had lost their password. Many stores and financial institutions responded with an email link to reset the password.  The bad guys, who had access to the Yahoo email account, clicked on the reset password link, created a new password, and gained control of my friend’s financial resources.  My friend should go to every place he used the Yahoo address and enter a different email address for the account. He should also look over recent transactions to make sure his account hadn’t been compromised.
  3. The bad guys could go to every online store, and see if the combination of the email address and Yahoo password logged them in.  If my friend reused that password anywhere where he also used the Yahoo email address, that account is vulnerable.  My friend should change the password everywhere he used the same credentials he used for his Yahoo email account.
    He should also look over recent transactions to make sure his account hadn’t been misused.

You should use unique passwords for every site, especially sites like banking or ordering sites which remember your credit card number.  When you use unique passwords, if a site is broken into you have to change your password for that one site.  If you share passwords among sites, you have to change that password on every site it’s used when it’s compromised on any of the sites.  — from a post about Kickstarter being hacked

My earlier post recommends that you sign up for the free password management program, LastPass.  I am going to suggest, really suggest strongly, that my friend do that today!
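Item 3 above asks which other accounts are exposed once one site’s credentials leak. The check below is an added example, not code from this post or from LastPass: it walks a constructed password-manager export (site, username, password), reports every password used at more than one site, and, for a given breached site, separates the accounts that accept the very same login from those that merely share the password.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of a password-manager export: site -> (username, password).
# These entries are invented for illustration; a real export is sensitive data.
VAULT: Dict[str, Tuple[str, str]] = {
    "mail.example.com":   ("pat@example.com", "Summer2013!"),
    "shop.example.net":   ("pat@example.com", "Summer2013!"),
    "bank.example.org":   ("pat@example.com", "Summer2013!"),
    "forum.example.io":   ("pat_j",           "Summer2013!"),
    "tickets.example.co": ("pat@example.com", "q7#Lp2vZ!m9Rt4Wx"),
}


def reused_passwords(vault: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each password that appears at more than one site to the sites using it."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for site, (_user, password) in vault.items():
        groups[password].append(site)
    return {pw: sorted(sites) for pw, sites in groups.items() if len(sites) > 1}


def sites_to_change_after_breach(vault: Dict[str, Tuple[str, str]],
                                 breached_site: str) -> Dict[str, List[str]]:
    """Given that breached_site's username and password are known to an attacker,
    list the other sites that must have their password changed.

    same_login:         same username AND same password, so the stolen pair logs
                        straight in (the case item 3 above describes).
    same_password_only: different username but the same password; still change it,
                        since the password itself is now known.
    """
    user, password = vault[breached_site]
    same_login: List[str] = []
    same_password_only: List[str] = []
    for site, (u, p) in vault.items():
        if site == breached_site or p != password:
            continue
        (same_login if u == user else same_password_only).append(site)
    return {"same_login": sorted(same_login),
            "same_password_only": sorted(same_password_only)}


if __name__ == "__main__":
    print("Reused passwords:", reused_passwords(VAULT))
    print("Change after mail.example.com breach:",
          sites_to_change_after_breach(VAULT, "mail.example.com"))
```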

Kickstarter Hacked — User Data Stolen

[Image: Kickstarter email sent February 15, 2014]

I just received email from Kickstarter warning us that bad guys had hacked their site and stolen user data.

Kickstarter is doing the responsible thing by notifying its users, and it’s reassuring that credit card data was not taken.

The one gotcha is that encrypted account passwords were stolen.  Kickstarter says that with enough time, the bad guys could break the encryption, copy your password, and try signing on to other sites on the Internet using your email address and the de-crypted password stolen from Kickstarter.

Fortunately, if Kickstarter used reasonable encryption technology, it’s not likely that bad guys would be able to easily or quickly break the encryption and get your password in a readable form.  But, Kickstarter’s message provides a concrete example of the security mumbo-jumbo we are given every day.

  • You should use unique passwords for every site, especially sites like banking or ordering sites which remember your credit card number.  When you use unique passwords, if a site is broken into you have to change your password for that one site.  If you share passwords among sites, you have to change that password on every site it’s used when it’s compromised on any of the sites.

Remembering and managing passwords can be a pain, I know. The solution is to use a password management tool that learns and remembers your passwords as you type them online.

I use LastPass, and recommend it highly. The basic service is free, and the premium features are $1/month.

LastPass has browser plugins for Chrome, Internet Explorer, and Firefox… the browsers I use.  They have plugins for other browsers, too. These plugins watch for me to enter usernames and passwords, and they ask me if LastPass should remember the data. If I say yes, LastPass stores the information securely, and I can have LastPass enter the username and password for me next time I visit the site.

Moreover, the information LastPass captures in Chrome is available to me in Firefox and on other computers.  I just sign on to LastPass when I start my browser and all of my usernames and passwords are available for retrieval.

As far as my Kickstarter password, it was a unique nonsense series of numbers, letters, and special characters which was itself generated by LastPass. I am feeling very smug.  I logged on to Kickstarter, had LastPass generate a new password there, and was done.

So, if you are a Kickstarter user, go to their site and change your password.  Maybe start using LastPass while you do it!  And, if you used the Kickstarter password at other sites, then definitely visit all those sites and replace the common password with the random bits that LastPass will generate.

Don’t Let Your CAPTCHA Get in the Way of Your Business

[Image: CAPTCHA examples from LastPass forums]

More and more sites are using CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) to keep spammers from registering on web sites, from posting phony comments on blogs, and from generating in-bound breast enhancement messages on forms.

I approve of CAPTCHAs in general because they are simple for site users and they cut down on bogus messages, both those publicly posted and those sent to the business owner from a form.

But, enough!

CAPTCHAs are not going to be 100% effective against determined spammers, and efforts to increase the effectiveness of the CAPTCHA test have crossed the line into driving visitors away from doing useful business on some sites.

The CAPTCHAs on the right are full-size copies of ones I copied from my screen this morning when I was registering for a forum on the LastPass web site.  Once I completed the registration form, I would be sent a confirming email to activate my account — another validation step to prove my humanness.  But, I couldn’t get the CAPTCHA right in my first 6 tries.

But, look at these images!  LastPass is doing more than protecting itself from automated comments in its forums, it is driving away real-life users.

These CAPTCHAs are simply too difficult to read.

  • The colored characters are too well camouflaged by both the background color and background pattern.
  • The characters are ambiguously drawn.  8’s and B’s, numeric 0’s and alpha o’s are possible answers for some of the drawings. How is the user supposed to know which o/0 to choose?
  • There are a variable number of characters in the images.  This makes me wonder if the CAPTCHA-generating routines were working, or if some of the CAPTCHAs are simply faulty and impossible to answer.
  • These CAPTCHAs are particularly hostile to people with vision problems.  I am not colorblind, but the use of red and green images is plain nasty.  And, unless you blow up your screen, the images are sized for the eyes of the young.

LastPass provides great functionality and responsive customer service, but they’ve joined so many organizations in over-CAPTCHAing their web sites. And, they are far from the worst offenders.

Craigslist is at the top of my list of CAPTCHA-crazy sites.

Admittedly Craigslist is a very juicy target for spammers and outright criminal frauds.  But, their CAPTCHAs are ridiculous.
[Image: CAPTCHAs from Craigslist]
The images on the right are ones Craigslist offered to me this afternoon when I was going to post an event for my church — information about the Sunday service.

Before seeing these images, I had to register with Craigslist. Registration includes providing them with:

  1. An email address which they validate.
  2. A telephone number which they contact with a validation code. The automated message from Craigslist comes into my phone and gives me a numeric PIN which I have to type into a validation page on the Craigslist web site.

So, with Craigslist, I have to have an active account with a checked email address and a validated telephone number.  THEN every time I want to post an event, I have to type in a CAPTCHA.

And, look.  Some of the CAPTCHAs have foreign-language characters. Others are too blurry for me… maybe an automated character recognition program could read and type in what’s presented by Craigslist, but I can’t!

Time for Dangerous Common Sense for CAPTCHAs

CAPTCHAs are intended to make sure real humans are filling in the forms. But, soon only the character-recognition programs will be able to decode what the CAPTCHA-generating programs have created.

It’s nuts.

Designing your web site for determined crooks is not good business!  Focusing on the crooks will cost your web site legitimate business.  Pass it on!