Monday, March 15, 2010

Go Phish

The other Inkers here and some of our other regular readers already know my Facebook and Gmail accounts were hacked last week. A whiny, poorly written email went out to everyone in my address book saying I'd been mugged in London and needed money.

In fact, you're probably pretty tired of hearing about it. I don't blame you.

Mother necessity is a wonderful taskmaster, though, and after setting things more or less to rights, I did a little research. The first thing I discovered was that I was incredibly lucky.

  • I was online and could respond quickly. When my chat window opened and "I" started chatting with other Facebook folks, I sent out a status update telling everyone to ignore all chat requests and messages from "me" for a while.
  • The scam is well known. Facebook and Google responded very quickly to my reports. Facebook suspended my account before the hackers started sending messages to all my Friends, and only a few people got the weird chat thing.
  • I more or less remembered when I had started my Gmail account. It's one of the things they ask, and if you're way off they won't help you reset your password.
  • The hackers didn't seem interested in actually stealing my identity, just this single-minded phishing scam.
  • My email accounts forward to one another. The hackers put a filter on the hijacked account to hide all responses to the initial phishing email. However, even when I couldn't get into my Gmail account, those emails were being forwarded to another account so I could see everything going on.
  • When I regained control over my Gmail account I checked all the forwarding options and found a new one, to a yahoo account that looked like me -- but wasn't. DELETE.
  • All my financial, banking, paypal and online ordering is done out of a totally separate account that has no connection whatsoever to any social networking sites.
  • Everyone was so incredibly nice and supportive.
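The hidden filter and the added forwarding address are both visible in the account's own filter and forwarding settings, and they are the things to check first after regaining control. As an added example that is not part of the original post, here is a small Python audit of an exported Gmail filter list; the sample XML is constructed in the shape of Gmail's filter export, and all addresses in it are made up. It flags filters that silently bury matching mail or forward it to an address you did not set up yourself.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample: a benign newsletter filter, a filter that trashes replies
# to the scam email, and one that forwards mail to a lookalike address.
SAMPLE_FILTERS = """<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:apps="http://schemas.google.com/apps/2006">
  <entry>
    <apps:property name="from" value="newsletter@example.com"/>
    <apps:property name="label" value="Newsletters"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
  <entry>
    <apps:property name="hasTheWord" value="mugged in London"/>
    <apps:property name="shouldTrash" value="true"/>
    <apps:property name="shouldMarkAsRead" value="true"/>
  </entry>
  <entry>
    <apps:property name="to" value="me@example.com"/>
    <apps:property name="forwardTo" value="me.lookalike@yahoo.example"/>
  </entry>
</feed>"""

MATCH_KEYS = ("from", "to", "subject", "hasTheWord", "doesNotHaveTheWord")

def parse_filters(xml_text):
    """Return one {property: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value")
             for p in entry.findall("apps:property", NS)}
            for entry in root.findall("atom:entry", NS)]

def audit_filters(xml_text, known_forward_addresses):
    """Return (filter_number, reason, match_criteria) for each suspicious filter."""
    findings = []
    known = {a.lower() for a in known_forward_addresses}
    for n, f in enumerate(parse_filters(xml_text), 1):
        criteria = {k: f[k] for k in MATCH_KEYS if k in f}
        forward = f.get("forwardTo")
        if forward and forward.lower() not in known:
            findings.append((n, "forwards to unknown address " + forward, criteria))
        if f.get("shouldTrash") == "true":
            findings.append((n, "deletes matching mail on arrival", criteria))
        elif (f.get("shouldArchive") == "true" and f.get("shouldMarkAsRead") == "true"
              and not f.get("label")):
            findings.append((n, "hides matching mail without a label", criteria))
    return findings
```

Pass in only the forwarding addresses you set up yourself; anything else that turns up in the findings is worth deleting and investigating.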

I also ran across a few things to help avoid hackers in the future -- standard wisdom, things I'd ignored at my own peril, and a few completely new suggestions.

  • First and foremost is have a complicated password, and have a different one for every account. That should go without saying, but it doesn't. Complicated means twelve characters or more, with upper and lower case letters, a number or two, and a symbol or two. Plus -- don't use dictionary words, the names of gods/goddesses or popular fictional characters (sob!). Yes, this makes those passwords really long and ugly and hard to remember. It's worth it.
  • Change your passwords at least every three months. No more twice a year for me.
  • Have a separate email account associated with Facebook, Twitter, and other social networking sites that forward activity to your inbox. This, too, is a pain. However, I'm going to pretend that it'll help me compartmentalize online promotion from writing.
  • Of course you should never log into financial accounts from public computers. Key loggers abound for the sole purpose of getting your logins and passwords. But you also shouldn't log into email or social networking sites from Internet kiosks, coffee shop computers and the like.
  • If you see any indication of hanky panky in your email, change your password at once.
  • A lot of phishing scams get your login and password information by asking for it. Never respond to an email asking you to verify login information, or directing you to a site where you can verify login information.
  • Avoid games and apps on Facebook, as they are often gateways for hackers, and spread virally from player to player. Maybe now people will forgive my complete disinterest in Mafia Wars and Snowball Fights.

And yet, despite that disinterest and my refusal to click on links unless I knew what they were, someone weaseled in. It could have been so much worse, but still -- it seems like there should be more we can do.

I'm not alone in this experience. Anybody have stories to share? Suggestions to add to those above?
