We (should) all know the importance of password security, yet a staggering proportion of people still don’t have adequately strong passwords for their important data, be it email accounts, online shopping sites or, at worst, internet banking.
The banks realised some time ago that letting people be responsible for the security of their online bank accounts was a huge point of failure, so virtually all now employ some sort of card-reading device that requires the card PIN and then provides a one-time code to use to log in. This makes for a far more secure system.
I recently heard a story, though, which has prompted me to write this article, to ram home yet again the need to have:
- secure, strong passwords
- secure storage of these passwords (if you can’t keep them in your head)
- different passwords for different sites
I was recently meeting with a client who told me how her personal and business life was severely affected by a single compromised password.
The client in question had a single, weak password for several of her online accounts. Not her online banking, because, as mentioned previously, that is thankfully secured by a system that cannot be ‘guessed’. At some point her email account password was obtained. It doesn’t matter how: it could have been a brute-force dictionary attack (yes, it was a single word), or someone could have obtained very limited knowledge about her (yes, it was her daughter’s name). But unlike trivial hacking, where the attacker sends huge amounts of spam from your account or changes the password to lock you out of your own account, this attacker gave no visible indication that her account had been breached.
This attacker simply cloned her email, by which I mean they set up her email to forward a copy of every message to another account. Then, by watching her emails, they saw where she had online accounts and accessed them. If the password was different, they had a password reset email sent through and reset it (deleting the reset email so she had no idea). They made purchases of several items that didn’t require physical delivery – software downloads, music and video downloads, electronic gift certificates. Fortunately, after a short while this was picked up by her card company and much of it was refunded or cancelled, after which she had to go through the rigmarole of replacement cards being sent out.
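The two mailbox changes described above (a silent forward of every message to an outside address, and deletion of password reset emails) are exactly what a periodic audit of inbox rules should flag. The following is an added example, not code from the original article: it uses a simplified, constructed representation of inbox rules (the `InboxRule` fields are assumptions, not any provider’s real API) and reports any rule that forwards outside the owner’s domain or deletes account-recovery mail.

```python
import re
from dataclasses import dataclass, field

# Simplified, constructed representation of a mailbox's inbox rules.
# Real providers expose these through their own admin APIs or exports;
# the field names here are assumptions made for this example.
@dataclass
class InboxRule:
    name: str
    forward_to: list[str] = field(default_factory=list)  # addresses that get a copy
    delete: bool = False                                  # delete matching mail
    subject_contains: str = ""                            # subject filter condition

# Wording typical of account-recovery mail that an intruder would want hidden.
RESET_PATTERN = re.compile(r"password|reset|verify|verification|security code", re.I)

def audit_rules(rules, owner_domain):
    """Return (rule name, finding) pairs for suspicious inbox rules.

    Flags: (1) any rule forwarding to an address outside owner_domain,
    (2) any rule that deletes mail whose subject filter matches
    account-recovery wording, as in the story above.
    """
    findings = []
    for rule in rules:
        for addr in rule.forward_to:
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain != owner_domain.lower():
                findings.append((rule.name, f"forwards to external address {addr}"))
        if rule.delete and RESET_PATTERN.search(rule.subject_contains):
            findings.append((rule.name, "deletes account-recovery mail"))
    return findings

# Constructed sample: one benign rule and two rules of the kind described above.
SAMPLE_RULES = [
    InboxRule("Archive newsletters", subject_contains="newsletter", delete=False),
    InboxRule("Copy", forward_to=["backup.mailbox@example.net"]),
    InboxRule("Cleanup", delete=True, subject_contains="password reset"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES, "example.com"):
        print(f"{name}: {finding}")
```

A forward to an address within the owner’s own domain is not reported, so internal copies (for example to a colleague’s mailbox) do not create noise.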
But there was an added deviousness to this attacker – they started replying to her emails. One day her business website simply shut down. When she queried it with the hosting company, it turned out “she” had replied to the renewal email confirming she no longer required it and requesting that everything be immediately deleted. The site was recovered and put back online, but there was a lot of expense involving the hosting and web design company to get everything restored, not to mention the loss of sales her now non-existent e-commerce website suffered.
Finally, she received confirmation that the table she had reserved at her favourite restaurant for her and her husband’s wedding anniversary meal had been cancelled, as “she” had requested by email.