Sunday, September 19, 2010

Recovering from Nigerian Hackers...

In the last few days, my father-in-law and wife's web-based email accounts were compromised.

In each case, the attacker utilized an IP address originating from Nigeria, obtained access to the account, and proceeded to send an email to all contacts purporting to be in the UK, in a stressful situation, and needing money to avoid further stress. They then proceeded to delete all of the contacts in their contact lists.

Kristen was able to regain control of her Google account in a little over two hours -- which let us find that the attackers were forwarding her incoming mail to a phantom @ymail.com account and had changed her security questions. She was also briefly locked out of Facebook, which had shared authentication credentials with her Gmail account.

My father-in-law was only able to regain access to his Hotmail account after a little over two days of frustrating email and forum exchanges with Microsoft. He found that things were similarly infested once he regained control: changed security questions, mobile accounts registered for password resets, etc. -- fortunately, no email relaying on his part.

He's now migrating to Gmail, mainly out of disgust for his experience with Microsoft during the stressful time of account compromise.

After apologizing to everyone, and fielding many, many phone calls from people who were wondering how Kristen got into the UK in the first place, much less into trouble (!) the damage appears done, and we are recovering.

It really was a wake-up call, though -- there's a lot of personal information that can live in one's email account, and a lot of damage can be done to one's reputation if unauthorized people access it and spam one's contacts. Things get worse if one's authentication credentials (i.e. passwords) are shared across multiple sites.

If you're like me, you probably do share passwords, because a) passwords are hard to remember, especially cryptographically strong ones and b) people tend to be lazy. Of course, this multiplies the damage that can be done if a password is compromised.

In light of this event, I decided to migrate to a managed password solution: LastPass. More on that later, as I continue to evaluate it. Suffice to say for now that I'm very impressed, and appreciate the Gibson-esque TNO ("trust no one") security model it employs. I first heard about it on Security Now! episode 256, which introduced the concept and this particular solution to me.
