In recent months, I’ve met at least three people who have been the victim of hackers who’ve taken over their Gmail accounts and sent out e-mails to everyone in the address book.
The e-mails, which appear legitimate, claim that the person has been robbed while traveling and begs that money be wired so that the person can get home. What makes the scam even more effective is that it tends to happen to people who are actually traveling abroad—making it more likely that friends and families will be duped.
Although it’s widely believed that a strong password is one of the best defenses against online fraud, hackers increasingly employ highly effective ways of compromising accounts that do not require guessing passwords at all.
This means that it is more important than ever to practice “defensive computing”—and to have a plan in place for what to do if your account is compromised.
Malware. Sometimes called the “advanced persistent threat,” a broad range of software that was programmed with evil intent is running on tens of millions of computers throughout the world.
These programs can capture usernames and passwords as you type them, send the data to remote websites, and even open up a “proxy” so that attackers can type commands into a Web browser running on your very computer. This makes today’s state-of-the-art security measures—like strong passwords and key fobs—more or less useless, since the bad guys type their commands on your computer after you’ve authenticated.
Today, the primary defense against malware is antivirus software, but increasingly, the best malware doesn’t get caught for days, weeks, or even months after it’s been released into the wild. Because antivirus software is failing, many organizations now recommend antediluvian security precautions, such as not clicking on links and not opening files you receive by e-mail unless you know that the mail is legitimate. Unfortunately, there is no tool for assessing legitimacy.
Windows XP. According to the website w3schools, roughly 33 percent of the computers browsing the Internet are running Windows XP. That’s a problem, because unlike Windows 7, XP is uniquely susceptible to many of today’s most pernicious malware threats. Windows 7, and especially Windows 7 running on 64-bit computers, has security features built into the operating system such as address space randomization and a non-executable data area. These protections will never be added to Windows XP. Thus, as a general rule, you should not use Windows XP on a computer that’s connected to the Internet. Tell that to the 33 percent.
Kiosk computers. You should avoid using public computers at hotels, airports, libraries, and “business centers” to access webmail accounts, because there is simply no way to tell if these computers are infected with malware or not. And many of them are running Windows XP. So avoid them.
Open Wi-Fi. Wireless access points that don’t require an encryption key to access don’t protect your data as it transits through the air. This means that your username and password can be “sniffed” by anyone else using the access point as well. I haven’t been able to find any reports of malware-infected laptops running sniffers at coffee shops, but it’s really just a matter of time. The only way to protect yourself is to be sure that the websites and e-mail servers you use employ SSL (“https:”) for everything, not just logging in.
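Why “SSL for everything, not just logging in” matters: a site that encrypts only its login page still sends the session cookie it issued over plain HTTP afterwards unless that cookie carries the Secure attribute. This added example (not code from the article) audits a constructed HTTP response for cookies that a sniffer on an open access point could capture.

```python
# Constructed HTTP response (not from the article): the login was over https,
# but the session cookie SID lacks the Secure attribute, so the browser will
# also attach it to every later http:// request on the same domain.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SID=a1b2c3d4e5; Path=/; Domain=.example.com; HttpOnly
Set-Cookie: csrftoken=f6g7h8; Path=/; Secure; HttpOnly
Set-Cookie: prefs=lang%3Den; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT
"""


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, attributes).

    Attribute names are lower-cased; value-less flags such as Secure and
    HttpOnly map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        if "=" in attr:
            key, value = attr.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif attr:
            attrs[attr.lower()] = True
    return name, attrs


def sniffable_cookies(raw_response):
    """Return the names of cookies set without the Secure attribute.

    These are the cookies a browser sends over unencrypted connections, which
    is exactly what an "SSL only for login" site hands to anyone sniffing an
    open Wi-Fi access point: the session cookie alone is enough to act as you.
    """
    findings = []
    for line in raw_response.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line.split(":", 1)[1])
        if "secure" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    print(sniffable_cookies(SAMPLE_RESPONSE))  # ['SID', 'prefs']
```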
Man-in-the-middle attacks. An attacker on those same open Wi-Fi networks can also capture your password using a variety of so-called man-in-the-middle attacks, in which your computer sends information to the wrong website, which, in turn, passes it along to the correct one—so that the communication channel seems fine.
Man-in-the-middle attacks are especially easy over Wi-Fi, but they can take place anywhere on the Internet. Man-in-the-middle attacks can also be implemented through malware. Here even SSL is not enough—you need to be sure that the certificate of the SSL-enabled website is legitimate (a forged certificate will tell your browser that it’s connecting to the right site using SSL). Most people also ignore certificate mismatch errors.
Phishing scams. Surprisingly, a fair number of users still fall for phishing scams, in which they voluntarily hand over their username and password to a malicious website. Typically users end up at these sites when clicking on a link they receive by e-mail.
Different website, same password. Finally, many websites (including major newspapers and magazines) require that you set up an account with an e-mail address and a password in order to access their content. Don’t use the same password that you use to access your e-mail—otherwise the website owners (and anyone who hacks that website) will be able to take over your other accounts, including your e-mail.
What happens if you follow all of these precautions and your e-mail account still gets compromised?
Here are some ideas:
Be an authentication pioneer. Google, E*Trade, and other firms have deployed systems that allow you to augment passwords with your cell phone or a handheld security token. Although these systems can be defeated with malware, they are still more secure than passwords alone. Currently you need to opt in to these systems. If you care about your security, you should be a pioneer and give them a try.
Be prepared. Google, Facebook, Apple, Amazon, and others allow you to take proactive security measures to protect your account in the event that the password is compromised. This includes registering alternative e-mail addresses, registering cell phone numbers for backup authentication, and providing answers to “secret questions.” Unfortunately, you have to do this before your account gets hacked, not after.
Be alert. Facebook allows you to provide a cell phone number that gets an SMS message whenever someone logs in using a different browser. This is a simple, effective way to monitor when someone other than you accesses your account. If your account is accessed, you’ll be in a race to change your password before the attackers do.
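The “different browser” alert above amounts to keeping a per-user set of known browsers and flagging any successful login from one not seen before. Added example, not Facebook’s code: the login records below are constructed, the user-agent string is the only device signal used, and the records are assumed to arrive in time order.

```python
# Constructed login records in time order (not taken from the article).
LOGINS = [
    {"user": "alice", "ua": "Firefox/10 Mac", "ip": "203.0.113.5", "ts": "2012-01-03T08:01"},
    {"user": "alice", "ua": "Firefox/10 Mac", "ip": "203.0.113.5", "ts": "2012-01-04T09:12"},
    {"user": "alice", "ua": "Firefox/10 Mac", "ip": "198.51.100.9", "ts": "2012-01-05T19:40"},
    {"user": "alice", "ua": "IE/8 Windows XP", "ip": "192.0.2.77", "ts": "2012-01-06T03:22"},
    {"user": "bob", "ua": "Chrome/16 Windows 7", "ip": "203.0.113.8", "ts": "2012-01-06T07:00"},
]


def new_browser_alerts(logins):
    """Emit one alert each time a user logs in from a browser (user-agent)
    not in that user's known set.

    A user's first login only enrols the browser. Every later unknown browser
    alerts and is then added to the set, so a given browser alerts once; the
    owner is still told about each distinct new browser, which is the race
    signal the article describes. A changed IP alone is not alerted here,
    because travelling users change networks far more often than browsers.
    """
    known = {}
    alerts = []
    for rec in logins:
        seen = known.setdefault(rec["user"], set())
        if seen and rec["ua"] not in seen:
            alerts.append({"user": rec["user"], "ts": rec["ts"], "ua": rec["ua"],
                           "ip": rec["ip"], "known": sorted(seen)})
        seen.add(rec["ua"])
    return alerts


def format_sms(alert):
    """The short message the account owner would receive on their phone."""
    return ("New login to {user} from {ua} ({ip}) at {ts}. "
            "Not you? Change your password now.").format(**alert)


if __name__ == "__main__":
    for alert in new_browser_alerts(LOGINS):
        print(format_sms(alert))
```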
Maintain multiple accounts. Don’t put all of your eggs in one basket! Have accounts at multiple e-mail providers—and accounts at multiple financial institutions for your money, as well. That way, when you get hacked, at least you’ll have a backup.
Keep offline copies. Finally, don’t keep the sole copy of your precious data at some cloud provider—download your data to your home computer, then burn it to disc or copy it to a disconnected hard drive. That way, even if you lose your online access, at least you’ll have a copy.
Simson L. Garfinkel is an author and researcher in Arlington, Virginia, who focuses on such topics as computer forensics and privacy. He is a contributing editor at Technology Review.