Be Vigilant: Phishing Works

A friend writes:

I received an email from a colleague this afternoon. She uses Google Drive to send big files. The email said, “Barbara is trying to send you a file too big for email. Please sign into Google Drive.”

Not thinking that I was already signed in, I clicked and signed in, and even gave my phone number. It only took a min for me to realize what happened when I was taken to an art gallery. So I’m changing everything, all credit and bank and passwords, etc.

But I’m guessing they could have sucked every bit of data out of all my Google info in a couple of minutes. Oy vey…

It’s such a horrific — and tragically common — story these days. My friend has made the right move: Changing all his passwords, especially for all the major accounts such as Facebook, Apple, and Google, should secure him for the time being. Also, I think making sure you’re subscribed to a credit-monitoring bureau, and alerting them to such a happenstance, would be beneficial.

So just to make sure you know: Using a password manager such as 1Password [affiliate link], Dashlane, or LastPass helps immensely in these situations. You can use 1P to change all your passwords much faster than doing it manually, ensuring they’re all different and superlong. I even use 1Password to help me store the fake answers I create for the security questions.

J2 News: Prevent Someone From Becoming You

If you got my last newsletter, you know that this is the year when we all — the whole internet-using universe — become targets for bad hackers. We’ve already learned how they will try to get at our Macs. Now we need to look at how our online accounts and identities are vulnerable. Please at least read the first section, on passwords.

Got GSP? Picking a Good, Strong Password

You know how, recently, you might see a spate of emails from a friend that you know are junk — invitations to off-shore pharmacies and the like? And then that same friend emails everyone in his or her address book, to the effect of, “Sorry, someone hijacked my email!”?

Well, that happened because your friend had a password that was too simple, too easy to crack, and someone cracked it and took control of the mailbox.

This intrusion is not just an inconvenience to your friend and the people in their inbox. If someone has your email password, they can get passwords to ALL of your other online accounts, including possibly banking. And hackers make money — more than you might think — by acquiring access to things like passwords, online accounts, credit card numbers, etc. (Hackers commit other kinds of crimes, too, but let’s continue.)

How do they do it? I’m not a hacker, but I can abstract it: The bad guys have their computers scan the internet for, say, @gmail.com addresses. Then they point other software at the Gmail servers, and run software to try to log in to known accounts by guessing all the possible password permutations. Unless you’re famous and being specifically targeted, they’re not researching the names of your kids and pets. They just run through the dictionary, and common names, and number sequences (e.g., “1234”), and their bots work really fast. If your password is more simple than what I’ve outlined below, they can guess it.

Here’s a real disconcerting site, which I found by googling “crack gmail password.” There are others.

So, I’ve already posted this, but it’s well worth restating:
Please — as in, umm, now — please create a Good, Strong Password for your email and any other important online accounts.

A Good, Strong Password contains:

  • at least 10 characters of both letters and numbers
  • at least 1 capital letter, preferably in the middle
  • at least one non-alphanumeric character, preferably in the middle
  • no recognizable names or words.

Microsoft words their recommendations slightly differently, and offers one tip for creating a password. I like their suggestion of choosing a memorable phrase and building the password from there. I even think that choosing a full sentence with capitals and punctuation might be a good way to remember the password; a bunch of recognizable words would be safe-ish. I also like passwords that are easy to type, as long as they don’t contain keys in order, such as “fghj.” Here are some other tips.
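Here is one way to check a candidate password against the list above, plus the “keys in order” tip. This is an added example, not code from any of the services mentioned; the word list is a tiny constructed sample, the look-alike substitution table is an assumption, and “in the middle” is read as “not the first or last character.”

```python
import re

# Constructed sample list; a real check would load a full dictionary and name list.
SAMPLE_WORDS = {"password", "dragon", "monkey", "barbara", "summer", "letmein"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo common look-alike substitutions before the word check (assumed mapping).
LEET = str.maketrans("013457@$", "oleastas")


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` neighbouring keys from one row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for keys in (row, row[::-1]):
            if any(keys[i:i + run] in low for i in range(len(keys) - run + 1)):
                return True
    return False


def contains_word(pw, words=SAMPLE_WORDS):
    """True if a listed word appears as typed or after undoing substitutions."""
    low = pw.lower()
    plain = low.translate(LEET)
    return any(w in low or w in plain for w in words)


def check_password(pw):
    """Return the rules pw breaks; an empty list means it passes all of them."""
    problems = []
    inner = pw[1:-1]  # "in the middle" is read here as: not first or last
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("needs both letters and numbers")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    elif not re.search(r"[A-Z]", inner):
        problems.append("capital letter only at the start or end")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no non-alphanumeric character")
    elif not re.search(r"[^A-Za-z0-9]", inner):
        problems.append("non-alphanumeric character only at the start or end")
    if contains_word(pw):
        problems.append("contains a recognizable name or word")
    if has_keyboard_run(pw):
        problems.append("contains keys in keyboard order")
    return problems
```

Note that “Password1!” ticks the length, capital, number and symbol boxes and still fails three checks, which is exactly the pattern guessing software tries first.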

I have met every different kind of personality when it comes to creating and remembering passwords. And believe me, I have every sympathy for people who feel they have more important things to do with their brains. Unfortunately, we have come to a time when, from here on out, you either keep your digital stuff locked tight, or you get your life messed with.

Keeping Track

The natural question that follows is, how do I keep up with all my passwords? Fortunately, your Mac has an excellent built-in device for this, called the keychain. Several software packages are also available for Macs and PCs. Check out my full write-up on the keychain and other options.

Do the It’s-Really-Me Two-Step

There is another method to lock your ID even tighter. It’s called “two-factor” or “two-step” authentication. Not every service offers it, and I won’t lie and say it ain’t for those who like to keep technology simple. But Google has rolled it out, even to their free accounts, and it is as smooth as I could expect something like this to be.

You dance the Google two-step like this: When you sign into a new computer — or every 30 days on your usual computers — besides accepting your password, Google sends you a text message with a code. You have to enter that code on the Google web site to continue.

[Image: Google two-step verification]

Also, for all your other apps that access your account, such as an email or calendar program, Google will generate a single-use “application” password that you only have to enter once; it will get stored by your computer or phone, and if said device gets stolen, you can revoke permission.

“Gosh, this sounds like fun!” you’re saying. You can’t wait for us to come over and show you this awesome new computery thing. Just wait! There’s more…

Google offers a couple of backup verification methods in case you can’t get a text: You can receive a voicemail with the code, or your phone can run an app that generates a code for you, or you can carry a piece of paper with 10 “backup” codes on it. Really, I’m not kidding.

They also will do a retinal scan and test your DNA against a sample they keep in a cryo-vault… OK, that time I was kidding.

Enabling Two-Step Verification for your Google account is in your Account Settings. It’s a bit of a process, and I recommend reading carefully each step of the way.
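To show how a phone app can produce a valid code without receiving a text, here is an added example (not Google’s code) that assumes the app follows the published time-based one-time password standard, RFC 6238. The shared secret is the RFC’s own test value, and the `verify` function with its one-step tolerance is a hypothetical server-side check.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based one-time password (RFC 4226), the core of TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Phone side: the counter is simply the number of 30-second steps so far."""
    return hotp(secret, int(now) // step, digits)


def verify(secret: bytes, submitted: str, now: float,
           window: int = 1, step: int = 30) -> bool:
    """Server side (hypothetical): accept the current step or one step either
    way to tolerate clock drift, comparing in constant time."""
    current = int(now) // step
    for counter in range(max(0, current - window), current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


# Test secret from RFC 6238; a real secret is random and set up once via QR code.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(RFC_SECRET, now=59)
    print("code at t=59:", code)
    print("accepted 30s later:", verify(RFC_SECRET, code, now=89))
    print("accepted 90s later:", verify(RFC_SECRET, code, now=150))
```

Because both sides derive the code from the shared secret and the clock, nothing has to travel over the phone network at login, and a code that has been seen stops working once it falls outside the accepted time window.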

Facebook also does this login two-step now, which is good because 750,000,000 accounts are a terrifically big honey pot, and we all know someone whose account got hacked. Go to the Account Security section in Account Settings, and make it look like this:

[Image: Facebook Account Security settings]

Facebook should already know your cell number, and will text you a code to enter.

I dearly wish more services were doing the two-step. Yahoo, Amazon, eBay, Apple iTunes — they should all get on this bandwagon. But the smart ones are at least starting to require Good, Strong Passwords.

Welcome to the Age of the Hack. Don’t shoot the messenger.