Friday, November 5, 2010

Online convenience? It could be risky, too.

These days, we all realize the convenience the internet has brought us, and we seem to have reached an era of web here, web there, and web everywhere. People communicate via chat and email, manage their bills online, store their docs online, buy tickets and make reservations online. I had been enjoying such convenience without thinking too much about the risk until yesterday noon, when a colleague and friend of mine forwarded me an email:

Hello

How are you today, I and my family had a visit to London,United Kingdom,Unfortunately we got mugged at a gun point last night! All cash, Credit card and phone were stolen,we are  messed up in another country, stranded in London, fortunately my passport was back in the hotel room. It really sucked and was scary too.I was hit on the head by the muggers but i am getting better. I am sending you this message cos i don't want anyone to panic,i want you to keep it that way for now.

I need you to help me with a loan of 1,750 Dollars ($1,750.00) to pay my hotel and hospital bills and to get myself back home. I will appreciate whatever you can afford to assist me with, I will return the money back to you as soon as i return, let me know if you can be of any help? ASAP. I don't have a phone where i can be reached. I am so confused right now. You can send it to my name and hotel address via Western union you would find one close to where you stay just visit(www.westernunion.com/locator )

Here are the details below:
Name : Shijun Song
Address : 31 Saffron Hills, London, EC1N 8QX England, UK
Please help me write out the MTCN Number/Confirmation code given to you at the western union outlet.i will be waiting anxiously for your positive response.

Shijun

This scam was sent to my friends through a hotmail account that I used as my primary account a long time ago. As Gmail provides more compelling features, I had switched to Gmail years ago and used that hotmail account only in untrusted places. Therefore, at first I was not surprised by this kind of scam, since I guessed many of them had gone through my "garbage collector". But I soon realized it might be worse than I thought, because it was my colleague that received this, and I had never used hotmail to email my colleagues. Someone might have gained control of my primary email. I immediately checked my Gmail account and sadly found out that it had been compromised.

The hacker probably first broke into my Facebook, where both my hotmail and Gmail addresses are listed (mistake #1). Then he/she easily broke into my hotmail, which shares the same weak password (mistake #2) with Facebook. From there, he/she traced back to my Gmail and had Gmail send a password-reset link to hotmail. I do have a very strong password for Gmail, but it wouldn't help in that case. Password reset through email doesn't work, because when I activated my Gmail account years ago, I set the recovery email to that hotmail account (mistake #3). Password reset through SMS doesn't work either, because I used my Google Voice number as the contact number (mistake #4). When I lost control of my Gmail, I lost control of Google Voice too. Fortunately, I remembered lots of information about the Gmail account and was able to fill out a verification form so that Google could manually investigate the account, validate my ownership, and recover it for me.

When I got it back and logged in, I found that all of my contacts had been deleted by the hacker, who had logged in from a Nigerian IP address. I manage all of my contacts through Gmail without a local backup (mistake #5), and my Android phone is in sync with my Google account. When all the contacts were deleted, I also lost all the numbers on my phone. What a bummer!

Now I have to think hard and dig through previous emails in order to recall as many of my contacts as possible and send them warnings. However, I did learn a lot from this experience:
1. The recovery email and the primary email should NEVER EVER show up together. Then even if one is exposed, there is no way to trace it to the other.
2. It is better to have a dedicated recovery email address, and to have all other accounts send their recovery options there. Its exposure should be minimized, and it should not have any saved communication with other accounts. The reason is obvious: this dedicated email address will serve as a safe island that nobody can identify or even guess.
3. If one chooses to manage contacts online, it is a good idea to back them up locally periodically, and vice versa. Local and cloud have different characteristics regarding which is safe and which is fragile. Most of the time, they complement each other.
4. Choose strong passwords, even for the accounts that are not important. The security of a chain is determined by its weakest link, not by the one that is considered to be important.
5. Don't put all your eggs in one basket. Now I use my cell phone number instead of my Google Voice number as the recovery option. They are mostly independent.
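The chain behind mistakes #2 through #5 can be checked mechanically. The following is an added example written for this page (not the author's code or any Google tooling): it models accounts, shared passwords and recovery channels as a takeover graph, computes which accounts fall after a single compromise, and flags recovery channels the owner would lose together with the account. The account names, password labels and the "before"/"after" configurations are constructed placeholders mirroring the post.

```python
from collections import defaultdict

def acct(password, recovery_email=None, recovery_phone=None, controls=()):
    """password: label of the secret used (same label = same password reused).
    recovery_email / recovery_phone: account that receives the reset link or SMS.
    controls: accounts administered from inside this one (e.g. a Google Voice
    number that lives in the Gmail account)."""
    return {"password": password, "recovery_email": recovery_email,
            "recovery_phone": recovery_phone, "controls": list(controls)}

# Constructed: the setup described in the post (shared weak password,
# hotmail as Gmail's recovery email, Google Voice as its recovery phone).
BEFORE = {
    "facebook": acct("weak1"),
    "hotmail": acct("weak1"),
    "gmail": acct("strong", recovery_email="hotmail",
                  recovery_phone="google_voice", controls=["google_voice"]),
    "google_voice": acct(None),
}
# Constructed: unique passwords, a dedicated recovery mailbox never used
# elsewhere, and a carrier phone number that Google does not control.
AFTER = {
    "facebook": acct("pw-a"),
    "hotmail": acct("pw-b"),
    "recovery_only": acct("pw-c"),
    "gmail": acct("strong", recovery_email="recovery_only",
                  recovery_phone="carrier_sim", controls=["google_voice"]),
    "google_voice": acct(None),
    "carrier_sim": acct(None),
}

def takeover_edges(accounts):
    """Directed edges A -> B meaning control of A yields control of B."""
    edges, by_password = defaultdict(set), defaultdict(set)
    for name, a in accounts.items():
        if a["password"]:
            by_password[a["password"]].add(name)
        for field in ("recovery_email", "recovery_phone"):
            if a[field]:
                edges[a[field]].add(name)   # reset link/SMS lands in that account
        for c in a["controls"]:
            edges[name].add(c)
    for group in by_password.values():      # shared password: one opens the rest
        for n in group:
            edges[n].update(group - {n})
    return edges

def blast_radius(accounts, start):
    """Every other account an attacker reaches after compromising `start`."""
    edges, seen, stack = takeover_edges(accounts), set(), [start]
    while stack:
        for m in edges[stack.pop()]:
            if m not in seen:
                seen.add(m)
                stack.append(m)
    seen.discard(start)
    return seen

def self_dependent_recovery(accounts):
    """Recovery channels that are lost together with the account they protect."""
    return [(name, field, a[field]) for name, a in accounts.items()
            for field in ("recovery_email", "recovery_phone")
            if a[field] and a[field] in blast_radius(accounts, name)]
```

Running `blast_radius(BEFORE, "facebook")` reproduces the post's chain, while in `AFTER` a Facebook compromise reaches nothing, and the only account whose loss still cascades is the dedicated recovery mailbox, which is exactly why lesson #2 keeps it hidden and unused.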
