Third In A Series: A recent post featured true stories of people who had their email accounts hijacked, and what happened to them as a result.

A follow-up explained how webmail services like GMail, Yahoo Mail, and Hotmail can be exploited by using the password reset feature.

A hacker without any sophisticated skills can burglarize a web-mail account by using the same password reset feature that is provided for the legitimate user who forgets their password.

If your account gets hijacked, you’ll be locked out of your own email. You may realize what has happened, but by then it is too late. The attacker has had access to your personal information, possibly using your email address to gain access to other accounts, such as Facebook or your online banking.

There are three simple things you can do to improve the security of your web-based email. Let’s take a look at how to make the password reset feature in Yahoo Mail more secure. (We will examine the features of Yahoo Mail; other popular web-based email has similar features.)

When you create a new Yahoo Mail account, you are asked to provide:

1. An alternate email address (optional) and
2. Answers to 2 “Secret Questions” (required)

Do you remember when you created your web-mail account?
Were you were in a hurry (like a lot of other users) to use your new email account?

Maybe you didn’t take a lot of time to fill in the required information. If so, you should go back to your account settings and strengthen your password-reset info:

1. Create your own personal secret questions
2. Set up an alternate email account
3. Use your mobile phone to provide yet another layer of security

Step 1: Get Rid of The Secret Question

The “secret question” is probably the weakest link in protecting your online email. Many of the secret questions do not provide much security to a reasonably well-informed attacker. Here is a list of Yahoo’s standard questions:

Where did you meet your spouse?
What is your oldest cousin’s name?
What is your youngest child’s nickname?
What is your oldest child’s nickname?
What is the first name of your oldest niece?
What is the first name of your oldest nephew?
What is the first name of your favorite aunt?
Where did you spend your honeymoon?
Where did you spend your childhood summers?
What was the last name of your favorite teacher?
What was the last name of your best childhood friend?
What was your favorite food as a child?
What was the last name of your first boss?
What is the name of the hospital where you were born?
What is your main frequent flier number?
What is the name of the street on which you grew up?
What is the name of your favorite sports team?
What was your first pet’s name?
What is the last name of your best man at your wedding?
What is the last name of your maid of honor at your wedding?
What is the name of your favorite book?
What is the last name of your favorite musician?
Who is your all-time favorite movie character?
What was the make of your first car?
What was the make of your first motorcycle?

In many cases, these questions could be guessed by an acquaintance, co-worker, or anyone with access to basic information about you. A much better choice is to write your own secret question.

When you write your own secret question, make sure that it cannot be guessed easily. Here are some very bad secret questions…

• What is my dog’s name?
  (Hopefully your dog doesn’t have one these names.)
• What is my favorite color?
  (Unless it’s something like gamboge, it isn’t going to be too hard to guess.)
• Who was president when I was born?
  (Obviously, you don’t want to use questions like this!)

So what kind of question should you use? You want to choose something that has many possible answers but is easy for you to remember. Yahoo recommends: “Make sure your answer is private, memorable and does not change over time.”

If at all possible, just memorize a short word or phrase. As long as it’s not too obvious, you could use a favorite book, quote, or song title, etc.

Think of a sentence like: “My favorite book is Gone With The Wind.” That can converted to MFB=G@TW. In other words, it’s sort of like a second password (but note that Yahoo’s secret questions and answers are not case sensitive).

Don’t give many clues it in the question itself.  You might have something like this:

Step 2: Add a Backup Email Address

Although it is not required, you should configure another email address to be used to reset your web-mail password. (Here’s a suggestion: Do not configure two email accounts as password-reset addresses for each other. If one of them is hijacked, then the second is vulnerable too.)

Choose an email address that you will have access to in the future, and that you do not share with anyone else.

Step 3: Enlist The Help Of Your Mobile Phone

One of the best ways to secure your email is to add your mobile phone number to your password recovery options. If you do, and you forget your password, you can receive text message with a code to change your password.

Conclusion

Eliminating generic “Secret Questions” is the first and most important step to securing your online email. If you have chosen a strong password that you will not forget, and configured your mobile phone and your backup email account just in case, you don’t really need the Secret Question option at all.

If you prefer to eliminate that password recovery option altogether, you can do that as follows:

1. Choose any of the generic Secret Questions
2. Type a lot of junk in the Answer box
3. Hit Save
4. Forget about it …Now you don’t know the answer to the secret question, and neither will anyone else
5. Use the other password recovery tools if needed.

Just be sure that you have your backup email address and mobile phone number added BEFORE you perform the steps above!

Coming soon:
Generate a strong password that’s easy to remember and hard to forget!

More:
Image: Lock by AMagill
TechCrunch: RockYou Hack: From Bad To Worse
net-security.org: Analysis of 32 million breached passwords
Jimmy Ruska: Most common passwords list from 3 databases

Second In A Series:

Could this type of attack happen today? Yes.

Should a non-celebrity, average person be concerned about their email security? Absolutely.

Everyone needs to be concerned about email security

Even if you’re not famous …even if you’re not involved in anything illegal or embarrassing …even if all your email is really, really boring …you need to keep your email account secure. Here are three reasons:

Your contact list: If someone took control of your email account, they could attempt to impersonate you and defraud your friends and family before you realized what was happening. Would you be able to warn all everyone before it was too late? You do have your contact list backed up …don’t you?

Personal data: It’s great that Gmail gives us over 7 GB of storage. But, a lot of people keep important personal or business documents stored in their web-mail inbox. This could be a gold mine of identity theft: online billing statements, bank account information, calendar information and contacts. Also, some data might be irreplaceable if deleted.

Access to other accounts: Once inside your email, a hacker could discover information about other online services that your use.  Consider that you email account is often used to verify your identity when you forget a password. A compromised email account could result in a hacker getting access to online banking, PayPal, etc.

How celebrity e-mail gets hijacked

In Sarah Palin’s case, the accused “hacker” is David Kernell, a 20 year-old economics student at the University of Tennessee (also son of longtime Democratic Tennessee State Rep  Mike Kernell of Memphis).

The technique used to get Palin’s e-mail was not very sophisticated, and does not require any specialized knowledge of computers.  It simply used Yahoo’s standard password reset feature, provided for users who have forgotten their own password.

The hacker discovered Palin’s e-mail address—the now-defunct gov.sarah@yahoo.com—through publicly available sources, then used Yahoo’s password recovery feature to reset the password. To reset the password, he had to supply three pieces of personal information: Palin’s birthday, her zip code, and the place she met her husband.

Before Kernell was arrested, a person claiming to be the hacker posted the following in an online forum:

“it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes ….

the second [security question] was somewhat harder, the question was ‘where did you meet your spouse’ …they met at high school, so I did variations of that, high, high school, eventually hit on ‘Wasilla high’”

Many web-based email accounts are still vulnerable to this type of attack. In 2009 Salma Hayek was victimized in a similar manner.  According to gawker.com, “Breaking into the account was a simple matter of knowing Hayek’s birthday — September 2 — and guessing at her security word (they claim it was [Frida,] the name of her best known movie role) to reset the account’s password.”

Why your email might be vulnerable

What happens if a web-mail user locks themselves out of their own email account? Usually there is a “forgotten password” link that enables them to create a new password …but first they must provide proof of their identity. Typically, this proof involves the giving answers to “secret” questions, matching the response given by the user when the account was created. Here are some questions that Yahoo uses:

• Where did you spend your honeymoon?
• Where did you meet your spouse?
• What is your oldest child’s nickname?
• What is the first name of your favorite uncle?
• What town was your father born in?
• What was your first pet’s name?
• What is the name of your favorite sports team?
• What is the last name of the maid of honor at your wedding?

Someone trying to get unauthorized access to your email account could use the same procedure. The problem with many of these security questions is that they can be easy to guess, especially if the if the victim if famous, or if the “hacker” is an ex-husband, former girlfriend, creepy brother-in-law, or psycho coworker.

Despite the highly publicized incidents of email hijacking, password security for web-based e-mail accounts is not much better today than in the past. Regular people frequently forget their own passwords, so email providers need to have an automated, easy-to-use mechanism for legitimate (but befuddled) users to create a new password.

In the next post in this series, I’ll provide some steps anyone can take to make their web-mail more secure.

Sources:
Wired: Palin E-Mail Hacker Says It Was Easy
PCMag: Salma Hayek’s Email Gets Hacked
PCMag: Why the Palin Hack Could Happen Again and Again
Gawker: Salma Hayek’s Hacked Emails Reveal Celebrity’s Quotidian Existence
Image “US Mail” by Steve 2.0

But what about your e-mail password?

This article will give examples of what can happen when someone gets unauthorized access to your e-mail account. In an upcoming post, we’ll take a look at a couple of reasons why your e-mail password may not be as secure as you might think. After that, we will examine some methods for keeping your e-mail account private and secure.

“It’s impossible to move, to live, to operate at any level without leaving traces, bits, seemingly meaningless fragments of personal information.”
William Gibson

With each passing year we depend less on the postal service and more on the Internet to interact with our banks, utilities, employers and customers.  We realize that a lot of personal information about us is stored on computers connected to the Internet; we accept this reality (if we think about it at all) because online shopping, online banking, online bill pay, and social networking provide great convenience.

Frequently the humble e-mail account provides the common link between the user and various online services, whether these services are trivial or essential.  For this reason, it’s important to keep your e-mail secure.

Often banks have password security rules and require customers to create complex passwords with both letters and numbers.  But what happens if you forgot your password?  In many cases you can click on a password recovery link, provide your e-mail address, and then check your e-mail for a code or hyperlink that you can use to create a brand new password.

The following stories illustrate problems that can occur when a hacker gains access to someone’s e-mail account:

Edward Mendelson on AppScout tells the story of “What Happens When Your Webmail Gets Hacked” – about how a friend’s Gmail account was hijacked by a scammer.  The hacker e-mailed everyone in the victim’s contact list, claiming to be stranded out of town with no cash: “please I need you to loan me some money, I will refund you as soon as I’m back home, I promise.” It took over eight hours to regain control of the hijacked e-mail account …by which time the hacker had persuaded one well-meaning friend to wire money overseas.

This scam happens quite often, as when a retired Cornish vicar innocently shared information that allowed hackers to get into his Yahoo e-mail account. Shortly thereafter, his friends received an e-mail claiming “I am really stranded in Nigeria because I forgot my little bag in the Taxi where my money, passport, documents and other valuable things were kept…” Fortunately, his friends were not deceived by the faked message. According to the victimized vicar, “It was so long-winded and badly spelled that most of my friends were laughing by the end of it.”

It was not a laughing matter when another Yahoo email account was compromised:  Sarah Palin’s Yahoo e-mail was hacked during the presidential election campaign in September 2008. Palin, while governor of Alaska, had used the Yahoo address gov.sarah@yahoo.com to conduct state business. After the account was breached, confidential e-mail messages were posted on the Internet. The “hacker” (tracked down by the Secret Service and FBI) is now awaiting trial and faces up to five years in prison if convicted.

The technique used to gain access to Palin’s e-mail account does not require any special skill or technical knowledge, and many web-based e-mail accounts are still vulnerable to it today. My next post will show how it was done, and how you can take steps to protect yourself.

Sources:

AppScount: What Happens When Your Webmail Gets Hacked
BBC: Fraudsters Hijack Vicar’s E-mail
Wikipedia: Sarah Palin Email Hack
Washington Post: Governor Is Asked To Release E-Mails
Image by Esparta

Most new computers do have a trial version of some famous-brand antivirus product pre-installed, and it will function normally for a month or two …or maybe even a year. But when the trial period expires, the computer is no longer fully protected, because the antivirus is no longer receiving updates to enable it to catch and eliminate the newest viruses. Many people choose to rely on outdated antivirus software in order to save money.

A much better solution is avast! Free Antivirus 5.0 from ALWIL Software, now in Version 5.0. The popularity of earlier versions of avast! made it the world’s most popular free antivirus program, with over 100 million users. New avast! 5.0 has new features and a new interface, and performs impressively in virus and spyware elimination tests. The new 5.0 edition of avast! is free for non-business home users; the “Pro” version is available for business use and has additional features and customization options.

The new avast! Free Antivirus 5.0 includes…

• Transparent scanning of all files, programs and email
• Automatic updates
• Improved antivirus and anti-spyware engine
• Scanning on-demand
• Scheduled scanning
• Impressive anti-spyware and anti-root-kit protection
• Online tech support

You can download avast! Free Antivirus 5.0 from http://www.avast.com/free-antivirus-download

I have recommended previous versions of avast! for years, and have had many people tell me that it removed viruses and spyware left behind by other products.

For more a detailed product review of avast! Free Antivirus 5.0 features and, visit PCMag.com

avast! Free Antivirus 5.0 runs on any recent version of Microsoft Windows: Windows 2000, Microsoft Windows XP/Vista/7 (32/64 bit)

Before installing new antivirus software, be sure to uninstall any existing antivirus software