This may be the most valuable information regarding personal cyber security that I have ever seen. All the anti-virus programs and firewalls in the world will do little good if you're blabbing your "secret" information to the world via social networking sites.
This is precisely how Sarah Palin's e-mail account was hacked. A malicious individual, seeing publicly-available details about her, was successfully able to provide the correct answers to the security questions Mrs. Palin used for one of her e-mail accounts. Through this vulnerability, the hacker obtained access to the governor's personal e-mail.
Thank you, Leo, for such thorough coverage of this personal security problem.
MmeMoxie
November 10, 2009 11:23 PM
I fully agree with Tony M. Leo, you are 'right on' with your information.
Only one note, the good ISP's will tell you to close down the 'hacked' account and create a complete new one. New user name, password, secret questions, the whole nine yards.
Digby Lowe
November 11, 2009 1:43 AM
The 2nd email address could be used to break the hacker's stranglehold on the primary account if the primary mail provider were to automatically refer to the 2nd mail address all changes made to password and proposed changes to 2nd mail addess - i.e. effectively pass master control of the primary account to the 2nd account. Do I get a prize for that idea?!!
Rick
November 11, 2009 8:26 AM
A bigger problem is that the major webmail players have password recovery mechanisms that do not even rely of 'secret' questions, but rather a recollection or best guess of how you have used the service.
For example, GMail's Password Recovery page starts with, "If you've already tried to reset your password and you're still unable to access your Google Account, fill out the form below. Please answer each question as thoroughly and accurately as possible; the strength of your answers will determine if we can return your account. If you're not certain about some of the dates, provide your closest estimate."
The problem here is that a hacker gets to offer an alternate 'alternative' email address and answer a few questions about what other Google services the user might have used (along with estimates of dates) . . . and a few other tidbits that are not super difficult to work out. If the mix seems probable to Google they sent a reset email to the proferred alternate email address.
In other words, if a hacker can work out what other Google services this user has and the approximate creation dates, he or she had a pretty good chance of taking control of the account.
Evan B Merz
December 15, 2009 7:25 PM
While I have had no difficulties in this area (knock on wood), I remain concerned. I check credit card charges at least twice a month and my credit card and debit card likewise, so I think I'm on top of this problem. Incidentally, my ISP has withheld emails because they are questionable and appear to be complete strangers to me.
Ron Inabinet
January 6, 2010 3:50 AM
I believe that my computer has been compromised to a degree. Several months ago,I don`t even remember when, I checked to see if I was the only name logged into my computer. To my amazement I was NOT the only person logged in. I kinda freaked and shut my computer down without writing down the "other" name.I have checked back often but found no one else logged in; this might be due to the fact that I have gotten a router.Just a couple of weeks ago I was going to log into my yahoo email account but I saw my computer password already typed into the space provided. I still get those stew-pid nigerian scams about money but, I always just delete them. I believe the unsolicitated emails of offers to view womens` private photos and chat sessions with unknown women,supposedly are nothing but hacking or spoofing scams. My yahoo email account hasn`t been hacked but I have suspicions that my computer is watched by parties unknown.
craig
February 2, 2010 1:54 PM
In regard to 'secret' questions; if you have a set question there are limited 'truthful' answers. Try using one or two universal answers for all secret questions on all your web-based security. Like, Mothers maiden name? Venus, or blue whale, or Mitsubishi, or River Phoenix, and First pet you had? River Phoenix, Mitsubishi... etc.
This makes guessing the answers nearly impossible and we've now made the answers endless, rather than the limited truthfull stock - AND it makes ur answers easy to remember IF you stick to the same ones all the time.
FYI - Some profile setting areas in some web sites will show you your 'secret answers' which make the secret viod if you account is hacked.
kate
March 26, 2010 4:24 AM
Leo, I have read a few of your articles. I have had the 'free email - hotmail problem' where my hotmail is sending spam email (always the same email, copied below - hope that's ok... but the link is in it). I have changed my password. I have tried to contact hotmail on windows help, but no reply. http://windowslivehelp.com/thread.aspx?postid=7B1464C2-0DA5-4A0B-85A3-C6BF19B4DF4A#7B1464C2-0DA5-4A0B-85A3-C6BF19B4DF4A.
I have used my hotmail account for some time and would hate to give it up and lose touch. Do I have any choice but to close it? I can't seem to get any help from hotmail / answers on the windows forum.
Thank you for your good articles and links to more of your articles... I found it good to know that really there isn't much I can do... but I thought I would ask: Is there anyway to report this email to an authority?
Thanks.
SPAM email below
Hi,my friend,
I find a good website,I would like to introduce it to you It will give you big surprise:excellent products,high quality competitive price.If you are free, please visit it: [link removed] have a nice day! ~--b
As the article you're commenting on states, changing your password is not enough. If you can cover everything else outlined, and have attempted to get help at the support forum, then I know of nothing else left for you to do.
26-Mar-2010
Faith
April 14, 2010 9:54 AM
Thank you so much for this. My gmail account was hacked just this morning, and although I logged the hacker out and changed my password to a much stronger one, I hadn't thought about any of these other possibilities until I read this article, and I'm so glad I did.
Jennifer Wolford
May 6, 2010 11:48 AM
I have always added a contact to my e-mail contact lists. I add: aaaaaaaaaaaaa@aa.com
Since this does not exsist, and will be the first email address to be used (alphabetically) anytime mail is sent from me (bulk, all included) I get a notice that it could not be delivered to that account. Since I know I would not have sent to that contact, I know something is wront.
The usefulness of that approach (having a bogus address early on in the address book) has been highly overrated. I wouldn't bother.
Comments
Read the article that everyone's commenting on.
November 10, 2009 4:17 PM
This may be the most valuable information regarding personal cyber security that I have ever seen. All the anti-virus programs and firewalls in the world will do little good if you're blabbing your "secret" information to the world via social networking sites.
This is precisely how Sarah Palin's e-mail account was hacked. A malicious individual, seeing publicly-available details about her, was successfully able to provide the correct answers to the security questions Mrs. Palin used for one of her e-mail accounts. Through this vulnerability, the hacker obtained access to the governor's personal e-mail.
Thank you, Leo, for such thorough coverage of this personal security problem.
November 10, 2009 11:23 PM
I fully agree with Tony M. Leo, you are 'right on' with your information.
Only one note, the good ISP's will tell you to close down the 'hacked' account and create a complete new one. New user name, password, secret questions, the whole nine yards.
November 11, 2009 1:43 AM
The 2nd email address could be used to break the hacker's stranglehold on the primary account if the primary mail provider were to automatically refer to the 2nd mail address all changes made to password and proposed changes to 2nd mail addess - i.e. effectively pass master control of the primary account to the 2nd account. Do I get a prize for that idea?!!
November 11, 2009 8:26 AM
A bigger problem is that the major webmail players have password recovery mechanisms that do not even rely of 'secret' questions, but rather a recollection or best guess of how you have used the service.
For example, GMail's Password Recovery page starts with, "If you've already tried to reset your password and you're still unable to access your Google Account, fill out the form below. Please answer each question as thoroughly and accurately as possible; the strength of your answers will determine if we can return your account. If you're not certain about some of the dates, provide your closest estimate."
The problem here is that a hacker gets to offer an alternate 'alternative' email address and answer a few questions about what other Google services the user might have used (along with estimates of dates) . . . and a few other tidbits that are not super difficult to work out. If the mix seems probable to Google they sent a reset email to the proferred alternate email address.
In other words, if a hacker can work out what other Google services this user has and the approximate creation dates, he or she had a pretty good chance of taking control of the account.
December 15, 2009 7:25 PM
While I have had no difficulties in this area (knock on wood), I remain concerned. I check credit card charges at least twice a month and my credit card and debit card likewise, so I think I'm on top of this problem. Incidentally, my ISP has withheld emails because they are questionable and appear to be complete strangers to me.
January 6, 2010 3:50 AM
I believe that my computer has been compromised to a degree. Several months ago,I don`t even remember when, I checked to see if I was the only name logged into my computer. To my amazement I was NOT the only person logged in. I kinda freaked and shut my computer down without writing down the "other" name.I have checked back often but found no one else logged in; this might be due to the fact that I have gotten a router.Just a couple of weeks ago I was going to log into my yahoo email account but I saw my computer password already typed into the space provided. I still get those stew-pid nigerian scams about money but, I always just delete them. I believe the unsolicitated emails of offers to view womens` private photos and chat sessions with unknown women,supposedly are nothing but hacking or spoofing scams. My yahoo email account hasn`t been hacked but I have suspicions that my computer is watched by parties unknown.
February 2, 2010 1:54 PM
In regard to 'secret' questions; if you have a set question there are limited 'truthful' answers. Try using one or two universal answers for all secret questions on all your web-based security. Like, Mothers maiden name? Venus, or blue whale, or Mitsubishi, or River Phoenix, and First pet you had? River Phoenix, Mitsubishi... etc.
This makes guessing the answers nearly impossible and we've now made the answers endless, rather than the limited truthfull stock - AND it makes ur answers easy to remember IF you stick to the same ones all the time.
FYI - Some profile setting areas in some web sites will show you your 'secret answers' which make the secret viod if you account is hacked.
March 26, 2010 4:24 AM
Leo, I have read a few of your articles. I have had the 'free email - hotmail problem' where my hotmail is sending spam email (always the same email, copied below - hope that's ok... but the link is in it). I have changed my password. I have tried to contact hotmail on windows help, but no reply. http://windowslivehelp.com/thread.aspx?postid=7B1464C2-0DA5-4A0B-85A3-C6BF19B4DF4A#7B1464C2-0DA5-4A0B-85A3-C6BF19B4DF4A.
I have used my hotmail account for some time and would hate to give it up and lose touch. Do I have any choice but to close it? I can't seem to get any help from hotmail / answers on the windows forum.
Thank you for your good articles and links to more of your articles... I found it good to know that really there isn't much I can do... but I thought I would ask: Is there anyway to report this email to an authority?
Thanks.
SPAM email below
Hi,my friend,
I find a good website,I would like to introduce it to you It will give you big surprise:excellent products,high quality competitive price.If you are free, please visit it: [link removed] have a nice day! ~--b
26-Mar-2010
April 14, 2010 9:54 AM
Thank you so much for this. My gmail account was hacked just this morning, and although I logged the hacker out and changed my password to a much stronger one, I hadn't thought about any of these other possibilities until I read this article, and I'm so glad I did.
May 6, 2010 11:48 AM
I have always added a contact to my e-mail contact lists. I add: aaaaaaaaaaaaa@aa.com
Since this does not exsist, and will be the first email address to be used (alphabetically) anytime mail is sent from me (bulk, all included) I get a notice that it could not be delivered to that account. Since I know I would not have sent to that contact, I know something is wront.
07-May-2010
To post a comment on "Is changing my password enough?", please return to that article's main page.