Gone Phishing

I got a call on Sunday afternoon from a long-time client who has become a close friend.  He was having trouble with his email username and password.

He had a simple question: what’s my password?

Because of our special relationship, I manage his passwords.  

The first thing I did was test the account myself.  I entered his username and password into the webmail client. It worked. So what was he talking about?

Normally, when a password changes you have to enter it again.  Fair enough.  But his hadn’t changed. So why was he being asked to enter it again?

At this point alarm bells go off in my head.  I’m thinking: phishing attack.  

You technophiles out there can now tune out.  For us mere mortals, here’s the deal:

A phishing attack is one where the user is tricked into providing their username, password, or other personal info to someone pretending to be a service they trust.  Simple.  A box pops up on your screen, or an email arrives with a link to a page that looks just like your webmail login. It says: “to access your email you need to re-enter your password, please type here...”, or words to that effect.  You enter it. It says, ‘nope - try again’.  You enter a different password you commonly use. Rats, still no luck. So you enter another.  And another. And after maybe 4 or 5 you think: hmmm...hang on...I know my password. Why isn’t this working?

Why doesn’t it work? Because the box was never your email provider in the first place, and you have been ‘pwned’ (long story - it started as a gamer’s typo of ‘owned’ and stuck).  In plain English: You have just handed over to a bad guy your five or six favourite passwords. Doh!

At this point you are in trouble.  Either the Eastern European mob or the 12 year old next door has access to your stuff, your money, your identity.  And because most of us reuse passwords, they now have a key that fits a lot of doors.

Here’s what you need to do. Right now. You have a long to-do list to tackle:

  1. Stop everything. Take your hands away from the keyboard.

  2. Turn off your computer.

  3. Make a list of all the services where you use the passwords you typed in, or close derivatives.

  4. Get on to another computer (because yours might now be loaded with malware and other bad stuff).

  5. Using your list, log into each site and change your password.

  6. When you change your password:

    1. Use upper and lower case letters

    2. Include some numbers

    3. Include some symbols like $ or ^ or ( or #

    4. DON’T spell a word

    5. DON’T use ‘password’ or ‘Password1’ or 1234567890 or anything as dumb

    6. Make it l-o-n-g. 10 or more characters.

    7. WRITE IT DOWN on your list

  7. At this point, you MAY be back in the safety zone.

  8. If one of the passwords you offered up was a banking password, tell your bank that you think you have been the victim of a phishing attack. Right NOW. Stop reading this and call them NOW.
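For the technophiles who didn’t tune out: as an added example, not part of the original post, here is a small Python script that turns the password rules in step 6 into a checker, plus a generator that builds a password from the operating system’s random source until it passes those same rules. The word list and the minimum length are assumptions; the word list in particular is a tiny constructed placeholder standing in for a real dictionary or breached-password list.

```python
import re
import secrets
import string

# Constructed placeholder: a real checker would load a proper dictionary
# and a list of known-breached passwords here.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey", "sunshine"}

# Symbols the post mentions ($ ^ ( #) plus a few more that are safe on most sites.
SYMBOLS = "$^(#!%&*)-_=+[]{};:,.?/"


def check_password(pw: str, min_len: int = 10) -> list[str]:
    """Return the rules from the post that pw breaks; an empty list means it passes."""
    problems = []

    # Rule 1: mixed case
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")

    # Rule 2: at least one number
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")

    # Rule 3: at least one symbol
    if not any(c in SYMBOLS for c in pw):
        problems.append("needs at least one symbol")

    # Rule 6: length (the post says 10 or more; longer is better)
    if len(pw) < min_len:
        problems.append(f"needs to be {min_len} or more characters")

    # Rules 4 and 5: don't spell a word, and don't use 'password' / 'Password1'.
    # Strip digits and symbols so 'Pass-word1' is still caught as 'password'.
    letters_only = re.sub(r"[^a-z]", "", pw.lower())
    if letters_only in COMMON_WORDS or any(w in pw.lower() for w in COMMON_WORDS):
        problems.append("spells a common word")

    # Rule 5: digit runs like 1234567890 (four or more consecutive digits in order)
    digits_only = re.sub(r"\D", "", pw)
    if len(digits_only) >= 4 and digits_only in "1234567890":
        problems.append("uses a digit sequence like 1234567890")

    return problems


def generate_password(length: int = 16) -> str:
    """Draw random passwords from the OS CSPRNG until one satisfies check_password."""
    if length < 10:
        raise ValueError("the post's rules want 10 or more characters")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Password1", "1234567890", "Maple-Tree*42"):
        print(sample, "->", check_password(sample) or "OK")
    print("generated:", generate_password())
```

The generator rejects and redraws rather than forcing one character of each class into fixed positions, which keeps every accepted password uniformly random over the set that passes the rules; with 16 characters the loop almost never needs more than a couple of tries.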

OK. You’re back.  I hope the bank was helpful.

Now that you have serious passwords, and each one is different, how the heck are you going to remember them?

There are some great programs out there that will help. I love 1Password, but LastPass, RoboForm, KeePass, Dashlane are also good.  Pick your favourite.  Load it up with the information from the paper list we spoke about earlier.  Then eat the list. If you want more information, read these articles in the New York Times for guidance:

Managing Your Passwords, With a Little Help From an App

Remember All Those Passwords?  No Need

Last thing to deal with: your computer, the one that started all this fuss in the first place.  Next time you turn it on, change its password (what password, you say?  Well, get one).  Then run your anti-virus/malware software (what anti-virus/malware software? Sigh...).  If you need help, get a pro, like your 12 year old neighbour, or a real pro, to help ensure it’s safe again.

So what happened to my friend?  Is his entire life now laid bare for all to see?  Nope.  Turns out he was lost in his web browser and thought he was being prompted for his password. He wasn’t. Thank goodness.

It all ends up being a cautionary tale with a happy ending. And some robust passwords.

Who could want for more?

- Steve Ellwood, EnCE