Monday, January 08, 2007

Protecting Your Client Communications

We hear a lot in the consulting literature about "communications," but mostly they (me, too) are talking about the psychology of getting information from one person to another. That's a tough topic, but there's also the physical problem of getting information from one person to another. In the past week, I've been alerted to several instances where electronic communications have been corrupted or diverted. It's time to take a serious look at what's happening to your electronic messages.

Case 1. AOL Security Hacked

This is a note from one of my correspondents:

Last night was horrific. I lost my screen name. Some hacker stole it from me and no one - *NO ONE* - from AOL would help me. When the hacker got in, he changed my password, my security question, my billing. Yep, he changed it so that he would be billed. Why? Because he liked my screen name. It's XXXXXX. He wanted it. He was willing to pay for it. And he was willing to screw me over to get it.

I was on a secondary screen name at the time - one that I use when I'm online and I don't want to be distracted by e-mails and such. I got an e-mail. It was from AOL telling me that the master screen name's password was changed. I didn't change it. No one has that password but me. No one.

I immediately tried to access that name. No luck. I called AOL and suffered through repeated recordings that tried to "solve my problem" for me before sending me to a real person. No... hitting "0" didn't work. But I found out that "9" does. I talked to everyone I could.

No one would talk to me. Why not? Because I was no longer the owner of the account. I've had this account since 1996 and they would not listen. They told me that since I was not the current owner, they could not talk with me. They claimed to have no record of me at all. The guy had had control for less than an hour and they wouldn't budge because I wasn't the owner of record.

You can't imagine my frustration. Or maybe you can. I conduct *ALL* my consulting business from this screen name. Losing it would be disastrous. Hideously so. I was apoplectic. I offered to prove that I owned the account - to no avail. THEY WOULD NOT TALK TO ME.

They referred me to the Fraud department, which was closed till nine this morning. But I couldn't wait. I couldn't stand it.

I was still on my secondary e-mail and I waited till the (expletive deleted) signed on. And then I IMed him. I called him a nasty name and then started in on the questions - why? how?

He laughed. Sent me "LOL" and told me I'd just learned a lesson the hard way.

He knew I was a consultant. And I asked him how he knew.

Here's what happened: I'd put some information in my AOL profile, thinking that it was a cool way of promoting my services in case anyone was browsing. Mistake. That gave him my name. He googled me and found out what college I went to. Bingo. That gave him the answer to my security question.

He didn't even need my password to get in. He used the "password reset" option and used the security question to bypass it all. This bears repeating: HE DIDN'T NEED MY PASSWORD.

He said he collects screen names for a living and laughed at me.

All this in an IM.

And then, I asked, please. I told him that he was messing with my career. That my screen name was my lifeblood and that losing it would hurt more than he could ever imagine.

And then the hacker did what AOL refused to do. He gave me my screen name back. He gave me the new password (which I promptly changed) and the new security answer. He got suddenly chatty and started giving me hints about him and where he lives and such. Not that I believe any of it. He made my XXXXXX to a lower case xxxxxx and offered to send me the program he used to change it. I declined, telling him that the lower case "x" would be a constant reminder to me to be vigilant.

I have no idea why he did this. But he did. He said he was a hacker with a conscience. I believe it. I still hate that it happened. But I learned a lot last night, in the midst of all the angst. I have a cryptic answer to my security question now. I have all new passwords. I have NO profile on AOL now. I'm sure someone can still make the connection, but I'm taking steps to protect myself.

Jerry, can you make this into a well-worded warning and try to get it out there on your blog for other consultants?

AOL did not help me when I needed them. I called the Fraud department this morning and I ripped into them. Did they care? No.

They're the ones who forced me to set up a security question. I never wanted one. I foolishly believed that the question would come into play only *AFTER* the password was given. I was wrong.

Double check your security. Do not go through the agony I went through last night.

MORAL: 1. Don't count on AOL for security help.

2. Don't count on any ISP for security help. It's your responsibility.

3. Don't be stupid about your passwords.


Case 2. Don't Be Spoofed and Don't Be a Pfish


I receive income from Amazon for my short essays posted on their site. Yesterday, someone tried to hijack my Amazon account. If they had succeeded, they could have diverted my income directly to their bank account. Even worse, there are cases where they could post counterfeit writing under my name, which could kill my reputation.

I received an email that looked exactly as if it had come from Amazon and asking me to update my account information. Heeding previous advice, however, I did not click on the link but instead wrote directly to Amazon using their website (which I reached by typing the url myself). I received the following information and advice, which applies to all such 'update your account" messages:


Greetings from Amazon

The e-mail you received was not from Amazon.com. We are investigating the situation, and we appreciate you letting us know that you received this.

For your protection, we suggest that you never respond to requests for personal information that may be contained in suspicious e-mail. It is best to assume any e-mail that asks for personal financial information (or web site linked to from such an e-mail) is not authentic.

If you did not click on the link in the fraudulent e-mail, your account at Amazon.com is fine--there's nothing more you need to do. If you did click the link, but didn't enter any personal information (such as your login or password), the phishers will not have your Amazon.com account information.

However, please know that if you ever respond to a phishing e-mail and do enter your Amazon.com login and password (or any other personal information) on the forged web site, the phishers will have collected that information and you should take appropriate action. We recommend that you update your Amazon.com password immediately, and, if you entered financial information, you may want to contact your bank or credit card provider.

If you encounter any other uses of the Amazon.com name that you think may be fraudulent, please do not hesitate to contact us again.

Thank you for contacting Amazon.com.

WHAT IS PHISHING?

Phishing e-mails have been around for years. The term phishing comes from the use of increasingly sophisticated lures to "fish" for users' personal or financial information. In phishing, the scam artist usually sets up a spoofed a web page, which looks like the real one, but is owned and operated by the phisher.

Go to www.amazon.com/phish to read more about ways to protect yourself from phishing.


WHAT IS SPOOFING?

Spoofing, in this context, refers to a counterfeit web page or e- mail that is made to "look and feel" authentic but is actually owned and operated by someone else. It is intended to fool someone into thinking that they are connected to a trusted site, or that they have received an e-mail from a trusted source.


MORAL: Don't be so trusting. These are not people you're dealing with.


Case 3. They're Faster Than You Are


Fraudulent abusers of the internet are at work 24/7, and there are thousands of them, so one little lapse will cost you. As the Amazon warning said, by the time you notice you've been pfished or spoofed, they will already have your "secure" information, which they will sell many times over.

My SHAPE forum is subscription-only, and guarded by a password. The other day, however, we accidentally published a "clean" email address for special use, but mistakenly put it outside the protected area. In less than 24-hours, we started receiving spam on that address.

Imagine what would happen if you exposed one of your clients' email addresses or secure websites--or, heaven forbid, one of their passwords.

MORAL: One mistake, for one minute, can cost you your business.

Case 4. Watch Your Blog: They're Not Script Kiddies Playing Around


The other day, some of us started seeing strange, obscene material on Don Gray's blog. Don asked the AYE Conference hosts about this, and Dave Smith, our internet guru, gave this reply:

I took a close look at your blog. You've been hacked. Pull up http://www.donaldegray.com/tiki-view_blog.php?blogId=2 and View Source. The chunk of JavaScript at the bottom adds a hidden section that will render the links invisible to modern browsers (Some probably saw it because she's using an older browser like Lynx). Google will see the links, and will drop your site from the Google index. I'll dig up the procedure to get reinstated.

I suggest checking with the TikiWiki people to see about security updates. I recall there being an issue several months back that caused someone else I know to get hacked. Might be the same issue. You might also want to check the rest of your blog to see how widespread the damage is.


Don wrote back: I'm curious, what good does it do someone, if the primary result is dropping the site from the Google index? Script kiddies having fun?

Dave replied: This stuff isn't script kiddies. Basically, it's organized minor crime. By using automatic attack tools to hide a bunch of links for their clients, they're bumping up the "rank" of their sites on various services that aren't (yet) as aggressive as Google in culling out junk. Using automated tools is cheap; just park a laptop in a coffee shop with an open wifi, and let it rip. If you get caught, move down the street. The more sophisticated crooks rent time on large networks of compromised home windows machines. It's a huge problem. This, sadly, is why nobody who tries unfiltered or unmoderated blog comment systems survives for long in the open. I don't have comments enabled on my blog, but still see daily evidence of automated attack attempts in my server logs.

My own blogs, including this one, receive numerous spam messages every day, which I block, but some of my colleagues still have unmoderated blogs. Everything that goes up on your blog reflects on you. Just the fact that you allow it to go up there reflects on you. Yes, you can moderate posts off your blog after they're posted, but that's too late. You want your clients to read your blog, don't you? Some of them will see the posts before you are able to remove them, so stop them before they reach the site.

MORAL: Everything on your blog or your website reflects upon you. Make sure it's the reflection you want.

META-MORAL: I could go on endlessly with examples of corrupted or diverted communication, but I couldn't keep up with the new scams that appear every day. You have to be super-cautioius, and well-informed, but many consultants I know are failing in this responsibility.

Yesterday, I talked to a consultant who uses "password" for her password. When I asked her why, she said, "Yes, I know better, but it's just not a high priority." Well, maybe this is the psychology of communication after all.

6 comments:

Anonymous said...

Jerry,

I just found your blogs through the AYE home page. I hope to make 2007 my year to finally make it to the conference.

I'm glad you are feeling better.

On topic - We are all hit with phishing every day. It's critical to be aware of what's going on all the time.

Jerry L. in St. Louis

Danny R. Faught said...

A few comments about your AOL-subscriber friend. 1) Don't use AOL if you want a professional image. Perhaps your friend isn't in the computer industry, which makes this somewhat less of an issue, but if I told my colleagues that I used an AOL account for my primary business email, my credibility would drop to the floor. AOL has a reputation for being easy to use for beginners, which gives the impression that you're a beginner with computers if you use it.

And 2) Get a domain name that you control, so you don't have to beg for help from some other company's tech support if you get hijacked. Granted, I use a hosting service rather than running my own servers, and my administrative account could get hacked, but I still have much more control than if I were using AOL.

Regarding phishing - I get several of these a day, and junking them is becoming pretty routine. I can usually pick up some part of the wording that is obviously written by a non-native English speaker, which is a big tipoff. That and Thunderbird's scam detector keep me pretty safe. It's sad that financial institutions can't really rely on email communication with their customers any more, because their messages will likely be thrown out along with the fraudulent messages.

Ken (K.C.) said...

If you use an Earthlink email service (including numerous acquired domains, such as Mindspring.com), there *is* a setting that will secure *all* pages of their webmail tool.

Click on the "Preferences" link, then the "Web Mail Options" link, then find "Session Security" and make sure the "On" button is set.

Sign out, then back in to https://webmail.earthlink.net and you will see all reader pages come up with "https://" in front of the address on each page, letting you know these are encrypted so they can't be read on the network. Depending on your web browser edition, you may now also see a padlock icon in the browser status bar.

Ken (K.C.) said...

Hotmail and Yahoo users beware! Their webmail readers do not yet offer a feature for securing the content (only the login/password pages), as of January 2007, and to the present...
"Hotmail and Yahoo not secure via wireless networks" - according to the article here,
http://www.interall.co.il/hotmail-yahoo-https.html

I am also a Yahoo! user, and I found this is still true today. I was unable to secure the reader pages. Only the login and password administration pages use "https." I also discovered that the Account Profile editing page is *not* encrypted.

cara said...

I just read Case 1. AOL Security Hacked and I felt obliged to add my case: I spent the last 2 days trying to get though to people at AOL. My ex had a master screename and wouldn't let me move my email (which I am using for 10 years) to a new account. After many tries I got someone to go in and take me off his account and set me up with my own account, but MY HORRENDOUS, disgusting without-a-conscience EX managed to get it back---don't know how. I spent an hour with a supervisor at tech support and an hour with FRAUD protection and they absolutely wouldn't help me at all. So I cannot access an account i have been using for 10 years, with business and personal email on it. AOL is absolutely the worst. Even if you no longer know the master screen name, they will not do anything for you. I hate to give up my account. It would be disasterous. ANY IDEAS, ANYONE?- ?

Rea Yohannes said...

oh my god..., it's sooooo nice to know that i'm not the only one!!!
I lost my yahoo account, still lose it till now. The stealer chat with my friend not so nicely, until my friend checked with me to see if I'm online that day and I'm NOT! Somebody stole my account name and NO ONE at yahoo will help me. Since I got the questions wrong, then they just STOP talking to me. I was frustrated!! But then I let go of it. I don't know if s/he still uses it. I don't know anymore. I demanded to yahoo that my account be deleted if I cannot regain power of it again, but then again deaf ear. Frustrating. But it seems that my account is now died by itself. Thank goodness.