How I plan on stealing your password, and how you will stop me.
In the past few years people have become more aware of the danger of having their passwords stolen. Email, Facebook and Twitter passwords are especially easy to acquire without any "crazy hacks", using nothing more than some good old-fashioned detective work and a little social engineering. I'm going to outline some things that most people overlook.

THEN, I’m going to show you how to protect yourself from these types of attacks. A slight disclaimer, however, is that if someone really knows what they are doing and is determined enough, they can get just about anything they want from you – regardless of how aware you are of these attacks. Let’s hope no one hates you that much!
A lot of people might disagree with me showing people how to break into these accounts. I, however, feel that if you don't know how people get in, you can't properly protect yourself.
If you have a strong technical background or tinker with computers you already know everything in this article; I am not going to show you any complicated hacks this time around. This article is geared towards the everyday computer user to hopefully make them more aware of the silly things we often overlook when we set up our accounts.
*Another small disclaimer*
Everything in this article is hypothetical and for illustrative purposes only. I would not do this myself, nor do I promote its use. Everything in this article is written for educational reasons only, in order for you to understand how to protect your accounts.
How to Steal Yahoo / Gmail / Hotmail, Facebook and other free account passwords.
The easiest method for someone to steal your password is the 'Forgot Password' question. If you have a Hotmail or Yahoo account, you know there is a link to click if you have forgotten your password. While this was designed to help you, unfortunately it can quite easily be used against you. When you click this link, you are asked to enter your Country, Postal/Zip Code and Province/State, and then to give the answer to the secret question you chose when you set up the account. This information is what is used to verify that you are, in fact, you before the provider will reset your password. Unfortunately, the answers to the six most commonly used questions on Hotmail and Yahoo only have to be 5 characters long, and are ridiculously simple to figure out. If I can guess the answer to your 'Forgot Password' question, I can reset your current password and log in to your account... and then you can't. You are able to create your own 'Forgot Password' question, but people usually pick something with an answer that is easy to remember. Not so coincidentally, that information can usually be found online with a little research.

The 6 most common ‘forgot password questions’ are:
My first pet’s name?
Where is my mother from?
What is my favourite food?
Who is my best childhood friend?
Who are my two best childhood friends?
Favourite person from history?
In most cases, a trip over to Facebook.com reveals that your first pet's name is bound to be in a picture in one of your albums, in the comments on a picture, or (possibly worst of all) in one of the "quizzes" or "25 things about me"-type notes you've filled out. Your mother is often from the same place you are. Your favourite food is probably pizza (I don't know why this is; maybe because most people are still using the account they made when they were 15). Your best childhood friends' names are also in that survey you filled out in your notes (probably the same one that has your first pet's name). "Favourite person from history" is no better: the answers cluster on a handful of household names, whichever figure someone's schooling made most memorable, so a guesser only has to work through the dozen most famous people in history. The point is that these answers are weak because they are so common: they can be guessed or looked up without ever touching your actual password.
Getting your Country and Province/State is easy: the person can just look at your Facebook or Twitter profile. Even if they don't have access to your profile, they can see what Network you are in.
If they need more information, they can punch your email address into google.com – "Joe@hotmail.com" – and this will reveal other sites you are on. Now they can read those posts and learn even more about you. If this still isn't enough, they can go to pipl.com, where an email or name search will turn up even more sites you are on. There are almost unlimited resources on the internet for finding out information about anything... including, most likely, you.
What about the postal code? The best case (for the person trying to get it) is that you posted it on your Facebook. Worst case? They go to 411.com or 411.ca and determine approximately where you live now. If they want to know where you were when you made the account (usually in middle or high school), they can go to classmates.com, where the name of your high school and your class will pop up; you had to live within a certain radius of that school to attend it. Now they can go back to 411 and look for people in that area with the same last name as you (if you're not there anymore, these people may be your folks).
Remember how I mentioned that the internet has almost unlimited resources allowing people to find out information about anything? Remember that when you set your secret question and answer. A quick example: a while back I asked my friend his 'Forgot Password' question out of curiosity. He smugly explained that it had nothing to do with him, so he didn't think I would know the answer. His question was "Who wrote A Shot of Rhythm and Blues?". Initially, he was right – I had no idea. But a quick look on Google gave me the answer: 'Terry Thompson'. The moral of this story: never use anything that other people can find the answer to by spending two seconds on Google!
Gmail.com, on the other hand, only requires the correct answer to your secret question to reset your password. In other words, even less information needs to be gathered. Thanks, Gmail!
So, after the person guesses or acquires the answer to your 'Forgot Password' question, they get to set a new password for your account. You don't have access any more, and they do.
Now that they have access to your email, your Facebook and other account passwords are theirs for the taking, and they can use that same access to cover their tracks.
If someone changes your password, you may figure it out pretty quickly, since your old password won't work. To avoid this, they can use the handy search button in your email account to look for other passwords hanging out in your inbox (you know, those emails you get whenever you register for a new website). Unfortunately, many people use the same password for all of their accounts (or at least a couple of them). Thus, there's a good chance that if the bad guys/girls get one, they get them all. For example, an email from plentyoffish.com might give them the password you use for that account. An easy check to see whether you use the same password elsewhere is to try it as your Facebook password. If (unfortunately) it works, they can then re-reset your email password to the Plenty of Fish/Facebook password in the hope that this was also your original email password. If it was, you may never know that they were even in your account. If it wasn't, well, they still have access to your email anyway; now you just know about it. From here, if they don't already have access to your other accounts (i.e., if your Plenty of Fish password didn't work on other sites), they can still go and change your Facebook password and any other password they want, because the reset links and new passwords will be sent to your email account... THAT THEY HAVE ACCESS TO.
Now you may be thinking, "But what's the big deal? Does it really matter if someone reads the forwarded chain emails, spam and LOLcatz I have in my inbox?" Well, think of the havoc that could be caused by someone who has your email, a copy of your resume (which probably has your current address and phone number), your birth date (remember those "happy birthday" emails and Facebook posts?), cell phone bills, cable bills and PayPal account (which links directly to your bank account). They could call up the phone company, which commonly uses your birthday and address as the security check, and add some more lines to rack up your bills, or just cancel your cell phone, cable or internet; they could use your PayPal account to buy some nice things on eBay... It could be bad!
So, how can you protect yourself?
Beating the 'Forgot Password' question.
It's very simple. Change your 'Forgot Password' question to something random like "What is my ninja's name?" and change the answer to something completely unrelated, like your first and last names backwards with your birth year. My question might be "What is my real middle name?", but my answer would be "hsojdreinfmy0891" – something that, even with access to all my personal information, no one would guess. Treat that answer as a second password: it does not need to be memorable if you keep it in the same safe place as your other passwords, and a made-up answer is the one thing no amount of research will turn up.
If they are able to get access another way, you should still be prepared.
Try not to keep the passwords for other accounts, or personal/confidential/compromising information about yourself or others, in your email. Delete the naked pictures of you from your email (inbox and sent items) NOW! Seriously though, don't keep receipts or banking information in your email account. I only keep things in my email that I wouldn't mind someone else getting hold of.
Pick a good password.
To me, a bad password is any password that contains dictionary words or names, uses letters of only one case (all upper or all lower), or is all numeric. It only takes a couple of minutes to run through every possible 6-character password, and far less if the password is only letters or only numbers. A dictionary word is weak no matter how long it is, because an attacker tries a list of words (with the usual capital letter and trailing digits) long before trying every combination of characters. You'd think this goes without saying, but most people have the simplest password possible. Look at the Google, Yahoo and Hotmail password leak that happened today http://bit.ly/TOGnJ – 20,000+ email accounts were posted on www.pastebin.com and the most common password found was '12345'. That password would take me about three seconds to crack.
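To put numbers on the claims above, here is an added example (not code from the original post) that estimates how many guesses an attacker needs for a given password. It assumes an offline guessing rate of one billion guesses per second and uses a ten-entry word list (with an assumed real-list size of one million) as a stand-in for a cracking dictionary; both figures are illustrative assumptions, not measurements. It goes one step beyond the text by comparing the two strategies an attacker has: a long, mixed-case password built on a dictionary word such as `Pizza1999` falls to a word-list attack in seconds, while a random password of the same length takes years.

```python
"""Estimate the work a guessing attack needs for a given password.

Added example for this post, not the author's code. GUESS_RATE, WORDLIST and
WORDLIST_SIZE are illustrative assumptions so the script runs offline.
"""
import string

# Character classes the post's advice is built around.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Assumed offline guessing rate (guesses per second) for an attacker holding
# a leaked hash. Illustrative only; real rates depend on the hash and hardware.
GUESS_RATE = 1_000_000_000

# Constructed stand-in for a cracking dictionary, plus the size a real one
# would have. Only membership is checked, so a tiny set is enough here.
WORDLIST = {"password", "letmein", "pizza", "hockey", "fluffy",
            "welcome", "sunshine", "monkey", "princess", "football"}
WORDLIST_SIZE = 1_000_000


def classes_used(password):
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def bruteforce_keyspace(password):
    """Guesses to exhaust every string of this length over the classes it uses."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    if alphabet == 0:
        raise ValueError("password contains no recognised characters")
    return alphabet ** len(password)


def dictionary_keyspace(password):
    """Guesses for a word-list attack, or None if the password is not a
    dictionary word with optional capitalisation and trailing digits (the
    most common 'mangling' rules crackers try first)."""
    core = password.rstrip(string.digits)
    digits = len(password) - len(core)
    if core.lower() not in WORDLIST:
        return None
    # every word x 2 capitalisation variants x every digit suffix of that length
    return WORDLIST_SIZE * 2 * (10 ** digits)


def guesses_needed(password):
    """The attacker picks the cheaper strategy, so assume the minimum."""
    brute = bruteforce_keyspace(password)
    dictionary = dictionary_keyspace(password)
    return brute if dictionary is None else min(brute, dictionary)


def crack_time_seconds(password, rate=GUESS_RATE):
    return guesses_needed(password) / rate


def human(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.4f} seconds"


if __name__ == "__main__":
    for pw in ("12345", "123456", "abcdef", "pizza1", "Pizza1999",
               "hsojdreinfmy0891", "Xk3!qT9#v"):
        print(f"{pw:18} classes={sorted(classes_used(pw))!s:38} "
              f"guesses={guesses_needed(pw):.2e} time={human(crack_time_seconds(pw))}")
```

Run it as a script to see the table; the two nine-character entries make the point: `Pizza1999` needs about 2e10 guesses (twenty seconds at the assumed rate) because it is a word plus a year, whereas `Xk3!qT9#v` needs 94^9 guesses, which is measured in years.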
Also, use different passwords for all of your accounts (or at least your important accounts: don't use the same password for your internet banking that you use for your email account!) and try to change your passwords regularly. This may sound complicated, and given the number of different accounts people have today it can be difficult to keep them all straight. I recommend keeping this information somewhere safe; the best place is encrypted on a USB key.
The Password method I use.
Use a minimum of 9 characters including numbers and letters (both upper and lower case) and at least one symbol if your email provider allows it. A longer, more complex password has far more possibilities, so it is a lot more difficult to crack and most people won't bother.
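As an added example (not the author's tool), the following script checks a password against the rules from this section and the 'Pick a good password' section above, and generates random passwords and 'Forgot Password' answers that pass them using the operating system's random number generator (`secrets`). The small word list and the symbol set are constructed for the example; a real checker would load a full dictionary and a list of common first names.

```python
"""Check a password against the rules in this post and generate ones that pass.

Added example, not the author's tool. COMMON_WORDS is a constructed stand-in
for a full dictionary plus a list of common first names.
"""
import secrets
import string

MIN_LENGTH = 9
# Symbols most web forms accept; adjust if a provider rejects some of them.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed: a real checker loads a dictionary and a name list here.
COMMON_WORDS = {"password", "pizza", "hockey", "fluffy", "summer", "welcome",
                "letmein", "monkey", "dragon", "sunshine", "joshua", "jane"}


def problems(password):
    """List the rules the password breaks; an empty list means it passes."""
    broken = []
    if len(password) < MIN_LENGTH:
        broken.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        broken.append("all numeric")
    letters = [c for c in password if c.isalpha()]
    if letters and (all(c.islower() for c in letters) or all(c.isupper() for c in letters)):
        broken.append("letters are all one case")
    if not any(c.isdigit() for c in password):
        broken.append("no digit")
    if not any(c in SYMBOLS for c in password):
        broken.append("no symbol")
    # Substring match so 'Pizza1999' and 'mypizza!' are both caught; the
    # length floor keeps two- and three-letter words from flagging everything.
    lowered = password.lower()
    hits = sorted(w for w in COMMON_WORDS if len(w) >= 4 and w in lowered)
    if hits:
        broken.append("contains dictionary word or name: " + ", ".join(hits))
    return broken


def generate_password(length=12):
    """Random password from the OS CSPRNG that satisfies problems() == []."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not problems(candidate):      # retry the rare draw missing a class
            return candidate


def generate_secret_answer(length=16):
    """Answer for a 'Forgot Password' question: a second password, not a fact."""
    return generate_password(length)


if __name__ == "__main__":
    for pw in ("12345", "pizza1999", "Pizza1999", "hsojdreinfmy0891", "Xk3!qT9#vLm"):
        print(f"{pw!r}: {problems(pw) or 'ok'}")
    print("new password:", generate_password())
    print("new secret answer:", generate_secret_answer())
```

The generator draws every character uniformly and simply rejects the rare draw that misses a class, which keeps the distribution honest instead of forcing "one digit at position 3" patterns that crackers also know about.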
Stealing Internet Service Provider Email Passwords (Rogers, AT&T, Telus, Bell, etc.)
Internet Service Providers are surprisingly insecure for companies of their size. If you have an email account with your Internet Service Provider (e.g., "JaneDoe@telus.ca"), it can be broken into in 5 minutes.
Scenario: pretend someone has grabbed your address, phone number and date of birth from your Facebook. Now they make a quick call to your internet company's tech support department, pretending to be you, and say, "I forgot my old password. Can you reset it for me?" Like the other companies I mentioned earlier, Internet Service Providers generally use your name, address and date of birth to verify that you are you. So with this information, they can convince the tech that they are you, and the tech will reset your password to whatever the bad guy/girl requests. Even if you put a "special password" on the account, they can say that they forgot that as well. Again, because they have all of your info, the tech will likely still let them change it. A more advanced attacker can even spoof their caller ID, so that when they call the internet company it appears that they are calling from your home or cell number, making them look even more legitimate.
How can you protect yourself?
One method to protect yourself is to put a note on your account that before any changes can be made to it you require a callback. Basically, this means that if anyone tries to change your account info, the company is required to call you back at home or on your cell. There is a good chance that the bad guy/girl will not be in your home to answer the phone, so they have been foiled. Simple as that. This isn't foolproof, but it's better than leaving yourself unprotected.
So that wraps it up! I hope this information helps make you safer while using the internet.
Joshua

I changed my forgot pass question and my password!
Good article, Josh
thanx tahz