
Scam alert: “I know your password”

The latest scam we’ve seen – “I know your password” – is both beautiful and scary. Read on to find out how to beat it.

Online systems have been compromised, and a new scam is taking advantage of this

Recently, some of our clients have reported receiving strange emails. These are more than run-of-the-mill spam: they come from persons unknown who claim to know one of your passwords.

And here’s the thing: they do know one of your passwords. It’s there, in the email, in all its uncovered glory.

The sender uses this password as proof, then claims to have infiltrated your computer with some sort of malicious software which used your webcam to record you while you were online, typically while visiting some salacious web site or other.

And along comes the blackmail… pay $1,000 in bitcoin (or some variation) or else!

The “or else” usually involves telling the world your dirty little secrets.

Don’t be a scam victim

Most people freak out – and rightly so – because the password shown is genuinely one which they use, and human nature (working the way it does) leads people to be easily convinced that the sender has accessed their computer and will carry out their threat. Even if the receiver has done nothing wrong and visited no seedy web sites, the fear of what might happen is terrifying.

So, let’s pull back the curtain to see why this happened, and what you should do about it.

Many online systems (LinkedIn, Yahoo, and eBay, to name a few) have been hacked in recent years, and if you have an account on one of these systems it’s possible that your password was stolen. Use the Have I Been Pwned web site to see whether you’ve been a victim of one of these password thefts.

If you have, then a bunch of your information will have been lifted: your name, your password, and possibly your address and date of birth. Credit card information is usually not taken in these breaches, as it is stored separately.

In and of itself having a password stolen from an online system is not a good thing, but the real issue is if you use the same password on multiple systems.

Once the hack is done, the scam begins.

These thieves will try your email and password combination on other systems, and anywhere you’ve reused the same combination they simply log in as you. Increasingly, systems offer 2-factor authentication to stop this (logging in requires more than an email and password), but most still don’t, and it only helps on the accounts where you’ve turned it on.

Scammers will try many attacks, but the softest target is you.

What to do

If you receive this type of email DO NOT IGNORE IT. Don’t pay and don’t reply, but do act on it.

The scammers most likely haven’t installed any software on your computer; their real target is money. The password they quote is the giveaway: it came from a breached web site, often years ago, which tells you which account leaked and where else you may have reused it.

The #1 thing to do is change your password on any online systems which have been compromised (again, check Have I Been Pwned to see whether you’re a victim), and on any other system where you used the same password.

The #2 thing to do is install anti-virus and anti-malware software on your computer. iHelp IT can help you with that, as part of our iCare Essentials package.

And finally, the #3 thing to do is to not visit any of those web sites…

Protect yourself

Contact us at info@ihelpit.com.au to find out more about protecting yourself with iCare Essentials


Perfect password security

Your passwords are a tremendous security measure, but sometimes they seem to be no more than an inconvenience, designed to stop or slow you from accessing a computer or web site.

For decades (literally since the 60s) passwords have been the first line of defence securing access to computer systems, and they are increasingly important against a growing cyber threat: from the password you type to log in to your Mac, to the PIN you enter on your iPhone.

Even apparently fancier technologies like Apple's Touch ID and Face ID have only one job: to release access that the existing PIN on your iPhone protects. It's the PIN (or a longer passcode) which in turn actually unlocks the phone, which is why the phone still demands it after a restart.

So passwords aren't going anywhere, and consequently it’s always a perfect time to review your approach to passwords, and find out how a few simple changes can give you an immediate security boost.

But in this digital world, passwords are everywhere: your computer, iTunes, Facebook, Google Drive, iCloud, work-based systems, Dropbox, Zomato, Seek, Uber, Tinder, and (of course) the numerous financial systems which we take for granted these days. The list is almost endless.

So how do you effectively protect yourself?

Do you go the simplistic route, and pick one really good password and use it everywhere? No. Absolutely not. If someone gets that password then you're compromised everywhere.

But having a secure, unique password for everything is, if you try to do it from memory, entirely impractical. So now what?

Fortunately, technology (the cause of the problem) also has a number of solutions. Below are 6 ways in which you can get the best of both worlds; security and simplicity.

This article should be viewed as essential reading, not just as a set of recommendations.


Go Long

Despite what all those prompts for special characters and uppercase letters might have you believe, length matters more than complexity, as is elegantly displayed in one of our favourite geek comics, XKCD. Each extra character multiplies the number of possible passwords by the size of the alphabet, so every character you add makes a brute-force attack take that much longer.

Stringing together a sentence, and mixing in some symbols, numbers, and upper-case (think &, 4, U) makes a password much, much harder to assail.

“inever4getaface!” is the kind of password that is easy to remember but long enough to resist brute force. Don't use that exact one, though: any password printed in an article like this ends up in the word lists attackers try first, and cracking tools also know the common letter-for-number substitutions, so choose your own phrase and make it longer rather than cleverer.

Let your Mac do the heavy lifting

Don’t trust third-party browsers with your passwords. A convenient shortcut to remembering all those passwords, or paying for a password manager account, is letting your browser remember them for you. You’ve seen the option yourself. You probably even use it on at least one site. Don’t! The option is convenient, but how the browser protects that store varies from browser to browser and is often poorly documented, and it doesn’t require that your password actually be, you know, good. If you need a free and easy option, go with a password manager like Dashlane instead of trusting everything to Chrome.

The only problem is that apps like Google's Chrome don't use the macOS keychain, so you'll need to manually enter passwords from the keychain into Chrome, and Chrome can then save them in its own database.

Use a password manager

Password managers like 1Password or LastPass create strong, unique passwords for all of your online accounts, and then store them for you to access across all your devices. So you have strong, unique passwords, and if one of your passwords does get caught up in a data breach, criminals won’t have the keys to the rest of your online services.

Now all you need to do is remember one master key.

The limitation with these applications is that, like all 3rd party software, you'll need to download a separate app, and then install the appropriate browser plugin for them to work.

Use keyboard patterns

A much less often used password mechanism is the keyboard pattern.

Instead of making up a sentence or using substitutions, you pick a pattern on your keyboard as a password. This has the advantage of being extraordinarily easy to type in, and a long, irregular walk is hard to guess. Be aware, though, that password-cracking tools generate common keyboard walks (think qwerty, 1qaz2wsx) as a matter of course, so a short or obvious pattern is no stronger than a dictionary word: only an unusual walk of real length helps.

Of course, there's an obvious downside: when you type the password on a foreign or virtual keyboard the layout may not match your usual keyboard, and keys like the numbers and symbols on the top row may not even appear on a virtual keyboard, so you'll need to genuinely remember this type of password rather than just the shape of it.

An example: "cftyuijnbvc" makes no sense as a word, but you'll see how nifty it is when you type it out on a QWERTY keyboard. (As with any published example, don't use this one.)

Single-serve passwords

What makes safety glass so safe? Simple... it's designed to stop little cracks becoming big ones, resulting in tiny, relatively innocuous pieces of glass rather than large, sharp, extremely dangerous shards of glass.

In the same way, using unique passwords means that if the password to one online service is discovered, your other online services are not compromised.

If you use a password manager then you’re already all over this. If not, then a midway solution is to create 10 unique passwords and spread their use evenly, so that the exposure of any one password is not entirely catastrophic (it still exposes every account sharing it, which is why the password manager remains the better answer). Don't believe that your passwords may have been compromised? See for yourself: the website Have I Been Pwned has nearly 5 billion compromised accounts on file, and yours may be one of them.
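Both articles on this page point you at Have I Been Pwned, so it is worth seeing how a lookup there avoids handing over the very secret you are checking. Its Pwned Passwords API uses a k-anonymity scheme: you hash the password with SHA-1, send only the first five hex characters of the hash, get back every known hash suffix under that prefix, and do the matching on your own machine. The Python below is an added example written for this article, not code from Have I Been Pwned; the sample API response in it is constructed (the real reply for the prefix 5BAA6 has many more lines and different counts), and check_online is the only function that touches the network.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def split_for_range_query(password: str) -> tuple:
    """SHA-1 the password and split the upper-case hex digest into the
    5-character prefix that is sent and the 35-character suffix that stays
    local. A 5-hex-char prefix covers about one in a million of all possible
    hashes, so it tells the server nothing useful about the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """The API answers with one 'SUFFIX:COUNT' line per known hash under the
    prefix. Scan them locally; 0 means the password is not in the corpus."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_offline(password: str, response_text: str) -> int:
    """Match a password against an already-fetched range response."""
    _prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, response_text)


def check_online(password: str, timeout: float = 10.0) -> int:
    """Live lookup: fetch the range for the prefix and match it locally."""
    prefix, suffix = split_for_range_query(password)
    req = urllib.request.Request(API + prefix,
                                 headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range_response(suffix, body)


# Constructed stand-in for the API's reply to GET /range/5BAA6, the prefix of
# SHA-1("password"). Real replies run to hundreds of lines; these suffixes
# and counts are made up for the example, except that the second line's
# suffix is the genuine remainder of SHA-1("password").
SAMPLE_RESPONSE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2F8D8D0A6A3B0E1E2F3A4B5C6D7E8F9A0:1
"""

if __name__ == "__main__":
    hits = check_offline("password", SAMPLE_RESPONSE_5BAA6)
    print(f"'password' seen {hits} times in the (sample) breach corpus")
```

Anything that comes back with a non-zero count should be retired everywhere you use it, even if the breach it came from wasn't one of your accounts: attackers feed exactly this corpus into the credential-stuffing attempts described in the scam article above.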

Use multi-factor authentication

Increasingly, online services are using multi-factor authentication.

Users can be authenticated more than one way, including:

  • Something you know - a password or PIN
  • Something you have - a smart card, an RSA SecurID token, a YubiKey USB key, an app like Authy, or a code via SMS
  • Something you are - a biometric measure like a fingerprint, voice pattern, or retina scan

The third factor is usually only used on its own for physical access to something (a building, a research facility, etc.); on a phone, as noted above, the fingerprint or face merely unlocks a credential that the PIN protects.

But two-factor authentication is increasingly used for online services, and codes via SMS are by far the most popular. If an online service offers two-factor authentication then you should use it. SMS is the weakest of the options listed above, since the code rides on your phone number rather than on a device you hold, so prefer an authenticator app or a hardware key where the service supports one. The other downside of SMS is that you may not be able to receive a code if you're overseas and don't have roaming turned on, whereas an app like Authy generates its codes on the phone without any network at all.