Maryland Bar Bulletin
Publications : Bar Bulletin : July 2008




“Help, I’m on vacation, I’m stranded and I’ve lost everything. This is no joke, please send money.”

That’s the e-mail I received. Not only was it from someone I knew, but they were actually on vacation. I wasn’t sure exactly where they were, but I was pretty sure it wasn’t Lagos as the message had said. Also the message didn’t sound quite right. The grammar and punctuation were horrible and the whole thing just didn’t make sense. Of course, it could have just been the result of being frazzled because of the purported situation. So, expecting that the message was sent by some automated spam-bot, we sent a reply asking if the message was true and how they ended up in Nigeria. The response was almost immediate, stating that Lagos was an unplanned business trip and that, yes, it was not a joke and they did need the money. But it still didn’t feel quite right.

After contacting the e-mail address owner by phone, we were able to confirm that her e-mail address had been hijacked. Someone had hacked her account and changed the password, locking her out of her own e-mail account while sending messages to any concerned friends, family and colleagues. After jumping through quite a few hoops to prove who she said she was, the e-mail provider was able to reset the password – but all of the contacts and saved e-mails were deleted in the process.

How Did This Happen?

While we are unsure of what actually happened in this case, there are a few different methods of getting someone’s password. It can be done locally or remotely. Hacking from a distance can be done by programs that submit common passwords to accounts to see if any work. This is usually easily detected, so hackers often resort to more clever methods of tricking you out of your password, such as phishing. Phishing is when you receive an e-mail or link asking you to log in to your account. The link then sends you to a fake copy of the website.

A flaw in Gmail’s security allowed hackers to add malicious filters to an account when its owner simply visited an infected website while logged in to Gmail. This by itself does not disclose your login information, but it is still a huge invasion of privacy. The issue has since been fixed, though users are warned that the fix only prevents new alterations and that they should check for any existing modifications. If you are a Gmail user, you can do this by logging in and clicking on the “Settings” tab in the upper right of the screen. Then check both the “Filters” and the “Forwarding and POP” sections. Look for any unrecognized e-mail addresses.

Hackers can also steal a password locally by simply watching as someone types in their password or by installing a program on a computer that will record all keyboard input.

Unfortunately, when we are on vacation we are often less careful rather than more careful, and using public computers, Internet cafés and public Wi-Fi can pose serious threats.

How to Protect Yourself

Tough passwords. Make your passwords difficult to guess. A strong password should be six to twelve characters in length and contain numbers, upper- and lowercase letters and special characters such as *, $ or !. The best passwords will also never be an actual word. One tip is to take a line from your favorite song and use the first or last letter from each word, changing the case and adding numbers and symbols to the beginning, end and middle.

Built-in security features. Some web-based e-mail providers like Yahoo have a “sign-in seal” which will protect against phishing scams. You upload some text or an image and later, if your sign-in seal is not there, it’s likely a fake page.

Have a travel account. When taking a trip, many people leave their full-size toothpaste and shampoo at home. Well, perhaps you should do the same with your e-mail account, especially if you leave the country. If you think you will need e-mail access while traveling, you might want to consider a separate e-mail account. Keep the contact list empty, and print the contacts you need and keep them with you – that way, if someone gets your login info, they can’t do as much damage with it. You’ll be able to send messages, but the only messages you will be able to read will be from those to whom you gave the travel e-mail address.

Back up your data. If you use Yahoo or Google apps such as calendar, docs or other tools, keep in mind that you are only given access to this information if they let you. Unless you keep a copy, all that information could just go away. Periodically, back up the information from your account and keep it on your computer, or back it up to CD, DVD or other back-up service.

Archive important documents. I have more saved e-mail messages than I probably should, and I clear out as many outdated ones as I can from time to time, but there are those messages that I know I’ll need to reference again later. But while it’s nice to always know where to find them, perhaps online isn’t the best location – especially if they contain account activations or password reminders. If the message contains personal information, the best thing to do would be to print it or copy it to an electronic file on your computer. How to best protect it after that is your decision.

This type of problem doesn’t happen often, and it doesn’t happen to everyone, but if you take some of these steps you can help keep it from happening to you.

