Originally published on Benscomputer.no-ip.org Jan 2010.
Password theft is a fast growing business, in the age of the internet a singular word or phrase is often all you need to verify your identity. Unfortunately this token is all that is needed for someone else to adopt your identity, and potentially commit fraud or criminal acts in your name.
Everything seems to be online in this day and age, whether it's your bank, your mail or your shopping. Each of these require a unique login to identify you. Unfortunately usernames can be quite easy to come by, in fact on many sites your username is public (Ebay is a good example of this).
So how do you protect yourself from this threat? Generally it simply requires a little bit of common sense. You wouldn't provide just anyone with a copy of the key to your house, so why do the same for your online persona?
You may, on occasion, receive emails from your Bank, or from PayPal, notifiying you that they are undergoing a security re-vamp and need you to verify your identity. You are usually give a link to open a page requesting your password. If you receive one of these, apply a little bit of common sense and ask yourself exactly why the bank would want this. Check the sender details in the email (though these can be faked, so beware)and contact the supposed sender to verify the legitimacy of the email.
Most Financial Institutions make it clear that they will never ask you to enter your passcode/phrase in whole, and certainly never by email. Yet many people still fall for these scams. One common reason for people clicking these links in emails is that it appears to link to the website you would expect. However in a HTML email it is all too easy to create a link that appears to point to www.barclays.com but will actually open www.gimmeyourdetails.com.
Banks aren't the only organisations targetted for password fraud, everything from E-mail to Facebook accounts seems to get targetted. There are a variety of reasons for this, the first being that it is not always your money that is being targetted. Your account may be required to put a line of anonymity between you and the fraudster, this makes the fraudster harder to track, and puts you in the frame.
Another reason for seeking out the login details of supposedly harmless accounts (let's for example assume Facebook), is that many people use the same password for all their accounts. So if I establish that you registered for Facebook with the email address firstname.lastname@example.org, using the password 'sekretpassc0de' then the odds are that I could login to your PayPal account with the same credentials. Whilst you would probably hesitate to give out your PayPal login in response to an email, you may decided that FaceBook is harmless, so why would an email be fake? I then have possible login details for every account you own.
Aside from the obvious cure of not giving your password out, ever, this eventuality can also be combatted by using different passwords to each of your accounts. It goes without saying that a password should be secure, containing letters, and numbers in as random an order as possible, but passwords can be 'brute forced.' Brute Forcing is the act of trying different password combinations until you find the correct one, the more random your password the harder it will be to break with a 'Dictionary style attack'. Should your password fall prey to one of these attacks, using different passwords will severely limit the damage.
Using the above example, where I gained your Facebook credentials, if you use different passwords for each of your accounts, the most I would be able to do is to login to your Facebook and mis-use that account. Your PayPal account would remain out of reach, unless I could convince you to give me those details.
You should avoid giving your passwords to anybody, and if you believe they may have been compromised, change them immediately. But also be aware that people can find out various facts about you, that may help them discover your password. Most websites have a 'Security Question' which allows you to reset your password. However this does pose the risk that someone could reset the password. One of the most common questions is 'Mothers Maiden Name?', there are plenty of resources online that would allow a determined attacker to examine the birth records for the year you were born. Birth registers contain your mothers maiden name, and so your password could be reset. This weakness is especially dangerous when combined with an account relating to finances, whether it be PayPal, Ebay or an Internet Banking website. It may be an incredibly useful feature when you forget your password, but it also risks your security. Many sites have improved the security of this feature now, by changing the procedure. On sites such as GoogleMail, providing the correct response now triggers an email to your secondary email account. Within this email is a link allowing you to reset your password, however if an attacker has gained access to your secondary account, he/she can still use this method to gain access.
A potential angle of attack that I regularly see, are sites such as Facebook which allow you to enter your email details, and an automated message is sent to your entire addressbook inviting them to join. Never use these, not only will the constant stream of emails annoy your friends, but it would also be childs play to craft a site asking for the details for my own benefit.
Anything that happens under your username will automatically be credited to you, so if someone were to use your Ebay account to commit fraud, you would be the first point of call for the relevant authorities. This can be prevented by following the simple steps laid out in this article.
In conclusion, the steps for fighting password theft are very simple. Don't ever give your password to anyone, a password should always be entered securely, not given to an 'advisor.' Verify the legitimacy of any correspondence received, especially if it asks for your credentials. It is especially important to gain contact details from other sources than the correspondence, a simple google search is usually sufficient. Ensure you practice damage limitation procedures, keep your accounts seperate, use different passwords for each one.
Finally, always choose a secure password. Avoid dates of birth, whether entered in reverse or otherwise. Don't use family names, and never write the passwords down.
Password security comes from adopting a state of mind, treat a password as the key to your life. Never trust anybody with it, and try to avoid obvious password hints.