Friday, October 15, 2010

How to get your accounts hijacked

A recent incident has reminded me that the easiest way to discover someone's password is simply to ask them!  OK, it's not as blatant as that, but sometimes amongst all your spam emails you may find something which is doing just that.

In this case someone received an email about their Gmail account.  It claimed to have come from Gmail, looked very credible, and said that they believed the account had been compromised.  It asked for such things as full name, date of birth, PASSWORD, etc.  These were duly given.

The result is that the user can no longer access that Gmail account, and the account is being used to send out whatever emails the bad guy wants.  There is also the potential that emails containing sensitive data had been sent or received!

There was another case a few years back where one of my clients had exactly the same scam pulled on his eBay account.  This time it was slightly more serious because some money was spent from the account.

Although eBay had methods in place to quickly deactivate the account, with Gmail it is proving to be a lot harder, so it's probable that the account will be lost to the user.  How awkward would it be if that happened to you?  Would you lose all your emails?  Contacts?  Calendar?

So the basic rule is NEVER give your password to ANYONE unless you are ABSOLUTELY SURE who they are and that they are justified in needing it.  Organisations that are running things for you (banks, eBay, Gmail, Hotmail, etc.) don't need your password to access your details.