Attacked by "Arm Robbers"....!?
He should be glad he can still type the email asking for help then shouldn't he :-)
The Lads from Lagos have apparently expanded their repertoire to incorporate hacking into Hotmail accounts. Fraudsters broke into the account of a Register reader's colleague to punt a person in peril scam. It's a far more subtle scam than offering promises of wealth for minimal effort to the credulous. Instead of receiving …
in my moments imagining i'm some 1337 H4x0R i have always wanted to put a theory to the test.
Given the plethora of sites people log into these days i'm pretty sure most people dont have a separate password for each and every "secure" site they visit, in fact my theory is based around the fact that the more naive a user is, the fewer passwords they use.
So, my imagined hack is quite simple really, set up a site that requires a user to register with an email and password and i'd bet that the very same password they use to register will work against the email account in a lot of cases, probably pretty obvious but surely a very simple way to lift a "percentage" of people's passwords.
I can confirm this has happened to at least one other person. A friend of mine in Bangladesh "mailed" me, telling me he had travelled to Nigeria for work and had suffered a similar fate. Email follows:
"How are you doing today? I am sorry i didn't inform you about my traveling to Africa for a program called "Empowering Youth to Fight Racism, HIV/AIDS, Poverty and Lack of Education, the program is taking place in three major countries in Africa which is Ghana, South Africa and Nigeria. It as been a very sad and bad moment for me, the present condition that i found myself is very hard for me to explain.
I am really stranded in Nigeria because I forgot my little bag in the Taxi where my money, passport, documents and other valuable things were kept on my way to the Hotel am staying, I am facing a hard time here because i have no money on me. I am now owning a hotel bill of $ 1550 and they wanted me to pay the bill soon else they will have to seize my bag and hand me over to the Hotel Management., I need this help from you urgently to help me back home, I need you to help me with the hotel bill and i will also need $1600 to feed and help myself back home so please can you help me with a sum of $3500 to sort out my problems here? I need this help so much and on time because i am in a terrible and tight situation here, I don't even have money to feed myself for a day which means i had been starving so please understand how urgent i needed your help.
I am sending you this e-mail from the city Library and I only have 30 min, I will appreciate what so ever you can afford to send me for now and I promise to pay back your money as soon as i return home so please let me know on time so that i can forward you the details you need to transfer the money through Money Gram or Western Union."
This mail was swiftly followed by three from a new GMail account he had set up telling people what had happened.
I have to confess, I'm guilty of using the same passwords all over. At last count, I have 81 websites for which I've supplied passwords, and there's no way I'm going to try to make up unique codes for each. Now I DO have several tiers of passwords for various levels of security I desire - the password on my primary PC is TOTALLY unique and quite complex. But I'll bet many people don't go to that trouble.
"other valuable things like my I'D card is missing along with the wallet"
A bit odd: the "international passport" is still available. I wonder whether that somehow could be used in lieu of the "I'D card"?
Certainly I wouldn't hesitate for one moment to assist a friend in an emergency, and obviously this plea was composed while the victim was in much distress and unfettered by the usual high standards of spelling, grammar and structure of email communication. So I would overlook those.
The easiest solution (it seems obvious) would be to direct the friend, while s/he is at our embassy or consulate seeking help, to inquire about the funds that I have wired there to be picked up with proper passport ID (of course). S/he will have to speak at the security desk with a certain Officer I. P. Daley (or similar). Sure, a local good Samaritan who knows the area much better could do it just as well, but be sure to bring proper photo ID and a print-out of our email exchange as proof s/he is authorized to receive the funds.
A more entertaining response might be expressing surprise about the incredible coincidence that I was also abroad, on that tour that I'm sure I must have mentioned when we last had lunch together, and in fact for the next day or so I'm staying in a nearby village, so have a local contact person meet me by following very detailed, convoluted, and cost-incurring instructions, including some combination of rail or bus station addresses, schedule of connections/departures/arrival, etc., and by the way since I'm using my cell phone call [at #--but has to be dialed as an international call, unfortunately] if there's any problem; later followed by apologies for the missed connections, mis-communications, etc., "now this time be sure to have your local good Samaritan stand in front of the visitor's aid desk at the station waving a sign over their head with the following text in large type...".
I'd agree with Carl. Every blasted site seems to need a password as well as a user name these days.
Even with a password vault it's just not practical for even an avid techie to have a different one for each site. Most members of the public haven't a chance of coping. Part of the solution is that sites should consider whether they really do need both a username and a password to log in.
(Like this one, which I had to reregister for, since I have no idea which combination of e-mail address and password I used last time!)
I use the tiered password approach myself. The majority of my accounts are with sites that have none of my personal info and that wouldn't otherwise be a threat if they were to be compromised. I have a handful of 'throwaway' passwords for these sites.
For sites somewhere in between- no actual threat, but I'd prefer if they weren't compromised (like this one) - I use different variations of stronger, but not difficult to remember passwords. Each one is unique, but they're all similar and not particularly strong.
Sites and accounts that actually matter all have unique, strong passwords.
An interesting technique someone suggested to me once was to use very long, complicated passwords but to maintain a physical list (say, in my wallet) that has part of the passwords on it- maybe rearranged slightly according to some simple algorithm. That way you get good, brute-force-resistant passwords but do not have to remember all of them. At the same time, the list itself is pretty safe because it does not contain the entire password and is rearranged somewhat. Often just seeing a small part of the password is enough to remind you of the whole thing.
Probably still too risky for serious security, but not a bad system.
The tiers system is one of the best - I only have 3 tiers at the moment (Banking/Financial, Email/Personal, Forums/Etc and a semi-4th of disposable) but if I ever really catch on to the whole social networking privacy disaster, I'll add a tier between E/P and Forums (social networks tend to accumulate personal info, but not at the same rate as email).
B/F has a long, semi-random password that is changed often (sub-weekly).
E/P has a long, semi random password that are changed less often (weekly-monthly).
Forums has a random choice from 3 passwords, with FF password manager remembering which one I used. If I reinstall, most sites give you 3 choices, so security isn't exactly assured, but it gives a crooked forum op a 2/3 chance of failure on a different board that he knows I am using. Its changed rarely, but has been changed several times (average is probably under yearly, but only just).
As illustrated by this article, you can use trusted accounts to extract money from other members of the community. However, I suspect most forum members aren't sufficiently friendly to part with $3500 to a random member! (I hope so, anyway - if you know any forums where this isn't true, please contact my colleague DR MASABA HIRATA, who has a business offer for these TRUSTWORTHY people - his email address is available in your spam folder).
Seen a little of this on some of the net singles sites lately too. "Hello I'm a cute white girl from <insert your home town> who has been robbed and is now penniless in <insert random place in Nigeria>". If I'm particularly bored I'll start asking her which football team she followed or something else everyone here has an opinion on (even if its just "I can't stand that shit!" like me). Local cultural references work too.
I did spend a while on one occasion asking why 'she' wasn't just engaging the nearest bastion of the consular service... its kind of what they do right? And its kind of fun to watch them twist and turn (like a twisty turny thing) as they try to explain their way past that.
Given the recent news about the guy who flew over there and needed rescuing recently I suspect there may be more of this going on than we imagine...
I love these things - I appreciate people are actually dumb enough to fall for them (and said people should not be allowed to own a computer - or be allowed out without a leash), but they do make you laugh.
An employee at my previous job asked me why she couldnt log in to her personal banking - she was actually entering her details onto a phishing email into a bank that she doesnt bank with - there should be injunctions issued against computers to people like that.
"Is it just me or the obviousness that the said owner of the hotmail account decided to use hotmail"
... not if said user created such account 9-10 years ago, or during the rise of the eeeevil MSN Messenger. Back then, Hotmail/MSN emails were the only way to get a Passport account. Even when using other emails was made possible, well... try telling your 300+ contacts you're swapping addys and watch how many get lost in the change. Mostly my hotmail addy turned into a spamcatcher now ...
Like Phil, I tend to have various levels of passwords depending on the site. Important ones are always unique and my secure passwords tend to be random-seeming (unless you happen to know which line(s) of which poem/song or which inspirational quote I'm using. Mixing in a few numbers and capital letters also helps and I've been known to throw in punctuation marks if I know the software can handle them.
Matt's suggestion for harvesting would not grab anything too critical from me but I'm quite prepared to believe he'd get a "percentage" of useful passwords owing to the number of dumb buggers who think "secret1" is quite adequate for home and work computers, all forums, "exclusive" pron sites, on-line banking etc etc
Biting the hand that feeds IT © 1998–2022