Password Mugging

Sunday, May 16th, 2010 (No comments yet)

Hopefully you've already figured out the damage someone could do to you if they get into your e-mail account. They can impersonate you causing problems with your personal and professional contacts. They could read all your stored e-mails and anything medical, financial or otherwise important in them. And, of course, they can unlock your other accounts and do even MORE damage.

Invade my e-mail account? Why SURE!

So knowing that, why is it that people hand over their passwords willingly to services like Facebook, MySpace, and other social networking sites?

They promise not to store the password or peek at anything except your contacts which they say they'll use to find out if anyone with those e-mail accounts is already using the same service. This way they can add your friends for you without you having to do it manually for each one. Sound tempting? So did Snow White's apple.

Consider the following:

  • If the company, or anyone working for them, has more plans than they say, there's nothing to stop them from storing the password or anything else they find in your mailbox.
  • Is your login, your password, and everything else the service pulls back and forth from your e-mail account protected while it's in transit? Chances are it isn't, and all that information (including your password) will cross the net unprotected.
  • No matter what they promise, if they don't use HTTPS for transmission, you're at risk anyway! And keep in mind that you can only check the hop between your browser and their site; the hop from their server to your e-mail provider happens out of your sight.
  • Even if all of the above were somehow safe, the very practice of asking people for passwords violates one of the most basic rules of computer security. Call it a personal rant, but it's irresponsible to train users in risky security habits. It's an abuse of trust.
  • And speaking of abusing trust, if you're not very careful about reading all that small print, you may end up embarrassing yourself when they use your e-mail contacts for more than you expected.
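
The HTTPS point above is the one part of the deal you can actually check yourself. The following is an added example, not code from the original post: a small Python scanner that takes a page's HTML and the URL it was loaded from, finds every form containing a password field, resolves the form's action URL, and reports any that would submit your password over plain HTTP. The sample HTML and hostnames (social.example, partner.example) are constructed for the example; the point they illustrate is that an empty or relative action inherits the scheme of the page itself, so a harmless-looking action="/connect" on an http:// page still sends your password in the clear.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect every <form> together with the names of its password fields."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action attribute, [password field names])
        self._current = None   # the (action, fields) entry of the open <form>, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # html.parser lowercases tag and attribute names for us
        if tag == "form":
            self._current = (a.get("action", ""), [])
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "text").lower() == "password":
                self._current[1].append(a.get("name", "?"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(html, page_url):
    """Return (field_name, submit_url) for every password field whose form
    would be submitted over something other than HTTPS.

    An empty or relative action is resolved against page_url, so a form on an
    http:// page is reported even when its action looks harmless.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action, fields in scanner.forms:
        submit_url = urljoin(page_url, action)   # "" resolves to the page itself
        if fields and urlsplit(submit_url).scheme.lower() != "https":
            for name in fields:
                findings.append((name, submit_url))
    return findings


# Constructed sample: a "find your friends" page with three password forms
# (one safe, two not) and one ordinary search form that must not be reported.
SAMPLE_PAGE = """
<form action="https://social.example/import" method="post">
  <input name="email"> <input type="password" name="email_password">
</form>
<form action="/connect" method="post">
  <input name="user"> <input type="PASSWORD" name="pw">
</form>
<form action="http://partner.example/login" method="post">
  <input type="password" name="other_site_password">
</form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for page in ("http://social.example/addfriends", "https://social.example/addfriends"):
        print(page)
        for field, target in insecure_password_forms(SAMPLE_PAGE, page):
            print("  password field %r would be sent to %s" % (field, target))
```

Run against the sample, the http:// version of the page reports both the relative /connect form and the absolute http://partner.example form; the https:// version reports only the partner form, because /connect now inherits https. What the scanner cannot tell you is what the site does with the password after it arrives, which is exactly the problem with handing it over in the first place.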

Example: E-mail Account Abuse

"You've just been added to John Doe's Reunion.com Address Book!"

"John Doe wants to connect with you! I looked for you on Reunion.com, but you weren't there…"

Any of these messages look familiar? If so, a friend of yours (or at least someone who has your email address in their address book) has fallen prey (knowingly or not) to what many say is an overly aggressive way to coerce people into joining Reunion.com's "get in touch with old friends" service.

In this article you can read a description of how Reunion.com abused the trust of its users and sent spam e-mails to everyone in their contact lists once they gave up their passwords.

I received an e-mail just like the ones described above that said something like "Someone's looking for you on Reunion.com! Sign in to find out who it is!". Immediately following that was this e-mail:

From:
Subject: My apologies to everyone who received this Re-Union E-mail

My apologies to everyone who received this Re-Union E-mail. I understand that this was bothersome. You will not receive it again. There is no need for response.. Eric

Consider that this poor guy had personal and business contacts in his address book, all of whom got this spam from Reunion. He was more than a little embarrassed.

What To Do

Remember that, unlike online retailers such as Best Buy and Kmart, social networking sites make money by collecting and selling people and their data. Reunion isn't the only one training people in bad security by asking for passwords; they ALL do it:

  • LinkedIn
  • MySpace
  • Facebook
  • Twitter

They're not providing the service for fun or for your benefit; they want as many subscribers as they can get so they can serve ads or sell your data to data brokers.

Give Us Your Bank Info!

Mint. Give us your bank and credit card passwords!

You would think people would know better than to give up their banking information, but that appears to not be the case. Consider mint.com, a personal finance website where you can supposedly give them "read-only" access to your online banking so they can show you where your money goes and help you better manage it.

This is all good in theory, but they say in their "About Us" page:

Mint.com offers valuable insights and analytic tools to help you better understand your money…but Mint.com is a "read only" service. Meaning: you can view and organize your money with Mint.com, but you cannot move money between—or out of—your bank, credit union or credit card accounts.

YOU can't move money… But can they? And even if they claim they can't, did you verify that with your bank first? Unless your bank tells you that it has determined a service like this is safe and supported, and that it will back you up in case of fraud or accidents, why would you ever take such a risk?

That's not to say that Mint.com is bad (because I don't know that for sure) and, in fact, I really like the idea and wish my bank offered something like this. But if you're giving them the same password you use to access your online accounts, the only thing that stops them from doing whatever they want with those accounts is their word.

Even Mint.com is nothing compared to these guys!

Even if Mint.com employees and everyone else who has access to the data (the network and database administrators) are honest and trustworthy, the company is still a target for attackers. The first one to get into its systems will have a goldmine of completely defenseless bank accounts to play with.

You might say, "So what's the difference? Banks have accounts too!" True. But banks also have strong regulation, stiff penalties, and financial responsibility for breaches. Does Mint?

What to Do

Remember to distrust new sites and services until you've verified and validated them personally. But most importantly:

Make good passwords, keep them safe, and NEVER willingly give them away.

Cross-site Login

The last thing to watch for are sites that let you log in with credentials from other services. It's natural to think "oh hey! I can log in with a name and password I already have instead of creating a new account on this site… sweet!". What you should be thinking is "this site wants the name and password to my other accounts. I wonder if this is safe?"

multi-login example

First, the site you're logging into might just be collecting your login information for its own use. Second, even if they're legit, there could still be security or implementation issues (like not using HTTPS for the transmission from their site to the service that actually owns that login). Third, I'd bet there's at least one if not more ways to trick a site into letting someone into an account when it uses this kind of cross-site login.

This is a risky thing to do and should be treated the same as giving away your password so a site can import your contacts.

What to Do

If there's an option to avoid logging in, take it. In the example I provided, you can leave a comment anonymously or with a simple name/URL combo (neither requires a password). Otherwise, if you want to use a site or service, just make a new account or use Bug Me Not to see if there's a shared name and password available.

About the only exception is for sites owned by the same company, such as Google, which owns YouTube, and Yahoo, which owns Flickr. With two sites owned by the same company, it's unlikely that you're introducing risk by logging in with the same ID. As far as security goes, anyway.

You MAY want to consider the privacy implications of tying all your photos or videos to companies that already know so much about you (Google and Yahoo). For privacy reasons, it might still be worth creating an entirely separate account.
