Password Mugging

Hopefully you've already figured out the damage someone could do to you if they get into your e-mail account. They can impersonate you, causing problems with your personal and professional contacts. They can read all your stored e-mails and anything medical, financial or otherwise important in them. And, of course, they can unlock your other accounts and do even MORE damage: almost every site's "forgot my password" link sends the reset to that very mailbox.

Invade my e-mail account? Why SURE!

So knowing that, why is it that people willingly give up their passwords to services like Facebook, MySpace, and other social networking sites?

They promise not to store the password or peek at anything except your contacts, which they say they'll use to find out if anyone with those e-mail accounts is already using the same service. This way they can add your friends for you without you having to do it manually for each one. Sound tempting? So did Snow White's apple.

Consider the following:

E-mail Account Abuse

"You've just been added to John Doe's Address Book!"

"John Doe wants to connect with you! I looked for you on Reunion, but you weren't there…"

Do any of these messages look familiar? If so, a friend of yours (or at least someone who has your e-mail address in their address book) has fallen prey (knowingly or not) to what many say is an overly aggressive way of coercing people into joining Reunion's "get in touch with old friends" service.

There's an article describing how Reunion abused the trust of its users: once they gave up their e-mail password, it sent spam e-mails to everyone in their contact list.

I received an e-mail just like the ones described above that said something like "Someone's looking for you on Reunion! Sign in to find out who it is!". Immediately following that was this e-mail:

From: [obviously I'm not going to tell you]
Subject: My apologies to everyone who received this Re-Union E-mail

My apologies to everyone who received this Re-Union E-mail, I understand that this was bothersome. You will not receive it again. There is no need for response. Eric

Consider that this poor guy had personal and business contacts in his address book all of whom got this spam from Reunion. He was more than a little embarrassed.

What to Do

Remember that unlike online retailers such as Best Buy and Kmart, social networking sites make money by collecting and selling people and their data. Reunion isn't the only one training people in bad security by asking for passwords; they ALL do it:

  • LinkedIn
  • MySpace
  • Facebook
  • Twitter

They're not providing the service for fun or for your benefit; they want as many subscribers as they can get so they can serve ads or sell your data to data brokers.

Give Us Your Bank Info!

Mint. Give us your bank and credit card passwords!

You would think people would know better than to give up their banking information, but that appears not to be the case. Consider Mint, a personal finance website where you supposedly give them "read-only" access to your online banking so they can show you where your money goes and help you manage it better.

This is all good in theory, but here is what they say on their "About Us" page: Mint offers valuable insights and analytic tools to help you better understand your money…but Mint is a "read only" service. Meaning: you can view and organize your money with Mint, but you cannot move money between—or out of—your bank, credit union or credit card accounts.

YOU can't move money… but can they? The "read-only" part is a promise on their side, not a restriction on your bank's side: what you handed over is the same password that logs in and moves money. And even if they claim they can't, did you check with your bank first? Many online-banking agreements say that sharing your password voids the bank's liability for fraud. Unless your bank tells you it has determined that a service like this is safe and supported, and that it will cover fraud or accidents, why would you ever take such a risk?

That's not to say that Mint is bad (because I don't know that for sure) and, in fact, I think it's a great idea in theory. The problem is that the only thing protecting you once you've given up a password is their "promise", which historically companies aren't very good about keeping.

Even Mint is nothing compared to these guys!

Even if the employees and everyone else who has access to the data (the network and database administrators) are safe and trustworthy, the service itself becomes a target for hackers. The first one to get into their system will have a goldmine of completely defenseless bank accounts to play with.

You might say, "So what's the difference? Banks have accounts too!" True. But banks also have strong regulation, stiff penalties, and financial responsibility for breaches. Does Mint?

What to Do

Remember to distrust new sites and services until and unless you've verified and validated them personally. But most importantly:

Make good passwords, keep them safe, and NEVER willingly give them away.

Cross-site Login

The last thing to watch for are the sites that let you log in with several different credentials. It's natural to think "Oh hey! I can log in with a name and password I already have instead of creating a new account on this site. Sweet!". What you should be thinking is "This site wants the name and password to my other accounts! Heck no!"

Example of a site with login options

First, the site you're logging into might simply be collecting your login information for its own use. Second, even if it's legitimate, there can still be security or implementation problems (such as not using HTTPS when it relays your credentials from its site to the service that actually owns that login). Third, every extra site that handles your password is another place it can be stolen from, and I'd bet there's at least one way to trick such a site into letting someone into an account through this kind of cross-site login.

This is a risky thing to do and should be treated the same as giving away your password for adding contacts. The quick test is the address bar: if the page asking for your e-mail or social-network password isn't on that provider's own site, the other site is handling your password.
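As an added example (not code from the original page), here is a small check for the first two worries above: where a page's password form actually sends what you type, and whether it does so over plain HTTP. It parses the form with Python's standard library and flags any password form whose action goes to a host other than the provider that owns the credential. The page URLs, hostnames and form markup below are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collect every <form> on a page with its action URL and input types."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((attrs.get("type") or "text").lower(), attrs.get("name") or "")
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html, provider_hosts):
    """Report where each password form on a page sends the password.

    page_url       : URL of the page showing the form (needed to resolve a
                     relative action, which posts back to the same site)
    provider_hosts : hosts that legitimately own the credential the form asks
                     for (your e-mail provider, the social network, ...)

    Returns one dict per form that contains a password field:
      action      - absolute URL the browser will POST the password to
      plaintext   - True if that URL is not https (readable in transit)
      third_party - True if the receiving host is not the provider, i.e. the
                    site displaying the form gets your password ("mugging")
    """
    parser = _FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(kind == "password" for kind, _ in form["inputs"]):
            continue  # no password field, nothing to worry about here
        target = urljoin(page_url, form["action"])
        parts = urlparse(target)
        findings.append({
            "action": target,
            "plaintext": parts.scheme != "https",
            "third_party": (parts.hostname or "") not in provider_hosts,
        })
    return findings


# Constructed sample 1: a "find your friends" form on a social site that asks
# for your e-mail password and posts it to the social site's own server.
MUGGING_HTML = """
<form action="/friends/import" method="post">
  E-mail: <input type="text" name="email">
  E-mail password: <input type="password" name="email_password">
  <input type="submit" value="Find my friends">
</form>
"""

# Constructed sample 2: the e-mail provider's own login page. The password
# goes straight to the provider over https.
PROVIDER_HTML = """
<form action="https://login.mail.example/auth" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>
"""

# Hypothetical provider hosts for the samples above.
PROVIDER_HOSTS = {"login.mail.example", "mail.example"}

if __name__ == "__main__":
    for url, html in [("http://social.example/friends", MUGGING_HTML),
                      ("https://login.mail.example/", PROVIDER_HTML)]:
        for f in audit_login_forms(url, html, PROVIDER_HOSTS):
            verdict = "PASSWORD MUGGING" if f["third_party"] else "ok"
            extra = " (and over plain http!)" if f["plaintext"] else ""
            print(f"{url}: password goes to {f['action']} -> {verdict}{extra}")
```

The check only looks at where the form posts; a site can still forward your password elsewhere from its own server, which is exactly the point of the section above, so a "third_party" hit is the thing to refuse, not the thing to investigate further.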

What to Do

This site wants the name and password to my other accounts? Heck no!

If there's an option to avoid logging in, take it. In the example I provided, you can leave a comment anonymously or with a simple name/URL combo (neither requires a password). Otherwise, if you want to use a site or service, just make a new account, or use Bug Me Not to see if there's a shared name and password available.

About the only exception is for sites that are owned by others, as in the case of Google, which owns YouTube, and Yahoo, which owns Flickr. In those cases, you can go to the main website (Google or Yahoo) and sign in THERE. Then go back to the supposed "partner site" and see if you're already logged in. If so, they really do have some kind of relationship.

You MAY want to consider the privacy implications of tying all your photos or videos to companies that already know so much about you (Google and Yahoo). For Privacy reasons, it might still be worth creating an entirely separate account on each site.


1 Comment to “Password Mugging”


Although there may exist websites that do ask you for the login and password for another website/email account etc., in which case obviously they shouldn’t be trusted, as I understand it the current trends are different. There are many websites that let you “log in with your Google/Facebook/etc. account” as opposed to creating a new account.

So let’s say a website allows you to login with Google/Facebook accounts.

As I understand it, the way it works is different – you don’t provide the login and password to that website, but rather you log in to the Google/Facebook account, then those websites add that website to your list of “trusted websites” and allow it to access your profile information – name, avatar, sometimes other data. And as long as you are logged in to Google/Facebook, you will also be logged in to that website.

Assuming I understand it right, this does not allow that website to “steal” your Google/Facebook account; they can only use the Google/Facebook API to access some information in read-only mode and that’s it.

So, as far as account security is concerned, I think this trend seems rather safe. It still does not solve privacy/data brokers issues, so there are other valid reasons to avoid Google/Facebook, but that’s another topic.
