Your Money or Your E-mail

If someone broke into your free Web mail account, reset your password and issued a $100 ransom demand, would you pay up? The answer might depend on how careless you've been with your passwords, and how many e-commerce sites you have registered to that address.

New York resident Jesse Sklar, 32, found himself in just that predicament. The first signs of trouble started on Monday, when he tried unsuccessfully to log into his Hotmail inbox. He registered that account nearly a decade ago, and no longer had access to his "backup" e-mail account, which was the one he provided as the place to send future requests to reset his password. "It also asked me for the answer to some security question that I picked like 10 years ago but can't remember now."

Then, this morning, all of the friends on his Hotmail contacts lists -- even some he hadn't spoken to in years -- received an e-mail (apparently sent by him) with the simple question: "you want your email? yes or no?"

Annoyed, Sklar replied back: "Yes, I want my e-mail. Who are you?"

"100 $ via paypal," was the only reply.

Sklar realized he was in trouble. He had used both his Hotmail address and password to register at multiple sites, including Amazon.com, iTunes.com, and Ticketmaster.com. Thinking quickly, he registered for a Gmail.com account, then logged into each of the e-commerce accounts and changed the e-mail address for each.

Sklar says he has no intention of paying the ransom, and that he just wants the account shut down. Microsoft's support Web site says users can accomplish this simply by not logging into their Hotmail accounts for 30 days, which automatically suspends the mailbox. But what about the extortionist?

"It's not like I'm after this guy, I really just want my Hotmail account shut down," Sklar said. "I don't plan on using it anymore, but who knows about this guy?"

I think there are a couple of important takeaways from this story. One, do not use the same password for your e-mail address at other sites, even non-commercial Web sites. If you do, and that random site's database gets hacked, there is a decent chance the attackers will try your credentials at the login page of the free Web mail provider named in your e-mail address. Also, if you choose to register e-commerce sites to a free Webmail account, it might not be a bad idea to keep a master list of which sites you have registered to that account.

If you have trouble picking good passwords or remembering them, check out Password Safe, an excellent free software tool that "allows you to have a different password for all the different programs and Web sites that you deal with, without actually having to remember all those usernames and passwords."
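The two takeaways above (don't reuse the mailbox password anywhere else, and keep a master list of the sites registered to that address) can both be checked mechanically against a password-manager export. The following is an added example, not code from the post or from Password Safe; it assumes a vault that is simply a list of site/username/password records (a real manager keeps this encrypted on disk) and uses a constructed sample modelled on the situation in the story.

```python
"""Added example: audit a password list for reuse and plan a rotation.

Assumption (constructed for this example): the vault is a plain list of
dicts; a real password manager would keep it encrypted on disk.
"""
import secrets
import string
from collections import defaultdict

# Constructed sample vault: the mailbox password was reused at several
# shopping sites that are all registered to the same address.
SAMPLE_VAULT = [
    {"site": "hotmail.com",       "username": "jesse@hotmail.com", "password": "Summer98!"},
    {"site": "amazon.com",        "username": "jesse@hotmail.com", "password": "Summer98!"},
    {"site": "itunes.com",        "username": "jesse@hotmail.com", "password": "Summer98!"},
    {"site": "ticketmaster.com",  "username": "jesse@hotmail.com", "password": "Summer98!"},
    {"site": "example-forum.net", "username": "jesse@hotmail.com", "password": "Vw8#kq!Lp2"},
]

# Characters drawn from when generating a replacement password.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def find_reused_passwords(vault):
    """Return {password: [sites]} for every password used at more than one site."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def sites_registered_to(vault, email):
    """The 'master list' from the post: every site whose login is this address."""
    return sorted(e["site"] for e in vault if e["username"].lower() == email.lower())


def sites_sharing_mail_password(vault, mail_site):
    """Sites that someone holding the mailbox password could also log into."""
    mail_pw = next((e["password"] for e in vault if e["site"] == mail_site), None)
    if mail_pw is None:
        return []
    return sorted(e["site"] for e in vault
                  if e["site"] != mail_site and e["password"] == mail_pw)


def generate_password(length=16):
    """Random per-site password from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_shared_passwords(vault, mail_site):
    """Return a copy of the vault in which every site that shares the mailbox
    password gets a fresh unique one. The user still has to change the
    password at each listed site; this only records what it should become."""
    to_rotate = set(sites_sharing_mail_password(vault, mail_site))
    new_vault = []
    for entry in vault:
        copy = dict(entry)
        if copy["site"] in to_rotate:
            copy["password"] = generate_password()
        new_vault.append(copy)
    return new_vault


if __name__ == "__main__":
    print("registered to jesse@hotmail.com:",
          sites_registered_to(SAMPLE_VAULT, "jesse@hotmail.com"))
    print("share the mailbox password:",
          sites_sharing_mail_password(SAMPLE_VAULT, "hotmail.com"))
    rotated = rotate_shared_passwords(SAMPLE_VAULT, "hotmail.com")
    print("reuse after rotation:", find_reused_passwords(rotated))
```

Run against the sample, the audit lists the three shopping sites that share the mailbox password, and after `rotate_shared_passwords` no password appears at more than one site. The `secrets` module is used rather than `random` because the latter is not a cryptographic generator.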

Update, 5:04 p.m. ET: In a weird twist, it looks like the extortionist in this scam asked Sklar to send the donation via Paypalll.tk, a scam PayPal phishing site that currently resolves to "paypallll.ifrance.com". Neither the anti-phishing filter in Firefox nor the one in Internet Explorer 7 detects this as a phishing Web site. So it looks like the perpetrators of this scam are actually after more than $100.

Update, Sept. 25, 2007, 11:19 a.m. ET: Sklar e-mailed me yesterday to say that Microsoft had helped him reset his password and regain control of his Hotmail account.

By Brian Krebs  |  September 20, 2007; 4:24 PM ET
Categories:  From the Bunker  

Comments

Password Safe looks pretty good, but what about for Mac users? Any experience with the "Password Gorilla" program noted on the Password Safe website?

Posted by: jp | September 20, 2007 4:48 PM

Thank you for posting this, Brian. I'm Jesse Sklar, the subject of this post. Just a slight clarification - the e-mail that got sent to my friends was a strange "check out my site...give me money" e-mail. The "you want your e-mail? yes or no?" e-mail was sent just to me after I replied to the first e-mail.

Posted by: Jesse | September 20, 2007 4:53 PM

This is why you should never have an important email address with any place that you can't call when you have a problem. I use (and dispose of) many hotmail/yahoo addresses but my "real" email is with an ISP who I can call if I ever have a problem (and it's a *small* ISP, so they'll even talk to me!).

Posted by: King A | September 20, 2007 5:01 PM

Here's another free, but cross-platform password manager...

http://keepass.info

Posted by: Colby Makowsky | September 20, 2007 5:20 PM

KeePass is a really nice program, I just wish that they would port RoboForm to Linux. :/

Posted by: DOUGman | September 20, 2007 9:53 PM

I use PasswordSafe for Windows, and PasswordSafe SWT for Mac OSX (they use the same database, but the interface for Mac isn't quite as nice).

I've got 149 passwords I currently have to manage (two-thirds are work related), so I *have* to have a tool for them.

I'll be checking out KeePass, thanks.

Posted by: Chris | September 21, 2007 10:32 AM

On the Mac, one can also use Apple's built-in Keychain system with Safari and some other programs. The third-party products 1Passwrd and Web Confidential are very nice password management programs that work with most of the browsers for the Mac.

They each have their pros and cons. WC uses Blowfish encryption and allows for a very long master key. 1P uses the Mac's Keychain services and thus uses Triple-DES encryption and supports syncing passwords across machines via the .Mac service of Apple. WC and 1P have a Palm client. WC has a Windows client also.

See http://www.1passwrd.com and http://www.web-confidential.com for details.

Posted by: Joe | September 21, 2007 12:49 PM

I have used RoboForm for a year now. It is fantastic and actually works.

The only (tiny) annoyance is that you cannot "lock" an account -- i.e. tell RoboForm that this password does not change. RoboForm always offers to save the password which it filled in (if the page is different from the original one, but still meets its "fill-in" rules). I raised that point with the RoboForm team -- so it might change someday.

Posted by: Wojtek | September 24, 2007 7:29 AM

On my Mac, I use Safe Sphere. It provides great protection and offers different levels of security and comes in a standard version and a professional one. The encryption is awesome and explanations are grand.

Posted by: umm.huh | September 24, 2007 1:38 PM

Wow.. Nice post. I'm going to link to this post on my blog. Thanks a lot...

Posted by: Chuang Computer Tips | September 25, 2007 3:06 AM

I have an easy password program: It's called a 3x5 index card. It's not particularly secure, but neither would one of the password vaults be if someone discovered your master password. At least this one's unhackable.

Posted by: Simple Password | September 26, 2007 8:57 PM

Another way to have a UNIQUE password at every site is to base your password on the domain of that site and then add a standard pin or other such easily remembered alpha/numeric combination going up to at least 8 characters.

For example, on a www.washingtonpost.com account you could have wash1234 as a password or wash1@34 (Consistently shifting the one of the last four of your pin for added security)

Not only does this make it hard to crack, but it eliminates the use of a "password" program (The security of which I question)

Posted by: George | September 27, 2007 8:16 AM

@George - your password suggestion is very easy to crack. I've seen brute force hacks of such passwords in seconds.

Posted by: Matthew | September 27, 2007 9:43 AM
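George's scheme (a fragment of the site's domain plus a fixed PIN, with a character or two substituted) and Matthew's objection to it are something a site can act on at registration time: a password that is visibly built from the site's own name carries almost none of the entropy its length suggests. The check below is an added example, not code from the post or from either commenter; the domain-stem rule, the substitution table and the suffix limit are choices made for this illustration.

```python
"""Added example: reject passwords that are derived from the site's own
domain name plus a short suffix, the pattern discussed in the comments.

Assumptions (made for this example): a stem is any prefix of a domain
label of at least 4 characters; a password counts as derived when, after
undoing common character substitutions, it is that stem plus at most
MAX_SUFFIX other characters on either side.
"""

# Common one-character substitutions undone before comparison
# (str.maketrans accepts a dict of single characters to replacements).
COMMON_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s",
})

# Labels that say nothing about the site and so are never used as stems.
GENERIC_LABELS = {"www", "com", "net", "org", "co", "uk", "edu", "gov"}

MAX_SUFFIX = 6   # 'wash' + '1234' leaves 4 extra characters: derived
MIN_STEM = 4     # shorter prefixes would match too many honest passwords


def domain_stems(domain):
    """Prefixes of each meaningful label, e.g. washingtonpost.com gives
    'wash', 'washi', ..., 'washingtonpost'."""
    stems = set()
    for label in domain.lower().split("."):
        if label in GENERIC_LABELS:
            continue
        for n in range(MIN_STEM, len(label) + 1):
            stems.add(label[:n])
    return stems


def normalize(password):
    """Lowercase and undo the substitutions an attacker would try anyway."""
    return password.lower().translate(COMMON_SUBSTITUTIONS)


def is_domain_derived(password, domain):
    """True when the password is a domain stem plus a short suffix or prefix."""
    norm = normalize(password)
    for stem in domain_stems(domain):
        leftover = len(norm) - len(stem)
        if leftover <= MAX_SUFFIX and (norm.startswith(stem) or norm.endswith(stem)):
            return True
    return False


def check_new_password(password, domain, min_length=12):
    """Return a list of reasons to reject the password; empty means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_domain_derived(password, domain):
        reasons.append("built from the site's own domain name")
    return reasons


if __name__ == "__main__":
    for candidate in ("wash1234", "wash1@34", "Vt7#kq!Lp9wRz2m"):
        print(candidate, "->", check_new_password(candidate, "www.washingtonpost.com") or "ok")
```

The normalization step is what catches the "shift one character of the PIN" variant: `wash1@34` becomes `washiaea`, which still starts with the stem `wash`. A genuinely random password of the same length is untouched by the rule because no domain stem appears in it.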



© 2010 The Washington Post Company