A big technology-related blog here in the Philippines is called YugaTech. Perhaps it is the biggest tech blog in the Philippines. The owner of the site is a fellow named Abe Olandres, a person that I have met before and would call a friend, although we don’t really stay in touch. He is a busy guy, and so am I.
This morning, I went to his site and was catching up on his blog articles which I had missed. Two particular articles caught my eye and I read them.
In the first article, entitled “Disputing unauthorized transactions on Paypal,” Abe tells about his recent experience with his Paypal account being hacked. Somebody broke into his account by first hacking one of Abe’s e-mail accounts, changing the password on the e-mail account and then using access to that e-mail to gain access to, and steal money from, Abe’s Paypal account. Abe went through all kinds of runaround getting his money back and securing his Paypal account. In the end, he was able to take care of it, albeit with a lot of hassle.
Next, I read another related article from Abe entitled “Using 2-Step Verification with GMail.” In this article, Abe goes further into the Paypal ordeal, and how he found out that he was incorrect on how the hacker gained access to his Paypal… they actually accessed it through his Gmail account rather than the other e-mail that he had originally suspected. In this second article, though, Abe speculates on just how the hacker was able to access his accounts in the first place, and it sort of raised my eyebrow. Here is what Abe said:
I really don’t know how my GMail was compromised but it could be one of several possible ways:
- I’ve lost an iPhone 3G, Nexus One and iPhone 4 in the last 12 months and it’s possible it’s been sold to the grey market with my GMail account still logged in.
- Public terminal. I remember going to a net cafe last week to have my ID and Passport scanned and emailed. I remember shutting down the browser but could not remember if I explicitly logged out.
- WiFi Sniffing. This is rare but still possible — my account could have been sniffed over free public WiFi. I even bring my SmartBro Share-It around and leave it without any password so others can use it too (I like to share my net connection). I’m now locking my WiFi.
- At least 3 of my staff also have access to my GMail account so that’s a huge security hole there as well. I trust them but it’s possible they’re not very careful when they need to access my account online.
Firstly, I think that the possibility of WiFi sniffing is very, very remote. I would assume that Abe must be using security on his WiFi network, so I just don’t believe that is the culprit that allowed a hacker to get his passwords.
So, what raised my eyebrow? Let’s see:
- Abe clearly states that he lost several phones over the past year. The phones had his passwords so that he could access the various sites that he needed. In my opinion, this is very dangerous. If you lose a computer or phone that holds passwords/access to important sites that should remain secure, the first thing you need to do is immediately change your passwords. Passwords should be strong (most of my passwords are around 30 characters long), and should also be changed on a fairly regular basis. In my opinion, passwords should be changed a minimum of once per year, and preferably more often than that. If you have a security breach, like a lost phone, the passwords should be changed immediately.
- Oh my goodness. Abe used a public terminal to access his GMail account, and can’t remember if he logged out? Abe, I consider you a friend, but I have to say that this is a major mistake. I avoid public terminals as much as possible, and if I am forced to use a public terminal, I make sure not to save my password, and to log out.
- If you have employees or others who have a legitimate need to access your account, in many cases you can issue them separate login credentials for the account. If this is not possible, changing passwords regularly, as mentioned above, will also help combat this problem. For sure, if the employee quits or is terminated for any reason, change all passwords that they know. Also, making passwords very long makes them hard to memorize. Yes, they can write it down, or e-mail it to themselves, but it is still somewhat of a safety measure.
For me, I have a cellular phone that is capable of accessing the Internet (don’t we all these days?), but I do not do Internet access on my cell phone. This is one of the reasons why. Cellphones are easily lost or stolen. Probably most of us have lost a cell phone at some point in the past. If the phone holds security data, then everything online is breached or potentially breached. So, it’s important to decide… do you really need access to the net when you go to the grocery store? I have decided that I don’t. In fact, when I go out of the house, I consider that a nice break from the Net, since I am online so many hours per day already.
Abe, I wish you the best. I hope that your security issues are behind you. Always be safe!
Luanne Shackelford
Good and helpful article!
Bob Martin
Thank you, Luanne!
Cathy Madueno-Bolodo
Read about this in his site. Makes you think twice about Paypal security. Although it’s not entirely a Paypal concern, half of it is because of his email account. Am I right Bob?
Bob Martin
Yeah, you are really right, Cathy. I don’t think it’s a Paypal problem at all. It’s lax security on the part of the Paypal account holder. Keep a good strong password, and make sure that it is not known or accessible to others, and there should be no problem. I’ve had a Paypal account since the mid-90’s when they first went into business, and I’ve never been hacked.
JC
Bob, 30 character password? Where do you store that data? I could not fathom remembering anything that long. Unless you mix all your close to heart family names, birthdates etc in order to reach 30 characters?
Bob Martin
JC – I would never use anything like names, birthdays or anything of the sort for passwords. That is very insecure. All of my passwords (dozens, possibly over 100 of them) are computer generated strong passwords that consist of random numbers, capital letters, lower case letters and punctuation. I use a program called KeePass to generate and manage my passwords. I am as close to 100% certain as I could be that I will never have a password hacked.
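The article above recommends long passwords (around 30 characters) and the reply above describes computer-generated passwords built from random digits, upper and lower case letters and punctuation, as a password manager such as KeePass produces. The following is an added example, not code from the article or from KeePass, showing what such a generator looks like and why length matters: it draws characters from the operating system’s cryptographic random source (Python’s `secrets` module) and computes the resulting entropy in bits, so the difference between an 8-character and a 30-character random password can be seen directly. The function and constant names are my own.

```python
import math
import secrets
import string

# Character classes named in the comment above: lower, upper, digits, punctuation.
CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
)
ALPHABET = "".join(CLASSES)   # 94 distinct characters


def generate_password(length=30):
    """Return a password of `length` characters chosen uniformly at random from
    ALPHABET, using the OS CSPRNG via `secrets` (never `random`, which is
    predictable). Regenerate until every character class is present, so the
    result satisfies typical site rules without biasing individual positions."""
    if length < len(CLASSES):
        raise ValueError("length must allow at least one character per class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every password of the given entropy at a constructed
    (assumed) attacker rate; the default rate is an illustrative assumption only."""
    return (2 ** bits) / guesses_per_second / (60 * 60 * 24 * 365)


def missing_classes(pw):
    """Names of character classes a password lacks; useful when auditing stored
    credentials for weak entries (empty list means all four classes present)."""
    names = ("lower", "upper", "digit", "punctuation")
    return [n for n, cls in zip(names, CLASSES) if not any(c in cls for c in pw)]


if __name__ == "__main__":
    for n in (8, 30):
        bits = entropy_bits(n)
        print(f"{n:2d} chars: {bits:6.1f} bits, "
              f"{years_to_exhaust(bits):.3g} years at 1e10 guesses/s")
    print("example:", generate_password(30))
```

Run with `python3 passwords.py` to see that a 30-character password from this alphabet carries roughly 196 bits of entropy versus about 52 bits for 8 characters. Name-and-birthday passwords, which the reply above rules out, have far less entropy than either because they are drawn from a small, guessable set rather than uniformly from the alphabet.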
JC
…… NO COMMENT….. because I’ve never known no way of keeping these things until now!! So many, years… i’ve placed usernames/passwords on a document file and name it so that i am the only one who can recognize it and store it in the most erm.. anyway.. wow. another thing i can learn from you!!! i’m currently checking that out…
Bob Martin
Give Keepass a try, JC, I think you’ll like it. I’ve been using it for a couple of years now, and have always been happy with it. I used to use one single password for all of my sites, and I got hacked on one unimportant site. When that happened, I decided to get serious about passwords. I don’t use the same password on more than one site now, and use very strong passwords on all sites. I think that if you do that, you’ll never be sorry! Good luck to you.
Teige
If your articles are always this helpful, “I’ll be back.”
Robert Martin
Thank you, Teige.
JC
Hi, Bob, Yes. I’m seriously thinking of how I can make it work for me. There are 4 computers that I access and I don’t trust USB—as I tend to lose them. Currently for non-important websites, I have 1 generic password. For important websites, I got a few more passwords and they are all different passwords that I can remember… so I can access them from different computers…
basically i’m just working out, if i really need to access important sites readily or can it wait until i get to my own erm dedicated machine… basically i got few computers.. working for different purposes…
JC
Hi, Bob! Thank you again for the software! I am basically, if you like… hooked on it! I didn’t know how many websites and passwords I had kept.. and now they are organized… thank you again!
Bob Martin
Hi JC – That’s great news, my friend! I’m glad that you like it and find it useful!