Government Technology

Phishing for Passwords



April 3, 2009 By

Used with permission from the Maine Office of Information Technology

This month's security item is an e-mail that was sent to us by a Maine OIT employee. The employee gave permission to reprint the e-mail, but ask that we not reveal the identity of the contributor. This is a true story of something that happened to a Maine citizen, an IT professional, and someone who knew the basic security principles of password protection. It serves as a good lesson for us all that no matter how careful we think we are being, it only takes one small mistake for things to unravel quickly.

Our co-worker's story:

"I think that a lot of people don't take it serious when they are told to use a different password for everything and people like me assume they are really careful and nothing will happen to them."

Often times in my hotmail account I get a "phishing" e-mail that contains a fake PayPal link and since I know better I simply hit forward and send it on to the PayPal security team. On March 9, 2009 I received one, and because I haven't used PayPal since September of last year I didn't read it and just forwarded it to them. On March 10, 2009 I received an e-mail from PayPal stating my account had been changed to limited access in the subject line so I read it and it was limited because they believed a third party had accessed my account. They didn't state in the e-mail that there had been any transactions so I shrugged it off and figured I'd log into my PayPal and cancel the account as I don't use it anymore. To my surprise when I logged in there was a transaction there for over 400 GBP which translated into $645.59 USD. In addition, the hacker had changed my address to an address in Lithuania. I then logged into my bank account and the money was gone. I obviously was very upset as I am a single income supporting my family and things are tight (as they are for everyone). I called my bank and filed a claim and called PayPal and did the same thing.

I've since received credit from my bank though the claim is still open but I know that it will be resolved in another week once the investigation is complete. We have figured out this happened because when I recently changed my hotmail password I apparently used the same password I had for PayPal. At the time I didn't even think about it because I hadn't used PayPal for so long. When either I or my fiancé accessed the e-mail from some place other than home, the hotmail account was jeopardized by either key-logging or some other method. They then tried the password for all the accounts I had listed in a folder in my email and gained access. Since this incident I have changed passwords for everything and kept them each unique. I honestly believed that as careful as I am this would never happen to me but it did. Aside from the stress and dealing with getting it cleared up (affidavits, countless long phone calls, new bank account, checks, debit cards, new e-mail address, notifying all accounts of new e-mail, etc.) the whole situation leaves one feeling very violated. It is not something I want to experience again.

Change passwords often, keep them each unique. Always monitor your accounts! Be very cautious about where you are accessing e-mail and financial accounts from. Computers with public access are a high risk.

"I hope this helps someone!"


| More

Comments

Anonymous    |    Commented April 14, 2009

The very same thing happen to me

Anonymous    |    Commented April 14, 2009

The very same thing happen to me

Anonymous    |    Commented April 14, 2009

The very same thing happen to me

PK1048    |    Commented April 15, 2009

This individual thought he was being careful ??? From what I have seen, the vast majority of people (IT staff or not) who think they are being careful really aren't educated or informed enough to behave in a truly careful manner. Unsafe actions taken: 1) Access a Hotmail (or any other) email account from a public terminal. Public Internet terminals are not to be trusted. 2) Using the same password for a FINANCE account and *any* other account. I use the same password for a number of online accounts, but I really don't care if my Newegg account is cracked, there is no credit card, PayPal, or any financial information tired to it. 3) Associating a PayPal account with a bank account with more than a trivial (or sufficient for your Pay Pal transactions) amount of money in it. Maybe I'm paranoid, but the bank account tied to my PayPal account has less than $50 in it.

PK1048    |    Commented April 15, 2009

This individual thought he was being careful ??? From what I have seen, the vast majority of people (IT staff or not) who think they are being careful really aren't educated or informed enough to behave in a truly careful manner. Unsafe actions taken: 1) Access a Hotmail (or any other) email account from a public terminal. Public Internet terminals are not to be trusted. 2) Using the same password for a FINANCE account and *any* other account. I use the same password for a number of online accounts, but I really don't care if my Newegg account is cracked, there is no credit card, PayPal, or any financial information tired to it. 3) Associating a PayPal account with a bank account with more than a trivial (or sufficient for your Pay Pal transactions) amount of money in it. Maybe I'm paranoid, but the bank account tied to my PayPal account has less than $50 in it.

PK1048    |    Commented April 15, 2009

This individual thought he was being careful ??? From what I have seen, the vast majority of people (IT staff or not) who think they are being careful really aren't educated or informed enough to behave in a truly careful manner. Unsafe actions taken: 1) Access a Hotmail (or any other) email account from a public terminal. Public Internet terminals are not to be trusted. 2) Using the same password for a FINANCE account and *any* other account. I use the same password for a number of online accounts, but I really don't care if my Newegg account is cracked, there is no credit card, PayPal, or any financial information tired to it. 3) Associating a PayPal account with a bank account with more than a trivial (or sufficient for your Pay Pal transactions) amount of money in it. Maybe I'm paranoid, but the bank account tied to my PayPal account has less than $50 in it.


Add Your Comment

You are solely responsible for the content of your comments. We reserve the right to remove comments that are considered profane, vulgar, obscene, factually inaccurate, off-topic, or considered a personal attack.

In Our Library

White Papers | Exclusives Reports | Webinar Archives | Best Practices and Case Studies
Maintain Your IT Budget with Consistent Compliance Practices
Between the demands of meeting federal IT compliance mandates, increasing cybersecurity threats, and ever-shrinking budgets, it’s not uncommon for routine maintenance tasks to slip among state and local government IT departments. If it’s been months, or even only days, since you have maintained your systems, your agency may not be prepared for a compliance audit—and that could have severe financial consequences. Regardless of your mission, consistent systems keep your data secure, your age
Best Practice Guide for Cloud and As-A-Service Procurements
While technology service options for government continue to evolve, procurement processes and policies have remained firmly rooted in practices that are no longer effective. This guide, built upon the collaborative work of state and local government and industry executives, outlines and explains the changes needed for more flexible and agile procurement processes.
Fresh Ideas In Online Security for Public Safety Organizations
Lesley Carhart, Senior Information Security Specialist at Motorola Solutions, knows that online and computer security are more challenging than ever. Personal smartphones, removable devices like USB storage drives, and social media have a significant impact on security. In “Fresh Ideas in Online Security for Public Safely Organizations,” Lesley provides recommendations to improve your online security against threats from social networks, removable devices, weak passwords and digital photos.
View All

Featured Papers