Thursday, July 8, 2010

All About Spam: Phish Food for Thought

All About Spam is a series of blog posts about common spammer techniques. Have a question about a type of spam that you'd like to see in a future blog post? Leave a comment, or send an email to!

A phish is a type of spam designed to gain access to your secure information, like login/password combinations, credit card numbers or Social Security numbers. Phishers use social engineering to get you to reveal this information -- rather than using computers to hack their way into the data store, they use tricks of human nature to get you to give it to them.

Unlike most spam, which is just annoying, phishing poses a real threat. Though estimates of the final total vary, everyone agrees millions of dollars are lost by consumers each year due to phishing attacks. So, how can you protect yourself?

1. Question unsolicited emails. Obviously, if you go to your bank's website, and click the "Forgot password?" link, you should expect an email shortly. If you get an email from your bank (or Amazon, or any other organization) out of the blue, asking you to log in to your account, view it with a critical eye.

2. View links with suspicion. The number 1 method for phishers is a link that directs you to a page that looks legitimate, but isn't. The easiest way to get around this method? If your bank emails you and asks you to log in, type in the URL you know is good (or Google for it, if you don't know it), rather than using the link in the email.

3. Look for personalized information. This method isn't foolproof ("spear phishing" refers to more focused messages, attempting to get information from more specific groups -- which allows for more customized messages), but it's a good starting place. For instance, most banks will include your name when sending you a message, plus some portion of your account number. Transactional emails, like receipts, are also generally safe bets -- you can ask yourself, "is this something I ordered?"

4. Keep a close eye on details. Many phishing messages have somewhat obvious problems. Misspellings, poor grammar, bad addresses, colors that are slightly off, formatting that doesn't quite match the usual messages you see ... all of these should be tip-offs that something not quite right is afoot.

5. Never enter your financial information on an insecure web page. Credit card numbers, bank login credentials, account numbers and any other secure data should only be entered on secured web pages. Look for https:// URLs and a lock icon in your browser.

The most important thing to remember is, just because a message looks like it's from a legitimate organization, doesn't mean it is. The first phishing schemes revolved around a few large organizations -- AOL, Wells Fargo, Bank of America. It was easy to detect these as fakes, if you didn't have an account at one of these places. Using the same level of suspicion when dealing with emails from organizations where you do have an account could protect you from a very painful error.
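Tips 2 and 5 can be checked mechanically from the recipient's side. The following is an added example, not code from the original post: it parses the links in an HTML email body and flags any anchor whose visible text names a different domain than the href actually points to, or whose target is not https. The email body and every hostname in it are constructed placeholders, and the "registered domain" helper is a deliberate approximation (last two labels, no public-suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style HTML email body; every hostname is a placeholder.
SAMPLE_EMAIL = """
<p>Please <a href="http://login.example-bank.com.evil.test/verify">log in to https://www.example-bank.com</a>
to confirm your account.</p>
<p>View your receipt at <a href="https://www.example-shop.test/orders/123">www.example-shop.test</a></p>
"""
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registered_domain(host):
    """Approximate the registrable domain as the last two labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Return (href, reason) for links whose visible text names a different domain than the
    real target, or whose target is not https (tips 2 and 5 above)."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        shown = HOST_IN_TEXT.search(text)
        reasons = []
        if shown and registered_domain(shown.group(1)) != registered_domain(target.hostname or ""):
            reasons.append("text shows %s but link goes to %s" % (shown.group(1), target.hostname))
        if target.scheme != "https":
            reasons.append("not https")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings
```

Running suspicious_links(SAMPLE_EMAIL) flags only the first link, for both reasons; the receipt link, whose text and target agree and which uses https, passes.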

Thursday, July 1, 2010

Lock it down: Good (and bad) security questions!

In order to retrieve your Pobox password, we ask you to answer (among other things) the security question you set up when you created your account. But are you using a good question? Your account is only as secure as your security question.

Pobox lets you specify the question yourself, so you don't have to use the classic "What is your mother's maiden name?" Fully 10% of Pobox customers use some variant on this question -- but research indicates it's not a very safe way to secure your account. (Neither is "What is my pet's name?", if you ever talk about or post pictures of your pet online.)

Your security question and answer can be updated at any time, so go take a look at what yours is. If you can use any question, though, how do you pick a good one?

1. The answer should be hard for someone else to find out. This is a security question, and knowing the answer to it provides access to your account. Like a good password, that means it should be hard for someone else to figure out. So, "What is my high school's mascot?" is not secure at all. "What was on the cover of my sticker book?" is much better (though using it would probably still have let my sisters break into my account).

2. The answer should be hard to guess. Any question where the answer is a month, a color, a day of the week, a number under 10 or basically any other limited list of answers is a bad question. "What month did I get married?" only has 12 possible answers. Same with "What color is my bedroom?" Unless you know you'll always remember the paint was called "Deep Sea Diving", guessing "blue" would only take 5 or 6 tries, max.

3. The answer shouldn't change over time. The Pobox default security question is, "What is your favorite book?" This is great for me -- my favorite book has been the same for 15 years, or as long as I've been using that as my security question! But, if your favorite book changes every few years, this might not be a good choice for you. Per point 2, "The Bible" would also be a bad answer to this question, because so many people use it. If the Bible is your favorite book, consider a different security question, or using your second favorite.

We have also had more than a few uncomfortable customer service situations over questions like, "Who is my lover?", with respondents having to go back to girlfriends 5 or 6 back to come up with the correct answer.

Another problem is that many, many customers find it difficult to answer their security question correctly. Also consider these factors when writing your question.

4. Write the question so it's easy to always give the same answer. So, "Who was my kindergarten teacher?" could be Susan Jones, Ms. Jones, or Miss Jones. "What was my kindergarten teacher's last name?" only has one answer -- Jones.

5. Give a real answer. Some customers will tell us, "Security questions aren't secure, so I just put in random letters and numbers as my answer!" That's great, if you're writing them down and keeping track of them, or using a password manager like 1Password. But, if you just hit whatever random keys you like, and don't keep track of them, we have no way to confirm you are who you say you are. If you forget or lose your password, and need to gain access to your account, you have basically made it impossible for us to grant it to you.
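Points 2, 4 and 5 also have a service-side counterpart. What follows is an added example, not Pobox's code or process: it normalizes answers so that harmless variations ("Ms. Jones", "jones", "Miss JONES.") still match, rejects answers drawn from tiny closed sets such as months, weekdays, colors or single digits, and stores only a salted PBKDF2 hash of the normalized answer so a leaked table does not reveal it. The closed-set lists, the honorific pattern and the hash parameters are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Tiny closed answer sets of the kind point 2 warns about (constructed lists, not exhaustive).
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
DAYS = {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"}
COLORS = {"red", "orange", "yellow", "green", "blue", "purple", "black", "white",
          "brown", "pink", "gray", "grey"}
CLOSED_SETS = MONTHS | DAYS | COLORS | {str(n) for n in range(10)}
HONORIFIC = re.compile(r"^(?:mr|mrs|ms|miss|dr)\b\.?\s*")
ITERATIONS = 100_000  # PBKDF2 work factor; an assumption, tuned per deployment

def normalize_answer(answer):
    """Fold case and drop honorifics and punctuation so 'Ms. Jones', 'jones' and
    'Miss  JONES.' all compare equal (point 4)."""
    folded = unicodedata.normalize("NFKC", answer).casefold().strip()
    folded = HONORIFIC.sub("", folded)
    return re.sub(r"[^a-z0-9]+", "", folded)

def answer_problems(answer):
    """List reasons an answer is weak: too short, or drawn from a small closed set (point 2)."""
    normalized = normalize_answer(answer)
    problems = []
    if len(normalized) < 3:
        problems.append("too short")
    if normalized in CLOSED_SETS:
        problems.append("drawn from a small closed set")
    return problems

def store_answer(answer):
    """Return salt + PBKDF2 digest of the normalized answer; never store the answer itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode(), salt, ITERATIONS)
    return salt + digest

def verify_answer(stored, attempt):
    """Constant-time comparison of a normalized attempt against a stored salt + digest."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", normalize_answer(attempt).encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)
```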

So, what are some questions that are hard to find out, hard to guess, unlikely to change over time, but easy to always type the same? A good list of questions is different for everyone, but try one of these real questions on for size!

Who was your first crush? (unless the answer is "my spouse")
Who knit your baby blanket? (unless the answer is "my mom")
What was your childhood stuffed animal's name?

Another good choice is something that wouldn't mean anything to someone else, but makes sense to you. So, for instance, I have a piece of furniture in my house. It's not a cabinet, it's not a table, it's not a buffet or a curio cabinet. It's something in between. So, I call it Joe. For me, "What is the furniture with a name called?" would be a good question, though you probably shouldn't use it yourself. One of the best security questions I ever saw was "Who has skinny feet?" I'm sure the person who used it could answer that question in a second, but it would be very difficult to guess if you weren't them.

Even if you're 100% positive you used an awesome security question when you created your account, go look at yours now, and make sure you know the answer. If you are using an insecure security question, change yours today. Though no one likes to believe that someone would want to crack their account, it can and does happen. Be your own best first line of defense, and make sure your security questions and passwords are strong and secure.