Posted: Friday, December 2, 2011 4:30 PM
Joined: 02/05/2008
Posts: 392

Dockwalk magazine’s column, Worst Case Scenario by Kelly Sanford, highlights a hypothetical situation that captains may experience and offers advice from experts on how to handle it. The December 2011 column recounts the story of a captain whose email was hacked and identity security was compromised.

For Capt. Phil, the timing was as bad as it could be. Unbeknownst to him, his email address had been hijacked while he was in the middle of a transatlantic crossing. During his time at sea, someone had been sending everyone in his contact list an email claiming he was traveling abroad (likely a coincidental claim) and desperately needed a $5,000 loan to get out of a jam.

When friends sent an email to Phil’s address to discuss the odd request, replies came from the hijacker who had total control of Phil’s account and persisted with pleas for money. The first indication Phil had that something was amiss was when he used the satphone to check his personal voicemail, which had been flooded with concerned phone calls.

For seven days, the unknown hacker assumed Phil’s identity and in that time managed to shut Phil out of his own account while tenaciously soliciting money from Phil’s contacts and going on shopping sprees using websites in Phil’s inbox, which regrettably used the same password as Phil’s email account. Although Phil eventually was able to regain control of his accounts, the process was long, painful and embarrassing. Email hijacking has become an invasive crime, so knowing what you can do to prevent it and what you’ll have to do to fix it if it happens to you is essential.

How It Happens
There are a number of ways hackers get access to personal accounts, but the ultimate vulnerability is typically linked to user behavior. Although it sometimes is nice to get off the boat and use an Internet café or other public computer to check email, this can be very dangerous. Your email and password can be stolen by spying, by hackers capable of manipulating computer strokes, through spyware/malware or by you accidentally forgetting to log out. For this reason, experts advise against checking email on any public computer and recommend making sure you keep the anti-virus software current on your personal computer.

Spamming is another way hijackers dupe Internet users into disclosing account information. Never open email from unknown senders or reply to IMs or Skype calls from unknown individuals. Beware of Internet offers promising deals too good to be true, especially those that ask for any personal information — particularly passwords or identity numbers. And don’t post your email address publicly anywhere online.

Another common reason your account gets hacked is due to a weak password. If you’re using p-a-s-s-w-o-r-d, 1-2-3-4-5-6-7-8, a-b-c-1-2-3 or your name as your password, you are asking for big trouble, or as PC Magazine wrote, “you may as well hand over your wallet or purse to the first person you see on the street.” Consider developing a password code system, which uses letters and numbers, so you always have a unique password for every site you use. For example, alternately use the first three numbers of your grandmother’s postal code and the last two letters in the website name followed by the first. So if your grandmother lives in Auckland, New Zealand, (postal code 1023) and you’re setting up an Amazon password, your password would be 1-o-0-n-2-a; iTunes would be 1-e-0-s-2-i.

Regaining Control
If you’re able to log on to your email, then regaining control may be as easy as changing your settings and password, but typically the best remedy is to do away with the compromised account and start with a new one. Before you begin retaking control, it’s important that you make sure your computer is current with the latest anti-virus/malware software or all of your revisions may be sent to the hijacker as well.

Contact everyone on your list, and let them know that you have been hacked and advise them not to send any money or personal information to anyone claiming to be you. Let your contacts know that you have set up a new account and be sure to shut down the old one to lock out the hijacker. Gently remind your contacts to double check the status of their own anti-virus/malware defenses if they opened the hijacker’s email.

If you have been shut out of your account, each email service will have its own way of determining whether you are the hijacked or the hijacker. Be prepared with essential information. When you reset your account, you can up the ante on protecting yourself by setting up a second account, which will be notified any time there are revisions or attempted revisions to your account.

Show Me the Money
The absolute worst for Capt. Phil was that the hijacker was able to spend his money on websites Phil previously had used. If you shop online, be sure to use a different password for each website account and add a layer of protection by declining the convenience option of storing payment information. Many major credit cards have some protection for fraudulent charges, but many debit cards do not, so the financial risk of using a debit card to shop online is higher. Fortunately for Phil, his credit card company had detected the erroneous charges and he was able to cancel that card.

“I kick myself, and there isn’t a day that goes by that I don’t wonder what else [the hijacker] might do after reading all my email,” Phil says. “I knew the risks were there; I really meant to be more careful. But you know, you’re moving all the time; you get busy with other things. Using the computer is so easy. I never realized just how ‘out there’ I was. Needless to say, I do things very differently now.”

Posted: Friday, December 2, 2011 7:33 PM
Sorry but the password selection idea is about as secure as having your email address as your password. Let's have a code which once rolled, which would only take two sites before it was apparent, and it applies to every site you've touched.... errrrrr, no. Standard high end password security; upper case, lower case, numbers and special characters, two of each character type. Yes it's a bitch but the way to remember it is a story.... "I have a 12 chest and a D cup!" results in "Iha12c&aDc!". It's easy to remember, and virtually unbreakable. Individual passwords for each site will sometimes be preached (e.g. this article) but are a bad idea because you never remember them all and eventually write them down or come up with a consistent formula. If you have a photographic memory then go for it. Multi-function passwords are easier. The way I work; one password for Dockwalk, Facebook, email, etc... identity security, one for Amazon, eBay, etc... financial security, and one for bank accounts, financials... bankruptcy security. Passwords are changed, once a year for identity security, once every 3 months for financial security, once a month for bankruptcy security (choose a book you have and use a paragraph to create your password "story"). Remember you're not fighting a person here, you're fighting a computer (the people who crack passwords are using a computer to do it, not manually typing in each guess), so any logic you use can be defeated. To give you an idea of the simplest password hack, dictionaries, which are just possible password lists, see ,for an example of how bizarre the passwords are in the dictionaries. That's the simple ones. The average user (if any of this is informative, then that's you) is basically taking a wet tea towel to an international nuclear war when it comes to internet security. Do everything you can to stay under the radar. If you use an internet cafe then disregard all of the above, it's game over.
Yes I use them, only with my "identity theft" sites and the password is changed as soon as I get back to my computer. Yes, it is anal retentiveness, try getting rolled once and see how you do. It's not difficult, it's just a matter of building habits.
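
The column's postal-code formula, and the reply's objection that the pattern is apparent after two sites, worked through as an added example that is not part of either post. The function names are illustrative; the postal code and site names are the ones the column uses.

```python
import math
from typing import Dict, Optional


def site_letters(site: str) -> str:
    """Public part of the formula: last two letters of the site name, then the first."""
    name = site.lower()
    return name[-2:] + name[0]


def scheme_password(postal_code: str, site: str) -> str:
    """Column's formula: alternate the first three postal-code digits with the site letters."""
    return "".join(d + c for d, c in zip(postal_code[:3], site_letters(site)))


def secret_part(password: str, site: str) -> str:
    """Remove the characters anyone can rebuild from the site name; return what is left."""
    if password[1::2] != site_letters(site):
        raise ValueError("password does not follow the formula for this site")
    return password[0::2]


def shared_secret(passwords_by_site: Dict[str, str]) -> Optional[str]:
    """Audit a set of formula passwords: if every one hides the same digits, return them."""
    parts = {secret_part(pw, site) for site, pw in passwords_by_site.items()}
    return parts.pop() if len(parts) == 1 else None


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of uncertainty in a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    amazon = scheme_password("1023", "Amazon")
    itunes = scheme_password("1023", "iTunes")
    print(amazon, itunes)
    # The only component that is not public is the same three digits on every site.
    print(shared_secret({"Amazon": amazon, "iTunes": itunes}))
    # Three decimal digits: about 10 bits, i.e. 1,000 candidates.
    print(round(entropy_bits(10, 3), 2))
```

Every password the formula produces protects the same three digits, so changing one site's password without changing the digits leaves all the others exactly as exposed.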