A big technology-related blog here in the Philippines is called YugaTech. Perhaps it is the biggest tech blog in the Philippines. The owner of the site is a fellow named Abe Olandres, a person that I have met before and would call a friend, although we don’t really stay in touch. He is a busy guy, and so am I.
This morning, I went to his site and was catching up on his blog articles which I had missed. Two particular articles caught my eye and I read them.
In the first article, entitled “Disputing unauthorized transactions on Paypal,” Abe tells about his recent experience with his Paypal account being hacked. Somebody broke into his account by first hacking one of Abe’s e-mail accounts, changing the password on the e-mail account and then using his access to that e-mail to gain access to, and steal money from Abe’s Paypal account. Abe went through all kinds of run around getting his money back and securing his Paypal account. In the end, he was able to take care of it, though, albeit there was a lot of hassle.
Next, I read another related article from Abe entitled “Using 2-Step Verification with GMail.” In this article, Abe goes further into the Paypal ordeal, and how he found out that he was incorrect on how the hacker gained access to his Paypal… they actually accessed it through his Gmail account rather than the other e-mail that he had originally suspected. In this second article, though, Abe speculates on just how the hacker was able to access his accounts in the first place, and it sort of raised my eyebrow. Here is what Abe said:
I really don’t know how my GMail was compromised but it could be one of several possible ways:
- I’ve lost an iPhone 3G, Nexus One andiPhone 4 in the last 12 months and it’s possible its been sold to the grey market with my GMail account still logged in.
- Public terminal. I remember going to a net cafe last week to have my ID and Passport scanned and emailed. I remember shutting down the browser but could not remember if I explicitly logged out.
- WiFi Sniffing. This is rare but still possible — my account could have been sniffed over free public WiFi. I even bring my SmartBro Share-It around and leave it without any password so others can use it too (I like to share my net connection). I’m now locking my WiFi.
- At least 3 of my staff also have access to my GMail account so that’s a huge security hole there as well. I trust them but it’s possible they’re not very careful when they need to access my account online.
Firstly, I think that the possibility of WiFi Sniffing is very, very remote. I would assume that Abe must be using security on his WiFi network, so I just don’t believe that is the culprit that allowed a hacker to get his passwords.
So, what raised my eyebrow? Let’s see:
- Abe clearly states that he lost several phones over the past year. The phones had his passwords so that he could access the various sites that he needed. In my opinion, this is very dangerous. If you lose a computer or phone that holds passwords/access to important sites that should remain secure, the first thing you need to do is immediately change your passwords. Passwords should be strong (most of my passwords are around 30 characters long), and should also be changed on a fairly regular basis. In my opinion, passwords should be changed a minimum of once per year, and preferably more often than that. If you have a security breach, like a lost phone, the passwords should be changed immediately.
- Oh my goodness. Abe used a public terminal to access his G-Mail account, and can’t remember if he logged out? Abe, I consider you a friend, but I have to say that this is a major mistake. I avoid public terminals as much as possible, and if I am forced to use a public terminal, I am sure not to save my password, and to log out.
- If you have employees or others who have a legitimate need to access your account, in many cases you can issue them separate login credentials for the account. If this is not possible, changing passwords regularly, as mentioned above, will also help combat this problem. For sure, if the employee quits or is terminated for any reason, change all passwords that they know. Also, making passwords very long makes it hard for them to memorize it. Yes, they can write it down, or e-mail it to themselves, but it is still somewhat of a safety measure.
For me, I have a cellular phone that is capable of accessing the Internet (don’t we all these days?), but I do not do Internet access on my cell phone. This is one of the reasons why. Cellphones are easily lost or stolen. Probably most of us have lost a cell phone at some point in the past. If the phone holds security data, then everything online is breached or potentially breached. So, it’s important to decide… do you really need access to the net when you go to the grocery store? I have decided that I don’t. In fact, when I go out of the house, I consider that a nice break from the Net, since I am online so many hours per day already.
Abe, I wish you the best. I hope that your security issues are behind you. Always be safe!