Keep Your Passwords Private--and Handy--With LastPass

This fall, more than 20,000 stolen usernames and passwords for such Webmail providers as AOL, Gmail, Hotmail, and Yahoo appeared on Pastebin.com, a programmer's Website. The Webmaster, Paul Dixon, wrote that "for reasons unknown," some "miscreants" posted the data on his site. Dixon removed the stolen info, which Microsoft and some security researchers theorize was gathered through phishing attacks. A researcher at ScanSafe argues that the data may have come from password-stealing malware, not phishing.

Either way, crooks clearly aren't after only bank accounts and other financial log-ins. They also want access to your Webmail. But why? A friend of mine was recently hit by a scam, and her experience helps answer that question. After her Hotmail account was hacked, every message she sent included an unwelcome advertisement.

Crooks have also begun using stolen Webmail and Facebook accounts to send pleas supposedly from a victim to friends or contacts. Some bogus messages claim the sender is stranded overseas and needs an urgent wire transfer of funds.

Don't Pass the Password

To guard against password thieves, I use LastPass. The tool offers a free password-managing add-on for Firefox on Windows, Linux, or Mac OS X; Internet Explorer on Windows; and Safari on Mac OS X. An add-on for Google Chrome is under development. LastPass fills in your username and password for verified sites that match a real URL; phishing scams that use similar but fake Web addresses won't deceive it. And because you don't type your password, keylogger malware can't capture your keystrokes and nab your password.

Other apps, like Password Hash, offer similarly worthwhile protection, but LastPass stores all of your data on its servers (using 256-bit AES encryption) as well as on your PC. Because your data is stored centrally, you can use the add-on with any browser, log in with your LastPass master account info, and access all of your passwords. Even without the add-on, you can log in to LastPass's site to get to your information. That means you should create a fairly complex master password for the LastPass site, but it also means you have a de facto backup if your PC goes kaput. Since the company never has the software decryption key or your password, nobody at LastPass can get to your info.

Instant Entry

The handy add-on can automatically log you in to sites and can fill in forms, but for better security you should change some of its default settings. For instance, it normally keeps you logged in to your LastPass account for two weeks, even if you close and re-open the browser; to prevent someone from sitting at your desk and accessing your accounts, click Preferences and check Automatically logoff after idle. I set mine to log off my LastPass account after an hour. It's also smart to require a password reprompt for sensitive accounts; the app will ask for your master password before filling in the username and password, even if you're already logged in. You can enable this when the add-on automatically asks if you want to save a newly entered password. LastPass offers applications for the iPhone, BlackBerry and other mobile devices, too, but those will cost you $12 per year.
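The three protective behaviours the column describes (filling credentials only when the page's address exactly matches the saved site, logging off after a period of inactivity, and asking for the master password again before filling a sensitive entry) can be modelled in a few dozen lines. The code below is an added illustration written for this page, not LastPass's own code; the `Vault` class, the one-hour idle limit, and the sample sites are constructed assumptions, and the master password is verified with a PBKDF2 hash rather than any real product's scheme.

```python
"""Toy model of a password manager's autofill decision (constructed example).

Behaviours modelled:
  * credentials are released only when the page origin (scheme, host, port)
    exactly matches the origin they were saved for, so look-alike phishing
    addresses get nothing;
  * the session logs off by itself once it has been idle for too long;
  * entries flagged "sensitive" need the master password again before filling.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import hashlib
import hmac
import os
import time


def origin_of(url):
    """Return 'scheme://host:port' for an http(s) URL, or None if it is not one."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return None
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # malformed port, etc.
        return None
    return f"{parts.scheme}://{parts.hostname.lower().rstrip('.')}:{port}"


@dataclass
class Entry:
    origin: str
    username: str
    password: str
    sensitive: bool = False


class Vault:
    IDLE_LIMIT = 60 * 60  # seconds; mirrors the author's one-hour auto-logoff (assumed value)

    def __init__(self, master_password, salt=None):
        self.salt = salt or os.urandom(16)
        # Keep only a slow hash of the master password, never the password itself.
        self._verifier = self._derive(master_password)
        self._entries = {}
        self._last_activity = None  # None means logged off

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _check_master(self, password):
        return password is not None and hmac.compare_digest(self._derive(password), self._verifier)

    def unlock(self, master_password, now=None):
        if not self._check_master(master_password):
            return False
        self._last_activity = time.time() if now is None else now
        return True

    def add(self, url, username, password, sensitive=False):
        origin = origin_of(url)
        if origin is None:
            raise ValueError(f"not an http(s) URL: {url!r}")
        self._entries[origin] = Entry(origin, username, password, sensitive)

    def autofill(self, page_url, now=None, reprompt_password=None):
        """Return ((username, password), 'ok') or (None, reason)."""
        now = time.time() if now is None else now
        if self._last_activity is None or now - self._last_activity > self.IDLE_LIMIT:
            self._last_activity = None  # auto-logoff after idle
            return None, "logged off"
        self._last_activity = now
        entry = self._entries.get(origin_of(page_url))
        if entry is None:
            return None, "no entry for this origin"  # look-alike or wrong scheme
        if entry.sensitive and not self._check_master(reprompt_password):
            return None, "master password required"
        return (entry.username, entry.password), "ok"


if __name__ == "__main__":
    v = Vault("correct horse battery staple", salt=b"constructed-salt")
    v.unlock("correct horse battery staple", now=0)
    v.add("https://mail.example.com/login", "alice", "s3cret")
    for url in ("https://mail.example.com/inbox",          # exact origin: filled
                "https://mail.example.com.evil.example/",  # subdomain trick: refused
                "https://mai1.example.com/",               # look-alike host: refused
                "http://mail.example.com/"):               # plain http: refused
        print(url, "->", v.autofill(url, now=10))
```

Matching on the full origin rather than on a substring of the address is the property that defeats fake "similar" URLs; note that the model also refuses to fill a plain-`http` page for a site saved as `https`, which keeps the credential off an unencrypted connection.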
