A week ago today I came home to find a strange email from amazon, informing me that my password had been changed fourteen minutes before. I logged on to amazon and changed it back, then called their customer service. They told me that nobody could change my password without access to my email account. But then the representative mused, "Well, we are doing a software upgrade, and it's possible our system tossed that out by mistake." I took his word for it--after all, I could see all the emails in my box, how could anybody else have them? For twelve hours I did nothing.
The next morning, I received no emails. I logged on to my email account and changed my password, but another two hours went by and I still received no emails. I relogged and investigated further. My emails were being forwarded to a server that, when I followed the url, claimed to be "under construction." The name listed there led to me a myspace page about a former Boston art student now living in Bulgaria.
For twelve hours, someone else had received all my emails. I wondered what those would be --mostly political emails or alerts from Huffington Post or Salon, I figured. But as I scrolled through my box, I saw some other more sensitive emails, particularly one from PayPal. I logged on to PayPal, at the same time realizing that my logon and password for PayPal were exactly the same as my logon and password for my email. Sure enough, someone was attempting to charge $7,400 to a construction company in New York. PayPal had flagged it as suspicious, and when I called them, they immediately forwarded the whole thing to their fraud department. I canceled my Visa and changed my PayPal password.
Comcast has a great little IE toolbar that offers a spyware scan. I downloaded that, ran the program, and discovered a trojan on my machine. I do not know how it got there. I never open email attachments or run suspicious programs, and yet, there it was. I changed all my passwords a second time.
Amazon then emailed me. Someone had attempted to use my account, they announced, and so my account was frozen until I called.
I scrolled through my inbox. Now every email seemed threatening. Land's End, King Arthur Flour, even iTunes--any of those could have given the criminal a chance to charge things to my credit card in those twelve hours when I was off guard. In fact, he had changed my iTunes password on me, but since I had canceled my Visa he was unable to do anything with it. I felt as if I were always just behind him, like a mother behind a naughtly child, grabbing his hands just before he tried to steal a candy bar at the market.
By the end of the week, I felt I could finally relax, even though amazon dragged its feet getting my account back in order. Still, I knew it was impossible for him to do anything there. I continue to check the "last five purchases" on my Mastercard every day just in case.
Today, I got an email from eBay. I'd forgotten about eBay; I never use eBay. But the thief had been able to pretend he'd forgotten his logon and password, and, with access to my email, managed to get into my account. To their credit, eBay marked his activity as suspicious, and froze my account. (I asked how they knew he wasn't me, but they said that information was proprietary.)
Overall, I am very impressed with the security of the big online companies, especially PayPal and eBay. I feel that they were on my side, protecting me when I didn't even know my security had been violated. Even so, I know that he was able to access my birthday through at least one of these sites, and with my address, email address, and birthday, I wonder what other damage he could do.
My recommendations to others would be as follows: Have not one but several spyware programs installed on your machine. Run them every day. Change your passwords regularly, and keep a different password for every site (yes, that involves keeping a list in your desk drawer). At the slightest whiff of anything suspicious, cancel your credit card and have your bank issue a new one. Keep track of your accounts at various web sites--I find I can't even remember all the sites where I have a credit card number on file, or what my passwords are for those sites.
I was lucky to catch this guy after twelve hours, and I have been lucky so far in terms of stopping his fraud. However, I do not feel safe. I worry that there is something I missed, something yet to occur. Please do not let this happen to you.
- Helen Mazarakis (the one who lives in Malden)
Wednesday, April 30, 2008
Subscribe to:
Post Comments (Atom)
1 comment:
Just like one should not use the same key and lock for one's car as one's house, email passwords should be similarly unique.
I keep a notepad file of about 30+ websites with a description of userids and passwords used. I typically rotate about 5 passwords among all of my common sites; and have used the same password for my email address for years without a problem. As none of my passwords are real words and use a combination of letters and numbers, they are unbreakable.
Post a Comment