or Uncommon Sense was a Common Virtue
A recent post on Codinghorror.com about misuse of data (appropriating usernames and passwords) caught my interest. In this case, a developer was offering a free program to archive a user's GMail account onto the user's computer. With it, one could read one's GMail offline or restore GMail if the mail were somehow lost. The person using this software had to supply their username and password so the program could download the email, which makes sense; it is no different from setting up any email reader. Unfortunately for the user, the developer had written code into the program that forwarded the username and password to his own GMail account. It turned out that over 1,700 people had unwittingly handed this developer their email username and password. The software's name is G-Archiver.
This falls within one of the simple tenets of social engineering: offer something free (even if relatively useless) and people will give away personal information (usernames, passwords, email and physical addresses, etc.). Even more ironic is that any normal email client from a reputable open source project or software firm could have downloaded their GMail just as easily, since GMail offers standard POP/IMAP access. In other words, this no-cost software provided no real value; it preyed on users' ignorance of what else was available.
This also highlights a danger in freeware/shareware: without knowing who you are getting software from, you may never know what you are getting into. Freeware/shareware from well known sources may help, and, of course, buying software from well known companies may work as well. Neither immunizes you against people misusing personal information, but at least there may be some legal recourse, or the company/group may have a self-interest in protecting its reputation (and your data by extension).

Finally, a lot of people use the same or similar usernames and passwords for their email account and other systems. For those who haven't thought about this, keep in mind that once someone has your email username and password, it may be very easy to access all your other accounts. For example, you receive a monthly account reminder in your email from www.mybank.com. The person with access to your email account can now go to www.mybank.com and log in, trying the same username and password you use for your email. If it works, they can see your bank account number and even authorise transactions. For those who think their account number is hidden (many websites show only the last four digits), just pull up your paper statement or a check image. If you think you're safe because your bank password is different, all they need is the username (or in some cases just the email address): click "forgotten password" and the password is emailed to the very account they have already accessed. Lesson: never reuse your email username or password for other accounts, and make sure you know when you are giving your username and password away. If you're doing that right now, you may want to consider changing your ways. Thoughts?
This entry was posted on Monday, March 10th, 2008 at 5:42 pm and is filed under Basic Security, General, Technology.