Friday, November 6, 2015

What happens when your online accounts are compromised?

Well, the first thing I tried was to call the IT helpdesk. Alas, I had no contact number readily available.
When I did find the contact number via Google, the helpdesk was only available during office hours! That took me by surprise. Does it mean that our accounts shouldn't be compromised after office hours, especially on weekends, or else we are at the mercy of hackers? Fortunately, most servers have their own workable "compromised account detector", and, without fail, most compromised accounts are deactivated.
Now, what about other online accounts such as Facebook and email services? Do we have a solution to the potential problem of having these accounts hacked or hijacked?
  • Facebook. If your account is believed to be compromised, be sure that you have internet access. You can go to Report Compromised Account.
  • Yahoo account. Go to Yahoo! Password Helper, then select "My account may have been compromised" and follow the instructions. Note that Yahoo has adopted 2FA and has a special security feature for different apps on smartphones.
  • Google account. Go to the Account recovery form, then select "I'm having other problems signing in" and follow the instructions. Google has also adopted 2FA.
  • Banks. All have adopted 2FA.
  • PayPal. I am not comfortable with the lack of a 2FA feature here. Anyway, if the account is hijacked, go to Can't log in, choose the right option and continue. If you prefer to call, the number is +65 6510 4650 (weekdays from 8 am to 10 pm, weekends from 9 am to 6 pm). PayPal has not adopted 2FA.
  • Online shops. Not so dangerous, as payment is normally via credit card or PayPal, UNLESS you reuse the same password everywhere.
  • Twitter. If your account has been hijacked (i.e. the password deliberately changed), request a password reset to retrieve your account. The new password will be sent to your email address, unless that information has also been altered. See the help page; you can go to Support for hacked account. I think Twitter and other service providers anticipate that a password reset is sometimes impossible, especially when the email and contact information could also have been altered by the hackers (a case study). In that case, personally contacting the support team will be needed, but validating your ownership will depend on the competence of the service provider.
Most online accounts in Singapore, especially government services, are adopting two-factor authentication (2FA) for login. This is far better than demanding that users change their passwords every 6 months! A password on its own is obsolete because it can be guessed by automated login attempts that cycle through permutations of characters (brute-force and dictionary attacks). The only exception is when login is made hard for machines to automate, e.g. a CAPTCHA (answering a simple question about a random archived Google Image that only a HUMAN can do), or a lockout that forces a 10 minute wait before the next attempt. Guessing the password then takes ages.
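To make the lockout idea concrete, here is an added example (my own code, not anything from the original post or from any of the providers it names) of a per-account login throttle: after a fixed number of wrong passwords the account is locked for the 10 minute wait mentioned above, and the clock is passed in so the logic can be exercised without sleeping. The limits, usernames and passwords are constructed values, not any real provider's policy.

```python
"""Per-account login throttle: added example, not code from the original post.

Brute-force guessing only works if the attacker can try many candidates.
This keeps a failure counter per account and, after MAX_FAILURES wrong
passwords, locks the account for LOCKOUT_SECONDS (the 10 minute wait the
post mentions). The clock is passed in so the logic can be exercised without
sleeping. Usernames and passwords used below are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 5        # assumed policy value
LOCKOUT_SECONDS = 600   # 10 minutes


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0   # unix time; 0 means not locked


class LoginThrottle:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register(self, user: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user] = Account(salt, digest)

    def attempt(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt at time `now`."""
        acct = self.accounts.get(user)
        if acct is None:
            # Hash anyway so response time does not reveal which usernames exist.
            hash_password(password)
            return "denied"
        if now < acct.locked_until:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def guesses_per_day() -> int:
    """Upper bound on online guesses per account per day under this policy."""
    return (86_400 // LOCKOUT_SECONDS) * MAX_FAILURES


if __name__ == "__main__":
    t = LoginThrottle()
    t.register("alice", "correct horse battery staple")
    print([t.attempt("alice", f"guess{i}", now=float(i)) for i in range(5)])
    print(t.attempt("alice", "correct horse battery staple", now=100.0))  # still locked
    print(t.attempt("alice", "correct horse battery staple", now=700.0))  # lock expired
    print(f"at most {guesses_per_day()} online guesses per account per day")
```

With these values an attacker gets at most 720 online guesses per account per day, which is why the password space no longer has to be astronomically large to hold up. The caveat a practitioner should weigh: a lockout keyed only on the username lets anyone who knows your login name lock you out on purpose, so real deployments usually combine it with per-source-IP throttling or a CAPTCHA rather than a hard lock alone.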
I dread to think that my company would have a single password to access all staff information. That would be disastrous, because personal information, contacts, emails, records and whatnot would be accessible with just one compromised password! I think a good practice is to segregate services, with sensitive information having a much stricter access requirement, e.g. 2FA or access only from assigned safe IP addresses (well, at least the IP address should be from Singapore and not somewhere in Ghana).
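As an added example of the segregation described above (my own code, not the post's or any employer's), the check below splits services into ordinary ones that need only a password and sensitive ones that additionally require a time-based one-time code (TOTP, RFC 6238) and a source address inside an allowlisted network. The service names, the shared secret, and the 203.0.113.0/24 office range are constructed assumptions (that range is documentation address space). Allowlisting by network is used instead of the country check the post mentions because a country test would need a GeoIP database, while a network allowlist runs offline and is stricter.

```python
"""Tiered access check with TOTP and a source-network allowlist.

Added example, not from the original post. Services are split into ordinary
ones (password only) and sensitive ones that also require a 2FA code and a
source address inside an allowlisted network. TOTP follows RFC 6238 (HMAC-SHA1,
30 second steps, 6 digits). The service names, shared secret and allowlist
below are constructed sample values.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

SENSITIVE_SERVICES = {"hr-records", "payroll"}                  # assumed names
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]    # assumed office range


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from unix time."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current code and `window` steps either side to tolerate clock drift."""
    counter = int(at // 30)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def from_trusted_network(source_ip: str) -> bool:
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def authorize(service: str, password_ok: bool, source_ip: str,
              otp: str = "", secret: bytes = b"", at: Optional[float] = None) -> str:
    """Return 'allow' or a 'deny: <reason>' string for one access request."""
    if not password_ok:
        return "deny: password"
    if service not in SENSITIVE_SERVICES:
        return "allow"                      # ordinary service: password is enough
    if not from_trusted_network(source_ip):
        return "deny: untrusted network"    # sensitive data only from the office
    at = time.time() if at is None else at
    if not otp or not verify_totp(secret, otp, at):
        return "deny: second factor"
    return "allow"


if __name__ == "__main__":
    # Shared secret and time 59 are the RFC 6238 test vector (code 287082).
    secret = b"12345678901234567890"
    print(authorize("intranet-wiki", True, "198.51.100.7"))
    print(authorize("hr-records", True, "198.51.100.7", totp(secret, 59), secret, 59))
    print(authorize("hr-records", True, "203.0.113.5", totp(secret, 59), secret, 59))
    print(authorize("hr-records", True, "203.0.113.5", "000000", secret, 59))
```

The point of the structure is that a leaked password alone is enough for the wiki but never for HR records: an attacker in the wrong network is refused before the code is even checked, and one in the right network still needs the current code. In production the secret would be stored per user and the clock would be the real one; the explicit `at` parameter is only there so the check can be reproduced against the RFC test vector.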
Another way hackers can get into our accounts is by exploiting the process for reporting a compromised account. It happened when PayPal and GoDaddy each played a part in helping a hacker take control of a GoDaddy account. First, the hacker called a PayPal agent to obtain the last four digits of the credit card (seemingly harmless; note that the PayPal agent is a human with access to all your sensitive information, so when he or she errs, the hacker gains and you lose). Then the hacker called GoDaddy, said he could only remember the last four digits of the credit card, and voila! instant access to the account. Both PayPal and GoDaddy erred in the human factor!
A word of advice: shun email providers with poor security features. Don't keep credit card details with half-baked service providers that lack 2FA.
