Scam of the day – February 7, 2016 – 20 million accounts hacked on Alibaba’s Taobao shopping website

Alibaba is the biggest online shopping website in China and perhaps the world. Hundreds of millions of people use its three main websites, which, of course, makes it a target for hackers. Recently, Alibaba revealed that 20.59 million accounts on Alibaba’s Taobao e-commerce shopping site were accessed by hackers. The hacking was not due to a failure of Alibaba’s security. Rather, as I wrote in the Scam of the day for February 3rd about the hacking of online income tax preparer TaxAct, it was done with user names and passwords stolen from other websites. In the case of Taobao, the hackers used a black market database of the user names and passwords of 99 million people and found that 20.59 million of the user names and passwords used on other hacked websites were also used on Taobao. Alibaba said it managed to identify and block much of the unauthorized access to its customers’ accounts, and Chinese law enforcement has already arrested twenty-five people in connection with the cyberattack.

TIPS

Whether you are a user of Taobao or not, the lesson is clear: you should have unique user names and passwords for all of your online accounts. It is not that difficult to do. The failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft. Passwords should be complex so they cannot be broken by simple brute force attacks that use millions of guessable combinations, such as any word in the dictionary or such common passwords as 123456. One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords”, and turn it into the basis for a password by making it IDon’tLikePasswords. This password is already complex in that it has words and a symbol. Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy-to-remember but strong password. Now you can just adapt it for each of your online accounts with a few letters to identify the account. Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong but easy-to-remember password.

In addition, whenever you can use dual factor authentication, you should take the opportunity to do so. With dual factor authentication, you receive a one-time code on your smartphone each time you go to your online account. Although this may seem like an inconvenience, it is extremely useful and not terribly time consuming.

Steve Weisman’s latest Bankrate.com column

Here is a link to my column for Bankrate.com entitled “How identity thieves target your password.” In this column I provide information about how to choose a strong password that is easy to remember.

http://www.bankrate.com/financing/identity-protection/how-id-thieves-target-your-password/

Scam of the day – September 21, 2015 – Dangerous new development in Ashley Madison hacking

By now everyone is aware of the major data breach at Ashley Madison, the dating site for married people seeking to have an affair. In August the hackers followed through on their threat and released 9.7 gigabytes of the stolen data, including email addresses, credit card transaction details, partial credit card numbers, addresses and even dating profiles. Now a new and potentially dangerous development has been uncovered by the hacking group known as CynoSure Prime, which discovered vulnerabilities in the password security algorithms used by Ashley Madison that put the passwords of 11.7 million Ashley Madison users in danger of being hacked. Ashley Madison switched over to a secure encryption program for protecting passwords in 2012; however, anyone who used Ashley Madison prior to June 14, 2012 continued to have their passwords protected by the weaker and more hackable security program used at that time. Particularly because many people use the same password for all of their accounts, including online banking, those early users of Ashley Madison are in extreme danger of identity theft by hackers who can readily discover their passwords and use them to gain access to those users’ other online accounts.
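The situation described above, where accounts created before the switch are still protected by the old scheme, has a standard fix: verify the login against the legacy record and immediately re-store the password under the current scheme while the plaintext is in hand. The following is an added example written for this post, not Ashley Madison's code; the post names neither algorithm, so unsalted SHA-1 stands in for the "weaker" scheme and salted PBKDF2-HMAC-SHA256 for the "secure" one, and the record layout is an assumption.

```python
"""Added example (not Ashley Madison's code): re-hash legacy password
records at the next successful login. Unsalted SHA-1 stands in for the
post's "weaker" scheme, salted PBKDF2-HMAC-SHA256 for the "secure" one;
both choices and the record format are assumptions."""
import hashlib
import hmac
import os

ITERATIONS = 200_000

def legacy_hash(password: str) -> str:
    # Fast, unsalted digest: cheap to brute-force, hence "weak" in the post's terms.
    return hashlib.sha1(password.encode()).hexdigest()

def current_hash(password: str, salt=None) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(record: str, password: str) -> bool:
    if record.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = record.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(calc.hex(), digest_hex)
    # Anything else is treated as a legacy record.
    return hmac.compare_digest(legacy_hash(password), record)

def login(users: dict, username: str, password: str) -> bool:
    """Authenticate and, on success, upgrade a legacy record in place."""
    record = users.get(username)
    if record is None or not verify(record, password):
        return False
    if not record.startswith("pbkdf2$"):
        users[username] = current_hash(password)  # upgrade while we hold the plaintext
    return True

def needs_upgrade(users: dict) -> list:
    """Accounts still on the legacy scheme: the ones the post says are at risk."""
    return sorted(u for u, r in users.items() if not r.startswith("pbkdf2$"))

# Constructed sample user table: one pre-switch account, one already current.
USERS = {
    "early_user": legacy_hash("correct horse"),
    "later_user": current_hash("battery staple"),
}
```

Accounts that never log in again stay on the legacy scheme, which is why `needs_upgrade` matters: those are the users who should be forced to reset.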

TIPS

The lesson here for early users of Ashley Madison is to change the passwords on all of their accounts as soon as possible. The lesson for the rest of us is to remember that you should always have a distinct and unique password for each of your online accounts. It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations, such as any word in the dictionary or such common passwords as 123456. One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords”, and turn it into the basis for a password by making it IDon’tLikePasswords. This password is already complex in that it has words and a symbol. Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy-to-remember but strong password. Now you can just adapt it for each of your online accounts with a few letters to identify the account. Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong but easy-to-remember password.