I Get Spam: Threats


Someone who cares about bitcoin more than I do checked the transaction history for the bitcoin wallet provided by the “hacker gang” and it doesn’t look like they have collected any bitcoin with this scam.

I’ve gotten dozens of these in the last few weeks. Since I use accounts and passwords as watermarks, I could tell which websites’ user databases appear to have gone walkabout. But, in order to do that, I’d have to care a lot more than I do.

A typical user, who has one password for ten sites, might fall for this. The scammers take the contact email address and password from a leaked site database and assume that I'd use the same password on my contact email address (mjr@ranum.com) as on the site account. In this case I can tell it's a throwaway site because I used another account name off the top of my head as a password. A "throwaway site" in my mind is one of those annoying sites with a "you must have an account in order to access this document" signup-wall or something like that. I don't care if the account gets hacked (that's the site's problem for forcing people to sign up to their stupid site!) because the credential has absolutely no value elsewhere.
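
The "accounts and passwords as watermarks" practice described above, as an added example (not code from the original post): every throwaway site gets its own alias and its own random password, and a registry maps either one back to the site it was issued to, so a credential quoted back in a scam e-mail identifies whose user database leaked. The mailbox, domain, site names and passwords are constructed placeholders; plus-addressing is an assumed alias scheme, not necessarily what the author uses.

```python
import hashlib
import secrets
import string
from typing import Optional

# Added example, not code from the original post. Names and values are constructed.
ALPHABET = string.ascii_letters + string.digits


def issue_credential(site: str, mailbox: str = "mjr", mail_domain: str = "example.com",
                     length: int = 16) -> tuple[str, str]:
    """Mint a per-site alias (plus-addressing) and a random password for one site.
    mailbox and mail_domain are placeholders, not the blog author's real setup."""
    tag = site.lower().replace(".", "-")
    alias = f"{mailbox}+{tag}@{mail_domain}"
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return alias, password


def _fingerprint(password: str) -> str:
    # Keep only a hash, so the registry file is not itself a list of passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


class WatermarkRegistry:
    """Maps an alias or a password fingerprint back to the site it was issued to."""

    def __init__(self) -> None:
        self._site_by_alias: dict[str, str] = {}
        self._site_by_fingerprint: dict[str, str] = {}

    def register(self, site: str, alias: str, password: str) -> None:
        self._site_by_alias[alias.lower()] = site
        self._site_by_fingerprint[_fingerprint(password)] = site

    def attribute(self, recipient: str, quoted_password: str) -> Optional[dict]:
        """Given the address a scam mail arrived at and the password it quotes,
        return the leaked site and which watermark matched, or None if unknown."""
        by_pw = self._site_by_fingerprint.get(_fingerprint(quoted_password))
        by_alias = self._site_by_alias.get(recipient.lower())
        if by_pw is None and by_alias is None:
            return None
        return {
            "site": by_pw or by_alias,
            "matched": "password" if by_pw else "alias",
            # A site password sent to the main contact address is exactly the
            # password-reuse assumption the scam relies on.
            "reuse_attempt": by_pw is not None and by_alias is None,
        }


def demo_registry() -> WatermarkRegistry:
    """Constructed sample registry; two entries use fixed passwords so results are reproducible."""
    reg = WatermarkRegistry()
    reg.register("paywall-docs.example", "mjr+paywall-docs-example@example.com", "hZ8kQw2LmN4vB7xT")
    reg.register("forum.example", "mjr+forum-example@example.com", "p3RtY6uI9oP0aS1d")
    alias, password = issue_credential("airport-wifi.example")
    reg.register("airport-wifi.example", alias, password)
    return reg


if __name__ == "__main__":
    reg = demo_registry()
    # Constructed scam mail: arrived at the main contact address, quoting a site password.
    print(reg.attribute("mjr@example.com", "hZ8kQw2LmN4vB7xT"))
    # -> {'site': 'paywall-docs.example', 'matched': 'password', 'reuse_attempt': True}
    print(reg.attribute("mjr@example.com", "correct horse battery staple"))
    # -> None
```

The registry stores only SHA-256 fingerprints, so a copy of it leaking does not hand out the passwords themselves; the lookup is case-insensitive on the alias because mail providers fold case on the local part in practice.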

Just a recap on the rules of passwords for websites:

  • If it’s a garbage site, go ahead and use your cat’s name as a password
  • If it’s a worthwhile site but has no financial ramifications for you, use a randomly chosen 16-character password (save the password in your password vault)
  • If it’s a financial site use a randomly chosen 16-character password and keep the password written down on paper in an envelope in your desk at home, and do NOT log into the site from mobile devices
  • If it’s where your life savings are kept, do not access it online, period. And request that online transactions be blocked, or that an ACH limit of $1 be put in place, just in case someone manages to spoof the sign-up process for you

The last point is problematic. There are some banks/brokerages that will automatically populate your account with an online access account with a horribly weak default password. You need to make sure your life savings are not kept in such an account – I used to use a small-town bank specifically because they did not offer online banking when I signed up. A couple of years later they started offering online banking and sure enough, the set-up password was my social security number. I signed up using a randomly-chosen large password that I didn’t even bother to remember, then stormed into the lobby to put every possible block and control on transfers.

The state of online transaction security is unbelievably bad.

Comments

  1. kestrel says

    Great password tips, thanks… Always good to be reminded!

    “A timer will start once you read this message.” Is that even possible? And how would anyone know you read it? That always seems like a ridiculous claim to me.

  2. komarov says

    Sorry, I simply cannot get over the inconvenience surrounding bitcoin blackmail. If you have to tell your victim how to get hold of the currency you’re extorting, or worse tell them how to find out for themselves, you’re bound to lose their interest. Especially now after decades of online convenience. If I have to do anything more complicated than stuff some money in a paper bag and leave it in the park you can count me out. I’ll just make some new personal data and have someone with a better customer service steal it. Besides, whatever you’re charging, rebuilding my encrypted device – if that’s your racket – is bound to be cheaper than that.

    And then there’s this:

    I guarantee that after that , we’ll erase all your “data”

    If there are blackmail manuals they probably point out, in very large print, that under no circumstances should you remind your victim that you’re holding all the cards and that they have no reason to trust your word at all. Most will figure this out for themselves but that’s still quite different from hearing it from you. “Would I lie to you even as I’m stealing from you? Would I?”

    Besides, in this day and age I’d have to ask: Who doesn’t have my personal data?* With the new laws in the EU every time I visit a new website I now get to pick and choose my cookies and there are a lot of them. The nice pages have a big “functional cookies only” button. The clearly not so nice websites have links to other pages buried in miles of text for maximum intransparency. Clearly my browsing habits must be monitored at all costs, and clearly everyone has been doing so at their leisure. The only noticeable effect I’ve ever noticed was the “targeted advertising” advertising stuff I already bought the week before.

    *Well, me, obviously. But at least I could legally request a copy from various sites were I even remotely interested/-ing.

  3. Curt Sampson says

    Don’t forget an even more important rule about passwords for websites: if TOTP (that six-digit thing that changes every 30 seconds used by Google Authenticator, Authy, and lots of other systems) is available, use it. (Authy makes it easy to keep lots of these different codes and sync them across several devices to guard against device failure or loss.) And as a bonus, once you’re using that the password itself becomes a lot less important; you can use something memorable if that makes things more convenient.

    And don’t use SMS. You may have to go to extra effort to turn off anything that would allow account “recovery” via SMS even if you don’t normally use it for additional authentication at login. Your phone number is one of the easier things to steal, and you may not even notice when it happens because it can be done without going anywhere near your phone.

  4. Owlmirror says

    In this case I can tell it’s a throwaway site because I used another account name off the top of my head as a password. A “throwaway site” in my mind is one of those annoying sites with a “you must have an account in order to access this document” signup-wall or something like that. I don’t care if the account gets hacked (that’s the site’s problem for forcing people to sign up to their stupid site!) because the credential has absolutely no value elsewhere.

    Is there a reason not to use mailinator for this sort of thing?

  5. says

    If it’s a financial site use a randomly chosen 16-character password and keep the password written down on paper in an envelope in your desk at home, and do NOT log into the site from mobile devices

    What’s a “financial site”? I assume that here you are saying that I shouldn’t keep my PayPal password in LastPass. OK, but what about all the online shops, are they “financial sites” too? Some online shops request me to type my credit card data each time I’m making a purchase. Even if I have already bought stuff from some online shop many times before, I will have to type my data once again. I assume that these kinds of online shops don’t store my data. If my account gets hacked, it won’t hurt me, right? Or am I being optimistic? Then there are also some other online shops that store my credit card data. I can buy stuff from eBay or Amazon without having to provide them with my data that’s needed so that I can pay for my purchase. They already have all my credit card data stored on their servers from back when I made previous purchases.

    Anyway, my question is, which financial sites are worth worrying about? After all, storing a password in LastPass is more convenient than having it written on a piece of paper.

    By the way, that threat e-mail you got was pretty interesting. It provides social commentary and highlights some things that, in my opinion, are very wrong with our society.

    We saw and recorded your doings on porn websites. Your tastes are so weird, you know. . .

    What does “weird” even mean? Does having a “weird taste in porn” mean that you like things that differ from what the statistical majority of human beings seem to like? If so, then does that make my fetish for long-haired men weird? Me having a preference for specific haircuts might be unusual, but is it weird? But there’s also the implication that there’s something bad and shameful about having weird tastes. Why should it be so? Why do some people think that it’s bad for humans to have different preferences when it comes to sex?

    Moreover, if somebody hacked my computer, my porn browsing habits would be the last thing I’d worry about. I’d worry about things like my credit card data or my PayPal password. But my sex life, that’s not even a secret. If somebody wanted to know about my sex life or my porn preferences, they could just ask, I’d answer.* It’s silly that we live in the kind of society where people fear others finding out what porn they like.

    I think you are not interested to show this video to your. . . intimate one. . .

    This is just so sad. Instead of fearing that your sex partner might find out about your porn preferences, it makes much more sense to just tell them, have fun, and maybe also watch some porn together. It can be fun.


    * I have dodged this question exactly once in my life. While studying in Germany, I took a course about literary depictions of foreign cultures. Basically, it was about how during the height of colonialism white European novelists and poets depicted Asian, African, etc. people and their cultures. Hint: it was ugly. In that course our professor allowed each of the students to pick a book they wanted to analyze for their final exam. I chose Le Jardin des supplices by Octave Mirbeau. My professor pointed out that this was an unusual choice and asked me why I picked this book. Giving an honest answer would have required me to give some details about my own sexual preferences and interests. I felt like saying this stuff to a university professor in the middle of a graded exam was inappropriate, so I dodged the question, and instead I said that the book seemed interesting for me (I wasn’t lying about this, I really perceived this book as interesting). At this point my literature professor made a remark about how humans seem to perceive literary depictions of torture as interesting.

  6. says

    komarov @#4

    With the new laws in the EU every time I visit a new website I now get to pick and choose my cookies and there are a lot of them. The nice pages have a big “functional cookies only” button. The clearly not so nice websites have links to other pages buried in miles of text for maximum intransparency.

    Hmm, that’s weird. I’m from the EU, and most of the websites I visit behave differently. When I open some new website I haven’t visited before, my monitor screen gets covered with a huge sign that requests me to accept all their cookies. Until I click that I accept them, I cannot access or use the webpage. The choice I’m being given is to either accept all the cookies or to leave the webpage.

  7. jazzlet says

    Ieva, websites seem to vary, I’ve come across both of the things komarov mentions as well as the ‘tick this or you can’t access our site’ that you mention.

  8. komarov says

    Yes, I see different approaches to cookie selection, too. I’ve seen the screen-fillers or superimposed boxes of all sizes, including many you can just read around without ever accepting or declining anything. With the new laws there’s usually a link embedded in those notices, e.g. “cookie policy” is a common one, which takes you to

    a) a compact and convenient interface to disable unnecessary cookies or
    b) a text wall with either the same settings at the end or further links placed virtually anywhere

    In the latter case of b) I assume you have to click through further to each site (e.g. facebook or “service providers” I’ve never heard of before) and disable their specific cookies individually. Frankly, I’ve never had the patience to find out. On the nice websites there are sometimes dozens of “optional” cookies listed (e.g. for advertising) each from a different service. I assume the pages that don’t make it this simple to disable cookies use just as many and I don’t feel like spending half an hour disabling cookies just so I can read some article.
    The deliberate obtuseness in this approach is so blatant that even I can take the hint: cookies or get out. And fair enough, I’ll just get out.

  9. says

    Owlmirror@#6:
    Is there a reason not to use mailinator for this sort of thing?

    That’s a good option.

    If you own a domain it’s easy enough to drop an alias in and leave it there in case you ever need the account again. I used to occasionally use that horrible Boingo airport wifi thing, which always wanted to do an account set-up each time, so I think they probably have 60 or more accounts of mine, most of which had a pointer to boingo@ranum.com which I eventually set to reject in the mailer – that way when they spam you and get the reject in the SMTP transaction they usually decide the address is no longer valid, and delete it.

    Many sites now do a “confirmation email” which forces you to get your email and then follow a link to activate your account. I remember the free WiFi at Frankfurt Airport used to do that — uh, how am I supposed to get my email if you won’t activate the WiFi without my being able to WiFi over to my email server and get the email? T-Mobile, for the win! The confirmation emails don’t actually help do anything for your security or the reliability of the service – they just exist for marketing purposes, so they know they have a real person on the hook. If you own a domain you can unset the forwarder to president@whitehouse.gov long enough to get the confirm message, then put the forwarder back after you have the link.

  10. says

    Curt Sampson@#5:
    And don’t use SMS

    Generally, I agree, but it should be guided by your risk tolerance for the account. I use SMS check for accounts like Amazon and Ebay where they have my credit card, and I have credit card protections in place (Don’t do this with a debit card!)

    That’s probably another point I should have mentioned: don’t ever expose a debit card to the internet, at all, ever, no how. If your debit card is compromised and someone spends $5,000 on it, you’re liable for the $5,000. With a credit card there are some mandatory protections that cap your liability at $50. That’s why credit card companies are more careful about fraud detection. And we all need to keep an eye on the asshole republicans, who will probably destroy all credit card protections, if they think of it. Because consumers must be screwed as hard as possible whenever possible.

  11. says

    Ieva Skrebele:
    What’s a “financial site”? I assume that here you are saying that I shouldn’t keep my PayPal password in LastPass. OK, but what about all the online shops, are they “financial sites” too?

    I’m talking about stock brokerage accounts, retirement savings, investment portfolio accounts.

    There are people who manage their stock portfolios online, which is (in my opinion) a bad idea. For that purpose, if you absolutely must, buy a special laptop or tablet that you only use for stock trading, which is locked down so that all you can run is a browser, and the browser has script blocking against everything else – and don’t ever take it out of your home and don’t put the password for it on the internet.

    If I’m not willing to lose it, it doesn’t go online.

  12. says

    What does “weird” even mean? Does having a “weird taste in porn” mean that you like things that differ from what the statistical majority of human beings seem to like?

    They are probably hoping to stumble across (and terrify) someone who is into kid-porn, hoping they’ll freak out and not think things through.

  13. John Morales says

    I got one of those, in my own junk email account.

    I laughed to myself, deleted it, and thought no more about it.

    (Obviously, nothing happened to me)

  14. EigenSprocketUK says

    How did that bit of spam even get into your public-facing mjr account? Surely it came from someone else’s mail server, so it’s immediately obvious it didn’t come from your server, which should be the only genuine source for mjr @ ranum.etc

  15. says

    EigenSprocketUK@#18:
    How did that bit of spam even get into your public-facing mjr account? Surely it came from someone else’s mail server, so it’s immediately obvious it didn’t come from your server, which should be the only genuine source for mjr @ ranum.etc

    Yes, normally I’d have my systems configured to “reject anything inbound that claims to come from me” except I’m hosting on a big shared server and I have no control over the setup of the various services.

    I run a bayesian anti-spam filter on my inbox (I use Thunderbird) and it works remarkably well once it’s had a chance to train for a new spam thread (e.g.: currently I am supposed to be very concerned about toenail fungus) – in order to find these gems I look in my junk-box, which is a great source of unintentional surrealism.

  16. Raucous Indignation says

    You make me so nauseous with this information that I want to throw up sometimes.

  17. says

    @Marcus

    I just got one! To a secondary email with a claimed password… man, it’s been YEARS since I used that format, I didn’t think there was even anything out there that still had it.

  18. says

    abbeycadabra@#21:
    The internet never forgets!

    I suspect that some sites’ user databases were compromised long ago, and whoever’s doing it just now got their hands on the databases and has been running crack-o-matic dictionary attacks on them.