Account Hijacking

May 15, 2008

Recently, a Nigerian scammer gained access to my mother’s free email account. Perhaps he guessed her password, or easier still, her secret question. Masquerading as my mother (identity theft!), he then tried to get money from people in her address book (see email transcript below). Seems like an effective scam, judging by the number of people who were ready to wire the money to Nigeria! 

In any case, the scammer had completely taken over her account, and all our attempts to regain access were fruitless. Of course, the scammer had already changed the security question, so we were unable to complete the automated procedure to regain access. And what are the admins to do anyway? How does one prove rightful ownership of a hijacked account when the hijacker has gone ahead and changed all the profile information?

Long story short, you might wake up one morning, only to find that you’ve lost access to all your stored messages and online address book. I suspect that many folks don’t make local backups of their email folders because they trust the (free) online services to have reliable storage, and believe that their passwords are safe. But even the smartest of folks can have their passwords phished. A colleague of mine, a security researcher, was tricked into revealing his password by way of a link that was injected into his ongoing instant-messaging chat window! He too lost access to his email account. You can never be too safe. (Update: I too got phished in a moment of weakness. Sigh. Luckily I realized this immediately, and changed my password before I lost all access to my account).

I think we should all give this scenario a moment’s thought. What would you do if one of your online accounts was hijacked? Is there a fail-safe procedure to regain access? Personally, I’d rather stick to my university email account, because my trusty sysadmin can restore access if needed. But what if your online bank account was hijacked? Will your bank refund any money siphoned out of your account? What’s the fine print on their “money back guarantee”?

Links

Here’s a resource by Carnegie Mellon University to get you started:

http://www.mysecurecyberspace.com/encyclopedia/index/account-hijacking.html

Here’s an interesting podcast about identity theft in general (the featured guest is Frank Abagnale, for those of you familiar with the film Catch Me If You Can):

http://www.wnyc.org/shows/bl/episodes/2008/04/24#segment97397

Email transcript

Please i am in a hurry writing this mail, I’m presently in  Nigeria for an Educational program and i have gotten myself stranded here please could you help me with $3,500 and i will return it as soon as i return.Please i wait to hear from you soon as to send you the information on how to send the money through Western Union or Money Gram,Please keep this between us until i return. i will like you to reply in English Because i am sending this mail from a near by city library here and it only shows mail written in English..

I wait to hear from you soon.

Regards,


Secret Questions

May 12, 2008

Online services ask us to pick hard-to-guess passwords, and in the same breath ask us to answer “secret questions” just in case we forget our passwords. Some of these questions are “What was your first pet’s name?” or “What street did you grow up on?” 

The attack is obvious: why bother trying to guess someone’s password if you can focus on the easier task of guessing that person’s first pet’s name? As Brainard et al. [1] point out on the same issue, the question “What was the make of your first car?” is weak because “General Motors, for example, had about a 43% market share in the United States in 1983.” In short, secret questions have lower entropy (they are less random) than passwords, are easier to guess, and are thus the weakest link.
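To put numbers on the “lower entropy” claim, here is an added illustration (not part of the original post) that compares a skewed secret-question answer distribution against a uniformly random password. The 43% General Motors share is the 1983 figure the post quotes from Brainard et al.; every other share in the table is a constructed assumption for the sake of the comparison, not real market data.

```python
import math
from typing import Dict, List

# Constructed answer distribution for "What was the make of your first car?".
# Only the 43% General Motors figure comes from the post; the rest are
# illustrative assumptions chosen so the shares sum to 1.0.
FIRST_CAR_MAKE: Dict[str, float] = {
    "General Motors": 0.43,
    "Ford": 0.23,
    "Chrysler": 0.10,
    "Toyota": 0.07,
    "Honda": 0.05,
    "Nissan": 0.04,
    "Volkswagen": 0.03,
    "Other": 0.05,
}


def _sorted_probs(dist: Dict[str, float]) -> List[float]:
    """Answer probabilities in the order a rational guesser would try them."""
    return sorted(dist.values(), reverse=True)


def shannon_entropy_bits(dist: Dict[str, float]) -> float:
    """Average uncertainty of the answer, in bits."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Worst-case (min-)entropy: how hard the single best guess is to land."""
    return -math.log2(max(dist.values()))


def success_after_k_guesses(dist: Dict[str, float], k: int) -> float:
    """Probability that guessing the k most popular answers first succeeds."""
    return sum(_sorted_probs(dist)[:k])


def guesses_for_success_probability(dist: Dict[str, float], target: float) -> int:
    """Smallest number of best-first guesses whose success probability >= target."""
    total = 0.0
    for i, p in enumerate(_sorted_probs(dist), start=1):
        total += p
        if total >= target - 1e-12:
            return i
    return len(dist)


def expected_guesses(dist: Dict[str, float]) -> float:
    """Expected number of best-first guesses until the answer is found."""
    return sum(i * p for i, p in enumerate(_sorted_probs(dist), start=1))


def uniform_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly from alphabet_size^length strings."""
    return length * math.log2(alphabet_size)


def uniform_expected_guesses(alphabet_size: int, length: int) -> float:
    """Expected guesses for a uniform password: (N + 1) / 2 over N candidates."""
    n = alphabet_size ** length
    return (n + 1) / 2


if __name__ == "__main__":
    print(f"first-car answer: {shannon_entropy_bits(FIRST_CAR_MAKE):.2f} bits Shannon, "
          f"{min_entropy_bits(FIRST_CAR_MAKE):.2f} bits min-entropy")
    print(f"  1 guess succeeds with p={success_after_k_guesses(FIRST_CAR_MAKE, 1):.2f}, "
          f"3 guesses with p={success_after_k_guesses(FIRST_CAR_MAKE, 3):.2f}")
    print(f"  expected guesses: {expected_guesses(FIRST_CAR_MAKE):.2f}")
    # Compare with an 8-character password over [A-Za-z0-9] (62 symbols).
    print(f"random 8-char password: {uniform_password_bits(62, 8):.1f} bits, "
          f"expected guesses: {uniform_expected_guesses(62, 8):.3e}")
```

The min-entropy figure is the one that matters for the attack in the paragraph above: a single guess of the most common answer wins 43% of the time, whereas the first guess at a uniformly random 8-character password wins with probability 62^-8. Shannon entropy understates the gap because it averages over the rare answers too.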

Now, this topic is not new. Bruce Schneier wrote about it a few years ago [2]. Schneier says that he “type[s] a completely random answer,” but consider this anecdote: a colleague of mine uses the same technique. He called up customer service once, who then asked him, “what’s the answer to your security question?” He said, “some random numbers.” The response was “okay.” So picking random numbers might be less secure than picking a realistic answer? :-)

Anyway, what surprises me is that secret questions are still prevalent today. Why aren’t more people up in arms about this issue? There needs to be an uprising. Go!

References

[1] J. Brainard, A. Juels, R. Rivest, M. Szydlo, and M. Yung. “Fourth Factor Authentication: Somebody You Know,” ACM CCS ’06.

[2] Bruce Schneier, “The curse of the secret question,” Computerworld, February 09, 2005.


Hello World

May 11, 2008

This is my first blog entry ever. Run!