Monday, January 08, 2007

Protecting Your Client Communications

We hear a lot in the consulting literature about "communications," but mostly they (me, too) are talking about the psychology of getting information from one person to another. That's a tough topic, but there's also the physical problem of getting information from one person to another. In the past week, I've been alerted to several instances where electronic communications have been corrupted or diverted. It's time to take a serious look at what's happening to your electronic messages.

Case 1. AOL Account Hijacked Through a Security Question

This is a note from one of my correspondents:

Last night was horrific. I lost my screen name. Some hacker stole it from me and no one - *NO ONE* - from AOL would help me. When the hacker got in, he changed my password, my security question, my billing. Yep, he changed it so that he would be billed. Why? Because he liked my screen name. It's XXXXXX. He wanted it. He was willing to pay for it. And he was willing to screw me over to get it.

I was on a secondary screen name at the time - one that I use when I'm online and I don't want to be distracted by e-mails and such. I got an e-mail. It was from AOL telling me that the master screen name's password was changed. I didn't change it. No one has that password but me. No one.

I immediately tried to access that name. No luck. I called AOL and suffered through repeated recordings that tried to "solve my problem" for me before sending me to a real person. No... hitting "0" didn't work. But I found out that "9" does. I talked to everyone I could.

No one would talk to me. Why not? Because I was no longer the owner of the account. I've had this account since 1996 and they would not listen. They told me that since I was not the current owner, they could not talk with me. They claimed to have no record of me at all. The guy had had control for less than an hour and they wouldn't budge because I wasn't the owner of record.

You can't imagine my frustration. Or maybe you can. I conduct *ALL* my consulting business from this screen name. Losing it would be disastrous. Hideously so. I was apoplectic. I offered to prove that I owned the account - to no avail. THEY WOULD NOT TALK TO ME.

They referred me to the Fraud department, which was closed till nine this morning. But I couldn't wait. I couldn't stand it.

I was still on my secondary e-mail and I waited till the (expletive deleted) signed on. And then I IMed him. I called him a nasty name and then started in on the questions - why? how?

He laughed. Sent me "LOL" and told me I'd just learned a lesson the hard way.

He knew I was a consultant. And I asked him how he knew.

Here's what happened: I'd put some information in my AOL profile, thinking that it was a cool way of promoting my services in case anyone was browsing. Mistake. That gave him my name. He googled me and found out what college I went to. Bingo. That gave him the answer to my security question.

He didn't even need my password to get in. He used the "password reset" option and used the security question to bypass it all. This bears repeating: HE DIDN'T NEED MY PASSWORD.

He said he collects screen names for a living and laughed at me.

All this in an IM.

And then, I asked, please. I told him that he was messing with my career. That my screen name was my lifeblood and that losing it would hurt more than he could ever imagine.

And then the hacker did what AOL refused to do. He gave me my screen name back. He gave me the new password (which I promptly changed) and the new security answer. He got suddenly chatty and started giving me hints about him and where he lives and such. Not that I believe any of it. He made my XXXXXX to a lower case xxxxxx and offered to send me the program he used to change it. I declined, telling him that the lower case "x" would be a constant reminder to me to be vigilant.

I have no idea why he did this. But he did. He said he was a hacker with a conscience. I believe it. I still hate that it happened. But I learned a lot last night, in the midst of all the angst. I have a cryptic answer to my security question now. I have all new passwords. I have NO profile on AOL now. I'm sure someone can still make the connection, but I'm taking steps to protect myself.

Jerry, can you make this into a well-worded warning and try to get it out there on your blog for other consultants?

AOL did not help me when I needed them. I called the Fraud department this morning and I ripped into them. Did they care? No.

They're the ones who forced me to set up a security question. I never wanted one. I foolishly believed that the question would come into play only *AFTER* the password was given. I was wrong.

Double check your security. Do not go through the agony I went through last night.

MORAL: 1. Don't count on AOL for security help.

2. Don't count on any ISP for security help. It's your responsibility.

3. Don't be stupid about your passwords, and treat the answer to a "security question" as a second password. If the answer can be found with a search engine, it isn't a secret, and a password reset that accepts it is a password reset that accepts nothing at all.
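The bypass the correspondent describes, alongside a reset flow that does not have the weakness, as an added example written for this post (it is not AOL's software, and the user record, the screen name and the sample answer "State U" are hypothetical). In the vulnerable flow the security answer alone sets a new password; in the other flow the answer only unlocks a single-use token sent to the registered e-mail address, wrong answers are limited, and the owner is told about every change.

```python
"""Added example, not code from the original post or from AOL: the difference
between a password reset that only asks a security question (the flow that let
the attacker in) and one that also requires control of the account's registered
e-mail address.  User, the stores, the screen name and the sample answers are
all hypothetical."""
from __future__ import annotations
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _h(value: str) -> str:
    # Normalise then hash, so "State U" and "state u" compare equal.  A real
    # system would use a slow, salted password hash here, not bare SHA-256.
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


@dataclass
class User:
    screen_name: str
    password_hash: str
    answer_hash: str                     # security-question answer, hashed
    email: str                           # out-of-band channel for reset tokens
    reset_token: Optional[str] = None
    failed_answers: int = 0
    notices: list[str] = field(default_factory=list)


class VulnerableReset:
    """Case 1 as described: a correct security answer alone sets a new password."""

    def __init__(self, users: dict[str, User]):
        self.users = users

    def reset(self, screen_name: str, answer: str, new_password: str) -> bool:
        user = self.users[screen_name]
        if hmac.compare_digest(user.answer_hash, _h(answer)):
            user.password_hash = _h(new_password)   # a googled answer is enough
            return True
        return False


class HardenedReset:
    """The answer only unlocks sending a single-use token to the registered
    address; wrong answers are rate-limited; every change notifies the owner."""

    MAX_GUESSES = 3

    def __init__(self, users: dict[str, User], outbox: dict[str, list[str]]):
        self.users = users
        self.outbox = outbox                 # stands in for mail delivery

    def request_reset(self, screen_name: str, answer: str) -> bool:
        user = self.users[screen_name]
        if user.failed_answers >= self.MAX_GUESSES:
            return False                     # locked: hand off to a fraud desk
        if not hmac.compare_digest(user.answer_hash, _h(answer)):
            user.failed_answers += 1
            return False
        user.reset_token = secrets.token_urlsafe(32)
        self.outbox.setdefault(user.email, []).append(user.reset_token)
        return True

    def complete_reset(self, screen_name: str, token: str, new_password: str) -> bool:
        user = self.users[screen_name]
        if user.reset_token is None or not hmac.compare_digest(user.reset_token, token):
            return False
        user.reset_token = None              # single use
        user.password_hash = _h(new_password)
        user.notices.append("Password changed. Not you? Contact the fraud desk.")
        return True


def make_victim() -> User:
    # Hypothetical consultant whose college is in her public profile.
    return User("XXXXXX", _h("correct horse"), _h("State U"), "owner@example.invalid")


def demo() -> dict[str, bool]:
    """Attacker knows only the googled answer, not the owner's mailbox."""
    googled = "state u"
    v = make_victim()
    taken_over = VulnerableReset({v.screen_name: v}).reset(v.screen_name, googled, "pwned")

    w = make_victim()
    outbox: dict[str, list[str]] = {}
    hard = HardenedReset({w.screen_name: w}, outbox)
    token_issued = hard.request_reset(w.screen_name, googled)          # token goes to owner
    attacker_done = hard.complete_reset(w.screen_name, "guessed-token", "pwned")
    owner_done = hard.complete_reset(w.screen_name, outbox[w.email][0], "new secret")
    return {"vulnerable_takeover": taken_over, "token_issued": token_issued,
            "attacker_without_mailbox": attacker_done, "owner_with_mailbox": owner_done}


if __name__ == "__main__":
    print(demo())
```

Note what the hardened flow does not do: it never lets a caller who knows only the answer choose a password. The answer is a hint that a reset is worth sending, the mailbox is the proof, and after three wrong answers the account stops answering the reset form at all, which is exactly the point where a human should have been able to talk to the correspondent.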


Case 2. Don't Be Spoofed and Don't Be a Pfish


I receive income from Amazon for my short essays posted on their site. Yesterday, someone tried to hijack my Amazon account. If they had succeeded, they could have diverted my income directly to their bank account. Even worse, there are cases where they could post counterfeit writing under my name, which could kill my reputation.

I received an email that looked exactly as if it had come from Amazon, asking me to update my account information. Heeding previous advice, however, I did not click on the link but instead wrote directly to Amazon using their website (which I reached by typing the URL myself). I received the following information and advice, which applies to all such "update your account" messages:


Greetings from Amazon

The e-mail you received was not from Amazon.com. We are investigating the situation, and we appreciate you letting us know that you received this.

For your protection, we suggest that you never respond to requests for personal information that may be contained in suspicious e-mail. It is best to assume any e-mail that asks for personal financial information (or web site linked to from such an e-mail) is not authentic.

If you did not click on the link in the fraudulent e-mail, your account at Amazon.com is fine--there's nothing more you need to do. If you did click the link, but didn't enter any personal information (such as your login or password), the phishers will not have your Amazon.com account information.

However, please know that if you ever respond to a phishing e-mail and do enter your Amazon.com login and password (or any other personal information) on the forged web site, the phishers will have collected that information and you should take appropriate action. We recommend that you update your Amazon.com password immediately, and, if you entered financial information, you may want to contact your bank or credit card provider.

If you encounter any other uses of the Amazon.com name that you think may be fraudulent, please do not hesitate to contact us again.

Thank you for contacting Amazon.com.

WHAT IS PHISHING?

Phishing e-mails have been around for years. The term phishing comes from the use of increasingly sophisticated lures to "fish" for users' personal or financial information. In phishing, the scam artist usually sets up a spoofed web page, which looks like the real one, but is owned and operated by the phisher.

Go to www.amazon.com/phish to read more about ways to protect yourself from phishing.


WHAT IS SPOOFING?

Spoofing, in this context, refers to a counterfeit web page or e-mail that is made to "look and feel" authentic but is actually owned and operated by someone else. It is intended to fool someone into thinking that they are connected to a trusted site, or that they have received an e-mail from a trusted source.


MORAL: Don't be so trusting. These are not people you're dealing with.
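Before typing a URL by hand, it helps to know what the link in the message actually points at. This added example (not part of the original post or of Amazon's reply) does the check a careful recipient would do: it pulls every link out of an "update your account" message and flags any whose real destination is not under the expected domain, is not HTTPS, or whose visible text names a different host than its href. The sample message is constructed for this example, and the lookalike hostnames in it are invented.

```python
"""Added example, not part of the original post or of Amazon's reply: the check a
recipient can run on an 'update your account' e-mail before clicking anything.
SAMPLE_MAIL is constructed for this example; the lookalike hostnames in it are
invented and are not real phishing domains."""
from __future__ import annotations
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "amazon.com"       # the only sender this mail claims to be


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname.  Enough for .com; production code should
    use the public suffix list so that e.g. example.co.uk is handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit_links(html: str, expected_domain: str = EXPECTED_DOMAIN) -> list[dict]:
    """Flag every link whose real destination is not under expected_domain,
    is not HTTPS, or whose visible text shows a different host than its href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()   # user@host tricks are stripped here
        reasons = []
        if parts.scheme != "https":
            reasons.append("not https")
        if registrable(host) != expected_domain:
            reasons.append(f"goes to {host!r}, not {expected_domain}")
        looks_like_url = text.startswith("http") or ("." in text and "/" in text)
        if looks_like_url:
            shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
            if shown and registrable(shown) != registrable(host):
                reasons.append(f"displays {shown!r} but goes to {host!r}")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


SAMPLE_MAIL = """<p>Dear Customer, your billing information must be updated
within 48 hours or your account will be suspended.</p>
<a href="https://www.amazon.com/gp/css/homepage.html">Your Account</a>
<a href="http://amazon.com.account-verify.example/login">Update Now</a>
<a href="https://www.amazon.com@203.0.113.7/ap/signin">https://www.amazon.com/ap/signin</a>
<a href="https://www.amaz0n.com/ap/signin">Sign in</a>
"""


def suspicious_hrefs(html: str = SAMPLE_MAIL) -> list[str]:
    return [f["href"] for f in audit_links(html) if f["suspicious"]]


if __name__ == "__main__":
    for f in audit_links(SAMPLE_MAIL):
        print("SUSPICIOUS" if f["suspicious"] else "ok        ", f["href"], f["reasons"])
```

The three tricks in the sample are the usual ones: the real name used as a subdomain of someone else's domain, a user-info prefix (everything before the @ is ignored by the browser), and a one-character lookalike. Only the first link survives the check, and even that one is worth reaching by typing the address yourself, as I did.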


Case 3. They're Faster Than You Are


Fraudulent abusers of the internet are at work 24/7, and there are thousands of them, so one little lapse will cost you. As the Amazon warning said, if you type your login and password into a forged page, the phishers have it before you notice you've been phished or spoofed, and they will sell that "secure" information many times over.

My SHAPE forum is subscription-only, and guarded by a password. The other day, however, we published a "clean" email address for special use, but mistakenly put it outside the protected area. In less than 24 hours, we started receiving spam on that address.

Imagine what would happen if you exposed one of your clients' email addresses or secure websites--or, heaven forbid, one of their passwords.

MORAL: One mistake, for one minute, can cost you your business.

Case 4. Watch Your Blog: They're Not Script Kiddies Playing Around


The other day, some of us started seeing strange, obscene material on Don Gray's blog. Don asked the AYE Conference hosts about this, and Dave Smith, our internet guru, gave this reply:

I took a close look at your blog. You've been hacked. Pull up http://www.donaldegray.com/tiki-view_blog.php?blogId=2 and View Source. The chunk of JavaScript at the bottom adds a hidden section that will render the links invisible to modern browsers (Some probably saw it because she's using an older browser like Lynx). Google will see the links, and will drop your site from the Google index. I'll dig up the procedure to get reinstated.

I suggest checking with the TikiWiki people to see about security updates. I recall there being an issue several months back that caused someone else I know to get hacked. Might be the same issue. You might also want to check the rest of your blog to see how widespread the damage is.


Don wrote back: I'm curious, what good does it do someone, if the primary result is dropping the site from the Google index? Script kiddies having fun?

Dave replied: This stuff isn't script kiddies. Basically, it's organized minor crime. By using automatic attack tools to hide a bunch of links for their clients, they're bumping up the "rank" of their sites on various services that aren't (yet) as aggressive as Google in culling out junk. Using automated tools is cheap; just park a laptop in a coffee shop with an open wifi, and let it rip. If you get caught, move down the street. The more sophisticated crooks rent time on large networks of compromised home Windows machines. It's a huge problem. This, sadly, is why nobody who tries unfiltered or unmoderated blog comment systems survives for long in the open. I don't have comments enabled on my blog, but still see daily evidence of automated attack attempts in my server logs.
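Dave found the injection by reading the page source. That check can be automated, and here is an added example of doing so (this is not code from Don's site, from TikiWiki or from Dave's reply). It walks a page looking for two things: links to other sites sitting inside elements that inline CSS or a hidden attribute keeps off the screen, and script blocks that write such hidden markup themselves. The page fragment it scans is constructed to resemble the injection described, and every spam hostname in it is invented.

```python
"""Added example, not code from Don Gray's site, TikiWiki or Dave Smith's reply:
a scanner for the kind of injection Dave describes, a section search engines
index but browsers do not display, holding links to someone else's sites.
SAMPLE_PAGE is constructed to resemble such an injection; every spam hostname
in it is invented."""
from __future__ import annotations
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline CSS that hides content from a human reader but not from a crawler.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?!\.)|"
    r"(?:left|top|text-indent)\s*:\s*-\d{3,}px", re.I)


class HiddenLinkScanner(HTMLParser):
    def __init__(self, site_host: str) -> None:
        super().__init__()
        self.site_host = site_host.lower()
        self._stack: list[tuple[str, bool]] = []   # (tag, started a hidden region)
        self._hidden_depth = 0
        self._in_script = False
        self.hidden_links: list[str] = []          # outbound hrefs inside hidden regions
        self.script_findings: list[str] = []       # scripts that write hidden link markup

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        self._stack.append((tag, hidden))
        if hidden:
            self._hidden_depth += 1
        if tag == "script":
            self._in_script = True
        if tag == "a" and self._hidden_depth:
            host = (urlsplit(a.get("href") or "").hostname or "").lower()
            if host and host != self.site_host:
                self.hidden_links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        if not any(t == tag for t, _ in self._stack):
            return                      # stray close tag, ignore
        while self._stack:              # pop through unclosed void/inline tags
            t, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        # Script bodies arrive here as raw text; a script that assembles hidden
        # markup containing anchors is exactly what "View Source" showed Dave.
        if self._in_script and HIDDEN_STYLE.search(data) and re.search(r"href\s*=", data, re.I):
            self.script_findings.append(" ".join(data.split())[:80])


def scan(html: str, site_host: str = "www.donaldegray.com") -> dict:
    s = HiddenLinkScanner(site_host)
    s.feed(html)
    s.close()
    return {"hidden_links": s.hidden_links,
            "script_findings": s.script_findings,
            "compromised": bool(s.hidden_links or s.script_findings)}


SAMPLE_PAGE = """<html><body>
<h1>Blog</h1>
<p>An ordinary post with a <a href="http://www.donaldegray.com/about">local link</a><br>
and a visible citation to <a href="http://www.ayeconference.com/">AYE</a>.</p>
<div style="position:absolute; left:-9999px;">
  <a href="http://cheap-pills.example/">cheap pills</a>
  <a href="http://casino-bonus.example/">online casino</a>
</div>
<script type="text/javascript">
document.write('<div style="display:none"><a href="http://loan-spam.example/">loans</a></div>');
</script>
</body></html>"""


if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

The visible link to AYE is outbound but not hidden, so it is not reported; the two links pushed off-screen and the script that writes a display:none block are. Run something like this against your own pages on a schedule, because by the time a reader notices, the search engines already have.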

My own blogs, including this one, receive numerous spam messages every day, which I block, but some of my colleagues still have unmoderated blogs. Everything that goes up on your blog reflects on you. Just the fact that you allow it to go up there reflects on you. Yes, you can moderate posts off your blog after they're posted, but that's too late. You want your clients to read your blog, don't you? Some of them will see the posts before you are able to remove them, so stop them before they reach the site.

MORAL: Everything on your blog or your website reflects upon you. Make sure it's the reflection you want.

META-MORAL: I could go on endlessly with examples of corrupted or diverted communication, but I couldn't keep up with the new scams that appear every day. You have to be super-cautious, and well-informed, but many consultants I know are failing in this responsibility.

Yesterday, I talked to a consultant who uses "password" for her password. When I asked her why, she said, "Yes, I know better, but it's just not a high priority." Well, maybe this is the psychology of communication after all.