My guess is that a decent percentage of those of you reading this will have changed your password in the past 24 hours. Most of us have web-based mail, and most of us use Yahoo, Hotmail or G-Mail. And all three of those main providers have been affected by this Phishing attack which has led to thousands of passwords making their way online.
(What’s Phishing? Click here.)
The scale maybe new, but online security breaches aren’t. Many an expert will tell you ‘there’s no such thing as secure’ when it comes to anything online. And yet we still appear happy to take our chances.
I bank online, buy most things online and will regularly use a new website if it’s offering a product at a decent rate. I’d say my checks on that website go as far as seeing if the logo looks convincing, and even then a cheap logo normally gets trumped by a cheap price.
Needless to say, there are all sorts of things on my Yahoo email I wouldn’t want people to see. And yet, I carry on. I’m sure quite a few of you do as well.
Many of us are either sharing information, or placing it in insecure environments, in a way we wouldn’t away from the net. Today we want to try and understand why. Your stories and explanations are welcome.
Listen to the story explained on BBC radio
RSS feed
BBC World Have Your Say 
Phishing? What Phishing? It does not matter to me in the least. I can feel insecure only when I am stupid enough to mail something which I don’t want others to read or if I know that being (ph)ishy by someone would matter.
People can be naïve. Phishing is a form of social engineering which preys on this naïveté. Someone will see an email that claims to be from (for instance) their bank, and they don’t take the time to think that the message might not be legitimate. They later end up dealing with identity theft.
This is related to why people are so willing to hand over personal details like their social security number. They see a request with a legitimate company’s name on it, and because they respect the company, they leave it at that.
1. Con men can win, thieves can win with or without the internet.
2. We are adaptive little lemmings, always finding new machines to stick our fingers in.
Ros, the internet use you describe above is very common. I think the main reason people take risks online is the ease and immediacy. You can pay your bills, balance your checkbook, buy products, communicate with friends, research for school, entertain yourself, etc. , all in a very short amount of time, without having to leave your home, or even get dressed. We are also constantly reassured that this is “a secure” website.
All it takes is a little common sense to stay safe online. I rarely get viruses or malware by following a few simple rules. If you get an alarming or a too-good-to-be-true email, look at the address of the sender. Before buying from an online retailer, check their rating from a trusted source, or at the very least, calling their customer service telephone number first. Don’t enter sensitive information into a webpage unless you have a secure connection. I am regularly amazed by the stupid things people do online.
(Ooops!)
I think most people continue to do it for the same reason they do everything else they’ve been cautioned about – because bad things happen to other people, not them.
there are risks to everything. Just about everyone has had their car stolen or their homes broken into. You could have had valuables there. This is just an unavoidable risk of life. On the bright side, at least with online hackers, you can rest assured that they’re likely to die virgins. I bet legalized prostitution would end hacking and computer viruses as they wouldn’t have all the free time to do those hacking things.
It’s simple why I do numerous personal and business activities online. I can’t exist without it. Do I worry? No. I may try some basic procedures like not opening up zip attachments from people i don’t know. But you can’t get paranoid about it or you’ll never do anything. If someone wants your ID info (like the SS number in the US), they can get it. It’s all over the place. And credit cards? Foret it. Every store and restaurant has mine as well as Amazon. If you never want to get into an auto accident, don’t leave the house. If you never want your identity stolen, don’t get a drivers license, pay everything in cash. f you want to live, you must take risks or else live in a bubble.
I don’t see how it’s more secure to use a credit card in person than over the internet.
Sure, maybe that website isn’t that great, but what’s to stop some worker at a store or restaurant from swiping your card twice or increasing the tip? Some folks are finding that others have attached card scanners to ATM machines to pick up your information that way.
There are consumer risks everywhere. While I applaud efforts to educate people about using the internet, we need to stop holding it up as some mysterious force that cannot be understood.
If you get an e-mail asking for login or personal information, throw it out. If you need to login to an account of some sort, type out the web address yourself and login like normal.
Additionally, if folks are interested in how computer encryption systems work, and why they are considered secure, I recommend this article from HowStuffWorks:
http://www.howstuffworks.com/encryption.htm
My question to you is, why do you distinguish ‘online’ from any other aspect of life? This distinction makes no sense to me. Online is currently the ‘integration in progress’ of they way things will be. It is the new telephone, shopping mall, TV, magazine and postal service, finally made efficient. None of this has ever been truly secure, and it never will be.
Most of us go swimming in the sea, some get killed by sharks, farmers in Africa go through Lions, snake bites, some loose their life, many have died from road accidents instead we are having even quicker lines, do we give up… NO. it’s a human endeavor to carry on. I do shop online but strictly from the same sites, I have done business with them and trust them. It’s quick, easy, convenient and most of all I buy stuff which are not available in local market or costs triple price. like swimming in deadly sea, swim within yellow flags. Jay
06. 10. 09
Dear Ros,
Even though people are fearful about loss of money or even life they get indulged into many acts that can damage their best interests in the form of material losses or injuries and you name it. Travelling by any motorised vehicle puts one’s life at risk even if he/she takes utmost care while driving/riding; there is no option. One has to live with and change with time. In the past when there were no motor vehicles people used to travel on animal pulled carriages or astride on them, even then they encountered many difficult situations including all those things that happen today while driving a vehicle or much worse. When people are introduced to better conveniences they do go with it despite the inherent risks embedded with the task. Using internet for banking, purchase of goods etc too is part of this convenience. Thiefs help improve the security system and they will keep on finding a way to break through the improvized mechanism and further improvements will happen and so on incessantly. Nothing to worry! Loss of money/materials, life etc will continue to happen the same as it happened since time immemorial as long as human beings are around.
I don’t people actually take “risks”. If the internet is not perceived as a potential threat then the individual does not take risks. People still drink and drive. Why? They don’t believe they’re taking a risk.
Solution? Education. People have to be educated about the risks of the internet: Accountability, longterm consequences, losses etc.
Maybe there should be a new subject in school. Media education. Just like you need to read and write, you have to learn to deal with media and information: internet, mobile phone, facebook (social networking sites). Not every new application or gadjet is a good thing. You should be able to make conscious descision.
One reason. Can you imagine life WITHOUT a PC?
Since the Net is global, it’s impossible for people to stay away from the satisfaction of communicating globally. The convenience. And the online scams that will always find a victim (no matter how many times you say change your passwords).
Hello all,
As an IT professional and an armchair psychologist, I have never ceased to be amazed how carefree the people I meet are when it comes to the internet. Because there is no personal interaction, people feel safe. face to face with a con man most people can read signs of insincerity, stress, and lying. This is why over the phone cons tend to be even more successful. The “target” is reduced to just having vocal input in order to judge ill intent. On the internet, none of those input markers are available to detect malice intent. The reader is left to “hear” the voice they want to hear and read into the exchange the attributes they want rather then the ones that are real. Identification is difficult over the internet. If you walk into a bank, you know where you are at, expect that the people behind the counter are employees of the bank you have entered, and find comfort in being able to identify the person who took your information if it should get misused. Online, there are no brick walls and real faces. One only needs to make a web page that looks like the banks web page, and a feeling of security is inferred. Add to that, the exchange of information seems harmless to most people. “Who cares if somebody gets my passwords, I will just change them.” “the chances of identity theft happening to me is so slim.”
Then don’t get me started on what parents will let their children do behind closed doors.
For me, it’s “Who cares?” I had someone buying porn with my account number years ago, but Washington Mutual has a policy so that any fraud is reimbursed, so I got provisional credit, then my money back. It’s def worth the risk!
Also, Phishing is SOOOOO easy. I have phished my friends a bunch if times, posing as “yahoo_admin_866@yahoo.com”, or something like that, and getting their passwords and messing with their myspace/facebook, etc.
-Anthony, LA, CA
@ Anthony – It’s funny you say that, a lot of people say they are not at risk because they are only trusting with people/websites they know and trust online. Obviously, according to what you said, you can’t even trust even trust your friends!
what do we do? we all have been reduced to a bunch of “lazy bums”, excuse me, but that is just the truth, quite a number of us would rather we do everything while sited in one position, we find moving short distances to run errands or carry out some transactions, as inconveniences, i’ve heard of some one who drives two blocks from their home to go buy groceries, and yes, they have reasons for doing this. i dont mean to be stereo typical, but if some of us could do our best to travel to Africa, and see the tasks an average African can accomplish each day with their own strength, then we would have a revised perspective about so many of our day to day habits.
some times we put ourselves in these risks because of our selfishness and greed, take for instance the nigerian scammers (I have nothing against nigerians, matter of fact they themselves testify to this) they send you fake emails congratulating you upon winning such and such an amount of money, and because of greed, you also fall prey to this, then when your ripped off, you expect the people you were hiding the whole thing from to come around to your rescue……
Keep this in mind. Can anything (including Obama’s supercool Blackberry) be hacked? Several experts have told me yes. You don’t need a big budget and lots of supercomputers to do it. It’s a matter of your objective, creativity. And code writing skill.
I think plenty can imagine life without a PC. But it is hard for younger people to imagine. Remember, 40 years ago, in an office, an executive just had a desk and a telephone, no computer. I wonder how they even had work to get done, but people got along without computers for thousands of years.
@ Anthony – It’s funny you say that, a lot of people say they are not at risk because they are only trust people/websites they know online. Obviously, according to what you said, you can’t even trust even trust your friends! Sorry, my previous comment had so many typos, my mind is fried today. Hopefully you won’t post it, post this one instead!
@ Patti
Well, in these cases, they didn’t even know it was me. And it wasn’t any crazy coding or program tricks. It was knowing HOW to ask for important information. It’s about knowing how humans think.
And I did it to play jokes, like changing their orientation on social networking sites to “homosexual” or blogging about a fake pap smear that went wrong. All in fun, no identity theft or anything. 🙂
-Anthony, LA, CA
we all trust everybody too much these days .if we could only adopt a professional attitude to the internet as we do to our bosses then the web would be a safer place.TRUST NOBODY!!
the only people at risk are usually the gullible, and naive and in some (or most) cases the ignorant. usually keeping a low profile be it on social networking sites or avoid clicking dubious links on our ever dependable email services will always get you less unwanted attention.
I don’t think we are necessarily lazy or greedy (at least not all of us). I think there are just so many things to do, that anything that helps you save a little bit of time is a big asset, and you are going to want to use it. In that way, the risks we take online, contrary to being born out of laziness, are actually due to being over-extended and trying to get as much done as possible.
and like the BBC story (http://news.bbc.co.uk/2/hi/technology/8292928.stm) says, education is key. the big three (microsoft, yahoo and gmail) need to educate thier customers about these risks.
Actually, user education is currently the best way, but it is very ineffective and expensive. What is needed is a central standardized authentication system. This is in the works. It amounts to a national or global ID system. It is currently in the works on many levels. It is developing in the same way, to work with, the cashless money system that is developing. Credit cards are the first step.
I couldn’t survive without the convenience of online access to banking and some shopping. I get most of my bills sent electronically to the bank to pay online because I felt it was safer than having someone take my bills out of my mailbox. I would certainly not use public domain email (hotmail, gmail etc) to purchase or access my bank accounts – but I guess the reality is that you can’t be 100% safe from online fraud. I don’t click on links from any emails – even from my bank – if I get a notification, I access my account directly.
Any fraud from my credit cards has happened because of theft from shops where I have made purchases. The challenge is there is always someone looking to make a fast buck by taking someone else’s money.
The internet is a boon. Ease and immediacy are the positive points. There is no question about that. But there needs to be wider security as identity theft is becoming more common. Confidential information is being compromised as hackers use more sophisticated methods to target hotmail, yahoo and g-mail accounts. People should be more careful and should change their passwords regularly. Otherwise unscrupulous hackers will continue to have a field-day at the expense of unsuspecting computer users;
@ Thomas
It’s not that people are too trusting these days, it’s that the “bad guys” are smarter and more creative.
-Anthony, LA, CA
I think, p’ple do take risks because we don’t know that the responce will be that “nasty.” Some of us in the developing world have just started, accessing the net resently and not so many know the etiquet of computers.
I am a cyber commuter whose employer lives two thousand miles away. I have never met her, but I am always promptly paid–online, no less. Although I exercise extreme caution about passwords, I am well aware that I, like so many people whose jobs require a computer, remain very vulnerable to all sorts of hacking/phishing schemes. Still, nothing beats being able to work from home–among other perks, it allows me to listen to WHYS during the well-earned lunch hour I choose for myself. Yes, there are many risks out there, but a little common sense can at least minimize them.
It has to make you think really.. what kind of a dud system is this internet thing? When you do think about it, technology (and the consipracy of software companies) means that unless you are really obstinate, you will hang onto your old PC system until it absolutely will not function and then grudgingly upgrade. Even then, a new PC will have to have patches and upgrades installed to get it to work reasonably well. If you bought cars as unreliable, those companies would have folded years ago, but we put up with PCs and their inefficiencies and problems. We rely on computers so much for work, information, for contact and socialising as well as entertainment yet the systems themselves and the internet are frought with problems. It is openly abused by criminals and gangs who operate with pretty much impunity, nothing is secure and your system (and yourself) are open to outside abuse and control. Despite superficial attempts and efforts it is just not a secure tool, but still a major tool across the globe. Why is this so and why can it not be improved and made to work, properly, efficiently and safely?
You are assuming many old ideas that most people hold. PCs are going way. Separate operating systems and applications with all their upgrades are going away. To some degree, the replacements are already here. Look at the 3G devices, you can hardly call them a phone anymore. Also look at the the many Google features such as Docs that work on 3G. No more Micro$lop.
If you need a ‘computer’ feel, get a Bluetooth dock box to connect to your HDTV and a wireless keyboard and mouse. Okay, the docking box is not quite here yet, but it will be soon.
We don’t have a choice to live off-line in today’s technology driven world. It’s virtually impossible to buy any entertainment or travel tickets in person or on the phone and if it is an option you must pay a higher service fee and wait in queue for an hour. At airports you cannot even check in with an agent anymore, you must use their computer kiosk and swipe your credit card.
Even banks prefer for customer to do their banking online. I stepped into a bank the other day to request a simple transfer between my accounts and was directed to the computers set up for customers to go online and do this inside the bank.
No, we do care, but we take the risk because we must.
In reading many of the comments people talk about naiveté in what users online, or user should be careful with what links they click on. While that is true in many cases there is much more than that.
I am a computer scientist by education and trade and know about much ot the “”internals” that go on behind the scenes. Data is collected while users are told that no identifiable data is collected, it is just used in aggregate form. One problem is that at any time the data collected can be “switched” to be identifiable. Many websites default to “opt-in” when you register instead of having users intentionally opt-in.
Another thing is many websites are now tracking usage, such as how long users spend on any page, when a page is re-viewed (such as with the “back” button in the browser) and other usage data. The only way I have found to disable this is by installing a Firefox extension called “Ghostery”. Of course the only way one would know to install this to disable the data collection is to know the data is being collected in the first place. And there is nothing for the average user to see that would indicate this data is being collected.
What I’m saying is no matter what the average user tries to do to protect themselves there is so much that happens behind the scenes that most people don’t disable, because they don’t even know it is there.
I could easily write more, but for space considerations I’ll stop here.
–Robert
San Diego, CA, USA
I follow a few basic rules~
Only buy from businesses or individuals who use PayPal.
Keep serious money – like savings accounts – only accessible off-line.
NEVER open e-mails from unknown senders.
NEVER close suspicious pop-ups by clicking on the X or “DECLINE” button – always use the Task Manager instead.
Have a reliable spyware program and USE it regularly.
Take the computer genie back in the bottle. We will write our letters as our fathers did. Let’s use the post office.
We live on a farm, have banks in three states, and use the internet for information and communication with family and my elderly parents. Due to the long distances from everything, the internet is invaluable to me for all kinds of activities that, if I lived in town, I would have had driven from place to place to accomplish. I am VERY careful not to open emails from sources that I don’t recognize and never give out sensitive information. Just as the saying goes, “Buyer beware!”, those who use the internet must constantly be on guard.
Are there any websites that help you check if a website is legitimate and safe to share your personal information with?
What’s the best software tool to let you trace where a hacker is?
As for in person banking, with the way my account is set up, I actually get charged if I use a bank teller instead of the cash machine, so they really want to encourage people to not come in, and it’s nice to avoid the lines, but there are security risks of using the cash machines, such as people modifying them to scan your card number and pincodes…
Actually, I think using physical mail is less secure than email in many cases – when account information or checks are sent in postal mail it can be stolen along the way, especially in the US where most mail is left in unlocked boxes by the street.
Really good service to detect phishing attack is http://www.opendns.com. Many corporations, schools and public organizations using this service.
I’m a dinosaur, but a smart one. I do not buy things via the internet and I do not so much as check my bank balance online. There is no was I will put my credit card number, or bank account numbers out online. I have one email address I use to communicate with family and a few friends, and if I receive anything from someone I do not know it is deleted without opening. A second email address is used for anything else – like here on WHYS.
Last year I was working with a reputable wedding ring company that received most of their customers through “spam” emails. The emails were sent to addresses bought from bridal show registries.
I was repeatedly shocked at how successful this kind of marketing was and how many customers would pay deposits without even meeting the jewelers first. As skeptical as I am of spam emails, I feel like it is a very powerful tool for small companies to acquire new customers. Though I think common sense and scam prevention tactics are great for people to learn, I don’t think that all email advertisements should be assumed to be a scam.
Thank you
I bought a professional version of a computer Operating System solely so that I could set a Supervisor Password and so eliminate any access from anyone besides myself.
But Earthlink does not allow that, Earthlink demands that they have Supervisor level access whenever I log on. So Earthlink makes sure that my computer is insecure when I access the internet. It was a waste of my time and money to try and make my computer secure with a Professional Supervisor level password.
Sheesh. It doesn’t even help to try.
You need a ‘no feature’ ISP. All these features are security holes. The core of secure networking was established in the late 1970s and have not changed. If you find an ISP that offers a basic connection and more, do not install the features. Never use an ISP that requires you install anything.
It is common that the ISP will provide software to make all the correct settings for those that don’t know how. It is hard to know if they are installing more or not. All you can do is ask.
It doesn’t seem to make sense to even buy a car online. How can you know the car is in good running order without test driving it? I would never, even if worried about scamming online, even consider buying a car without physically seeing it and inspecting it and driving it.
Speaking as a young person who has been online since I was 10 years old with most of my peers, I would add to the discussion that my generation learned about these issues by taking risks many of our parents didn’t understand at the time, such as making friends in chatrooms. It is as natural for us to engage a/friends online as much as in person. We grew up doing so. Yeah, it’s absolutely a risk but it is how my generation relates with one another. I take equal precautions with people I meet online & in person. We earn trust through consistency.
I think a huge part of this is the generational divide. I am in my young 20’s and use the internet for everything and have never had an issue, but my mother and grandmother have both had their identity stolen from engaging in unsafe online practices, the older generations are many times ignorant to online issues. I feel as more generations grow up with the internet the internet will become more safe.
hi, i had a strange experience as well with hotmail..my password was stolen and the person who stole it had been speaking to my close relatives and sending disturbing sexual comments. I was horrified..i’ve never given personal info online since
I use to use facebook and myspace, but after seeing how much information people put on this account I eased my digital footprint. It not only these sites it the profiles people on their e-mail accounts. My junk mail and other issues have drop off a great deal when I eased my digital footprint. If some wants to know something about me I make sure, I know who is asking.
While I was using Peter Nortons internet security software (Symantec) someone from online sabotaged my CD drive so that it won’t write my Quicken backups. I thought the drive had failed so I bought a new drive, which worked fine until the first time I went online and the new drive was also sabotaged. So I no longer trust internet security software. Earthlink requires you to buy and run it but it doesn’t work worth a darn, it is just a cash cow, in my opinion..
Actually, they changed a setting in the OS registry. The drives were not actually affected. Have some else try the drive on their computer to prove this. You need to disable the service in the OS that allows remote manipulation of the registry. PCs are not for beginners.
Security on-line is very similar to that in the real world. I don’t reply to phishing messages, and I also don’t park my car with the doors unlocked, the keys in the ignition, and the engine running.
If someone is determined to break into MY security on-line or into MY house, I’m certain they could do it. However, if someone is just looking for an easy target, I try not to present one, so they’ll move on to someone or somewhere else.
Since it seems this show is giving out very basic internet usage safety information I think it’s really important to note that an e-mail can easily be sent using forged headers. Forged headers can make a message appear to be sent from anyone: your bank, your mother, the President of the United States. If you click “reply” to a message sent with forged headers, the spammer will not get your message; but often the spammer’s intention is to get you to click a link that takes you to a phishing site or a compromised site that will try to install malware on your computer. So looking at the sender’s e-mail is never a sufficient protection: the best thing to do is to never click a link in an e-mail unless it’s a message you were expecting.
Because I get much less SPAM on my .mac mail account than my friends and relatives who use other servers, I feel a bit more comfortable sharing personal information via email. Is this false confidence?
I think that the internet has made certain everyday tasks like banking, shopping, and communicating with friends so convenient that we don’t want to take the time to analyze whether a website or email is legitimate. Our lives have become so fast paced that we have lost the habit of slowing down and using caution the way we used to.
This entire discussion is barely news worthy. When I was in 6th grade phishing, cracking and hacking was like a game that I would play with online friends. Anyone can use a program designed to test thousands of usernames and passwords per minute and in a single day one computer running one of these programs could return hundreds if not thousands of accounts and log them to a text file for later use for whatever. Do this for a month or use 30 computers for a day and you have today’s news.
Now take those 30,000 accounts and use them to phish and you can easily double or triple your numbers.
What KIDS and other people do with the thousands of accounts is a moral decision. For some it’s just a game…for others it’s more malicious.
This isn’t the early 90s, this shouldn’t be news to anyone.
Why the shock? Weve always known that this can and will continue to happen.Do send sensitive info on line!If you do, well you will have to accept this will happen.Please wake up people, the net will never be safe.
Henry
Zamia
I recently received an email from a certain enstranged and desperate girl who reports herself as a refugee and needed my help. What struck me most was her determination and ‘concent’ to having fallen in love with me. This isn’t the first. My advice is, we should spam, and delete immediately such trash messages.
Yes, i find myself willing to share my personal details online, that i would normally not share anywhere else. The internet is such a wonderful thing, we are just but addicts. I guess i understand why smokers are willing to risk everything just to get a stick of cigarette.
IM listening to the live discussion on radio, and im just so shocked at how naieve some people are! I guess for as long as we have people like this, it will always be possible for these hackers to rip them off.Thanks to them it will continue to be a “profitable” business for these Phishers.Its just the same as those people you see walking arround with the wallets clearly visible, they are soon parted with their money.
How can we find out the source of an e-mail? Is there a way we can track a mail to its source through the IP address it came from?
Angazi, Uganda
My brother fell into this trap.He tried to log in to his Yahoo mailbox,and got this request to change his password.From then on he couldn’t access his mailbox.Then after a few days people in his address book received E-mails asking them to send him money…that he is stuck in abroad.
Luckily he got to send a warning E-mail to his friends that his mailbox had been hacked,and that any Email appering to come from him asking for money was a hoax!
I guess it’s important to learn that not everything on the internet is genuine.
Edita,
Kenya
A few tips:
As a general rule, never click on a link in an e-mail from someone you don’t know or that you weren’t expecting.
Any reputable company, bank or whatever, if they need information, will ask you to log in to the page you should already have saved in your bookmarks. Nothing is 100% secure, but clicking on links in e-mails from bogus sources is the easiest way to reward a crook.
Also, TURN OFF images & html for e-mail sources that are not in your address book, as well as automatic replies. If all you can see is a white square, then it’s not worth looking at anyway.
Do your friends a favour when you mail them and turn OFF images, picture signatures etc. from your e-mail provider. Otherwise you may well just be helping them to spam your friends too.
You have the right to remain anonymous. Use pseudonyms for all social networking short of your bank or the IR (even when they require your “real name” – of COURSE they want your real name!).
Try googling your name (+ specific info such as home town) to see how much of you is “out there” already.
I’ve gotten a lot of variations on the Nigerian bank scam. But after the third time I wrote back and said, if you REALLY want to scam me, could you at least show some creativity in your content?
Banking online is actually pretty secure, In fact I’d say chances are bigger that you get mugged on the street than that you get robbed by hackers.
Same goes for etailers, just buy from sites that are recommended and used by people on recommended forums.
And how hard is it not to click on websites that your browser or google warn you about or not to respond to random emails from people you don’t know?
The web isn’t as dangerous as it’s made out to be, that is, if you use common sense while surfing it, lots of people seem to forget about common sense when they’re on the web (just read a random discussion on youtube if you want proof.)
In the end everyone last one of the victims of this latest phishing attack responded to a suspicious email or clicked on some shady link that offered them money or some obscure, semi-legal form of pr0n, I really can’t get myself to feel bad for those morons.
good post. thanks boss