Chapter 4

Keeping You and Your Business Secure Online

IN THIS CHAPTER

Fighting spam and scams

Choosing a good secret question and password

Reporting hijacked accounts to eBay

Online security is something everybody worries about, but few people do anything about it. When people’s accounts are hacked, they whine and moan about online security, but they don’t give a moment’s thought as to why using a user ID as a password (tell me you didn’t do that) wasn’t the best choice.

Even if you avoid such classic blunders, you have to keep your wits about you online. Sad to say, some people out there are trying to dupe you; it’s time to take charge of our own security and fight back in the best ways we can. Some phishing scams pretend to be from eBay, PayPal, Citibank, and others — and try to bilk you out of your personal information. I show you a fairly foolproof way to recognize those. I also show you how spammers get your email address. Even if you never give it out, they have ways of getting it from you. In this chapter, I hope to teach you how to be a little more savvy about which emails you open — and how to fight back.

Staying Away from Spam

I used to spend at least an hour every day cleaning spam out of my daily emails; but no longer. Read on to see how I’ve cut my spam-scanning time!

Spam is sneaky, and antispam software can cause you to lose email that you need because it seems that the word eBay is a favorite of spammers. I want news on eBay, but I don’t want to get those make-a-fortune-on-eBay emails.

I also would rather not hear from Mr. Felix Kamala, son of the late Mr. A.Y. Kamala. It seems his family lost millions in Zimbabwe to a scammer in the government, and he wants me to help him get his secret stash of “Fifteen million five hundred thousand united state dollars.” He was going to give me 20 percent just for helping him — how thoughtful! (In case you didn’t know, this email is part of what the FBI calls the Nigerian email scam — also called the 419 scam — named after the African penal code violated with this crime.)

Know that most email providers, your ISP, and the free providers install spam filters so we are not quite as exposed as much as we were in the past. I have found that the free providers actually do a better job than one might expect.

Figure 4-1 is an example of such a message found in my Gmail spam filter.

FIGURE 4-1: The classic 419 scam is still circulating.

Keeping your email address quiet

Have you ever signed up for anything on the Internet? Before you signed up, did you check to see whether the site had a posted privacy-policy page? Did you notice a tiny check box surreptitiously placed at the bottom of the page that says you agree to receive emails from the site? You probably didn’t.

After you type your name in a box on the Internet agreeing to accept email, expect to receive a lot of mail. Check any site for a Privacy Policy and read how they treat email addresses. Many sites openly admit that they share your address. You are now an opt-in customer. Opt in means that you asked to be on a list, and a site with a loose Privacy Policy can even sell your address to spammers.

Take a look at Figure 4-2. It’s a description from an eBay listing for a CD containing 14,000,000 email addresses. Yes, you can buy access to all those potential suckers for only $7.00.

FIGURE 4-2: A tempting offer to violate people’s privacy.

Just opening your email and loading images can give you away as well. Spammers will often make up return email addresses to mask their true locations (as you can tell by some of the “From” addresses). If you open and view their email, the email sends a notice to the spammers’ server, and then they know that the email address is valid. This practice can also be masked in the HTML to occur when the email consists of merely a picture — when it goes back to grab the picture for your email, it reports that your email address is good.

Recognizing Scams and Phishing

Much of the spam you get can be recognized by the subject line. I used to check my email after I downloaded it to my computer. That’s a dangerous procedure, though, considering that some emails do their real job by delivering malware that’s set up to self-install if the attachment — or even the email itself — is opened.

I now use Gmail with its very effective spam filters. Since not everyone uses Gmail (I recommend you do), you can also forward email from another email account to a Gmail address to take advantage of their advanced security. Let me take you through some steps to maintain your security.

It may seem you’ve received an email from PayPal. They say your account needs to be renewed? Oh my! You certainly don’t want to lose access to your PayPal account — which, by the way, does not expire.

Or how about an email, supposedly from PayPal, that says:

• We recently reviewed your account and suspect that your PayPal account may have been accessed by an unauthorized third party. Protecting the security of your account and of the PayPal network is our primary concern. Therefore, as a preventative measure, we have temporarily limited access to sensitive PayPal account features.
• Click below in order to regain access to your account:

Uh-huh. Right. As in, STOP RIGHT THERE!

Take a good look at the email you have received. Who is it addressed to? When PayPal sends you an email, the opening line says “Dear (your registered name).” In my case, a real email from PayPal read, “Dear Collier Company.” Spam emails are usually more generic, addressed to “Dear Valued User” or “Dear youremailaddress.com.” PayPal will never address an email to your email address.

Take a look at this email, purportedly from eBay, in Figure 4-3. Notice the eBay return address; I don’t think that’s quite right.

FIGURE 4-3: This email is addressed to my email address, not my customer account ID.

Responding to these emails is tantamount to giving away your information to a stranger. Don’t do it. I did some very careful investigating so I could show you how the scam works. Please read about what I found, but please read this first:

If you suspect a message is spam, just delete it.

In Gmail, you can click the arrow at the top right of the email return address. In a drop-down menu, as shown in Figure 4-4, you will see several options.

FIGURE 4-4: Gmail options for dealing with emails.

To confirm whether the email is real, click Show Original. At the top of the original, you get a short synopsis of the email. Note that in Figure 4-5 the return email address for eBay is not eBay.com.

FIGURE 4-5: This email is not from eBay.

Below the synopsis will be the code for the email, which can also be used to confirm your suspicions. I scrolled to the bottom, finding the line that said Sign in now (followed by a URL, as shown in Figure 4-6).

FIGURE 4-6: If you click Sign In Now you will be redirected to the scammer’s website.

Take a good long look at the link, and at the URL embedded in the email. Look just before it in the source code and you can see that the link really redirects whoever clicks it to http://i327.angjrmob.us/b/b1cef52c7ec85611cd6b775beb884baa.h=tml?c=3D59001 — not to the eBay secure URL! Liar, liar, pants afire.

When it comes to the authentic PayPal website URL, it begins with https, not http. The s in https stands for secure.

If you want to find out for sure whether your PayPal or eBay (or bank account) account has a problem, or whether you actually should view a recent charge, play it safe: Close the email, go directly to the real site, and log in at the real URL. If your account does have a problem, you'll know right away.

Fighting Back!

There’s quite a bit that you can do to help stop spam. According to Federal law, every email should have an Unsubscribe link that does not require you to enter your email address to stop getting the sender’s emails. Sound good? Well, there’s a nasty catch. Read on.

Often the link that says, “Click here to have your name removed from the list” goes directly to a site where the spammers actually collect emails from people and then exploit them. Have you ever clicked one of those? I have. I found out that those links are the gold standard for collecting valid email addresses! If you respond to the spam in any way, shape, or form, they know they’ve reached a valid address — and watch the spam (or worse) to your mailbox increase. In the case of Gmail, you can just click to report Spam or Phishing. That’s all you need to do.

When signing up for some sort of newsletter with an organization you’re new to or unsure of, use an anonymous Yahoo!, Gmail, Hotmail, or Live address. It’s easy enough to sign up for one, and if spammers get hold of that address, they will not be privy to your private address.

Also, no matter how curious you are about enlarging certain parts of your anatomy, don’t even open the emails you receive on those topics. And certainly don’t respond.

Last, report spammers. Several legitimate sites take reports and forward them to the appropriate authorities. Don’t bother trying to forward the spam to the sender’s ISP. These days they’re mostly forged with aliases, and all you’ll do is succeed in clogging up the email system. Here are a couple of places you can go to report spammers:

• Federal Trade Commission: Yes, your tax dollars are at work. The FTC would like you to forward unwanted or deceptive messages to spam@uce.gov; and you can find details at

  www.consumer.ftc.gov/articles/0038-spam

  There the message becomes available to law enforcement (especially vital if the email is trying to get your personal information).

• SpamCop.net: This outfit’s been around since 1998 and reports spam emails to ISPs and mailers. A Report Spam tab appears on the home page (www.spamcop.net) and these folks work hard to get spammers out of the loop.

Keeping Your Password (and Accounts) Secure

When was the last time you changed your passwords? I mean the whole enchilada: eBay, PayPal, your online bank account? Hey, I’m not the keeper of the shoulds, but you should change your critical passwords every 30 days — rain or shine. That’s not just me saying that. It’s all the security experts who know this kind of stuff. The world is full of bad-deed-doers just waiting to get their hands on your personal information. Password theft can lead to your bank account being emptied, your credit cards being pushed to the max, and worst of all, someone unsavory out there posing as you.

You’ve probably seen commercials on TV poking fun at the very real problem of identity theft. If you ask around your circle of friends, no doubt you’ll find someone who knows someone who’s been in this pickle. It can take years to undo the damage caused by identity theft, so a better plan is to stay vigilant and protect yourself from becoming a victim. It can also take a lot of money — a post on Bankrate.com says “a recent study from Javelin Strategy & Research, fraudsters stole $16 billion from 12.7 million U.S. consumers in 2014, with a new identity fraud victim popping up about every two seconds.”

In this section, I give you some tips for selecting good passwords and other personal security information. I also show you the type of passwords to stay away from and what to do if (heaven forbid!) your personal information is compromised.

Reporting hijacked accounts

If someone gets hold of your personal information, the most important thing to do is report it immediately. If you see any items that aren’t yours on the Bids/Offers or the Selling area of your My eBay page, it’s time to make a report — and fast!

Okay, you know that something hinky is going on with your eBay account because you never placed a bid on the Britney Spears stage-worn T-shirt. (Did you? Let’s say you didn’t.) And you can’t imagine that your spouse did, either (but double-check just to be sure). Here’s what to do immediately:

• Change your personal email account password with your ISP or email provider. Go to their home page and look for an area called Member Center, settings, or something similar. In this area, access your personal account information — probably through a link called something like My Account. You should be able to change your password there.
• Change the email account password on your home computer. Don’t forget to change the password on your computer’s email software as well (Outlook, Firefox, and the like), so you can continue to download your email from the server.

Perhaps you discover that your private information has been compromised when you suddenly can’t log in to your eBay or PayPal account. If this happens on eBay, follow these steps to request a new password:

1. Go to the eBay Sign In page.

   Don’t type your password. You just tried that and it doesn’t work.

2. If you have your mobile number registered to your eBay account, click the Text a temporary password link, as shown in Figure 4-7.

   If you have a land or office line registered to your eBay account, click the Forgot your password link. Doing this takes you to a page where you’re prompted to type in your user ID or registered email address. Those silly security questions that you answered when you registered for eBay become very important now.

3. Alternatively, you can use your PayPal login credentials to change your eBay password.

FIGURE 4-7: The Text a temporary password link on the Sign In page.

Choosing a good secret question

If you read the harrowing procedure in this chapter’s “Act quickly but don’t freak out” sidebar, you know that having someone sabotage your eBay account is something you never want to go through. But if your secret question is easy to figure out, someone with bad intentions can wreak havoc on your account even more easily.

Your password is only as secure as the secret question, so don’t relate your password and secret question to each other in any way. For example, do not make your secret question a clue to your password — and especially don’t make your password answer the secret question. Better yet, think of your secret question as a separate, auxiliary security device for your account.

ACT QUICKLY BUT DON’T FREAK OUT

If you can’t seem to get a new password for your eBay account, and you’re unsuccessful at contacting eBay, there’s still hope. Remain calm, follow these steps, and take notes as you go:

1. Scroll all the way to the bottom, and on the left side of the page you will see a light-colored tab labeled Legal & more. Click there and links to all eBay interior pages appear (see the figure).

   Alternatively, you can go to any eBay item page (or any page on the site) and find a link at the very bottom to the Security Center. Whichever set of links you go to, click the link to the Security Center.

   

2. When you get to the Security Center, find the Report a Concern category.
3. Under the Report a Concern headline, click Report an Account Theft.

   

4. On the following page, find the boldface headline that reads If you can't sign in, contact us immediately. Click the link to contact eBay immediately.

   The page that appears has a link you can use to call eBay.

5. Click the Call us link (they are on duty 24/7).

   You will be presented with a number to call and a customer service representative will help you sort things out.

Here are some tips for setting a secure secret question:

• Never use your mother’s maiden name. That is most likely the secret that your bank uses as your challenge question. (They usually ask when you open the account.) So that is definitely out — you don’t want to give anybody that word.
• Select a question and provide a creative answer:
  • What is your pet’s name? Give an answer such as Ralph the Rhino or Graak the Pterodactyl or something a bit more wildly creative. Don’t give your actual pet’s name (or species). Anyone who knows you is likely to know your pet’s name.
  • What street did you grow up on? Name an unusual landmark from your hometown. Don’t use a street name.
  • What is the name of your first school? Make up a good one — perhaps Elementary Penguin Academy? School of Hard Knox?
  • What is your father’s middle name? Make up a goodie or skip it.
  • What is your school’s mascot? There’s a lot of creativity that can go on here. How about red-and-white-striped zebra? Pink elephant?

Your bylaws for selecting answers to a secret question are two: Be creative, and be sure you remember the darned thing! (And here’s one more: Don’t use any of the examples I just used. Make up your own.)

Avoiding easily hacked passwords

Poorly chosen passwords are the number-one loophole for hackers. If you think that hackers are just a small group of hypercaffeinated teenagers, think again. It’s now also the domain of small- and big-time crooks who hack into an account, spend a few thousand dollars that belong to someone else, and move on.

I searched Google for hacking software and came up with over 2 million matches. Many of these websites offer an arsenal of free hacking tools. They also provide step-by-step instructions for beginners on how to crack passwords. The Internet can be its own worst enemy.

Here are some industrial-strength tips for setting a secure password:

• Number of characters: Compose your password of more than eight characters.
• Case sensitivity: Because passwords are case-sensitive, take advantage of the feature. Mix lowercase and uppercase in your passwords.
• Letters, numbers, and symbols: Combine these to make your passwords harder to crack.
• Proper words: Don’t use proper words that appear in the dictionary. Think of the title of your favorite book. Make your password the first two letters of each word with numbers in the middle (not sequential).

STAY SMART: DON’T BE A MAKE-IT-EASY!

Any beginning hacker (or tech-smart teenager) can figure out your password if it falls into the following categories. Don’t use ’em! They are pathetically easy!

• The obvious: The word Password. D’oh!
• Birthdays: Don’t use your birthday, your friend’s birthday, or John F. Kennedy’s birthday. Not only are these dates common knowledge, but so is this truism: A series of numbers is easy to crack.
• Names: Don’t use your first name, last name, your dog’s name, or anyone’s name. Again, it’s common knowledge and easy to find out. (Most people know my husband’s name; it’s been in many of my books!)
• Contact numbers: Nix on any Social Security Number (if they get hold of that one — watch out!), phone numbers, your email address, or street address. For classic phone-book information, try sites like Spokeo (http://www.spokeo.com/), pipl (https://pipl.com/), or PeekYou (http://www.peekyou.com/).
• Any of the lousy (easily cracked and most frequently used) passwords in the table: The words in this table have been gleaned from password dictionaries available from hackers. Note that this is not a complete list by any means; there are thousands of common (lousy) passwords, and “unprintable” ones are a lot more common than you may think. If you really care to scare yourself, Google the phrase common passwords.

!@#$%	!@#$%^&	!@#$%^&*(	0	0000	00000000	0007
007	01234	123456	02468	24680	1	1101
111	11111	111111	1234	12345	1234qwer	123abc
123go	12	131313	212	310	2003	2004
54321	654321	888888	a	aaa	abc	abc123
action	absolut	access	admin	admin123	access	administrator
alpha	asdf	animal	biteme	computer	eBay	enable
foobar	home	Internet	login	love	mypass	mypc
owner	pass	password	passwrd	papa	peace	penny
pepsi	qwerty	secret	superman	temp	temp123	test
test123	whatever	whatnot	winter	windows	xp	xxx
yoda	mypc123	powerseller	sexy

It should go without saying, but what the heck: Don’t use any of the sample passwords shown here. It’s safe to say that lots of people will be reading this book, and anything seen by lots of people isn’t secret. (I know you know that, but still.)