Phishing is the practice of trying to trick people into revealing their passwords. Email is the usual medium. The emails are designed by experts and are made to look like they are being sent from a valid service or application.
At first glance, it’s hard to tell what’s real and what isn’t. In reality, it’s easy to discern real emails from phishing spam. A little education about how systems administration works and about how we fall into the trap of misguided beliefs on privacy and ownership is all you need to avoid phishing scams. You’ll never be fooled by these “Please reset your password” emails again.
HOW ACCOUNTS WORK: FACEBOOK DINNER PARTY
Here’s a little story that roughly explains how computing and user accounts work.
Let’s say that the powerful and organized Facebook Family owns a house in your neighborhood. They have lots and lots of well-planned dinner parties. You don’t know them very well, but you are going to one of their parties.
The night has come, and it’s time to go to the party. You walk up to the door and knock, and the Facebook Family lets you into the house. You sit down to a nice dinner; the silverware and place settings are beautiful and the food is scrumptious. The conversation flows. Everyone has a great time. Then the night is over, and your hosts walk you to the door, then they close the door and lock it as you leave.
Now, let me ask you a few questions:
At the beginning of the night, would you have to bring keys to the Facebook house in order to get into the party? No, that would be silly. Facebook House is owned by Facebook, naturally.
When it is time to enter the Facebook House, do you have to open the door yourself? No, you’d knock on the door. Facebook owns the house and the door, so they will open the door from the inside of the house.
When dinner is over, do you take the silverware or the plates? No. You wouldn’t even be able to if you tried.
When you leave, do you tell the Facebook Family to leave, too? No. It’s their house. They stay, you go.
We all know how this basic social situation works. It isn’t too different with online services.
If a service like Facebook, MySpace, American Express, etc. runs into some sort of technical problem, they will never ask you to reset your passwords. For Facebook to ask you to reset your password is like the Facebook Family asking you for keys to the Facebook House. They’d never need to ask because they OWN THE SERVICE; they have the “keys to the kingdom.” They will reset your password from the inside if you knock on the door and ask them to. But only if you knock and ask nicely. If you have forgotten your password, then YOU can click a button and they will send a reset link to the email account you registered with them (remember which email account you use for each service). This is how it is supposed to work. It’s like you knocking on Facebook’s door and Facebook inviting you into their house. That is not Facebook wandering the streets looking for you, a stranger to them, hoping you have keys to their house. It just wouldn’t happen. Facebook never gets locked out of their own house. Ever.
The service owner (which, sadly, isn’t you) can reset any password they like. In fact, they can do WHATever they want WHENever they want. It’s their house; they can serve you whatever dinner they choose. They can read your emails, they can post using your ID, they can change any information on your account that they want. Do they fool around with user accounts? No (who has the time?!). But they’ll NEVER need your help with account administration. Ever.
So, knowing that all services have access to all aspects of their service, ask yourself why they would need you to reset your password. They wouldn’t. Phishing emails prey on the innocent who don’t know better.
HOW OWNERSHIP WORKS: THEY GOT IT, YOU DON’T
Western culture’s views on privacy and ownership help phishing scams work. We all think that we own our accounts. We don’t. Let me repeat: We do not own our accounts.
Don’t believe that your account is your own. It isn’t. It’s Facebook’s. You don’t own the dining room chair that you sit in at the Facebook House dinner party. You don’t own the food they serve you, or the forks or knives or napkins. You have no claim to anything within the Facebook House. You can come to dinner, enjoy yourself, and go home, but you can’t take your plate home with you, because it isn’t yours.
This was the hardest thing to drill into people’s heads when I was a systems admin for a Fortune 500: The company can control, look at, search, read, take over, claim and otherwise wreak whatever havoc they desire on your email account. The company owns it; you do not. Our inherent ideas of privacy and ownership run deep, and the fact that you don’t own your email, Facebook, or any other online account is hard to swallow for most people. But it’s the truth. No legislation is ever going to change this fact. Accept it now. I’ll give you a moment for this to sink in.
OK. Ready? Now that you’ve accepted the hard truth, you’ll be safer in the long run. Why? Because you will recognize phishing attempts for what they are: well-designed tricks meant to prey on your deep-set cultural notions of privacy and ownership. If you realize that services don’t need your help in administering accounts because you, in fact, don’t own the account (the service does), you will be less likely to fall for the onslaught of phishing emails coming down the pike. You’ll realize that the email must be a fake attempt by scammers who aren’t the owner of the service (because if they WERE the owner, they’d wait for you to knock on the door before they opened it).
Below is the example of phishing I received today. I knew it was fake because:
1. Facebook doesn’t need my help in changing my password.
2. I didn’t ask Facebook to change my password.
3. The email was sent to the wrong email address. I use a different one for Facebook.
4. It has a zip file attachment. No password reset email (even one I initiate by asking the service to reset my password) should have an attachment. Only a link.
5. It’s super generic. It doesn’t address me by name, not first and last, not any. Just “Dear Facebook user.”
6. If a service contains its own messaging system, the service will use that messaging system first (e.g., Facebook would just send an in-Facebook message for any announcements, etc.).
Here’s the email:
From: password [at] facebook [dot] com (Facebook Security)
Subject: Facebook Password Reset Confirmation! Customer Message.
Date: February 8, 2010 10:05:38 AM EST
To: christine [at] purplecar [dot] net
Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
(attached file: Facebook_password_37413.zip ZIP archive 36.7 KB)
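As an added example (not from the original post), here is a small Python checker that applies red flags 1 through 5 above to a raw email; flag 6 (whether the service would have used its own in-app messaging) is not something a script can judge from the message alone. The sample message is constructed from the quoted email with the [at]/[dot] obfuscation undone and a minimal MIME layout added, and the address registered with the service is an assumed value, since the post only says it differs from the one the phish was sent to.

```python
from email import message_from_string
# Constructed sample modelled on the phishing message quoted in the post, with
# the [at]/[dot] obfuscation undone and a minimal MIME layout added.
SAMPLE_PHISH = """\
From: Facebook Security <password@facebook.com>
To: christine@purplecar.net
Subject: Facebook Password Reset Confirmation! Customer Message.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="Facebook_password_37413.zip"

--b1--
"""
# Address the reader registered with the service (assumed; the post gives none).
REGISTERED_ADDRESS = "christine.fb@example.com"
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear facebook user")

def phishing_indicators(raw, registered_to, requested_reset=False):
    """Return the post's red flags that match this message (empty list = none)."""
    msg = message_from_string(raw)
    subject = (msg["Subject"] or "").lower()
    recipient = (msg["To"] or "").lower()
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            body += part.get_payload(decode=True).decode(errors="replace")
    body_l = body.lower()
    flags = []
    # 1 and 2: a password reset/change notice the recipient never asked for.
    if not requested_reset and "password" in (subject + body_l) and ("reset" in subject or "changed" in body_l):
        flags.append("unsolicited password reset/change notice")
    # 3: sent to an address other than the one registered with the service.
    if registered_to.lower() not in recipient:
        flags.append("recipient is not the address registered with the service")
    # 4: a genuine reset email carries a link, never an attachment.
    if attachments:
        flags.append("carries attachment(s): " + ", ".join(attachments))
    # 5: a generic greeting instead of the account holder's name.
    if any(body_l.startswith(g) or "\n" + g in body_l for g in GENERIC_GREETINGS):
        flags.append("generic greeting, does not address the recipient by name")
    return flags
```

Running `phishing_indicators(SAMPLE_PHISH, REGISTERED_ADDRESS)` on the sample returns four flags; a reset email you asked for yourself, sent to the right address with a link and no attachment, returns none when called with `requested_reset=True`.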
WHAT TO DO IF YOU’VE FALLEN FOR A PHISHING EMAIL:
1. Immediately reset the passwords that you gave up. Go to the service (e.g. Facebook) right away and click on the password reset button.
2. Change the password on your email.
3. Change the password on your financial accounts, if it was the same password (hopefully NOT!).
4. Consider requesting a credit report if your passwords to your accounts were the same, or if you suspect that the scammers have gotten hold of your financial or other important private information.
5. Contact the customer service departments of all of the accounts that have the same password that you gave up to the phishing attempt.
6. Stay alert and wait to see if anything odd happens in your account over the next several weeks.
Stay safe, everyone!
Please put your rants in the comments. 🙂
-Christine Cavalier, PurpleCar
Christine [at] purplecar [dot] net