Phishing is the practice of trying to trick people into revealing their passwords. Email is the usual medium. The emails are designed by experts and are made to look like they are being sent from a valid service or application.
At first glance, it’s hard to tell what’s real and what isn’t. In reality, it’s easy to discern real emails from phishing spam. A little education about how systems administration works and about how we fall into the trap of misguided beliefs on privacy and ownership is all you need to avoid phishing scams. You’ll never be fooled by these “Please reset your password” emails again.
HOW ACCOUNTS WORK: FACEBOOK DINNER PARTY
Facebook owns this candlestick
Here’s a little story that sort of explains how computing and user accounts work.
Let’s say that the powerful and organized Facebook Family owns a house in your neighborhood. They have lots and lots of well-planned dinner parties. You don’t know them very well, but you are going to one of their parties.
The night has come, and it’s time to go to the party. You walk up to the door and knock, and the Facebook Family lets you into the house. You sit down to a nice dinner; the silverware and place settings are beautiful and the food is scrumptious. The conversation flows. Everyone has a great time. Then the night is over, and your hosts walk you to the door, then they close the door and lock it as you leave.
Now, let me ask you a few questions:
At the beginning of the night, would you have to bring keys to the Facebook house in order to get into the party? No, that would be silly. Facebook House is owned by Facebook, naturally.
When it is time to enter the Facebook House, do you have to open the door yourself? No, you’d knock on the door. Facebook owns the house and the door, so they will open the door from the inside of the house.
When dinner is over, do you take the silverware or the plates? No. You wouldn’t even be able to if you tried.
When you leave, do you tell the Facebook Family to leave, too? No. It’s their house. They stay, you go.
We all know how this basic social situation works. It isn’t too different with online services.
If a service like Facebook, MySpace, American Express, etc. runs into some sort of technical problem, they will never ask you to reset your passwords. For Facebook to ask you to reset your password is like the Facebook Family asking you for keys to the Facebook House. They’d never need to ask because they OWN THE SERVICE; they have the “keys to the kingdom.” They will reset your password from the inside if you knock on the door and ask them to. But only if you knock and ask nicely. If you have forgotten your password, then YOU can click a button and they will send your authorized email account a reset link (remember which email account you use for each service). This is how it is supposed to work. It’s like you knocking on Facebook’s door and Facebook inviting you into their house. That is not Facebook wandering the streets looking for you, a stranger to them, hoping you have keys to their house. It just wouldn’t happen. Facebook never gets locked out of their own house. Ever.
The service owner (which, sadly, isn’t you) can reset any password they like. In fact, they can do WHATever they want WHENever they want. It’s their house; they can serve you whatever dinner they choose. They can read your emails, they can post using your ID, they can change any information on your account that they want. Do they fool around with user accounts? No (who has the time?!). But they’ll NEVER need your help with account administration. Ever.
So, knowing that all services have access to all aspects of their service, ask yourself why they would need you to reset your password. They wouldn’t. Phishing emails prey on the innocent who don’t know better.
HOW OWNERSHIP WORKS: THEY GOT IT, YOU DON’T
You don't own these! (photo by Peter Rice)
Western culture’s views on privacy and ownership help phishing scams work. We all think that we own our accounts. We don’t. Let me repeat: We do not own our accounts.
Don’t believe that your account is your own. It isn’t. It’s Facebook’s. You don’t own the dining room chair that you sit in at the Facebook House dinner party. You don’t own the food they serve you, or the forks or knives or napkins. You have no claim to anything within the Facebook House. You can come to dinner, enjoy yourself, and go home, but you can’t take your plate home with you, because it isn’t yours.
This was the hardest thing to drill into people’s heads when I was a systems admin for a Fortune 500: The company can control, look at, search, read, take over, claim and otherwise wreak whatever havoc they desire on your email account. The company owns it; you do not. Our inherent ideas of privacy and ownership run deep, and the fact that you don’t own your email, Facebook, or any other online account is hard to swallow for most people. But it’s the truth. No legislation is ever going to change this fact. Accept it now. I’ll give you a moment for this to sink in.
…
OK. Ready? Now that you’ve accepted the hard truth, you’ll be safer in the long run. Why? Because you will recognize phishing attempts for what they are: well-designed tricks meant to prey on your deep-set cultural notions of privacy and ownership. If you realize that services don’t need your help in administering accounts because you, in fact, don’t own the account (the service does), you will be less likely to fall for the onslaught of phishing emails coming down the pike. You’ll realize that the email must be a fake attempt by scammers who aren’t the owner of the service (because if they WERE the owner, they’d wait for you to knock on the door before they opened it).
——-
Below is the example of phishing I received today. I knew it was fake because:
1. Facebook doesn’t need my help in changing my password.
2. I didn’t ask Facebook to change my password.
3. The email was sent to the wrong email address. I use a different one for Facebook.
4. It has a zip file attachment. No password reset email (even one I initiate by asking the service to reset my password) should have an attachment. Only a link.
5. It’s super generic. It doesn’t address me by name, not first and last, not any. Just “Dear Facebook user.”
6. If a service has its own messaging system, the service will use that messaging system first (i.e., Facebook would just send an in-Facebook message for any announcements, etc.).
Here’s the email:
From: password@facebook.com (Facebook Security)
Subject: Facebook Password Reset Confirmation! Customer Message.
Date: February 8, 2010 10:05:38 AM EST
To: christine@purplecar.net
Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.
(attached file: Facebook_password_37413.zip ZIP archive 36.7 KB)
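As an added example (not part of the original post), here is the checklist above applied mechanically to that email: the script parses the message with Python’s standard email package and reports which of checks 1 to 5 fire. The registered address christine-fb@example.com, the contrast message from example.com and the stub zip payload are constructed placeholders, not values from the page.

```python
import email
from email import policy

# Constructed re-typing of the phishing mail quoted above as a raw RFC 822
# message (the page shows it rendered; the zip part here is a stub EOCD record).
PHISH = """From: Facebook Security <password@facebook.com>
Subject: Facebook Password Reset Confirmation! Customer Message.
Date: Mon, 08 Feb 2010 10:05:38 -0500
To: christine@purplecar.net
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear user of facebook,
Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.
Thanks,
Your Facebook.
--b1
Content-Type: application/zip; name="Facebook_password_37413.zip"
Content-Disposition: attachment; filename="Facebook_password_37413.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed contrast case: a reset mail the user actually asked for.
GENUINE = """From: Example Service <no-reply@example.com>
Subject: Your password reset link
To: christine-fb@example.com
Content-Type: text/plain

Hi Christine Cavalier,
You asked us to reset your password: https://example.com/reset?token=PLACEHOLDER
"""

GENERIC = ("dear user", "dear customer", "dear member", "dear valued")

def triage(raw, registered_address, requested_reset=False):
    """Apply checks 1-5 from the list above and return the codes that fired.
    Check 6 (a service would use its own in-app messaging) is not visible in
    the mail itself, so it is left to the reader."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    about_password = "password" in subject or "password" in text
    fired = []
    # 1 + 2: nobody asked for a reset, yet the mail says one happened
    if about_password and not requested_reset:
        fired.append("unsolicited_reset")
    # 3: delivered to an address the service does not have on file
    to_hdr = msg["To"]
    recipients = {a.addr_spec.lower() for a in to_hdr.addresses} if to_hdr else set()
    if registered_address.lower() not in recipients:
        fired.append("wrong_recipient")
    # 4: a password mail should carry a link, never an attachment
    if about_password and any(True for _ in msg.iter_attachments()):
        fired.append("attachment_on_password_mail")
    # 5: generic salutation instead of the account holder's name
    first_line = text.strip().splitlines()[0] if text.strip() else ""
    if any(first_line.startswith(g) for g in GENERIC):
        fired.append("generic_greeting")
    return fired
```

Run against the quoted message with the address you actually registered, all four machine-checkable signs fire; the contrast message, requested by the user and sent to the right address, trips none of them.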
——
WHAT TO DO IF YOU’VE FALLEN FOR A PHISHING EMAIL:
1. Immediately reset the passwords that you gave up. Go to the service (e.g. Facebook) right away and click on the password reset button.
2. Change the password on your email.
3. Change the password on your financial accounts, if it was the same password (hopefully NOT!).
4. Consider requesting a credit report if your passwords to your accounts were the same, or if you suspect that the scammers have gotten a hold of your financial or other important private information.
5. Contact the customer service departments of all of the accounts that have the same password that you gave up to the phishing attempt.
6. Stay alert and wait to see if anything odd happens in your account over the next several weeks.
Employers are vetting out applicants online. The new adage is “Google them.” Some employers are stepping over the line of a simple web search to asking for an applicant’s password to social networking sites such as Facebook, Twitter, and Myspace. This may seem like prudent vetting practice, but in fact it’s more troublesome and legally dangerous than it is worth.
After an uproar over privacy laws on the Internet, a Montana city government retracted their policy of asking for applicants’ private passwords for social networking sites. Personally, I think Montana was fortunate it was an uproar on the internet and not an EEOC lawsuit that caused them to rethink their policy. Collecting a mere applicant’s or even an employee’s private credentials is not only legally dangerous, but unnecessary.
Let’s think through the logic of this. Say an employer, “BigCompany,” wants to vet potential 17-year-old intern “Sarah Genius”; they want to ensure she conducts herself in a manner that is becoming to BigCompany. BigCompany’s Human Resources staff, namely low-on-the-totem-pole tech “Pete BadApple,” conducts a simple web search and views what the public can see online about her.
Pete BadApple fancies himself an expert internet searcher. He finds every group Sarah Genius had ever briefly been a member of, every update she posted on MySpace, and every forum she ever lurked on. This is all just public information. Pete BadApple makes a note that Sarah Genius suffers from diabetes and kidney problems (information he assumes based on her group memberships). Pete BadApple uses Sarah’s passwords to log in as Sarah on Facebook. He concludes that Sarah is African-American, based on her family and friend connections. Pete BadApple had met Sarah Genius during the interview process (and found her to be quite cute, actually), and this information is jarring to him.
Still, Pete BadApple continues on, looking through Sarah Genius’s friend lists. Lo and behold, Pete finds that Sarah is a cousin of Huge MovieStar. Huge MovieStar has a private profile and is connected only to friends and family that also have private profiles. They are a tight-knit group and protect Huge MovieStar’s privacy fiercely. Well, Pete BadApple is logged in as Huge MovieStar’s cousin, Sarah Genius, so Pete can thumb through Huge MovieStar’s updates. He finds that Huge MovieStar, who is all over the headlines for being tapped to star as the Next Indiana Spider-Terminator, was newly diagnosed with Leukemia. The headlines have no idea about this, and the movie studio would certainly withdraw the offer if they knew. Pete BadApple is a little short on cash this month, so he calls and sells the story to a tabloid, sending screen shots as proof. Pete BadApple finishes his vetting process of Sarah Genius and emails his report to his boss, and then forwards a copy to his friend, adding pictures of Sarah Genius in a topless bikini, captioning the pictures with “Can you believe this chick is Black? She’s totally hot anyway!”
Lo and behold, somehow Pete BadApple’s report and email wind up in the hands of an EEOC lawyer and the local and federal law authorities that investigate child pornography. BigCompany now has a Big Problem.
Even if Pete BadApple were Pete GoodApple, the mere public web search may have brought up information that, although public, should not be part of the vetting process. Pete BadApple should not have included Sarah Genius’s medical-condition support group memberships in his report. This information violates the law. The other concern is that every company has a Pete BadApple. Even Pete GoodApple can “turn bad” when faced with potentially money-making information about an applicant. Why put your employees in that situation and your company at risk?
Nowhere in this process should private interactions come into public view. When you vet a person’s background, you should worry only about what the public can see about that person. Of course, password protection and site security aren’t foolproof and one day private information may become public (although this is a very rare occurrence); we can understand why BigCompany wants to make sure Sarah Genius isn’t a closet freak. But just because the Internet makes it more possible than ever to vet out a person’s background, it doesn’t mean an employer should. Employers got along just fine before Facebook. BigCompany can better predict Sarah’s future performance by looking at her past performance than they can aptly predict her performance based on her private web page. In fact, Sarah’s private web persona is most likely very different than her work or everyday persona. If employers make assumptions based on the content of Facebook Walls, they will be likely passing up qualified candidate after qualified candidate (this is especially true when the hiring manager is a Boomer and the applicant is from Gen X or Y).
An applicant’s privacy is better left intact. If you are an employer, rely on the old-fashioned vetting methods like a credit check and recommendations, and add a regular web search of public pages. Ignore memberships in any public support groups or forums. Keep your company free of legal and civil complications.
What do you think? Have you run into a situation at work where someone’s online privacy was violated? Heard of any lawsuits about this type of thing? Let’s discuss in the comments.
Speaker: Christine Cavalier (purplecar.net / @purplecar)
Title: “How 2 Talk 2 Aliens”
Date: March 19, 2009
Conference: “Social Media Jungle: New York City” #smjnyc
Recorded By: Bill Cammack
A “meme” is a little chain-letter-like game that people send around the internet. You may have heard of Facebook’s latest meme “25 Things” (that was started by users, not the Facebook staff).
Ever wonder how these memes begin?
Let’s use the 100 Book meme that is hitting Facebook this week. It’s a good study on how memes get started, how they change over time, and how they grow.
I just caught this from FriendFeed user Mark Dykeman:
“This is one of those Facebook memes that keeps circling around the universe. I answered it on Facebook, but since some of you might not have access to my Facebook account, I thought I’d post the results here.
‘The BBC believes the majority of people will have only read 6 of the 100 books here.
Go to your profile, choose notes, post a new note – copy and edit.
Instructions: Look at the list and put an ‘x’ after those you have read.’”
Mark goes ahead and checks off the books he’s read on the list. It’s more than 6. The list is below, but hang here with me for a second.
Before you get your feathers ruffled about the audacity and snobbery of the BBC, let’s take a better look at this.
I looked for the origin of the meme by checking urban-myth-busting site Snopes and the BBC website. Snopes had nothing about how the BBC supposedly claimed that most people will have read only 6 books on the entire list. Snopes usually catches rumors quickly, but they don’t necessarily investigate every silly Facebook meme. Personally, I doubt the BBC would have said that, but let’s be honest: They’ve said worse.
On the BBC site I found no quotes, articles, or any mention whatsoever about the 6 book number; I did find the BBC’s BIG READ list where they list 100 books and they ask UK’ers to vote on their favorites. Both the list from the Facebook meme and the BBC’s Big Read list look similar. Could they be the same list?
So I stuck them in a spreadsheet and compared. 63 of the books are shared; 37 of the books are not.
Here is the shared list:
63 FB List titles on left, 63 BBC List titles on right. This list contains exactly the same books, with titles edited.
You’ll notice some of the book titles are written slightly differently, which implies more editing by the clever meme maker (whom we’ll refer to as the Facebook Meme Maker, FMM) who adjusted the original BBC list. (With the Facebook Meme’s “Harry Potter Series” entry, I just used the first Harry Potter book. Same with “The Faraway Tree Collection.” In a list of 100 books, it’s confusing to reference a series.)
So this table contains the 63 shared titles. That means 37 titles were deleted and new ones added by the Facebook Meme Maker.
Here are the remaining 37 titles from the Facebook meme next to the original 37 from the BBC list:
37 FB List titles on left, 37 BBC List titles on right. The lists don't share titles.
Seems like FMM preferred more American authors and books that were later adapted into successful movies. Maybe FMM heard some rumor that the BBC was dissing American authors and readers and felt like putting some of her/his own favorites on the list. Who knows?
But this meme has some of the great signs of a viral commodity:
1. The meme’s subject is elitist in that it says something about the user’s level of intelligence. (“What? You haven’t read War and Peace?!”) This fosters (usually friendly) competition amongst friends.
2. The meme has a whiff of injustice that stirs up indignance. (“How DARE the BBC say that?! GIMME THAT LIST!”)
3. Filling out / answering the meme doesn’t take much time. “Put an X by the books you’ve read.”
4. 100 books is perfect. A nice, big milestone number. “16 Things” (which I filled out) didn’t take off on Facebook but “25 Things” did. People gravitate toward milestone, lucky, and zero-ending numbers in this culture. No-one will look at an “82 Books You Need to Read” list. “100” grabs everyone’s attention.
The FMM probably saw the BBC list and wondered how many of the books she/he had actually read. Out of curiosity, the FMM checked off which book titles were familiar. Perhaps when the number of recognized titles were low, the FMM decided to add the ones she/he did in fact read. What followed was an email or two, with bragging evidence attached, of course, to a few dozen friends on Facebook. Voila! A meme is born.
People who successfully ignore memes will be sucked into this one for the false academic quality of it. It’s about traditional literacy; we all take the “How Well Read Are You?” measurement quite seriously.
I myself am trying to work on being better read. With all the hype about how the internet and tv are melting our brains, this meme is a zinger. It feeds all the fear surrounding the changes in our culture. It will most likely take off and get so big that Snopes will have to post on it.
Now you know how memes like this start. And you also know why I’m not going to be sucked in. It’s a hoax created by a smart FMM who blended some pop culture news story from half-way across the world into a pride-ruffling insult that must be disproven immediately by the educated American masses. Have fun with it if you like, but please don’t spread the indignant attitude. Reading itself should be a positive and inclusive activity.
Skeletons in my closet: To Friend or Not to Friend the Ex.
The other shoe dropped for me last week.
One shoe: The internet.
Other shoe: The past.
Don’t be smug. You think you’re ungoogleable? You think it won’t happen to you? It will. Skeletons have broadband access in your closet. Prepare yourselves.
I’m going to tell you the story knowing full well that the person I mention, my ex-boyfriend, will probably be reading this. Normally, I am quite polite. I’d steer quite clear of this breach of privacy, but the situation is more and more common and we could all use some help. We need to sit down and talk about this.
So, in the interest of science and all life digital, I will tell you the story.
My ex-boyfriend found me online.
We’re not talking the ex from grade school, the cute one with the first kiss behind the willow tree on the playground, in the breezy shade from the summer sun. (That ex friended me too, and that’s cool).
No. We’re talking the person that I thought I was going to marry. A college love. Serious. Meaningful. Heartbreaking. The mess you never ever want to see your children go through. The Break-Up of the Century. That was over 15 years ago. This Ex and I didn’t end well. There was no contact and no closure. I was OK with this.
(I wrote this as a sample blog post back in March of 2008 for a potential blogging gig. Don’t know if they ever published it – which they didn’t have permission to do – but here it is. You can see some much better and funnier posts on the same subject by googling ‘weird facebook groups’.)
Facebook groups provide hours of web-surfing entertainment. Here are 5 Weird (but active) Facebook groups you will probably never surf into without the help of an internet sherpa. There are a lot of hilariously titled groups on Facebook, but these 5 have activity, have real life members, and are relatively esoteric:
PHILLIP ZIMBARDO- HE KNOWS WHERE YOU LIVE. This is just one example of the 12 Facebook groups that center around infamous Stanford Prison Experiment psychologist Phillip Zimbardo. For those of us who aren’t familiar, the 1971 Stanford Prison study turned squeaky clean undergraduates into ruthless animals in a matter of hours. Dr. Zimbardo seems to still have his die hard fans!
“I’m a Bostonian and I’ve seen the guy on the bike who makes the siren noise” The title alone is enough to make you click through. Although the ‘sightings’ timeline hasn’t been updated since 2007, the discussion boards are still active. What’s great about this group is that its Facebook category is Sports & Recreation. ‘Boston Broken Toe Avoidance’ will be a ratified Olympic sport by 2016.
Weird Instrument Lovers Know what mellotrons and duduks are? Do you play watermelons? Bubblewrap? How about bowed psaltery, mbiras, or a vibraslap? No? Then no Tibetan signal horn soup for you.
I Tend To Fart In Public. Listed under Philanthropic Organizations, this group is worth looking up just for the first video posted on its page. Here’s the description: “This is a group for sharing horror stories about farting in a socially unacceptable setting. It’s happened to all of us and we could all use a safe place to talk about it.”
World Pet Memorial Day (Canada) “This group helps raise awareness of World Pet Memorial Day in a safe and respectful manner” says the description. There is an unsafe way to let people know about dead pets? And there are other chapters?
SUMMARY: Adam Slaney warning (or the latest one about “Richard Peel” or “ASHLEY MARC JAMES” or “CHRISTOPHER BUTTERFIELD” or “Simon Ashton” on FaceBook) is fake.
Social media has great potential, both good and bad. It can find you help in a hurry or cause you tons of frustration. Today I had to do some investigation to determine if Facebook was the unsuspecting abettor in a “denial of service” (DoS) social network attack.
We geeks recognize a DoS attack when hackers send so many requests to a page (or so many emails, etc.), that it crashes the server, putting your website out of commission until your security team can combat the offending spam. Another DoS attack, often categorized under ‘cyberbullying’ (or, what I like to call Social Network Abuse), can be waged by one user with a way to reach many on-line contacts.