
Facebook as a Source of Passwords for Hackers


An article on Macworld discusses how phishers are using Facebook as a source of passwords, which, in many cases, can allow them to steal users’ identities on other web sites. This all starts with the usual phishing attack: a hacked Facebook account sends links to friends, and these users see what looks like a real log-in page. When a user enters their name and password, the phishers have valuable information that may be useful for more than just a Facebook account.

Many computer users have a single password for all their online activities, including sites such as Facebook, e-commerce sites, and their banks. In this case, grabbing that password – and being able to link it to a user via their Facebook info – is like having a key to all their identity information.

There are two lessons to be learned here. First, always check the URLs of “login” pages. Even if they look real – and, heck, anyone can copy the HTML code and graphics from a web page and make a copy – the URL should tell you something about whether the page is real. If you have any doubt, type in the URL of the site you want to log into (such as www.facebook.com), then click the Login link on that page.
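The URL check described above can be made mechanical. The following is an added example, not code from the original article: `checkLoginUrl`, `EXPECTED_HOSTS` and the sample links are assumptions constructed for illustration, and the HTTPS requirement goes beyond what the article itself says.

```javascript
// Added example: decide whether a "login" link really points at the expected site.
// EXPECTED_HOSTS is an assumption; the article only names www.facebook.com.
const EXPECTED_HOSTS = ["facebook.com"];

function checkLoginUrl(link, expectedHosts = EXPECTED_HOSTS) {
  let url;
  try {
    url = new URL(link); // WHATWG parser: lower-cases and normalises the host
  } catch (e) {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Anything before "@" is userinfo, not the host, even if it looks like a site name.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before @ hides the real host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  // The expected name must be the END of the host, on a label boundary.
  // A host that merely starts with or contains the name is a look-alike.
  const match = expectedHosts.some(h => host === h || host.endsWith("." + h));
  if (!match) {
    return { ok: false, reason: `host ${host} is not the expected site` };
  }
  return { ok: true, reason: `host ${host} belongs to the expected site` };
}

// Constructed sample links (the .example hosts are placeholders, not real sites).
const samples = [
  "https://www.facebook.com/login.php",
  "https://www.facebook.com.login-check.example/login.php",
  "https://www.facebook.com@login-check.example/",
  "https://notfacebook.com/login.php",
  "http://www.facebook.com/login.php",
];
for (const s of samples) {
  const r = checkLoginUrl(s);
  console.log(`${r.ok ? "OK    " : "REJECT"} ${s} (${r.reason})`);
}
```

The point to take from it is that a host is read from right to left: only the first sample ends in the expected name, even though three of the rejected ones contain it.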

Second, don’t use a single password for all your accounts. Make up a number of passwords, and don’t use your pet’s name, your kid’s name, or anything else that people can find on public web sites about you. Here’s a suggestion: make a password using two words and a number. If you’re a fan of, say, Lost, why not use something like ben108locke? You could even alternate capital letters: BeN108lOcKe to make it even sneakier. It’s hard to figure out, does not appear in any dictionary, yet it’s probably very easy to remember if you’re a Lost fan. Then, make a new password for your bank site: how about sawyer23kate? And for e-commerce sites? Try island42widmore. Security through obscurity is your friend.
