October 17, 2010

Life Online: Fraud, Security, Trust, Passwords and Paranoia

Occam's Razor has an intriguing two parter, penned over the last week, about how deceitful people are mining Facebook for your personal data, taking advantage of open networking and random connections to possibly use what they discover, via your open door policy, in nefarious ways. The gist of the articles? Be extremely careful who you connect to, and say no to strangers. (See: Friending Strangers On Fakebook and its follow-up: The Cindy In Your Town)

This approach, as smart as it sounds after reading both pieces, runs contrary to one of the more widely held positions in social media, that the friend connection around the corner could be the one you most want to know. Take Thomas Power's comments on limited networks being 'flawed' as a great example of someone who believes in making as many connections as possible on all networks. Many of us do this. That's one reason why there are autofollow scripts for Twitter, and why many people complain about Facebook only allowing 5,000 friends, when it's unlikely you care about their every coming and going.

I've long taken an extremely trusting approach to the Web. I chose to accept all friend connections in Facebook quite a while ago because I don't want to dictate where people want to find my stuff. If they are more comfortable in Facebook or Twitter or Google Buzz or anywhere else, that data should be there. I've taken to using Foursquare for location, and I share many of my purchases via Blippy. I even have made real photos of my own kids as part of my presence online. There are few secrets.

Some might think this approach stupid - an inevitable march toward a mistake waiting to happen that puts my data, my money or my family in jeopardy. Finally, late this summer, something did happen, but not for the above reasons - try as I might to link them.

The first sign something was wrong was when I received an e-mail from Amazon.com that shut my account outright. You might remember my post on the issue: "To Protect Me, Amazon Has Decided to Kill Me". I had hoped it was a red herring, an oddity that was not to be repeated. But it was just the beginning of a data tug of war that made me somewhat nervous, but mostly frustrated.

At first, only Amazon was impacted, but the very next day, I got another odd order, from Zappos, saying a set of steak knives I had ordered was on its way. I canceled it immediately, and thought that maybe Amazon and Zappos' shared corporate control indicated a database surprise. They told me this was not the case. Then, as I was on the phone with Zappos, discussing the issue, I got an e-mail from TurboTax, saying I had requested the User ID associated with my e-mail.

Nice Try Getting Back Into My E-mail, Jerk

That's a big no. Of course not. So I sighed in defeat, and immediately started changing my passwords everywhere I could think of - starting with TurboTax, a mere 2 minutes later. Like most people, I have a small set of passwords I use for most accounts. I had been careful enough to change it up for the most financially impactful sites, but my most commonly used password hadn't been changed since I first started using it in college - back in 1996.

A few hours later, I got a note from Apple saying too many attempts had been made to answer my security questions on my e-mail account, and therefore, the password could not be changed. This told me that for some time, the hacker had access to my e-mail account, and had correctly guessed my password worked on other sites (like Amazon). When I changed it, I had effectively locked them out. But there was one place I hadn't looked yet, an obvious place... a commerce site directly linked to my Apple account.

I logged into the Apple Store (with my new password) and saw the joker had successfully ordered a Mac laptop and a Canon camera, both shipped overnight by FedEx, using my account. The total damage was just over $2,000. The thief had used my first and last name, and my cell phone number, but not any of my credit cards. In fact, the shipments were even sent to Sunnyvale, the same city where I live, but obviously not to me.

I Hope The Thief Enjoys His Laptop

After setting a fraud alert on my credit cards, I checked all activity on said cards practically every few hours for weeks, and saw no change. My credit score didn't get impacted, and I never heard from the thief again. I called Apple to have them check into a MobileMe breach, and they put a watch on my account. I reported the issue to the FBI's hotline, only to get a form letter saying they probably wouldn't follow up. Even a call to the local Sunnyvale police came up empty, when they said the defrauded merchant had to be a Sunnyvale shop to get any help.

As you can guess, this was completely frustrating. I still have no idea how my e-mail address was compromised, or how the thief got hold of my commonly-used password, which they then leveraged to get into other accounts. The good news is that my identity wasn't truly coopted, and no charges ever hit me directly. But it certainly put some mud on my otherwise clean view of the world.

So think about how we are sharing and possibly oversharing? Our social updates from mobile phones can now track our location down within a few feet. Is that not valuable to people who want to know where we live and where we go? Do we need to give people an extra boost to find data that doesn't belong to them? I believe strongly in trusting people and getting my data on the Web, and am happy to know that none of my use of these networks set the would-be disaster in motion. But Occam's Razor is onto something as well. Are we doomed if we are careful and doomed if we are not?

I don't mind the lesson on keeping my passwords hard to crack and change them often, but should I raise my paranoia meter thanks to this experience?