April 3, 2009 By Mark Kemmerle
Used with permission from the Maine Office of Information Technology
This month's security item is an e-mail that was sent to us by a Maine OIT employee. The employee gave permission to reprint the e-mail, but ask that we not reveal the identity of the contributor. This is a true story of something that happened to a Maine citizen, an IT professional, and someone who knew the basic security principles of password protection. It serves as a good lesson for us all that no matter how careful we think we are being, it only takes one small mistake for things to unravel quickly.
Our co-worker's story:
"I think that a lot of people don't take it serious when they are told to use a different password for everything and people like me assume they are really careful and nothing will happen to them."
Often times in my hotmail account I get a "phishing" e-mail that contains a fake PayPal link and since I know better I simply hit forward and send it on to the PayPal security team. On March 9, 2009 I received one, and because I haven't used PayPal since September of last year I didn't read it and just forwarded it to them. On March 10, 2009 I received an e-mail from PayPal stating my account had been changed to limited access in the subject line so I read it and it was limited because they believed a third party had accessed my account. They didn't state in the e-mail that there had been any transactions so I shrugged it off and figured I'd log into my PayPal and cancel the account as I don't use it anymore. To my surprise when I logged in there was a transaction there for over 400 GBP which translated into $645.59 USD. In addition, the hacker had changed my address to an address in Lithuania. I then logged into my bank account and the money was gone. I obviously was very upset as I am a single income supporting my family and things are tight (as they are for everyone). I called my bank and filed a claim and called PayPal and did the same thing.
You may use or reference this story with attribution and a link to