New Targets
How Safe Is Your Webmail Account?
By Kim Boatman
Clay Blackham seldom used his free Hotmail account. So by the time he noticed his account had been hacked, the hacker was running up bids on Blackham’s eBay account.
“It was tied directly to my Hotmail account,” explains Blackham, partner in a public relations firm in Sandy, Utah, a Salt Lake City suburb. “All that person needed to do was click on ‘forgot password’ from eBay.” It took Blackham a couple of weeks to figure out how to reset his Hotmail password -- but far less to learn a valuable lesson or two.
Many of us are flocking to free email accounts from Yahoo, Google and other providers. These so-called “webmail” accounts offer the flexibility of checking your email from any computer with Internet access and the convenience of keeping the same email address even if you change Internet providers. But a recent spate of security issues has raised concerns about webmail accounts. Most famously, former Republican vice presidential candidate Sarah Palin’s webmail account was hacked during the campaign.
If you use webmail, a number of precautions can help keep your account and your information secure, say security experts. “Most people think this stuff is kind of magical, that the computer gods are making sure they’re protected,” says Robert Siciliano, a Boston-based identity theft expert. “The reality is you need to know what your responsibilities are to make sure you are protected.”
Here are some precautions experts recommend:
- Use strong passwords: By now, almost all of us know we should choose a password that isn’t easily guessed. But what you might not realize, says Siciliano, is that a seemingly obscure password using just letters can be easily hacked. So-called dictionary attacks use software programs to scan all the words in the dictionary -- and combinations of words, Siciliano says. Lists of common passwords can be found on the web, as well. “Your kid’s name or your dog’s name are just not all that effective,” says Siciliano.
An alpha-numeric password -- a series of letters and numbers -- works best, say the experts. Now, here’s the tricky part. Once you create a strong password, you need to remember it. Writing it down somewhere is a recipe for trouble, say the experts. Work to make your alpha-numeric password memorable in some way.
- Don’t share that password: It sounds like basic common sense, right? However, “a large number of account compromises are simply violations of trust,” says Leo A. Notenboom, the long-time owner of a Seattle-area software company and the host of a free technical support website, Ask Leo! On his website, Notenboom responds to many issues related to free email accounts. “At some point, for some reason, you tell your best friend, a trusted family member or co-worker your password, and then some point later, there’s a violation of that trust,” Notenboom says. “Unfortunately, it happens more often than you’d think.”
- Reset your password: So, you’ve gone through the trouble to set a strong password and to memorize it. Now you have to be willing to change it. “What I learned was to have a password that resets every so many days,” says Blackham, the victim of a hacked account. “In the case of Hotmail, you can set it up to reset every 72 days.”
- Give the wrong answer: Palin’s hacker apparently changed her password using the security question attached to the “forgot my password” link to her email account. These days, with more of us sharing information via social networking, questions about where you attended high school or your mother’s maiden name are easily answered. “Privacy, as we know it, is dead,” says Siciliano. “Privacy is essentially an illusion.” The simple solution, say Siciliano and other experts, is to give a fake answer to these sorts of questions. Of course, you’ll want to give a fake answer you can remember.
- Protect personal information: Understand that the content of your emails might not be encrypted, or protected in such a way that someone who intercepts your email wouldn’t understand the content. “Communicate whatever data you choose knowing there is inherent risk involved,” advises Siciliano. Want to know if your communication is secure? Look for https in the web address. If you use Gmail, you can log in using an https address. The downside is that Gmail works slower using the encrypted login.
- Back up critical info: Free web-based email services are generally responsive when a problem that affects many users develops, say the experts. But don’t expect much in the way of customer service for your individual issues, says Notenboom. “There’s the expectation that the account will always be there, and that if something goes wrong, there’ll be someone or some way to resolve the issue,” he says. Email and contacts can be lost on occasion. “When this happens, more often than not, there’s nowhere to turn to recover the information,” Notenboom says. An email service for which you pay is likely to be more responsive, he says.
Don’t rely on your free account as the sole repository of critical information. Notenboom once heard from a graduate student who had kept his master’s thesis on his Hotmail account. “When he lost his account, for reasons which were never clear, he lost all of his work,” says Notenboom. “Years of research gone in an instant. Something as simple as a backup of the document or the account would have saved him his degree.
“I hear regularly from people who’ve lost treasured messages, contacts, photos and more due to issues around their free email accounts.”
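To make the “Use strong passwords” advice concrete, here is an added example (not part of the original article) of a check that flags a password a dictionary-based guesser would cover: a listed common password, a dictionary word, or several words run together. It goes slightly beyond the text by also catching words with a simple suffix or symbol swaps; the word lists and function names are constructed for illustration.

```python
import re

# Constructed sample lists; a real check would load a full dictionary
# and a published list of common passwords.
WORDS = {"blue", "sun", "shine", "sunshine", "dog", "rex", "max", "love",
         "monkey", "dragon", "summer", "house"}
COMMON = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# Letter-for-symbol swaps that guessing tools routinely undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def splits_into_words(text, words=WORDS):
    """True if text is one dictionary word or several run together."""
    # reachable[i] means text[:i] can be written as a sequence of words.
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        reachable[end] = any(
            reachable[start] and text[start:end] in words
            for start in range(end)
        )
    return len(text) > 0 and reachable[-1]


def weakness(password):
    """Return a reason the password is guessable, or None."""
    lowered = password.lower()
    if lowered in COMMON:
        return "on a common-password list"
    if splits_into_words(lowered):
        return "dictionary word or combination of words"
    # Strip digits/punctuation tacked on the end, e.g. 'rex2009' or 'max!'.
    core = re.sub(r"[^a-z]+$", "", lowered)
    if core != lowered and splits_into_words(core):
        return "dictionary word(s) with a simple suffix"
    # Undo symbol swaps, e.g. 'dr@g0n' -> 'dragon'.
    unswapped = lowered.translate(LEET)
    if unswapped != lowered and splits_into_words(unswapped):
        return "dictionary word(s) with symbol swaps"
    return None
```

A result of `None` only means the password is not covered by these particular lists, so the larger the lists loaded, the more meaningful the check.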
You may utilize free email accounts and other web-based technologies for the sake of convenience. But it’s important to monitor your critical information, says Siciliano. Keep watch on your credit card statement, monitor your credit reports and regularly run anti-virus software on your computer -- and keep the software updated, advises Siciliano. “Ultimately, you need to make sure you are not the path of least resistance,” he says.
Kim Boatman is a Silicon Valley, Calif., journalist who writes about security and technology. She spent more than 15 years writing about a variety of topics for the San Jose Mercury News.