The other night while I was sleeping all snuggled under the covers, I think the Elves were at work. I woke at 4 am to find that my msn e-mail account sent an e-mail with weight-loss information to my Contact List. Oh, and the Elves did not discriminate; they sent the e-mail to both professional and personal contacts. That was thoughtful of them, don’t you think?
This is the first time I’ve had this happen so I can now fully empathize with everyone who has experienced the pleasure of having their e-mail account hijacked. For those of you who have had this experience, I’m sure you can agree that it is such a glorious feeling to look in your sent items and find an e-mail that was sent to your entire Contact list with a nice spam message or better yet, a virus. Additionally, the experience is even better when you work in technology. Now how out of touch does that make you look? Surely, you who work in technology should know better. Would I trust you with my technology needs when you don’t seem to be able to control your e-mail account? Hmm, maybe not.
So how does this happen? I think there are several possible ways so I’ll explore a few.
Today, after opening my e-mail account from my browser, I took a closer look at a few things. One thing I noticed was that the URL began with http rather than https. This indicates that I am viewing information that is not encrypted. Having said that, I guess it is possible that when I am viewing my inbox, packets of information are not being sent between my machine and the server, but that would mean that my e-mail program through the Web browser behaves differently than other sites viewed over the Internet. I tend to think that is not the case, although possible. Even if my login and password information are not sent while viewing my e-mail, the e-mail messages themselves are not encrypted, so if those packets of information are being passed around, at a minimum, someone can sniff through that data. I hadn’t previously bothered to look at the URL as I always assumed the connection was secure and data was encrypted.
Also, I recently had a friend whose e-mail account was compromised and when I researched her issue, I found that the Hotmail login page she used was also not encrypted (http instead of https). So be careful when you sign into a Hotmail account by selecting the Hotmail link from MSN.com, your MSN.com homepage, or other access point. When you select the link and are redirected to the login page, check the URL to see if it is http or https. If it is http, you should see a small option under your login ID and Password that asks you if you prefer to use a secure connection to log in. You must select that option; otherwise you are passing your Login and Password over an unsecured connection. You should also see an option to ‘always’ use the secure connection. I recommend selecting both if available. When you do, you will be redirected to an encrypted page (https) that you can use to log in and you shouldn’t encounter the unencrypted login page again. Here’s a nice brief article that explains this in a little more detail.
Why Hotmail gives users the option to log in from an unencrypted site, I’m not sure, but there is probably a reason such as accommodating some requirement of some country or some other reason. Regardless of the reason, don’t use the option.
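The http-versus-https check described above can also be automated. The following is an added example, not part of the original post: it parses a login page's HTML and reports password forms whose credentials would travel over plain http, or whose page could be altered in transit before you type anything. The host `mail.example` and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample pages (assumed markup, not real Hotmail HTML).
HTTP_FORM = '<form action="/auth"><input name="id"><input type="password" name="pw"></form>'
HTTPS_FORM = ('<form action="https://mail.example/auth"><input type="PASSWORD" name="pw"></form>'
              '<form action="/search"><input name="q"></form>')

class LoginFormFinder(HTMLParser):
    """Record (action, has_password_field) for every <form> on the page."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None  # form being parsed, as [action, has_password]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def audit_login_page(page_url, html):
    """Return findings for password forms exposed to unencrypted http."""
    parser = LoginFormFinder()
    parser.feed(html)
    parser.close()
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action, has_password in parser.forms:
        if not has_password:
            continue  # search boxes and the like carry no credentials
        target = urljoin(page_url, action)  # an empty action posts back to the page itself
        if urlsplit(target).scheme != "https":
            findings.append(f"password submitted in cleartext to {target}")
        elif not page_is_https:
            # The post is encrypted, but the http page holding the form can be rewritten in transit.
            findings.append(f"form posts to https but page {page_url} is served over http")
    return findings

if __name__ == "__main__":
    print(audit_login_page("http://mail.example/login", HTTP_FORM))
```

An empty result means every password form on the page is both served and submitted over https.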
Of course, signing into your e-mail account through an unencrypted page is not the only way your login credentials can become compromised. There are several possible scenarios, such as using your Windows Live or Hotmail password for other website logins, your computer being compromised by a virus, being tricked into submitting your credentials to a phishing program, login information potentially being sent unencrypted through any number of programs or applications you use and integrate (like Facebook, Twitter, Digsby, LinkedIn), using an unsecured wireless connection, etc.
Yes, there are many ways that unscrupulous people can gain access to the tools we use every day, so about all we can do is to continue to try and be vigilant regarding the sites we visit, the information we share on sites, how and when we enter sensitive information like logins and passwords, make a habit of not opening suspicious e-mail and the list goes on…
I’ll probably never know how my account was compromised so I’ll change my password, send my apology e-mail to my Contact List, blog a little about how easy it appears to gain access to these types of accounts, continue my efforts to minimize my risk of having this happen again and hope for the best.
I wish everyone secure travels throughout the world wide web.