“You have a secret that can ruin your life.”
That’s how Mat Honan opens his article in this month’s Wired magazine, “Kill the Password: Why a String of Characters Can’t Protect Us Anymore.” Please set aside 15 or 20 minutes to read that article. Save it to Instapaper, print it out, whatever. Finish it before you go to sleep tonight. The article is that important.
The key point I want you to take away from the article is that it can happen to you.
I think someone tried to hack my life a bit in the last couple of weeks. Not as bad as what Mat Honan went through, but enough to put me on hyper alert.
Incident One: About a week ago I received a notice from American Express that the company had detected some questionable activity on one of my accounts. Specifically, it appeared someone tried to use my wife’s card to try to purchase some crap. I spoke with Amex, got it taken care of, and that should have been the end of it.
Incident Two: Over the weekend, I received a notice from another credit card company that again someone tried to use the card in my wife’s name to purchase some junk. One of the attempted transactions was a purchase at a company that also showed up on the Amex fraud alert. Interesting. The company, Skinit.com (I won’t give them a link), makes iPhone cases. It’s a small company, so the fact that it showed up twice in attempted fraudulent transactions makes me think it was the same person. How that individual got two credit cards for our household is unknown, but I don’t like it.
Incident Three: I received an email from Twitter dated last Wednesday so I could reset my password. Someone tried to reset my Twitter password. I know I didn’t try to reset it because I was completely off the grid on Wednesday. The email might be a phishing attempt, but maybe not.
I don’t want to seem paranoid, but I’m reminded of something Ian Fleming wrote in Goldfinger:
Mr Bond, they have a saying in Chicago: ‘Once is happenstance. Twice is coincidence. The third time it’s enemy action’.
Yes, two of the incidents were financial fraud attempts and the third looks like a hacking attempt. The odds are good that the person who tried credit card fraud is not the same person who tried to reset my Twitter password. Nevertheless, how many wake-up calls do I need?
More importantly, will you look at what’s happened to a low-profile lawyer and conclude you need to act before something bad happens to you? Will you also look at what happened to Mat Honan and realize you’re not immune?
First thing I’m going to do is a massive password reset on every web site and service I can think of. I’ve already removed all credit cards stored at Amazon.com. I’m using double authentication for Google Mail and Dropbox. I’m also setting up a “password reset-only” email address per the suggestion in the Wired article. And I’m going to be a little more paranoid from here on. As a witness in a trial I worked on once remarked, “Just because you’re paranoid doesn’t mean they’re not out to get you.”