Monday, April 29, 2013

Recovering access to accounts

What should you do when your account has been hijacked? And what should you do after you recover it?

Before regaining control

Check your computer for viruses. On Windows, you can install and run Microsoft Security Essentials for free. Malware is a common way for people to lose access to their accounts, but it’s not the only way.

Make sure your computer is configured to install updates automatically. Having an up-to-date system makes it harder for people to access your computer.

Regaining control

Instructions are available for:


After regaining control

Read my post about securing your online accounts. Use unique passwords everywhere, make them difficult to guess (even for a computer with a dictionary, knowledge of you, and lots of time), and use multifactor authentication where possible.

Securing your online accounts

Web sites get hacked, email addresses and clues to the passwords (or worse, the actual passwords) are stolen, and some accounts are hijacked. Multifactor authentication makes it much harder for someone to hijack your account by requiring multiple bits of information such as “things you know” (such as passwords) and “things you have” (like a mobile phone). I recommend enabling it wherever you can.

Losing control of accounts: Inconvenient to extremely painful

There have been multiple public accounts of people losing access to their accounts through hijacking. I’ve also known people personally who have had personal email accounts hijacked. Each time it’s at best inconvenient, at worst, an extremely painful lesson in security and backing up.

If you’re lucky, all that happens is the attacker sends some spam from your account. However, all too often, the attacker will delete contacts, old emails, and even attempt to get into other online accounts through password recovery systems. They’ll change account recovery information to make it harder for you yourself to regain control. Sometimes they’ll change other settings in your account to make it easier for them to get back in.

If you enable multifactor authentication, which also goes by names like “two-step verification”, everywhere you can, you make it significantly harder for an attacker to take over your account. It’s a great way to secure your accounts.

Setting up multifactor authentication for multiple services

Install an authenticator app on your smartphone

If you have iOS, Android, or Blackberry, you can install Google Authenticator. If you have Windows Phone 7, you can install Authenticator. If you have another type of phone, you can have many of the services discussed below text you codes.

Facebook, Google, and Microsoft

Facebook, Google (including Gmail), and Microsoft (Hotmail, Outlook.com, Xbox LIVE, etc.) are relatively convenient to set up. PCWorld has an excellent article with step-by-step instructions for setting up multifactor authentication with each.

I recommend following the article’s instructions for setting up Facebook to use an authenticating app other than the Facebook app itself; I find it more convenient to generate codes in as few places as possible. You’ll find those instructions in the paragraph that begins, “Simply start the Code Generator setup process …”

Dropbox

Follow the Dropbox instructions. The section called “Use a mobile app” contains instructions specific to several authenticator apps.

LastPass

Follow the LastPass instructions for Google Authenticator. The instructions are specific to Google Authenticator, but you may have success trying another kind of authenticator app.

They also have a variety of other options for multifactor authentication. Be careful with that link – pressing any key tends to change what’s displayed, and you may have to refresh the page.

Apple

Follow Apple’s instructions. They send the code to your device using SMS.

Yahoo!

Follow Yahoo’s instructions. They send the code to your device using SMS.

Problems with multifactor authentication

One problem with multifactor authentication is that whenever you attempt to log in from a new device, you’ll likely have to enter in the extra code. That can be somewhat tedious, especially when you need to log into a number of apps at once (such as when you are setting up a new phone).

Another problem is with apps that use an account on one of the services but doesn’t support multifactor authentication. For example, if you want to configure the iOS Mail and Calendar apps to access Gmail and Google Calendar, you’ll have to create an application-specific password. These get around the multifactor authentication hurdle by automatically generating passwords you type in once and never remember. If one of these is stolen, your account could still be somewhat compromised, but services make it difficult or impossible to access various portions of your account with these types of passwords. You can revoke these application-specific passwords at any time.

Related note: Handling many passwords

The vast majority of sites do not offer multifactor authentication, and the sheer number of passwords you may need to remember can be staggering. However, this is no excuse for reusing passwords on multiple sites. It’s only a matter of time before it creates a major headache for you.

If you use, say, “MyPassword123!” (a terrible password that can be easily guessed using modern password-cracking software) on Site1, Site2, and Site3, all it takes is for one of those sites to be hacked, and you could be in trouble. Your accounts on all three sites could be compromised.

If you need to come up with a password that must have a number in it, don’t just append a number at the end. The same goes for symbols – lots of people just add a number and punctuation to the end of their password and call it a day. (I’m guilty of this myself. At a previous job, I simply incremented the number at the end of my password when I was required to change it. Shameful.)

You can come up with new ways of devising passwords. Using concatenated words, abbreviations of uncommon phrases, intentionally misspelling things, etc. can all be used to increase the effectiveness of your passwords.

Consider using something like LastPass (with Google Authenticator enabled, of course). Such services can store your passwords for you in an encrypted form they themselves can’t access.

Edit 2013/04/29: Updating your account recovery information

Web sites have a variety of options for recovering access to an account. Be sure to update this information for at least the most important sites (email, social, banking, etc.) so if you ever have issues, you can get access to your accounts back.