It was about 11:30 PM and I was about to turn off the computer when three emails from eBay popped up in my inbox.
‘You’ve received a question about your eBay item, Nokia N95…’, the subject line said.
Curious. I wasn’t bidding on a Nokia N95. I clicked on the email and found that it was spam. Strangely, it looked like I was the one sending spam to the seller of the Nokia N95. If you send a message through eBay, you get a copy of it in your email. This piece of spam was signed in my name.
I’ve gotten spam emails through eBay before and have ‘spoof@ebay…’ in my address book so that I can forward it to them. I was going to do just that when suddenly, another dozen of these emails arrived in my inbox, all with different subject lines. A second later, there were another dozen, and another.
Puzzled, I visited eBay’s website to get a help contact. I was very pleased to find that eBay has a ‘live help’ feature. So I clicked on ‘live help’ and in a few seconds, was talking to Melvin.
I told Melvin that there were now 50 spam emails in my inbox and they looked as if I had sent them to others. Melvin agreed that it was strange and asked me to forward the emails to him. I logged off the chat and went to forward two of the emails.
Then it suddenly went crazy.
New emails arrived, saying, ‘You Won eBay Item: NOKIA E90 COMUNICATOR’ and ‘You Won eBay Item: Apple iPhone 8Gb’. Now I was buying items? Were these fake emails too?
In a panic, I logged into my eBay account and was confronted with a bill for tens of thousands of dollars. It looked as if someone had hacked into my account and was wreaking havoc by sending spam, bidding in auctions and buying what was immediately available.
Thankfully, Melvin was still on the live chat. He switched me to Stan, an account security person. Stan read through my chat history with Melvin and hopped into my account to see what was going on. I waited at my computer, fingers poised on the keys. In the meantime, more emails arrived, congratulating me for additional purchases.
After five minutes, Stan typed, ‘There does seem to be an unusual pattern of activity in the purchases.’ He also discovered the spam emails in my ‘sent messages’. He and Denise (who showed up in the chat session later) helped me remove all my bids and purchases, and sent emails to the sellers to tell them that I wasn’t responsible for the bids. They also emailed the spam recipients.
‘This will help reduce the number of enquiries you might get.’ Yes, indeed, there are some people who do reply to spam (despite Stan and Denise’s precautions, one person did end up asking me about the iPhone I was supposedly peddling).
Stan reset my eBay account and I had to change both my email and eBay passwords. It was all over in an hour.
I wonder how this had happened? Stan suggested that I had clicked a link on a spoof email, then logged into a fake eBay website. I don’t think this is what happened. I haven’t logged into my eBay account for more than a month. I’m also very careful about fake emails.
I think it’s more likely that they had guessed my password. It was a fairly simple one. Maybe they had plugged a computer dictionary in and tried out the more obvious combinations.
I have come out of this incident with two things: one, a new passion for passwords with upper and lower case letters, numbers and punctuation characters; and secondly, satisfaction and pleasure at eBay’s efforts to help people out as soon as they have a problem.
My password strategy is to use a one-way function based on the name of the service. This way you can have very strong passwords that are different for all services, but you only have to remember the function, not individual passwords. In theory it could be very secure, but actually I use a very weak hash function because I need to be able to calculate it in my head.
Internet passwords in general are a nightmare. Sometimes the first thing a service will do after you sign up is send you an e-mail containing your password, which is ridiculous! They shouldn’t even know your password, let alone send it across the world in such a way that everyone between you and them can read it.
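Rohan's scheme above, written out as an added example (not code from the post or from any of the commenters): one memorised master secret, a one-way function keyed with it, and the service name as the input. Here the one-way function is HMAC-SHA256 rather than something calculable in your head; the rotation counter, the case-folding of the service name and the check that every character class from the post (upper, lower, digits, punctuation) is present are assumptions added for this example.

```python
import hashlib
import hmac
import string

# Alphabet the derived password is drawn from: upper, lower, digits and punctuation.
PUNCT = "!#$%&*+-=?@^_~"
ALPHABET = string.ascii_letters + string.digits + PUNCT
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, PUNCT)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def derive_site_password(master_secret: str, service: str,
                         counter: int = 1, length: int = 16) -> str:
    """Derive a per-service password from one memorised master secret.

    HMAC-SHA256 is the one-way function: the master secret is the key and
    the case-folded service name plus a rotation counter is the message.
    A leaked site password does not reveal the master secret or any other
    site's password, and bumping `counter` changes one site's password
    without touching the master secret. The counter, the case-folding and
    the class check are additions in this example, not part of the comment.
    """
    for attempt in range(256):
        label = f"{service.strip().lower()}:{counter}:{attempt}".encode("utf-8")
        digest = hmac.new(master_secret.encode("utf-8"), label, hashlib.sha256).digest()
        # Treat the 256-bit digest as a big integer and peel off base-76 digits;
        # 76**16 is far below 2**256, so the bias from this mapping is negligible.
        n = int.from_bytes(digest, "big")
        chars = []
        for _ in range(length):
            n, idx = divmod(n, len(ALPHABET))
            chars.append(ALPHABET[idx])
        candidate = "".join(chars)
        if has_all_classes(candidate):
            return candidate
        # Otherwise re-derive with the next attempt index; still deterministic.
    raise RuntimeError("no candidate met the character-class policy")


if __name__ == "__main__":
    master = "constructed master secret, not a real one"  # constructed sample input
    for site in ("ebay", "amazon", "mybank"):
        print(f"{site:8s} {derive_site_password(master, site)}")
```

The trade-off of any deterministic scheme, mental or not, is that the master secret is a single point of failure: whoever learns it can regenerate every site password, and a site whose password must change needs a counter (or equivalent) so the rest stay untouched.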
That’s a really good idea, rohan!
I love Rohan’s idea too!
Are there any good one-way functions that you can calculate in your head? I thought the ones used for real cryptographic purposes are much too difficult? (Hence, I wonder if they are truly one-way.) Of course, you don’t need something so complicated for this purpose, and I guess it doesn’t even need to be one-way.
Just for the benefit of those who don’t know much about password handling and hash functions: a hash (‘one-way’) function is a mathematical operation that is easy to calculate but extremely difficult (computationally intensive) to undo. The way a password is stored on unix computer systems is that your password is first ‘hashed’ (that is, you put it through the hash function) and the ‘hash’ (the result) is stored in a special file. When you need to log in, you type in your password, the computer hashes it and compares it to the pre-stored hash. The idea is that your actual password is never stored anywhere, so that if someone manages to see the password file they cannot do anything with it. All good password handling should be done in this way. Hence Rohan’s comment that internet services should not even know your password, since they should only store its hash.
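The store-the-hash flow described in the comment above, as an added example that is not part of the original page: registration hashes the password and keeps only the result, login re-hashes what was typed and compares. The choice of scrypt as the hash, the random per-user salt and the constant-time comparison are assumptions added here beyond what the comment describes; the in-memory dictionary stands in for the special password file.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# scrypt work factors (assumed values for this example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: algorithm parameters, random salt and hash.

    The plaintext password is never part of the record. The per-user salt
    means two users with the same password get different hashes, so a stolen
    file cannot be attacked with one precomputed table covering every user.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Re-hash the typed password with the stored salt and compare in constant time."""
    if record.get("alg") != "scrypt":
        return False
    stored = bytes.fromhex(record["hash"])
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(record["salt"]),
                               n=record["n"], r=record["r"], p=record["p"],
                               dklen=len(stored))
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(candidate, stored)


def register(store: Dict[str, dict], username: str, password: str) -> None:
    """Store only the salted hash; the password itself is discarded."""
    store[username] = hash_password(password)


def login(store: Dict[str, dict], username: str, password: str) -> bool:
    """Hash what the user typed and compare it with the stored record."""
    record = store.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, record)


def plaintext_in_store(store: Dict[str, dict], password: str) -> bool:
    """Sanity check: the serialised 'password file' must not contain the password."""
    return password in json.dumps(store)


if __name__ == "__main__":
    users: Dict[str, dict] = {}
    register(users, "alice", "constructed-sample-password")  # constructed sample input
    print(json.dumps(users, indent=2))
    print("correct password accepted:", login(users, "alice", "constructed-sample-password"))
    print("wrong password rejected:  ", not login(users, "alice", "another-guess"))
```

This is why a service that e-mails you your password after signup is a red flag: with a store like this one there is nothing it could send back, because the plaintext never reached disk.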
Want to know how crazy the internet login/password situation truly is? In the past year, I have used SEVENTY (probably more) different internet-related login/password combinations. In addition to the seventy, I have deleted accounts for eight internet services.