Your online security is only as good as the weakest link

By Art on October 24, 2012

Over the weekend I received an email supposedly from Microsoft Live wanting me to verify my account and providing a verification code in the email to do that. It was a simple plain text email with no images or anything, so I thought that this was just a spoof email attempt. I hovered the mouse over the link, to where the email said it would send me, to see where the link would really send me, and I was quite surprised to see that the link was not spoofed and it was actually the URL of Windows Live.

I thought that’s odd: why would a spoof email be sending me to the real website? Maybe spoofing has evolved, so I checked the source behind the email to see if there was anything hidden in there that would do some damage. Nope, everything seemed to check out. The email seemed to check out even further, as a few minutes of Googling seemed to suggest that the email content was authentic and not known to be spam. Furthermore, most forum comments seemed to suggest that the email is in response to someone trying to gain access to a secure part of your Windows Live account. I must admit, my pulse rate did go up a few notches at this point as I thought that I may have been hacked, and I recalled recent security breaches like Mat Honan’s recent experience.

I take security very seriously and try to follow best practices with regard to personal online security. About 2 years ago I started to use an online password manager to help secure the hundreds of online username/passwords that I have. Ever since that point I have ensured that every website uses a different random password that is very strong, or at least as strong as that website will allow. As an aside, I do find it hard to understand why some websites will limit your password length to something quite short. I had a site the other day limiting me to just 16 characters, and don’t get me started on Tesco’s 10 character password limit or Asda’s 12 character limit! Anyway, I also don’t normally allow websites to have access to other websites, e.g. Twitter to Facebook; I don’t store bank/credit details on websites unless I really trust them; and I use multi-factor authentication if available.

So this apparent breach came as a bit of a surprise to me. Has someone got into one of my accounts, and if so, which one? I’ve a small number of Windows Live accounts, which were all using strong passwords, or so I thought. I systematically logged into each one and they all seemed to be ok; nothing appeared to be damaged or compromised in any way, which was good, but something just wasn’t adding up. Incidentally, I reset all my Live passwords anyway at this point just to be sure, and was surprised that Microsoft themselves only allowed a 16 character password! So I went through in my mind everything that had happened that afternoon again and started to put the pieces together. It was at that point I realised that I had been checking the wrong Live accounts. All of my Live accounts had different types of notifications to different email addresses/phones. I didn’t remember having a Live account with the email address that I had received the notification on. So I scratched my head a bit more and then the penny dropped after reviewing some of the Google results again. Many of these forum posts seemed to mention Xbox accounts, or the forums the comments were on were Xbox-related. Now I had a clue, and it transpires that when I created an Xbox account some 7+ years ago, I must have set it up using an email address that I had at the time and a pretty (very!!) insecure password. That original sign-up process created a Live account for me, which I never really knew that I had because I had a different email address for my main Live account.

I then tried logging on to Windows Live using this email address and an insecure password that I used to use a lot a few years ago and, lo and behold, I was logged on at the first attempt. This must be the account that the original email verification was triggered from, as the notification settings against this account stacked up with what happened. Thankfully I did not have any subscriptions active on this account, nor any Microsoft points or credit/bank cards etc. stored on there either. It was a fairly empty and largely useless Live account. Even the personal details stored on the account were way out of date. A quick change of password and a silent thank you to Microsoft for having this basic verification system in place pretty much wrapped things up.

Although I haven’t seen any further compromises, I’m pretty certain that someone had gained access and logged onto this account of mine using some means. Thankfully, though, because of the other security measures that I follow, this has, I hope, eliminated any further breaches of my security (to my knowledge!). The username/password combo that was used to gain entry was one I stopped using long ago, and for the past couple of years I never use the same username/password combination more than once. This whole incident was caused by my being careless with security a few years ago and not paying more attention to what I was creating when I first signed up to Xbox. This is my fault and I only have myself to blame really. Recently I thought I was being good with online security, but still it only took that one old, forgotten/unknown account with a weak password for someone to gain access to my information. Over the years and decades we all litter the internet with accounts that we only use a small number of times and then forget about, but many are probably still there and potentially active with our personal details.

It’s common news at the moment that big (and small) websites are getting hacked because of the poor security measures that they have in place and the disregard that many of them have for the safety of our information. Don’t make it any easier to get compromised, though, by not doing the best that you can by following recommended online security practices. Believe me, although it wasn’t a pleasant Sunday afternoon for me knowing that I had been hacked, it is far less stressful securing one compromised account than it is potentially re-securing hundreds of accounts that you may or may not even remember that you have… I am already going through my important accounts and making the already long random passwords even longer!
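The audit the post ends on (one old forgotten account, a password reused from years ago, sites that cap password length) can be done mechanically against a password manager export. The script below is an added example, not code from the original post or from any password manager: it reads a constructed CSV export, flags passwords shared between accounts, passwords below a minimum length, and accounts not touched for two years, and generates a replacement password from the OS random source at the longest length a site allows. The CSV column names, the site names, the credentials and the per-site length caps are all assumptions made up for the illustration.

```python
"""Audit a password-manager export for reused, short and stale credentials.

Added example for this post (not the author's or any vendor's code).
The export format, site names, credentials and length caps below are
constructed for illustration; adapt the column names to your own export.
"""
import csv
import io
import secrets
import string
from collections import defaultdict
from datetime import date

# Constructed sample export (NOT real credentials). Columns mirror a
# typical "site,username,password,last_used" export.
SAMPLE_EXPORT = """site,username,password,last_used
example-shop,art@example.com,Summer2005,2005-08-14
example-forum,art@example.com,Summer2005,2006-01-02
example-bank,art@example.com,xK9$vLq2#mP7wR4t,2012-10-20
example-mail,art@example.com,Tq7!dN3p,2012-10-01
"""

# Constructed per-site maximum password lengths (placeholders standing in
# for the 10-, 12- and 16-character caps the post complains about).
SITE_MAX_LENGTH = {"example-shop": 10, "example-forum": 12, "example-bank": 16}

MIN_LENGTH = 12             # anything shorter is flagged
STALE_AFTER_DAYS = 365 * 2  # accounts untouched this long are flagged


def parse_export(text):
    """Read the CSV export into a list of dicts, one per account."""
    return list(csv.DictReader(io.StringIO(text)))


def find_reused(records):
    """Map each password used by more than one account to the sites sharing it."""
    by_password = defaultdict(list)
    for r in records:
        by_password[r["password"]].append(r["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_short(records, min_length=MIN_LENGTH):
    """Sites whose password is shorter than the minimum we are willing to keep."""
    return [r["site"] for r in records if len(r["password"]) < min_length]


def find_stale(records, today, stale_after_days=STALE_AFTER_DAYS):
    """Sites not used within the stale window; the forgotten-account check."""
    return [
        r["site"]
        for r in records
        if (today - date.fromisoformat(r["last_used"])).days > stale_after_days
    ]


def new_password(site, preferred_length=32):
    """Random password from the OS CSPRNG, as long as the site allows."""
    length = min(preferred_length, SITE_MAX_LENGTH.get(site, preferred_length))
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(text, today_iso):
    """Run all three checks against an export as of the given ISO date."""
    records = parse_export(text)
    today = date.fromisoformat(today_iso)
    return {
        "reused": find_reused(records),
        "short": find_short(records),
        "stale": find_stale(records, today),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, "2012-10-24")
    for sites in report["reused"].values():
        print("same password shared by:", ", ".join(sites))
    print("short passwords:", report["short"])
    print("stale accounts:", report["stale"])
    for site in report["short"]:
        print(f"{site}: replacement of length {len(new_password(site))}")
```

Running it on the constructed export flags the two accounts sharing the 2005-era password, the three accounts with passwords under 12 characters, and the two accounts idle for more than two years, which is exactly the overlap (old, weak, shared, forgotten) that let the Xbox sign-up account in the post be reused against its owner. Passwords are compared in full here for simplicity; a real tool should hash them first so the report never carries plaintext.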