Archive

Posts Tagged ‘security’

Yahoo! Mail security issues.

I’m seeing a lot of issues with Yahoo Mail accounts being compromised, so I’m posting my notes here and will update as I understand the problem better. A typical example is an e-mail from a friend containing nothing but a single spam URL, sent to 10-15 people (in alphabetical order) from their Yahoo! Contacts.

I suggest that you NOT check the box ‘keep me signed in’ when you log into Yahoo Mail (highlighted in the red rectangle on the screenshot below). From what I can tell, some web sites with malicious content take advantage of cached Yahoo credentials and send mail with these spam links to everyone in your Yahoo contact list.

I also recommend using “two factor authentication” wherever possible. Two factor authentication combines something you know (your password) with something you have (a phone, landline or cell). When accessing a web site, you enter your password (something you know), and then are prompted to enter a code sent to your phone (voice call) or your cell (text message), which proves you possess that device. This is the same mechanism used when resetting passwords on your bank or credit card web sites.

Another option is to consider moving to Google Mail, which appears to be more secure. I know from testing that Google’s two factor authentication is quite comprehensive; I use an Android app on my cell phone to generate a code.

(Screenshot: Yahoo login – do not check ‘keep me signed in’)

Yahoo Two factor authentication reference links

http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two+factor-authentication-right-now

http://www.pcmag.com/article2/0,2817,2409477,00.asp

Categories: Internet, security

UPDATE: Google “advanced sign-in security”

2011-02-20

When you bump into people at a funeral discussing e-mail security problems, you know it’s a mainstream issue.  A woman we were chatting with just spent the better part of two weeks restoring access to her MSN account after she received a variation of the “Mugged in London” scam.  The result was someone hijacked her account and she had to work through MSN to restore access.

Just like Facebook’s support for SSL, using two factor security for Google is something everyone needs to implement.

The process is detailed on The Official Google Blog – Advanced sign-in security for your Google account

The process is called 2-step verification – this allows you to link your account to your mobile phone, a mobile application (Google Authenticator on Android), and printable backup codes that you can keep in your wallet. In addition, you can create application-specific passwords to support access from applications on your smartphone.

If you’re running Google Apps on your smartphone, I recommend doing this all at once – it will eliminate password prompts and confusion later.

The process also provides a summary of Connected Sites, Apps, and Services that have access to your Google Account.  In my case, this includes paulbegley.com access to Blogger, pulsememe.com (Google Reader), google.com (Google Calendar), and tweetdeck (Google Buzz).  I had forgotten about setting up Pulse access to my RSS feeds on Google Reader, but it was a good reminder.

You can revoke or renew access at any time using the 2-step verification process.

UPDATE:  Note that once you enable advanced sign-in security, you may need to generate a new password for third party applications.  I ran into this with Feeddemon, but it was a simple fix:

  1. In Google, sign in and go to My Account.
  2. Click on Using 2-step verification.
  3. Go to Application-specific passwords.
  4. In the section “Generate new application-specific password”, enter the name of the application (Feeddemon in my example), and click “Generate Password”.
  5. A unique password will be generated, consisting of four groups of four alphanumeric characters. Paste this into the password prompt for your application, and you will be authenticated.
Categories: Android, mobile, security