The most paranoid geek I know, Steve Bass of TechBite, gets hacked

Earlier this month I saw a Javelin Strategy & Research study that found the number of identity fraud victims in the United States rose 22 percent last year over the year before, to 9.9 million adults. But it wasn't till I read in his TechBite newsletter that Steve Bass' PayPal account had been hacked that I paid attention.

"The e-mail from PayPal said I'd sent $400 to a gaming firm in Germany. It's a dopey phishing expedition, I thought, and authentic-looking, for sure, but nothing to worry about," he says in the newsletter. "The trouble was that when I logged on to PayPal, I really did have a $400 withdrawal. It was clear that someone had my password."

[ There's more than one way to get fleeced; see earlier Gripe Line posts "Why you care about insurance fraud" and "The toner phoner scam" for tips on avoiding today's tricksters. ]

I've worked with Steve Bass, off and on, for years. He wrote the Home Office column for PC World for decades, and I was his editor for some of that time. He is, easily, the most paranoid geek I know. He says it himself in his newsletter: "I see myself as suspicious — verging on paranoid — when it comes to phishing e-mails. What better prize than bragging rights to hacking a PC World guy, right? So I'm as vigilant as my dog is when I try to get her to take a pill wrapped in peanut butter."

OK, I know Steve. He isn't just bordering on suspicious; he expects disaster. This is a guy who keeps a mirror of his hard drive at a neighbor's house in case he goes out for coffee and comes home to find his house is gone. That way, he can still meet his deadlines. He is the least likely guy I know to fall for a phishing scam or to let anyone socially engineer him out of a password. And he is too smart to use a password that could be easily cracked. Was he slipping? I called him.

"I almost clicked on a link in a phishing e-mail a while back," he admits, the same old Steve.
"It was from my ISP and it was in the middle of a dispute I was having with them. But something about following the link bothered me. I didn't do it."

While this near miss was clearly still troubling him, almost clicking a link is certainly not giving away a password. PayPal insists he must have surrendered his password somehow, though the company quickly reversed the charge and is investigating. But Steve can't think of how anyone could have gotten that password out of him, and he has given it considerable thought. It is worth remembering that handing a password over is not the only way to lose it: a keylogger on the PC, a password reused at a site that was later breached, or an eavesdropped session can all expose it without the owner ever being fooled.

First of all, the password was not an easy one to crack. "I would never use a dictionary word," he says. "Those can be cracked in about 10 seconds using free software. (I've tried it.) I used four numbers, a symbol, and three letters," he says. "And I am so scrupulous about phishing scams and giving out information that there is no way in the world anyone got this password from me."

There is probably no way he will know how his password got loose, but the incident has made him even more paranoid. "I get a lot of mail because of the newsletter," Steve says. "One guy wrote to me after this issue went out to tell me that the exact same thing happened to him in May: The same German gaming company, the same charge. PayPal reversed his charges so quickly that he is wondering if it might be an inside job." I could hear the suspicion in Steve's voice, too.

Steve has since changed all his important passwords to 14-character computer-generated ones and never uses the same password for more than one account. He creates them with RoboForm, too paranoid to use a Web-based password generator or anything he can come up with on his own. His dog is equally careful about peanut butter offered too easily.

Got gripes? Send them to christina_tynan-wood@infoworld.com.
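As an added illustration, not code from the column, from Steve Bass, or from RoboForm, the Python below puts rough numbers on the comparison Steve draws: a dictionary word, his old "four numbers, a symbol, and three letters" pattern, and a 14-character password drawn uniformly from all printable ASCII. It then generates passwords locally with the operating system's CSPRNG (Python's `secrets` module) and issues a distinct one per account. The 100,000-word dictionary, the 32-symbol set, the assumption that the old pattern used lowercase letters in a fixed order, and the 10 billion guesses per second offline cracking rate are all constructed assumptions for the estimate, not figures from the page.

```python
import math
import secrets
import string

# Character classes used by the estimates below. The 32-symbol set is Python's
# string.punctuation, assumed here to stand in for "a symbol" on a US keyboard.
DIGITS = string.digits                                                 # 10
LOWER = string.ascii_lowercase                                         # 26
SYMBOLS = string.punctuation                                           # 32
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94

# Assumed size of the word list a dictionary attack would try (constructed).
DICTIONARY_WORDS = 100_000
# Assumed offline guessing rate against a fast, unsalted hash (constructed).
GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def dictionary_word_bits() -> float:
    """One word picked from the assumed word list: log2(100000), about 16.6 bits."""
    return entropy_bits(DICTIONARY_WORDS, 1)


def old_scheme_bits() -> float:
    """Four digits, one symbol, three lowercase letters, in a fixed order.

    This is the strongest simple reading of the old pattern; if the attacker
    also has to guess the order of the classes the space grows by at most
    8!/(4!*1!*3!) = 280 arrangements, about eight more bits, which does not
    change the conclusion.
    """
    return (entropy_bits(len(DIGITS), 4)
            + entropy_bits(len(SYMBOLS), 1)
            + entropy_bits(len(LOWER), 3))


def generated_bits(length: int = 14) -> float:
    """`length` characters drawn uniformly from the 94 printable ASCII characters."""
    return entropy_bits(len(PRINTABLE), length)


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole space at the assumed guessing rate."""
    return 2.0 ** bits / guesses_per_second


def generate_password(length: int = 14, alphabet: str = PRINTABLE) -> str:
    """Locally generated password using the OS CSPRNG via `secrets`.

    Never use random.random()/random.choice() for secrets: the Mersenne
    Twister is predictable once enough output has been observed.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def issue_passwords(accounts) -> dict:
    """One fresh password per account, so a leak at one site cannot be replayed elsewhere."""
    issued = {}
    for name in accounts:
        pw = generate_password()
        # Guard against the astronomically unlikely collision so no two accounts share a secret.
        while pw in issued.values():
            pw = generate_password()
        issued[name] = pw
    return issued


if __name__ == "__main__":
    for label, bits in [("dictionary word", dictionary_word_bits()),
                        ("4 digits + symbol + 3 letters", old_scheme_bits()),
                        ("14 random printable chars", generated_bits())]:
        print(f"{label:32s} {bits:6.1f} bits  exhaust in {seconds_to_exhaust(bits):.3g} s")
    for account, pw in issue_passwords(["paypal", "isp", "email"]).items():
        print(f"{account:8s} {pw}")
```

Under these assumptions the old eight-character pattern is only about 32 bits, under a second of offline guessing, while 14 uniformly random printable characters give roughly 92 bits, on the order of 10^17 seconds at the same rate. The comparison explains the switch to long generated passwords; it says nothing about how the original password leaked, since any of the vectors above would bypass password strength entirely, which is exactly why a unique password per account matters.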