I can’t even remember the last time I went a week without seeing at least two or three posts in one of the many forums I frequent about a “hacked” email or game account that has led to all sorts of problems for the person. And it is a problem. If you have spent $500 buying games on your Steam account, and someone takes over and kicks you out, then in addition to losing your account and your games, you have also lost your money. It would be a very unpleasant situation to be in.
It becomes all the more unpleasant the moment you realize just how easy it would have been to avoid it, and that it’s indirectly your own fault that this happened because you simply weren’t careful enough. Even worse, now that you know how easy it was to prevent it from happening, you feel like an idiot.
If you do know already, this blog is not for you. This is for everyone who wants to know the basics of how to keep their accounts safe, so phishers and scammers can’t get to them.
I’m going to assume, for the sake of argument, that you already know all about how to keep your PC safe from viruses, spyware, and all the other nasty kinds of malware that are a constant threat to us. If you don’t, read this guide first, and come back and read my blog later.
I’m also going to assume that you practice safe surfing, in every sense of the word. (Though I might post blogs about that and PC security some time in the future as well.)
Note: I’ll be using Steam as an example throughout the blog, since most PC gamers have an account with them and they are a well-known service, but these basic principles apply to any online account you have, be it with Amazon, Gmail, Gamespot, PayPal, or anyone else.
PICK A GOOD PASSWORD
The passwords you pick for your accounts should not be real words, and should not be easy to guess for anyone who knows you. The reason you don’t want real words is that the bots that try to crack passwords have several dictionaries they go through, trying the words in them out one by one. A good password is also based on something other than your child’s name or birthday, your workplace, your wife’s maiden name, or any other information that is easy for you to remember because it’s important to you personally.
A few months ago, a friend brought me a laptop with a serious virus infection, and asked me to help her fix it. Of course I agreed to help, told her I would need to keep it for a week, and got started the same evening. When I booted it up, the log-on screen prompted me for a password. I typed in random gibberish, read the hint, thought for a moment, and got the password right on the first guess.
That is not a good password. It was a real word, all lower-case, and anyone who has known her for five minutes can guess it based on the hint. I really hope she picked a better password for her Facebook account than for her laptop.
A strong password has both upper case and lower case letters, is composed of a mixture of letters and numbers, and can’t be found in a dictionary. It is also unique. If someone does get hold of the password to your Sony Online account, and you’ve used the same one on three other accounts, you have now lost all four accounts instead of just one. Never recycle your passwords!
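The rules in this section can be turned into a small self-check. The following is an added example, not part of the original blog: the word list and the personal details are constructed placeholders, and stripping digits before the dictionary lookup goes one step beyond the text so that a word with a number tacked on is still caught.

```python
import re

# Constructed sample data: a tiny stand-in for a cracking dictionary and
# facts an acquaintance could guess (all values are made up).
DICTIONARY = {"dragon", "sunshine", "password", "monkey", "football"}
PERSONAL = {"emma", "1984", "acme"}   # child's name, birth year, workplace

def audit_password(password, other_passwords=(), dictionary=DICTIONARY,
                   personal=PERSONAL):
    """Return the list of rules from this section that `password` breaks."""
    problems = []
    lowered = password.lower()
    # Drop digits and symbols so 'Dragon1' is still recognised as 'dragon'.
    letters_only = re.sub(r"[^a-z]", "", lowered)

    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case letters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs a mixture of letters and numbers")
    if lowered in dictionary or letters_only in dictionary:
        problems.append("is a dictionary word")
    if any(item in lowered for item in personal):
        problems.append("contains guessable personal information")
    if password in other_passwords:
        problems.append("is reused on another account")
    return problems

if __name__ == "__main__":
    # Constructed candidates; the last one is already in use elsewhere.
    in_use = ["tR7vq2Lm9Xc"]
    for candidate in ["sunshine", "Dragon1", "Emma1984xQ", "tR7vq2Lm9Xc", "pK4wz8Hn3Yd"]:
        print(candidate, "->", audit_password(candidate, in_use) or "ok")
```

An empty list means only that none of these specific rules was broken.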
VERIFY YOUR EMAIL
Every online service and every MMO will send you an email when you register and ask you to verify that email address. Always, always, always do that. Once an email is verified as yours, the service or game can and will let you retrieve a lost password to that email address. Most of them will also send you an email when the password on your account is changed, which is the first thing a hacker will do, to keep you from accessing your account and taking it back.
To skip this vital first step is the equivalent of not wanting to lock your car when you leave it alone in a bad neighborhood, because it’s just too much of a hassle… and then being surprised to find it was stolen. Your friends who have been in that neighborhood before will laugh at you for making the thief’s job easier, and I’m sure you can imagine what your insurance company would say when they found out you didn’t think it was necessary to take basic precautions to secure your property.
Verify your email address. Seriously, it’s easy and takes all of five seconds, and it will make all the difference the day someone else takes over your account.
TRUST NO ONE
To be honest, this applies to everything on the internet, but even more with accounts where you have credit cards or personal information. Amazon keeps credit cards on file. So does Newegg, so does PayPal, and so do Steam and the company providing your MMORPG fix. Guard the log-in information for all your online accounts with the ferocity of a starving dog protecting a slab of raw meat. In this particular and very narrow niche of your life, you should be utterly and completely paranoid to the point of needing tin foil hats and avoiding sunlight. It’s okay. In fact, it’s encouraged.
The basic point and bottom line is this: Never, ever, EVER give out your log-in information to anyone.
Imagine the following situation: You are at your bank, waiting in line to get up to the teller, when a random stranger walks up to you and explains that in order to prove that you’re a customer of the bank and qualified to get customer service here, you need to give him all your bank account information. Would you do that?
Of course not, you’re smarter than that.
The reason you shouldn’t give someone your log-in information in a game chat is exactly the same as with the bank: If they’re genuine, they don’t need it. Your bank can pull up all your account information without needing your PIN or your social security number. All they need is for you to prove to them that you are who you say you are, and they can get to everything they need. Steam works the same way.
At the bank, you prove your identity by showing them a picture ID. With Steam or any other online service, you do it by contacting them from your verified email address. Remember I said it was important to verify your email address? This would be why.
DON’T ACCEPT CANDY FROM STRANGERS
By far the most common way people lose their accounts is by willingly giving them away.
And this is how it happens:
The account stealer logs in to the game. They post links, either in the main chat or in whispers/tells, with offers of free gold, items, or free games. What exactly they offer tends to vary from service to service, but is usually adjusted to be appealing to the ones logged into this particular service or game. An unsuspecting victim becomes interested and clicks on the link that is offering, for example, a free Steam game. The link takes them to a page where, in order to claim the free game, they need to log in to their account to register the game in the Steam library. If you’re a smart person you stop at this point, and go to the official Steam website to get the game there instead.
However, if you’re a naive and greedy person, you enter your log-in information, and your user name and password are recorded by the scam website. Your log-in information is now in someone else’s hands, and by the time you have finished reading this sentence, so is your Steam account.
Even the smart person mentioned above could lose their account, just from clicking on the link; sometimes just visiting a website is all it takes. They have scripts for these things, you know.
The lesson you should learn from the above little story is simply this: Any time someone sends you a link in a game chat, you should ignore it. Never click on anything. It doesn’t matter who the link is from, if it offers you something for nothing, then it’s a trap. Trust no one, remember?
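A link can be inspected as plain text, without opening it, to see which site it really leads to. The following is an added example, not part of the original blog: the list of official domains is an assumption about what the reader trusts, and the sample links are constructed, with `.example` hosts as placeholders.

```python
from urllib.parse import urlsplit

# Assumption for this example: the domains the reader treats as official.
OFFICIAL_DOMAINS = {"steampowered.com", "steamcommunity.com"}

def real_host(url):
    """Return the host a browser would actually contact, or None."""
    try:
        # .hostname drops any 'user@' prefix and the port, and lower-cases.
        host = urlsplit(url.strip()).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def is_official_link(url, official=OFFICIAL_DOMAINS):
    """True only for an https link whose real host is an official domain
    or a subdomain of one."""
    host = real_host(url)
    if host is None or not url.strip().lower().startswith("https://"):
        return False
    # Non-ASCII or punycode hosts can imitate a name with look-alike letters.
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False
    return any(host == d or host.endswith("." + d) for d in official)

# Constructed chat links; none of them is fetched.
SAMPLES = [
    "https://store.steampowered.com/app/220/",
    "https://steampowered.com.free-games.example/login",
    "https://store.steampowered.com@free-games.example/login",
    "https://store-steampowered.example/login",
    "http://store.steampowered.com/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        verdict = "official" if is_official_link(link) else "NOT official"
        print(f"{verdict:12} real host: {real_host(link)}  <- {link}")
```

Only the first sample passes: the second and third merely contain the official name, the fourth imitates it, and the fifth is not encrypted.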
IF YOU FORGET EVERYTHING ELSE YOU JUST READ, AT LEAST REMEMBER THIS:
It doesn’t matter how good your security suite is, if your password is easy to guess on the first try, if you give it out to someone who looks official, or if you type it into a shady website. The reason these account thieves don’t bother trying to hack their way through your firewall or bypass your antivirus is that they know that the weakest link in your computer security is you, by a very large margin. They know that it’s much easier to trick you into giving them what they want than to try and take it from you, and they know that most of the time, you’ll end up giving them the information they ask for.
One more thing: Remember I said this applies to all your online accounts? That’s because you’ve probably used the same email address for all of them.
If a scammer gets to your IGN account information, they now have a valid email account along with enough personal information that they can get the account passwords and security questions for everything else. Once a person has your email account information, they can get to everything. Re-read that last sentence, and take a moment to fully realize the consequences of a stranger having full control over your primary email account. The one all your password retrieval emails go to, from Amazon, from PayPal… from your bank.
Trust no one. If you just remember that, you’re off to a good start.