Tuesday, June 28, 2011

Guess who wants your password

If you’ve been on campus more than a few months, you’ve probably received some phishing attack where the bad guy tries to convince you to send him your userid, password, and maybe more like your birthdate, often under the guise of cancelling your UWaterloo computer account if you don’t.
For the record, you will never be asked to submit your password in an Email.  IT staff don’t need it for most things you ask them to do.  And if we do need it, perhaps to debug a problem you are having, one of us would be sitting at the computer with you.
But what, you may ask, does my password give bad guys?
Overwhelmingly, it supplies them with an account from a trusted system that can rapidly send their spam.  We throttle it back after a few minutes, but they can get a good number of free spams off, and someone will read that spam and buy some product from them, and they will make a bit of money.
Another gem on your account is the list of Email correspondents.  They have a list of people they can Email, and probably those people will read that Email if it comes from your account.
If you are like many people, your password also works on eBay, PayPal, Facebook, etc.  There they can clean out your accounts or advertise a product.  In particular, Facebook lets them target your friends with ads.
At UW, like many institutions, we have a Virtual Private Network or VPN which can be used to grant any remote machine network access as though it were physically located on campus.  Your userid/password pair is enough to gain access.   The VPN lets you do dastardly things on campus.
One of the growing threats is impersonation of campus people in order to steal online resources like online journals.  The University spends 4.5 million per year on electronic journals.  Your userid may be sold on sites just for your library access.  It may surprise you that there is a world market for this.
Your birthday can be enough to get access to other resources.  The bad guys can also use your payroll information (accessible here with your password) to get your social insurance number, which can be used for full-scale identity theft.
Many people store important information on computers, either directly in files or unknowingly in their browser cache.  If someone were to snoop, he might find bank accounts and other data; however, this is not yet as common as some of the other abuses.
Today many homeowner insurance policies will include identity theft protection.   It actually is a real risk in this age.  It won’t remove the frustration you feel, but it greatly reduces the risk of losing all you have worked for over the years.
Have safe computing.
Erick