October 11, 2005

  • Security Alert - Category: Identity Theft

    It has been brought
    to my attention that there now exist certain websites that claim to
    check if your instant messaging buddies (on MSN Messenger, ICQ, Yahoo!,
    or other similar services) have blocked you, put you on an ignore list,
    or altogether deleted you from their contact list.

    Things to keep in mind:

    • These websites are usually not official, in that they are neither
      operated nor endorsed by the company providing the instant messaging
      service.
    • These websites also typically require you to submit your
      log-in information (username and password) so they can perform an
      automated check on your contact list.
    • To reassure you, these websites include a statement that your
      log-in information is not disclosed to a third party and is
      immediately removed from their computer after the automated check.

    My advice: Don't
    trust them! Don't give out your log-in information to a total stranger!
    If you have already given out your log-in information this way, change
    your password immediately!

    Reasons:

    • Often, your log-in information also gives access to your e-mail
      account, not only to your instant messaging contact list, as is the
      case with MSN Messenger and Yahoo!. This implies several things:
      • They can pretend to be you and spam the people on your contact list and in your address book.
      • If your e-mail account contains sensitive information, such as
        e-mail messages containing log-in or account details for other
        services (e.g. online banking, credit card numbers, eBay/PayPal
        account information), you are in deep trouble.
    • Bad guys typically tell you they won't do bad things to you.
    • The communication with those websites is usually not secure.
      In other words, somebody else (not the website) with enough motivation
      and technical skill can eavesdrop on you and get your account
      information. So if anything bad happens to you, the website can easily
      claim innocence by saying that it must be some other bad guy who
      eavesdropped on the conversation.
    • The websites typically do not contain enough information for
      you to physically contact them (i.e. company name, business
      registration number, mail address with street number, street name,
      city, state or province, country, zip/postal code). So if anything bad
      happens to you, you'll have a hard time looking for them in order to
      sue them. It is possible, however, to retrieve this information through
      your country's official Internet domain name registration body, but it
      is a relatively unknown and technical process. Even if you do
      eventually find their physical mail address or business registration
      number, the damage is already done, and that is probably what you
      wanted to avoid in the first place.

    - SwordAngel