This blog serves as a warning to any computer users, who use a public internet connection at coffee shops, restaurants, hotels, and libraries. Hackers can use clever methods to gain access to internet accounts. When I visited Bangkok, someone hacked into most of my accounts, except Skype and my bank accounts. The hacker gained access to my accounts for Hotmail, Yahoo, Facebook, Netflix, Amazon, Orbitz, Kohls, etc.
Hacking into internet accounts is extremely difficult, especially if users use strong passwords, such as "Conway@579#." The password is a mixture of numbers, upper and lower case letters, and symbols. Hackers are not likely to deduce the password correctly because it has too many variations. Thus, they steal passwords by relying on phishing and keyloggers. Phishing is a hacker tricks a user by directing the user to a fake webpage that looks genuine. The user enters his personal information, thinking he/she is at the correct website and sends the information to the hacker. The fake website then logs into the correct website , so the user suspects nothing is wrong. A keylogger is a hacker tricks the user into installing a program that records keystrokes from the keyboard. Then the program sends the keystrokes to the hacker. Of course, a relative, spouse, or friend could install a keylogger on the user's computer, joking around, stealing information, or creating mischief.
While in Bangkok, I inadvertently discovered another method hackers can use to gain control over internet accounts. Someone hacked into the hotel's computer network. The first day in the hotel, I checked my Hotmail, Facebook, Yahoo, and my private email accounts using the hotel's wi-fi and my personal laptop. When I returned later in the afternoon, someone changed the passwords to Hotmail, Facebook, and Yahoo. My private email accounts were fine because these accounts require an administrator password, and I never logged on as administrator. Thus, the hacker could not change this password, or at least, I thought he could not.
I recovered all my accounts immediately, using the hotel's wi-fi. Later towards evening, I checked some of my accounts again, and the hacker changed my passwords again. Consequently, I thought someone hacked into the wi-fi network, circumventing the signal's security. Usually people use WPA or WPA2 to encrypt their internet communications as their computers send information through the air. However, encryption fails if someone has hacked into the network.
I made a severe mistake. I should have left the hotel and gone to a computer club to recover my accounts. Instead, I used the public computers in the hotel's lounge that connected to the internet through a line connection. Thus, I recovered my accounts with no problems. I thought I was safe because I did not transmit anything through the air via wi-fi. Nevertheless, the hacker had access to the hotel's network including the computer I used in the lounge.
The next morning, I logged onto several email accounts, using the hotel's public computer, checking my emails. Everything was fine. Then an hour later, I started losing all my internet accounts, including my important account for managing my website. Although I never logged onto my personal website using my administrator password, the hacker found information in my Yahoo email account. The hacker changed the password to my personal website by doing a password reset – the user requests a new password by sending a confirmation email to Yahoo (that he controls, of course). Similarly, the hacker changed all my accounts for Kohl's, Orbitz, Netflix, Amazon, etc. by using the password reset.
I approached the hotel staff and complained to them. I explained someone has hacked into the hotel computer network, and he had changed my passwords. They thought I was crazy. Then I showed them my laptop, and I logged onto Facebook, where it showed someone changed my password by using my laptop or by accessing through the hotel's network. The staff refused to believe me as if I were wasting the staff's time with incredible stories.
After walking around, seeing the sights, I went to a computer club and created a new email account, using Hushmail. First, I recovered my Hotmail account and sent the reset link to Hushmail. Hotmail allows users to recover their email accounts by answering personal questions and sending a confirmation to a new email account. Some questions were subject lines of emails, folder names, and email contacts. Second, I reclaimed Facebook and Yahoo because I already linked those accounts to Hotmail. After recovering Yahoo, I reset all my passwords to my other accounts including the important account for managing my website.
What did the hacker gained by doing this? He did not delete anything or did not attempt to steal money from my bank accounts, but I did cancel my old debit cards and applied for new ones before I left the United State. I never updated the debit card information on most of the internet accounts. Luckily, I did not log onto my bank's website; otherwise, the hacker would have information to these accounts. Consequently, I am careful about checking internet accounts. I use the ATM for account balance inquiries and check one email account using a public wi-fi.
Unfortunately, I was an email hoarder and retained all my vital emails. The hacker read my emails and knew which websites to visit to reset and change my passwords. I still have a potential problem. If the hacker can remember enough account details, then he can recover accounts. After two weeks, all my internet accounts were fine, but I deleted emails that contained too much information to other internet accounts. I also used a different password for every internet account.
After some research, I deduced the method the hacker used. He used a program that identified my computer on the hotel network, and then he rerouted all communications between my computer and the network through his computer. I did notice the internet slowed down as he rerouted communications. Then the hacker saw all the websites I visited. He accessed the websites as if he were me, and he circumvented the encryption. Encryption only works when we send information onto the internet, sending pieces of information over time that travels through thousands of different channels randomly. An eavesdropper only would capture a nugget of encrypted information while the hacker has access to all information. Then he has access to your account and change the password. I was shocked by this method's ease because the programs are available freely in Linux, the choice for computer hackers. Thus, all you users out there, beware!