Posted by: Ken Harthun
Hacking, Identity Theft, Security, Security practice, Skype
The news today is not good for many of those who have had their Skype accounts hacked. As part of my investigation into one wave of Skype phishing attempts, which I detailed in Skype Phishing Attempts and Account Hacking – Part 1, I attempted to recover a Skype ID. I was not successful for the test account (thanks again to my friend Allen D. for his help). Apparently, if you have never bought any credits from Skype–in essence, making you a “free” member–they don’t extend to you the ability to recover your password. So, if you get hacked, the hacker pwns your Skype ID forever. Not good, especially if you have used your real name (many people use IDs like mine: ken.harthun1). Fortunately, since I use Skype credits for regular calling, I have full access to the recovery features. I subscribe to the plan that allows me unlimited calls to regular phones in the U.S. and Canada. This costs $8.40 quarterly. I consider that cheap insurance.
Besides purchasing something at least once from Skype, there are other steps you must take for maximum security and “recoverability.” Here they are.
1. Sign up for a Gmail account and secure it with at least a 10-character RANDOM password. I’m talking like gtJ62kl9xL or something similar. Yes, you really need to do that.
2. Use the Gmail account to sign up for your Skype account and then don’t use it for anything else.
3. Use a 10-character RANDOM password when you sign up for your Skype accounts.
4. Use something other than your real name for your PUBLIC Skype ID; i.e., don’t use joe.blow, use jblow2341 or something of the sort. You can set up a second PRIVATE Skype ID with your real name.
5. Use the PUBLIC Skype ID for rooms, forums and chat; reserve the PRIVATE Skype ID for trusted contacts only.
6. If you have a PayPal account and don’t already have the PayPal Security Key, get one immediately. The PayPal Security Key creates random temporary security codes that help safeguard your PayPal account when you log in. If a hacker ever gets your PayPal information, they won’t be able to log in without the security key. This is important if you plan to use PayPal for purchasing any credits on Skype.
7. For both your PUBLIC and PRIVATE Skype IDs, immediately purchase Skype credits or subscribe to a calling plan so you have a purchase record/history with Skype. Use PayPal or a credit card. The reason you want to do this is so that you have information that identifies you without a doubt–information that the hacker won’t have. You don’t have to make ongoing purchases, just a one-time purchase.
8. As soon as the purchase has been completed, immediately delete your stored payment details under the Settings and Extras section in each account. This prevents a hacker from getting any sensitive information.
If you do these things, you will have a verifiable identity with Skype because you will have information that only you know. If your account is ever hacked, you will be able to provide this information to verify your identity and reset your password; otherwise, you’re at the mercy of Skype’s support to recover your identity and you may or may not be able to do that. In any event, it will be an ordeal.
One more thing: Never click on any link anyone sends you asking you to log into Skype. This is especially true for one that does not begin with https:// and end with skype.com. Anything else is suspect.
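The link check described above can be done mechanically. The Python sketch below is an added example, not part of the original post: it reads "begins with https:// and ends with skype.com" as "the scheme is https and the host is skype.com or a subdomain of it", since a link whose text merely ends in skype.com can still point somewhere else. The function name and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "skype.com"  # the domain named in the post


def is_skype_login_link(url: str) -> bool:
    """Return True only for https links whose host is skype.com or a subdomain."""
    url = url.strip()
    # Browsers treat "\" like "/" and drop control characters; refuse such
    # links outright instead of guessing how a browser would read them.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        host = parts.hostname  # excludes any "user@" prefix and the port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".").lower()
    # Require a label boundary so "notskype.com" does not match.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample links (not taken from any real message).
SAMPLE_LINKS = [
    "https://login.skype.com/login",        # genuine host
    "http://login.skype.com/login",         # not https
    "https://skype.com.example.net/login",  # skype.com is only a prefix
    "https://notskype.com/",                # no dot before skype.com
    "https://skype.com@example.net/login",  # skype.com is a username here
    "https://example.net/?next=skype.com",  # text ends with skype.com
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "ok     " if is_skype_login_link(link) else "SUSPECT"
        print(verdict, link)
```

Only the first sample link passes; the rest are flagged as suspect.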
Questions welcome here, or via Skype @ken.harthun1.