When paranoia isn't enough
The most paranoid geek I know, Steve Bass of TechBite, gets hacked
Earlier this month I saw a Javelin Strategy & Research study that found the number of identity fraud victims increased 22 percent last year over the year before, to 9.9 million adults in the United States. But it wasn't till I read in his TechBite newsletter that Steve Bass' PayPal account had been hacked that I paid attention.
"The e-mail from PayPal said I'd sent $400 to a gaming firm in Germany. It's a dopey phishing expedition, I thought, and authentic-looking, for sure, but nothing to worry about," he says in the newsletter. "The trouble was that when I logged on to PayPal, I really did have a $400 withdrawal. It was clear that someone had my password."
I've worked with Steve Bass -- off and on -- for years. He wrote the Home Office column for PC World for decades, and I was his editor for some of that time. He is -- easily -- the most paranoid geek I know. He says it himself in his newsletter: "I see myself as suspicious -- verging on paranoid -- when it comes to phishing e-mails. What better prize than bragging rights to hacking a PC World guy, right? So I'm as vigilant as my dog is when I try to get her to take a pill wrapped in peanut butter."
OK, I know Steve. He isn't just bordering on suspicious -- he expects disaster. This is a guy who keeps a mirror of his hard drive at a neighbor's house in case he goes out for coffee and comes home to find his house is gone -- that way, he can still meet his deadlines. He is the least likely guy I know to fall for a phishing scam or to let anyone socially engineer him out of a password. And he is too smart to use a password that could be easily cracked.
Was he slipping? I called him.
"I almost clicked on a link in a phishing e-mail a while back," he admits, the same old Steve. "It was from my ISP and it was in the middle of a dispute I was having with them. But something about following the link bothered me. I didn't do it." While this near-fail incident was clearly still troubling him, almost clicking a link is certainly not giving away a password.








