Comcast slow to act on hijacked e-mail site

CONSUMING INTERESTS

May 18, 2008|By DAN THANH DANG

Early this year, Gary Brawerman's e-mail account was hijacked. As much of a nightmare that was, it didn't compare to the lack of concern he found when he called his Internet service provider, Comcast Corp., for help.

Brawerman noticed trouble Jan. 21 when he went to log on to the e-mail account he'd used for four years but could not access it. The system couldn't even find his e-mail address.

"That's when I knew something was wrong," said Brawerman, owner of a local mattress store. "I called Comcast and they told me they needed 24 hours."

Brawerman called the next day. A Comcast rep told him they needed another 24 hours.

"When I still had not heard from anyone, I called Jan. 24 and was told by someone named Michael that I should have been told they needed 24 to 72 hours," Brawerman said. "Michael told me he was going on vacation the next day at midnight, but said he could call me late Friday. He didn't call. On Jan. 25, I called and was told 'Your problem has not reached upstairs yet.'"

Three days later, someone named Byron from Comcast told him that "my e-mail was changed by another I.D. user, microsoft.team.206. I told him that's no one I know. Byron said, 'Uh-oh. Let me get back to you.' You guessed it, I never heard from him again."

Meanwhile, Brawerman was in full panic mode.

"I kept a lot of personal data in my e-mail account," Brawerman said. "Bank account numbers, credit card numbers, financial information, passwords, a list of phone numbers and birth dates. I had no idea if someone accessed that information or not."

Since he wasn't getting answers or advice from Comcast, Brawerman took steps to protect himself. He closed his bank accounts and opened new ones. He changed account numbers and passwords for his credit cards and investment funds. He pulled his credit reports to check for unusual activity and signed up for credit-monitoring services.

Then he waited.

By May 5, when Brawerman contacted me, it had been 106 days since his initial call - and he still had not received any explanation of what happened to his e-mail address or what he should do.

He began getting some answers after I contacted Comcast May 7.

Spokesman Aimee Metrick said a spammer used Brawerman's e-mail account in January to set up numerous false e-mail addresses in a short amount of time. Metrick said Comcast's e-mail server was not compromised.

"In a very rare occurrence, it appears the spammer also used the customer's primary e-mail address to send spam and then dumped it, which sent it to our reservoir database of inactive accounts," Metrick said. "We do not believe there are any issues with identity theft, as spammers are generally focused solely on the ability to use the account to set up additional e-mail addresses as a way to send spam."

Because primary e-mail accounts rarely get hijacked, Metrick said, "our customer care center didn't understand why his e-mail wasn't there. It doesn't fall under our troubleshooting guidelines. They didn't understand that this needed escalation. We are using this as a learning opportunity. We will work with our customer care team."

Once the problem was understood, Metrick said, Comcast was able to pull Brawerman's e-mail out of the inactive database and offer to return it to him. Brawerman declined, unsure whether it was secure.

Comcast says the reason it took so long was because the problem was so rare. But wouldn't that alone have been enough reason to escalate the complaint? It doesn't jibe.

Two security experts agreed the breach probably occurred on Brawerman's end through a weak password. Brawerman confirmed that his password included a part of his name and a number of digits - something a computer program likely could have cracked. Strong passwords will include upper and lower case letters, symbols and numbers that are chosen randomly.

The two security experts also agreed that Brawerman's personal data probably wasn't compromised. But there's also no way to know that for sure. So both felt Brawerman was wise to safeguard his accounts and passwords.

But both men said Comcast could and should have done more.

"This can happen to anybody," said Nick Newman, computer crimes specialist at the National White Collar Crimes Center. "It should not have taken them that long."

Avi Rubin, Johns Hopkins computer science professor and founder of a computer security firm, said, "I know firsthand of several instances of people having their e-mail hijacked by spammers. It can't be that uncommon. ... Why Comcast customer service couldn't give him back his account quickly is perplexing to me, too. They should have a mechanism to deal with emergencies. It should be instantaneous."

Since Comcast won't discuss what protocol it has in place to deal with security issues, it's hard to know if Comcast didn't have the technical know-how to deal with e-mail hijacking or if its employees dropped the ball. I'd like to believe the latter; the other scenario would not be too reassuring to its customers.

Metrick assured me that "Comcast takes its responsibility to provide a safe and secure online experience very seriously," adding that it has a "comprehensive, multilayered approach."

Brawerman must have slipped through a lot of layers.

He acknowledges that the breach probably occurred on his end. But if someone at Comcast had taken the time to explain to him what they eventually told me, he would have felt that the company cared. Even if they didn't know what was going on, they should have called him and kept him in the loop.

Brawerman said Comcast offered him six months of free cable, but he declined. He wants a written apology and possibly money for what he spent for credit-monitoring services. In the meantime, Brawerman said he will never ever keep personal data in his e-mail account again. "I learned that the hard way," he said.

dan.thanh.dang@baltsun.com

ONLINE

Find Dan Thanh Dang's column archive at baltimoresun.com/consuming

Baltimore Sun Articles
|
|
|
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.