Hacked, With No One To Call

Two weeks ago, my personal e-mail was hacked on a Sunday morning. For several days I experienced the reality of what it could be like if I were a small business trying to deal with a cloud supplier with whom I have very little clout. My e-mail was with AOL's AIM division -- bad idea, and I'll explain why.

It all started when I got a call from a neighbor who had just received an e-mail from me that I had been mugged in London at both knifepoint and gunpoint and needed $1,950 to get out of the jam. First off, if I were going to mug someone, I'd choose either a gun or a knife. Seems to me you need one hand free to grab the cash, but what do I know?

A few minutes later, I got a call from a California-based business contact asking if I was alright. Within a few minutes, I realized that the scammer had used my e-mail to hack into my LinkedIn and Facebook accounts, which had the same passwords -- yes I know that was stupid. Before long, thousands of personal and business contacts were getting e-mails asking for cash. The scammer was using several free e-mail providers to set up accounts in my name and use my contact list to try to scam them.

By the way, as far as I know no one took the bait. I don't know what this says about me, but it's probably a sign that I need to invest in a good money belt next time I travel rather than depend on you know who to bail me out.

In any case, the interesting thing here was that there was no one I could call to stop this. It took me two days to regain control of my e-mail. I called AOL and repeatedly got a "sorry, we can't help" reply. I finally made my way to the fraud division of AOL and talked live to a fraud investigator who gave me an e-mail address to report this to at AOL. If you can believe it, the e-mail address was no longer in use. Facebook and LinkedIn were no better, and also don't provide any support numbers. I sent both of them e-mails that my accounts had been hacked and got no meaningful response.

Now granted, I wasn't running business applications here and I don't pay for any of these services so to some degree you might ask, what should I expect? At the very least, when someone has a system that has access to personal information and it's been compromised there needs to be some ability to get to someone that can do something.

So what's the lesson here? As we move more toward computing as a utility, the channel is going to take on a role similar to that of the independent insurance agent who, because he writes millions of dollars in policies for the companies he represents, has leverage and the customer has someone to call.

It's a role solution providers have always played and to me it's a pitch that needs to be refined, especially when selling to small business. As for me, I've now got more passwords than I can remember and no two are the same. Given that the fraud protection group at AOL can't even get an e-mail address correct, I'm winding down that account in favor of one for which I pay my Internet service provider. As for Facebook and LinkedIn, I've regained control of my accounts, and because of their monopoly status, I have no choice but to stick with them -- for now.