Account Security and Online Safety Essentials
- What security measures are in place to protect my account?
- How do I change my password?
- How do I change my security question?
- How do I edit my security email address?
- What is phishing?
- How do I know I'm really on oDesk?
- How do I know it's safe to enter my password or answer my security question?
- What do I do if I've received a phishing attempt?
- Where can I learn more about protecting myself online?
Here at oDesk, your security is our top priority, but we can't do it alone. To maintain the security of your account, you must not allow others to log into your account. Most importantly, never share your password or security question and answer with anyone.
oDesk staff will never ask for your password, but they may ask you to answer your security question.
Besides these basic security precautions on your part, we have instated several security measures at the system level.
- You must log into the website with your user ID and password to access your personal information. Your user ID and password are also used to log into the oDesk Team application (team room access required).
- Security Question
- The security question is the first line of defense in case a user's password is stolen. This additional level of security was added to prevent fraud and unauthorized access to financial information. When you answer your security question, you are performing device authorization.
- Security Email Address
- A secondary security email address can be added to your account. This precaution will quickly alert you in case your account has been compromised. We recommend you use an email address that will be sent to your mobile phone. The following actions trigger a notification to the security email:
- Device Authorization
- Device authorization begins when you answer your security question and expires at the end of each browser session unless the you check the Remember this computer box.
- Secure Session
- A secure session requires device authorization and lasts for 30 minutes after entering your password or performing a sensitive operation.
- Sensitive Operation
Sensitive operations are actions that can only be performed in a secure session. Listed below:
- Withdrawing funds
- Issuing a bonus payment
- Issuing a fixed price payment
- Adding or editing payment methods
- Adding or editing withdrawal methods
- Hiring a contractor
- Ending a contract
- Accessing the Team Admin page
- Changing your personal email address (must have email access to receive verification link)
- Changing your security email address (must have email access to receive verification code)
- Changing your security question (must answer security question every time)
- Changing your password (must enter current password every time)
- Resetting your password (must answer security question every time and have email access to receive reset link)
You may update your password anytime in Profile & Settings > Change Password. (Learn more about passwords.)
Do not share your password with anyone and never allow others to log in using your oDesk user ID and password.
You may update your password anytime in Profile & Settings > Change Security Question. (Learn more about security questions.)
Do not share your security question and answer with anyone and never allow others to log in using your oDesk user ID and password.
You may update your personal and security email addresses anytime in Profile & Settings > User Info. (Learn more about user info.)
Because time is critical in cases of suspicious account activity, oDesk recommends that you set your security email to an address forwarded to your mobile phone.
According to Wikipedia, "phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication."
The most common type of phishing scam starts with a criminal sending you an email supposedly from site staff. This email will ask you to reply with security information (such as your password or secret question) or send you to a fake web link. The linked page may look like oDesk, but it was created by the phisher to capture you security information. In some cases, the email or the linked website may install a malicious piece of software on your computer or infect your system with a virus.
For your own protection, never give out your security information, and only log in if you're sure you're really on oDesk. For maximum security, always log on by visiting our site directly (manually typing https://www.odesk.com/login.php into your browser's address bar).
Please note that phishing scams aren't always in emails, so be careful of links and requests for security information no matter where you see them: text message, chat, email, on job boards, etc. If you receive a phishing attempt, it is important to let us know.
Look at the URL (site address) carefully. They key is the ".odesk.com/" - but it's OK if there is additional page information before or after the ".odesk.com/". A real oDesk URL must always have:
- a "." before and after the "odesk"
- nothing between the ".odesk" and the ".com/"
- nothing between the ".com" and the "/"
|Illegitimate oDesk addresses:||Why it's wrong||Real oDesk addresses|
no "." before the "odesk"
misspelled, no "." before the "odesk"
word between "odesk" and ".com/"
extra stuff between ".com" and "/"
URLs that begin with https:// are secure pages - that means they're protected using SSL (learn more from Wikipedia and SSL.com). All pages on oDesk asking for your password, secret question, or financial information are secure. Modern browsers let you know the page you're on is secure by displaying a small lock icon in your browser window. In Internet Explorer 7 and Firefox 3, the lock is located in the bottom right of the window. In Safari, the lock is located in the top right of the window. oDesk.com will always have a valid SSL certificate and will only ask for sensitive data on SSL-secured URLs.
Only enter your password or secret question on a page if:
- the URL (website address) starts with https://www.odesk.com/"
- your browser displays the lock symbol
- double-clicking the lock confirms that the certificate is valid
Before you enter your password or answer your security question, always check the URL and look for the lock.
If you've received a phishing attempt, please contact Customer Support to report it. oDesk will investigate and take action against the phishers whenever possible.
If your account has been compromised, by a phishing attack or otherwise, please email firstname.lastname@example.org right away. Be sure to include your name, user ID and an explanation of what you think has happened. If at all possible, immediately change your password and security question. Your account may be temporarily suspended to protect you from fraudulent activity.
US SEC and Microsoft provide some great tips on how to protect yourself. Click here to learn how Mozilla's Firefox browser can help prevent you from accidentally visiting malicious sites.