A Precautionary Tale (of sorts)
Got a confirmation email from Amazon for the order of this Nikon lens. The person who placed it used their name for the billing and shipping addresses, and used my gift card balance.
Thankfully, I noticed the email in time, so I was able to cancel the order and change my password.
You never think these things can happen to you…
Until they do.
I was going to keep this in the unofficial goat blame thread for @dashcloud, but decided to expand on my original post.
For a while, I’ve been thinking about using a service like Enpass for passwords. I currently have 2 different apps on my phone: Enpass, and a similar app called SafeInCloud.
They both have local encryption, so I’m not too concerned with that.
The reason why I have 2 apps (neither of which I use yet) is that while I have a lifetime license for Enpass, SafeInCloud has an Android Wear extension, which Enpass hadn’t implemented yet.
(I have the premium version of SafeInCloud.)
Anyone have any recommendations for a good password generator/saver app?
(I use Android in case that hasn’t been made obvious in the past. And for those who think that just because I use Android Wear that OBVIOUSLY I use Android - Android Wear works with iOS also.)
Eww Nikon. Canon 4 lyfe!
I use LastPass paired with Authy for 2FA, very big fan of both. Free and encrypted locally, then stored to the cloud. Has Android, iOS, Chrome, Firefox, IE and probably many other plugins and/or apps.
@jbartus
Maybe I’ll call the person up and tell them that if they try again, then they should place an order for Canon
@FroodyFrog nah they’re scum, let em stew.
@jbartus
@carl669 true story.
Much as I give Nikon crap at least they’re not Sony… and those people who think they’re great photographers with their smart phones and Instagram filters…Oh boy
1Password, KeePass, LastPass are all fine choices.
@dashcloud
I think I’ll keep LastPass.
Now I just have to work on improving my security score.
@FroodyFrog password security begins and nearly ends with overall length. Yes, avoid putting personal references in, but even something as simple as writing witty little sentences you can remember as your passwords can be very secure. My shortest passwords (barring restrictions (don’t get me started)) begin at 20 characters and go up from there. The only thing keeping me out of the 0th percentile on LastPass is a couple of clients’ passwords I need to keep handy that they aren’t very secure about.
Oh… and naturally use different passwords for everything. That’s what a password bank is for!
@jbartus
Feel free to explain the restrictions.
I’m using 15 character generated passwords from LastPass.
My current percentage is horrendous, although depending on how fast I work on it, I can raise it up significantly.
@FroodyFrog some sites have dumb restrictions like only allowing 8-16 character passwords thus setting a maximum upper level on the security of accounts on their site.
You can alter the settings for the generator to include more character types (yes please) and length. Me, I don’t use the generator because I like my passwords to be something I could remember in a pinch.
Some leading researchers literally recommend doing short memorable sentences. For example, for Netflix a person might use a password like “I’ll-Fetch-The-Popcorn!” If you are going to do sentences, do be sure to try to use uncommon words whenever possible.
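The posts above argue that length matters more than character mix, that site length caps bound the best an account can get, and that a random multi-word sentence can be as strong as a generated string. The following Python is an added example, not code from the thread or from LastPass, that puts numbers on those claims: it computes entropy for a generator configuration (length times log2 of the alphabet size), for a site length cap, and for a passphrase whose words are drawn uniformly from a word list, and it generates both kinds of secret with the `secrets` CSPRNG. It assumes the 32-symbol class is Python’s `string.punctuation` (so all four classes give the 94 printable ASCII characters), uses the real Diceware list size of 7776 for the passphrase figure, and ships with a small constructed word list for the demo.

```python
import math
import secrets
import string

# Character classes a password generator can draw from. The symbol class is
# Python's string.punctuation (32 chars), so all four classes together give
# the 94 printable ASCII characters. (Assumption for this example.)
CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
ALL_CLASSES = tuple(CHARACTER_CLASSES)

# Constructed stand-in word list for the demo; a real Diceware list has 7776 words.
SAMPLE_WORDLIST = ["popcorn", "fetch", "lantern", "quartz", "meadow", "violin",
                   "saddle", "glacier", "pepper", "anvil", "tulip", "marble"]
DICEWARE_SIZE = 7776


def alphabet_for(classes):
    """Join the chosen character classes into one alphabet (classes are disjoint)."""
    return "".join(CHARACTER_CLASSES[c] for c in classes)


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols chosen uniformly from `alphabet_size` symbols.

    Every extra symbol adds log2(alphabet_size) bits, which is why adding
    length beats adding a few more character types.
    """
    return length * math.log2(alphabet_size)


def generated_password_bits(length, classes=ALL_CLASSES):
    return entropy_bits(len(alphabet_for(classes)), length)


def passphrase_bits(word_count, wordlist_size=DICEWARE_SIZE):
    """Entropy of a passphrase whose words are picked uniformly from a list.

    Only the word choice counts; the letters inside a word add nothing once
    the attacker knows the list.
    """
    return entropy_bits(wordlist_size, word_count)


def site_cap_bits(max_length, classes=ALL_CLASSES):
    """The best any account can get when a site caps password length."""
    return generated_password_bits(max_length, classes)


def generate_password(length, classes=ALL_CLASSES):
    """Uniform random password that contains at least one char from every class.

    secrets.choice is a CSPRNG; random.choice must not be used for secrets.
    Rejection sampling keeps the result uniform over all accepted strings.
    """
    if length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = alphabet_for(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CHARACTER_CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def generate_passphrase(word_count, wordlist=SAMPLE_WORDLIST, separator="-"):
    """Random passphrase; strength comes from the list size, not the separator."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def compare_policies():
    """(label, bits) for the settings discussed in the thread."""
    return [
        ("15 chars, all classes (generator default)", generated_password_bits(15)),
        ("20 chars, lowercase only", generated_password_bits(20, ("lower",))),
        ("20 chars, all classes", generated_password_bits(20)),
        ("6 Diceware words", passphrase_bits(6)),
        ("site capped at 16 chars, all classes", site_cap_bits(16)),
        ("site capped at 8 chars, all classes", site_cap_bits(8)),
    ]


if __name__ == "__main__":
    for label, bits in compare_policies():
        print(f"{label:45s} {bits:6.1f} bits")
    print("example password:  ", generate_password(20))
    print("example passphrase:", generate_passphrase(6))
```

Running it shows a 20-character lowercase-only password (about 94 bits) landing within a few bits of a 15-character all-class one (about 98 bits), a six-word Diceware phrase at about 78 bits, and a site that caps passwords at 8 characters holding every account there to about 52 bits no matter what the user does.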
@jbartus Isn’t there any concern about the possibility of ‘robbing the (password) bank’? I’ve avoided that service so far…
@compunaut @jbartus
Yes, these apps have had issues with accounts being hacked.
However:
Unless you memorize all your passwords or have notebooks filled with passwords (I know someone who said she had numerous notebooks filled with passwords which she used over time), they’re stored somewhere (unless you have local encryption).
Double factor authentication helps. Funny enough, Google introduced a new double factor authentication this week which sends a verification screen to your phone so that you could just press yes or no.
@compunaut if you’re concerned about such things unplug your computer and walk away from the internet. No seriously.
Could they get hacked? Maybe. Could your password list be retrieved illicitly? Perhaps. But here’s the thing, they’re all encrypted on top of everything before they even reach LastPass’ servers, so someone would have to do a whole heck of a lot of work to get at even just one of the passwords. By the time they got into one, LastPass would more than likely have alerted users to the incursion and given you notice to change your passwords, problem resolved without incident.
You’re more likely to pick a dumb master password and have someone gain access that way than to be exposed in that manner. And like @FroodyFrog said, 2FA is your friend.
If a breach were to occur with LastPass it would more than likely be of the variety that befell Teamviewer recently. Someone else’s large-scale data breach would expose non-secure password usage and result in illicit non-brute-force access to the vault.
@jbartus
@carl669 exactly!
Or in my recently developed German skills:
Ja, genau!
@carl669 I saw this before, so I use correcthorsebatterystaple for all my passwords - they said it was secure, right?
@compunaut even LastPass support can’t help you if you lose your password, since it’s all encrypted on your side. On top of that, use two factor authentication and you’re pretty secure.
To get at my stuff someone would have to guess my strong password, generated with the scheme @carl699 provided above, then they would have to have my phone to complete the two factor authentication. The phone also is encrypted and has a hard password on it.
I once changed my LastPass master password and then could not get back in, I was freakin’…
Turns out, I accidentally hit CAPS LOCK when creating the new password, so every time I typed it the upper/lower case was exactly wrong. That took about a half hour to figure out.
@Yoda_Daenerys exactly.
I use LastPass Premium, $12/yr, have for several years now
@Yoda_Daenerys
I looked at my account, and I noticed that I have 2 months of premium service. Can’t remember how I got it. But I’m not complaining.
@Yoda_Daenerys Same. Love LastPass. I literally do not know any of my passwords anymore, so if they go belly up I’m screwed. But it does app fill on Android and I’m really happy with the service and security of the thing.
@ACraigL @Yoda_Daenerys
App fill on Android affects device encryption though, so…
@FroodyFrog It’s optional.
@ACraigL
Weird, no notification for this message.
I know it’s optional, which is why I’m trying it out. I’ll probably keep it disabled just because even though my phone is encrypted, having an extra password screen on bootup just feels right for an encrypted device.
My walmart gift card balance got hacked once. Someone tried to order a pre-paid cell phone card. Luckily, I saw the email and canceled the order then changed my password. Now I try to use my “savings catcher” dollars as soon as I earn them.
@medz I cancelled my savings catcher account. I tried to redeem about $50 and someone else used it. I changed passwords and called customer service. They did an investigation, notified me that I was correct, my account was hacked. Duh. Said they would reinstate the money to my account in 7 to 10 days. OK, whatever. When I called again, I was told that it was reinstated and I used it. Ummm, no. They reused the same gift card number and did not send me notification. I quit using the program. Idiots drive me nuts.
Three other times someone placed an order and I got the notice to pick it up in another state. The notice included the other person’s information. I am not fond of the security there.
OK, so any speculation on how this actually happens? Did somebody hack Amazon, the Frog/Smaug, or some other method? How do crooks break through firewalls?
@compunaut Usually brute force. Sometimes they just hit on the random letter sequences. I’m hoping it’s not social engineering – I’d pray that Amazon support is well-versed there.
@ACraigL @compunaut
If someone does access my stuff, I like to know how.
Is there any easy way to find out how this was done?
@FroodyFrog Probably the only realistic way is to check all of your email addresses in http://haveibeenpwned.com/.
It’s a wonderful service by Troy Hunt which catalogs nearly every known breach and lets you search for your email address to see if it’s been present in any breaches, past or present.
As to how this would let you know, if your email address & password was in a breach, it’s possible password reuse was a factor.
@dashcloud
A few years ago, I noticed that an email address I deleted came back with an alert.
Other than that, none of my other email addresses have ever shown any notifications.
And yes, I just looked again.
@dashcloud thank you for the above link. I forgot about LinkedIn’s hack. I am certain I used different passwords between LinkedIn and my email account, though I have a bunch of randomly generated passwords that I use. I will have to change out the LinkedIn one.
Just spoke to Amazon.
They’re submitting a form for the account specialists to get them to look at my account, and if the purchaser has an account.
In the meantime, my account will have a temporary safe, while they investigate and sanitize.
Didn’t ask what kind of sanitizer though.
I use assorted words of profanity and/or obscenity in four languages, plus some numbers and characters, and change them frequently. Livens things up a little.
@OldCatLady hang on, and you remember them? or you use one of the tools listed here?
@Yoda_Daenerys I use some of the tools, now. If I’m entering a temporary password, I usually default to Italian vulgarisms and change them ASAP. German is good for memorable temporary words too.
LastPass paid, plus all the other tricks mentioned above. Each is unique, except for a few I haven’t gotten to yet. Every couple of years I up the complexity.
Sites that don’t allow full character sets really annoy me.
Just heard back from Amazon.
Long story short, they weren’t of any use in helping me with stuff which I didn’t already know.
The person used their name and billing and shipping addresses? Can’t you go to the police? I know we’re talking about a gift card balance, but it’s still theft. And hacking. And probably other things.
@pitamuffin
I could open a complaint with the IC3, but then in the event that they send the complaint to the appropriate department, and a claim is opened, then it’ll involve some time being spent, and I don’t have a copy of the invoice, only the order confirmation email.