Fraud
Well. My morning is going great. Today is supposed to be my day off and I had someone get into my Sam’s account and order an $1100 Apple watch. The weird thing was, they were shipping it to my address.
Credit card cancelled.
Sam’s order cancelled and password changed.
Now I’ve gotten emails from 3 weird places saying I signed up for an account. Don’t know how to deal with that.
Fuck this shit.
- 31 comments, 162 replies
@carl669
That is horrible, I’m sorry you’re having to deal with this. Hopefully the banks can stay on top of it for you and be preventive the remainder of the day.
@riskybryzness thank you.
That SUX!! Was that a CC tied to your Sam’s account? You are actually lucky you are off and have time to deal with it without it being an issue at work…
@chienfou yep. Tied to my account for auto renewal.
@RiotDemon that’s a bitch. I guess someone skimmed your info. Do you use that card anywhere else? I tend to use mine at gas stations due to the 5% back but that is a GREAT place for a skimmer…
@chienfou my brother had his card skimmed at gas stations 3 or 4 times. This is why he has two different cards for that account. One to buy gas, the other for everything else.
I had gotten a notification that my email was found on the dark web about a year ago. I think I must have had the same password and that was how they got into my account.
@chienfou @RiotDemon I stopped using a CC at the gas station a couple of years ago and started using a debit card with an encrypted PIN. (I don’t need to enter the actual PIN because the card sends it automatically. Someone with the card # but not the physical card would have to enter the unencrypted PIN.) I hate losing the cashback, but it’s usually too hard for skimmers to break the PIN encryption, so they just ignore those and use the CC info they steal.
@RiotDemon Read my post below - same thing happened to me. Laptop ordered by someone else and shipped to my home address from Sam’s. Although the laptop ordered was only $450.
Go figure. I got an email from my credit card about how to prevent fraud. Apparently they do fake card numbers now for online payments so you don’t have to go through this crap where you have to cancel every single account you have.
@RiotDemon I highly recommend freezing your credit for the time being. No one will be able to open anything new that requires a credit check.
https://www.creditkarma.com/id-theft/i/how-to-freeze-credit/
@RiotDemon I strongly second that. Was in your situation about 8 years ago.
@RiotDemon Temporary card numbers are a great feature, I wish my bank offered them. My sympathies, it’s a real pain to deal with that stuff.
@blaineg @RiotDemon I started using the privacy app recently and so far, so good. They give you throwaway card numbers for one time use, or you can reuse them for specific merchants. I think it’ll work well for pinpointing where the problem is originating. Obviously only works for online stuff. But I use it for wish, dhgate, etc just for peace of mind.
@RiotDemon
so sorry you have to go through this. i had someone open credit cards in my name a few years ago (on my birthday no less).
just in case, pull your credit report and see if any cards were opened in your name. if there were, start making calls to the listed banks and talk to their fraud dept.
hopefully, this was a one-off incident where they gained access to one account and now that you’ve cancelled your card and changed passwords, there won’t be further issues.
@carl669 I really hope so!
Fuck these people.
Thanks for the advice.
@carl669
Ugh. That’s the worst. Cancelling cards, chasing accounts, and dealing with the cleanup is a pain. Sorry Riot.
I have my credit frozen. I have enough credit cards/accounts now without opening new ones.
My Mom one time had an unused Discover card used for plane tickets overseas. It isn’t always “us” that cause the breaches.
@therealjrn That’s probably what I should do. I have enough cards, accts. They look at me cross-eyed when I make a purchase in a store and ask if I want to save 20% by opening a cc and I say No. My credit is about perfect and I want to keep it that way.
How does one go about doing that?
PS. I found Discover to be one of the best ones really at quickly noticing and stopping fraudulent charges on a card.
@lseeber Here’s a good guide from Consumerist Clark Howard https://clark.com/credit/credit-freeze-and-thaw-guide/
@therealjrn Thanks!
@lseeber @therealjrn When I moved into this house I bought a washer and dryer and stove and refrigerator, and I saved a crapload of money by getting their credit card and the discount.
Then I paid it off and cancelled the card.
@craigthom @therealjrn I’ve done the same. But my credit was 840 and I made a big purchase at a store, got the 20% off and my credit dropped to below 800. Which is still good, but not if I do that too many more times. I’d rather keep the high credit rating. I might move again in a few yrs.
Makes you wonder how they were going to get the watch. Like were they going to watch for a package delivery and steal it off your stoop? That’s just a little creepy. Good thing you caught it. And like @chienfou said, unlike them cordless vacuums, that sucks!
@ybmuG They were probably not interested in the watch at all. They simply ordered something expensive to see whether the CC and personal info were valid and that the CC company would accept a charge that large without a blink. If all goes well (for them) then they know they have found “good” info that can be used to open new accounts. They are hoping the CC owner is one of those people who never checks his/her account until the bill comes due.
I’ve had this happen twice in the last few years, but I check my account literally every day looking for new charges. Both times I caught an attempted charge before it even went through, and called my bank. Canceling a CC and getting a new one is always a pain in the arse, but it’s a lot easier if caught early.
@rockblossom Yeah, I thought of that but figured they wouldn’t have started with such a big purchase, but your explanation makes sense. The criminals are getting better, meaning everyone else has to be more vigilant.
@ybmuG I got hit by incompetent thieves some years ago. They ordered a bunch of low-medium dollar items on a stolen card number, and they all got delivered to my house.
What they ordered was really bizarre, everything from children’s books to porn DVDs.
One really annoying thing about the stolen card was the bank knew where it had been breached, but refused to tell me.
@rockblossom @ybmuG That’s exactly what they were doing. That’s why when it happened to me, it got canceled. The name they used was something like ;miowgphoihv oahoghaeo. So the company canceled the order they had placed. They just use it to mine the internet for more places where it will work.
@lseeber @rockblossom Dang. And now we have RFID skimmers to worry about and I just heard that facial recognition is the latest in convenience payment methods to be developed. Yeah, no worries there…
@rockblossom @ybmuG It’s a brave, new world!
@lseeber @ybmuG
https://www.lifewire.com/how-to-avoid-credit-card-skimmers-2487770
Skimmers were found in my area, one being on a pump where I usually get gas. Look out for signs of tampering, but some are really hard to spot. A couple of months ago a customer parked her car near the pumps to check them before pulling into one to get gas. While she was checking the pumps, someone stole her car.
If you have a card that will register without physical contact with the reader, it can also be skimmed in your pocket if someone can get a hand-held skimmer close enough to you in a crowd. You can use RFID-blocking wallets, but a simple solution is to just create a sleeve for the card with aluminum foil. Tinfoil hats for credit cards.
@lseeber @rockblossom Makes you want to go back to cash
@rockblossom @ybmuG I have an RFID blocking card that stays in my wallet.
@blaineg @ybmuG That sucks that they wouldn’t tell you where it was breached. Why not? You would think they’d help you to avoid it in the future.
@blaineg @lseeber @ybmuG sometimes they don’t know if your card was breached or how. So they are replacing all of them in a certain range of card numbers to be safe. That’s why they don’t tell you — they can’t.
@blaineg @mike808 @ybmuG
Sorry… don’t know how to do that gray text quotey thingy… But… @blaineg said they did know the card was breached and where but wouldn’t tell him. Am I misunderstanding something?
One really annoying thing about the stolen card was the bank knew where it had been breached, but refused to tell me.
blaineg said Wednesday at 7:33 AM
@lseeber if you put a > before the text you want in the grey box it will work
@blaineg @lseeber @mike808 @ybmuG
Yes. You’re misunderstanding that @mike808 chimes in regardless of what was posted before, and is frequently wrong and/or overly broad.
@lseeber @mike808 @ybmuG
Correct. That was what was so annoying about it.
Trying to read between the lines, I believe it was a local business, not online. So they probably found it by a pattern of usage, or a bunch of cards compromised at a single business.
Greed and/or stupidity is often what trips up crooks.
@lseeber @rockblossom @ybmuG
That pretty much requires leaving the keys in the car, doesn’t it?
I’m not saying anyone deserves to have their car stolen, but why make it so easy?
A neighbor was telling me a couple of weeks ago he had a car stolen while it was parked at a business. Before I could ask how they did it, he said “I guess I shouldn’t have left the keys in the ignition.”
He got a lucky break though. Either the thief had an attack of conscience, or was done with the car, as the cops found it a few days later, parked in the same place it had been stolen from.
@blaineg
Exactly. People can be obsessive about security in some instances while being completely dumb about it in other ways.
@blaineg
I just found out that my Lexus NX can be stolen without the key. The dealer told me you can start the car by having the key fob in your pocket as usual. Then you can leave to go inside your house to go grab something real quick and take the key fob with you. Anyone can jump in your car and drive off with it at that point. The key fob does not need to be in the car to drive away as long as it’s already running.
They said that’s a very common misunderstanding that people think you need the key to drive the car.
@tinamarie1974 Thanks! (need one after the text too?)
@therealjrn
bahhhhahaha! I was taking a sip of coffee when I saw this! Guess where it went?! hahaha.
@blaineg There was an episode on The Middle like that. Had the cops out looking for her stolen car. Turned out, it never left the parking spot where she left it. She just hadn’t been able to park in her regular spot that time, lol.
@blaineg @rockblossom
Kind of like, if you go in my sister’s house, every light will be on. TV’s will be on in the LR, bdrm downstairs and bdrm upstairs. Lights, fans and air going in the big game room over the garage and nobody home. But she WILL NOT run the dishwasher until she has crammed the very last fork she can into it.
@cengland0
What a spectacularly stupid design.
Uh, where did you say you parked?
@blaineg
But I don’t believe it’s isolated to just my make and model. Once the car has been started, there’s no need to have the key fob with you to drive away. What car out there requires it? What if the battery dies on you in the middle of a trip?
I park my car in my garage. Sorry.
@blaineg @cengland0 Our car has a key fob but if we get a certain amount of distance away from the car, with the fob, it turns off. Which is a good thing because the engine rarely makes any noise. If it didn’t turn off, no telling how often I’d get out and go in the store with it running.
@cengland0 I had a friend tell me once that a guy came to his gas station in a Corvette he had just picked up in Dallas. When he stopped to get gas he couldn’t start the car and a salesman had to drive the key over (3 hours) to him.
He told it as fact but I didn’t really believe it, because while I’ve seen keyless cars drive without the fob, every one I’ve been in pitches a fit when the key is not detected while the car is running. It would be hard not to know.
Now stealing it, on the other hand, yep. You can certainly ignore all the chiming and warnings on the dash when you’re making your getaway.
@mehbee
Mine is a hybrid so it’s very silent. One day, I left the vehicle to enter the gym. For some reason the car wouldn’t lock (by touching a small indent on the door handle) and kept beeping every time I attempted. I force-locked it with the key fob.
About 4 hours later, I get out of the gym and ready to go home. When I pressed the “Engine Start” button, the car shut off instead of on. I left the car running for 4 hours while I was in the gym and didn’t know it.
I now know to not ignore the door lock beeping if it should happen again. The car also beeps if you open the door while it’s running but I didn’t notice that either. Must have had a lot of stuff on my mind that day.
@cengland0 @mehbee That makes far more sense. Turning off the engine and/or locking the doors when the remote goes out of range seems like a much better real world approach.
@blaineg
I don’t agree that turning off the engine for that situation is a good idea. You say “out of range” but it could be considered “out of range” if the battery is dead. Imagine going on a family trip and you’re travelling on the highway on a bridge with no shoulder when the engine just suddenly stops because the key fob battery died and the key fob stopped transmitting. That could cause a major accident.
If the battery of my key fob dies, I can still start the car using a battery-less method. Hold the key fob near the start button and the car will send out a wireless signal strong enough to power the key fob (but only at extreme close range) so it can send the appropriate signal to the car so it can start. If you cut the engine if the key fob is not detected, you would leave many motorists stranded.
@cengland0 That would be another horrible design. There’s a simple enough workaround, ignore the remote when in gear.
Anyways, that’s all details, I think what I’m really saying is this keyless stuff seems vastly inferior to a key in every way.
@blaineg @cengland0 Leaving the car running when the fob is removed is good for when the driver runs into a store leaving passengers (pets or people) with the heat/AC on. Our car chimes a few times to let you know. Some cars chime non-stop until the fob returns.
@blaineg @callow @cengland0 I think the best way around all of this is for me to not be a flake and make sure my car is turned off when I exit!
@callow Yes, and I know mine chimes. Not sure if it’s forever but definitely while the door is open. I know not to ignore that in the future.
Sometimes, when I get home, I simultaneously open the door and turn off the car. Never know if the car thinks I opened the door first or turned it off first.
It doesn’t appear smart enough to stop beeping once the car has been turned off if the door was opened first. Also, if I want to open my hatch with the button on the door rest, it won’t open unless I press the unlock button first. If I make sure to turn off the car first, then open the door, the beeping stops and I can open the hatch without unlocking it first. Weird.
@cengland0 haha. My husband said who TF goes to the gym for four freaking hours??
@ivannabc It’s racquetball 5 days a week for 4 hours a day.
There are times when you lose a game (or win too many in a row) that you’ll sit out for 15 to 20 minutes so others can share the court. It’s not 4 hours of cardio straight without any breaks.
Lesson I learned from reading what all you guys wrote is stick with an old fashioned key.
Change your email password. Especially if it was the same one used for Sam’s account.
@medz It’s been well addressed below, but if anyone is still reusing passwords, do yourself a big favor and stop doing that!
It was that fuckin’ goat again. I know it…
I had a similar thing happen a few years ago (right before Christmas - yay!)
I have frozen my accounts at all four credit agencies and put a watch at ChexSystems to prevent bank accounts being opened in my name.
I also froze online access to social security so no one could create a fake account.
I got most of my info from Brian Krebs although this article is newer and might have more up-to-date information. Krebs on Security
It is a little bit of a pain if you are trying to buy a house or something but, on the other hand, whenever I get offered a “great 10% off my purchase credit card” at the register, I explain I can’t because all my credit is frozen.
Could this have been caused from the Equifax breach?
@cengland0 I can’t wait for my $125 from the Equifax settlement to be reduced to the price of a cup of coffee. They only had $33 million in that specific fund, with “millions” of people applying for damages, with the amount received being tied to the fund. They lost the social security numbers and much more personal identification data for over 100 million Americans, and expected less than 200k to apply for damages (instead of credit monitoring, which does jack shit).
tl;dr - freeze your credit if you haven’t already, equifax got away with murder
@jmoor783 Agreed that settlement is a joke. The worst part about settlements like these is that the lawyers get their money first which is millions and the people affected get pennies. Experts on this Equifax breach are recommending people get the free credit monitoring as that would be a better value than to get less than $1 settlement.
As for me, I subscribe to an independent credit monitoring and identity theft service. I can login daily if I want but they will send me a monthly report too. Here’s an example of the report:
If my identity is stolen, they have a dedicated team of case workers to help me. It also comes with $25,000 worth of insurance for the $10/month premium or $1 million insurance for the $15/month premium.
I have a relationship with this company (I don’t work there) so I get my services for free. Not sure I’d pay that much per month if it wasn’t provided for free as I’m generally a cheapskate. The service also comes with free monthly credit reports with FICO scores.
@cengland0 If you can prove it, you can claim more than the $125 from them.
Mine was used at Barney’s in NY last month, on the day that I was due to travel with my kids!! Luckily, my daughter has one of our cards so we could pay for our hotel room – lady at the desk thought it was reealllyyy odd. Amex alerted me, but what was THE most puzzling, how did anyone find something at Barneys of NY for under $50???
(Making light, but what a pain it was!!)
@mikibell They filed for bankruptcy recently so perhaps that is part of why crap is cheap from them?
So sorry @RiotDemon.
Same thing happened to me with Amazon a few months ago. Someone ordered a $700 computer - shipped to my address. Amazon didn’t help much, I had to intercept and refuse the delivery.
I thought someone might be hanging around to grab the package, but local police were not interested in helping either.
I no longer keep my card stored on the Amazon site, I have to enter the number for any purchase, then go through the steps to remove it.
Sucks, but could have been worse.
Actually, on the brighter side, Prime cannot automatically renew. I let it lapse for a few months, qualified for a free month, waited another month, then renewed for another year. Saves $ and makes me feel better about that last price increase.
This is why password managers are important. Because every website can have a different password. Any breach affects only that website. If you have one habit for online personal security hygiene, make that one the one.
Lastpass, Bitwarden, Dashlane, 1Password, Firefox, Avast, are all fine. Pick what you like.
Create a separate security email account for security/recovery notices to go to for your password manager and your primary email account. Turn on 2-factor for your email accounts and bank accounts.
Don’t use the “security questions” as such - the answers should be secondary passphrases (track those in your password manager - not optimal, but there isn’t a better, easier solution yet). i.e. don’t answer “What is your mother’s maiden name?” with the real answer, since that is public record. Answer the question with something else - song lyrics, etc. that you’ll remember (and add to your password manager in the notes).
The bad guys use those to bypass password resets once they take over your email account and use it to take over more of your accounts.
@mike808 I really hate those “security questions” like mother’s maiden name. They sometimes ask questions like what is your favorite vacation spot. I never go on vacation and never travel. Impossible to answer those with real answers.
Questions one of my credit unions asks:
“What was the first foreign country you visited?” How many people even leave their home country?
“What was your High School mascot?” I think most people my age wouldn’t remember this. The only reason I remember is because it’s on my class ring that I still have in a drawer somewhere. I have no idea what my college mascot was though.
“What is the last name of your High School best friend?” I was so introverted that I didn’t have any friends in high school. I also went to two different high schools so which one should I pick?
“In which city did your oldest sibling get married?” What if I don’t have any siblings or none of them got married?
“In which city did your parents get married?” I have absolutely no clue but I can guess that it might be where I was born. Maybe I’m wrong but it’s the best answer I’ve got.
I do agree with your suggestion to put random words in those fields. Many of those questions can be acquired by public records or could be guessed by someone who knows you such as a girlfriend or brother or sister.
I use LastPass and it has a comment section where I can just type in my answers to those questions.
Personally, I think this is a way for a company to reset passwords without having to spend money on a group of people to answer the phone to reset those passwords for you.
@cengland0 @mike808 I have colorful/memorable (and completely false) answers to all of those security questions. I’m also a bit Old School in keeping passwords and security questions in a paper notebook, figuring that any online password program can be hacked by someone eventually. My notebook could be stolen, but someone would have to access it physically from my location. And it does not live near the computer, so they would also have to locate it in a house full of books and notebooks. And I don’t write passwords out in full in most cases - just making a notation that reminds me of how I selected that particular password. Nothing is totally secure, but if someone is going to steal my info, I want to make it as aggravating and irritating for them as possible.
@cengland0 @rockblossom
Unfortunately, you make it aggravating and irritating for yourself when you lose your phone or your laptop gets stolen and you need to login to all of your apps again. Or you’re away and need to create a new account. Or a relative needs to access your accounts if you’re in an accident.
Use a password manager.
@cengland0 You have it right. I do the same thing.
The questions do not require you to answer under oath or to be truthful. It’s just another place to have another, different password in case you lock yourself out or are logging in from a new place and they want to make sure you’re you.
I also avail myself of “backup codes” and save those elsewhere, offline. If someone takes over your account, changes your password and email, you can still recover control.
@cengland0 That password strength is looking a little weak…
@hanzov69 Even though it had asterisks there, I still blacked it out so you cannot tell how many digits it was.
@cengland0 oh, I was going off the bar that appears below the password- it goes red yellow green, based on strength.
@cengland0 @mike808 @rockblossom How do you know you can trust the manager? Especially if it is a phone app.
@cengland0 @mike808 @ponagathos @rockblossom You have to do a little digging. Check reviews, look for news of compromises, etc. On app stores, how many downloads does it have, millions or ten? What’s the company’s reputation, and/or other products?
Do they store the master key, or do you have sole control of it?
@cengland0 @mike808 @rockblossom This article is a few years old now, but still has a lot of good info, and making up lies to security questions is one thing that’s addressed.
https://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/
@cengland0 @mike808 @rockblossom Also, I’m not paranoid (right), but so many of those online “surveys” seem designed to phish security question answers.
@hanzov69
Good catch. I didn’t think about that. At least it’s not red.
I usually set my own password initially and when the company makes me change it, I’ll use the built-in password generator for subsequent passwords. Those are always better. Guess this particular site didn’t make me change it yet. At least they do use 2-factor authentication. I get a text with a code that I have to enter so a perpetrator would need to crack my password as well as have access to my phone.
@mike808 @ponagathos @rockblossom
I didn’t trust LastPass right away either. Didn’t want one company to have all the passwords to all my sites. But that changed when I saw an article that explained how it works. Apparently they are encrypted and decrypted locally and lastpass does not have the master key. So if they were ever hacked, the person gets garbage data they cannot use unless they have my key.
“Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.”
The fact that LastPass is not owned by Facebook is also a plus.
@rockblossom I’m like you. I don’t really trust the password managers. If everything else can be hacked… why not them. Or if employees are less than honorable, yada yada.
@cengland0 @mike808
What was your first car: chicken
What is your favorite food: red
What is your favorite color: ford
etc. Just note them all in your password manager.
@lseeber @rockblossom
The main thing to look for is: do they store your master password. If they do, they (potentially) have access.
You want one that says something like: “If you ever forget your master password, you’re royally screwed, and there’s nothing we can do to help you.”
A geek term for it is “zero knowledge”, but doing it is more important than buzzword compliance.
@lseeber @rockblossom Also, if you’re paranoid (that’s a good thing) and geeky, use KeePass. It uses a locally stored database, so there’s no cloud to trust.
If you do need sync ability, you can use a cloud service you do trust, maybe something like SpiderOak.
@lseeber CNet’s evaluation of password managers.
If I were younger and needed access to stuff from a phone, I would probably use one of the managers on their list that has dual authentication. Being old and retired, my “paper memory” system works just fine for me.
Problems I see:
I don’t trust user reviews of this kind of tech because the average user only knows how it looks on their end and how easy it is to use, but has little understanding of what goes on beyond their view. As long as they don’t have a stolen password, they are happy. Of course, people who use passwords like “password” or “4321” are also happy with their system until it fails.
Even a highly respected system can be sold to a company more interested in quick profit than long-term security. While having stuff “in the cloud” sounds all nice and fluffy, I know that databases run on actual servers on/under the ground, and most of them are in giant “server farms” where workers have physical access. They are only as secure as their employees are trustworthy. An uncomfortable percentage of those servers belong to Amazon, which is not exactly known for having happy employees.
@blaineg
Except my answer for “What was your first car” would be more like “Mumbo dog face banana patch”
@cengland0 @hanzov69 the strength of the password generators and 2-factor authentication is really important. I just hate that we have to be so sophisticated in order to have an online presence.
@blaineg @cengland0 So are these your security answers? Cool, I’ll be right back…
@lseeber @rockblossom If you don’t trust the password manager LastPass, you can build and host your own with Bitwarden. Or do more work by having no online capability built-in whatsoever with KeePass.
LastPass has a good balance of security and convenience. Is it perfect, no. Is it perfect for you, maybe not. There are other products out there. You can always code your own password manager if you don’t trust anyone else to write one exactly to your specifications (and give it away for free).
The point is to use a password manager, and to point out an example of how to use it, and what features are useful in the one they chose. If you prefer some other password manager, then that’s fine. The value I get from LastPass is not having to do a bunch of manual, highly technical maintenance for a “personal system”. I am a security professional and I know I will make a mistake in any manual procedure, so it is far, far better to use a quality tool to help me not make mistakes - using the same password on different accounts, using weak passwords, not changing them “because it is too hard/complicated to do it manually”, or any other excuses for failing to protect myself from those that would do harm.
Try Bitwarden if you don’t like LastPass. Try Dashlane or 1Password if you don’t like those. Try KeePass or another tool until you find one you like.
@mike808 I will never completely trust any of them because if someone cracks the password manager, they get ALL of my passwords. Since I never use a password in more than one place, at least if one is compromised it’s just the one.
@mike808
One of the nice things I like about LastPass is that it will not enter the password into a site that was spoofed. So if you made a typo in the URL and what appears to be your bank is asking you for your login credentials, LastPass will not autopopulate your username and password because the URL isn’t correct.
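The origin check described in the post above, as an added example (a hypothetical implementation, not LastPass’s code): a saved login is offered only when the page’s origin matches the saved entry, so a mistyped host, a look-alike domain or a plain-http copy of an https site gets nothing filled in. The function names, the tiny public-suffix list and the sample vault and URLs are constructed for the demo.

```javascript
// Constructed example of origin-based autofill matching (hypothetical API, not LastPass's code).
// A saved login is offered only when the current page's origin matches the saved one, so a
// mistyped host, a look-alike domain or an http copy of an https site gets nothing filled in.

// Tiny stand-in for the public suffix list; a real client ships the full Mozilla list.
const PUBLIC_SUFFIXES = ['com', 'net', 'org', 'co.uk'];

// "www.mybank.com" -> "mybank.com"; returns null for hosts under an unknown suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  for (const suffix of PUBLIC_SUFFIXES) {
    const n = suffix.split('.').length;
    if (labels.length > n && labels.slice(-n).join('.') === suffix) {
      return labels.slice(-(n + 1)).join('.');
    }
  }
  return null;
}

// May the entry saved for savedUrl be filled into the tab showing pageUrl?
function matchesForAutofill(savedUrl, pageUrl, { allowSubdomains = true } = {}) {
  let saved, page;
  try { saved = new URL(savedUrl); page = new URL(pageUrl); } catch (e) { return false; }
  if (page.protocol !== 'https:') return false;        // never fill into plain http
  if (saved.protocol !== page.protocol) return false;
  if (saved.port !== page.port) return false;           // "" means the default port
  if (saved.hostname === page.hostname) return true;   // exact host match
  if (!allowSubdomains) return false;
  // Same registrable domain (online.mybank.com vs www.mybank.com) is allowed; a host whose
  // registrable domain differs (www.mybank.com.evil.net) is not. Unicode look-alike hosts are
  // already punycoded by the URL parser, so they never compare equal to the ASCII original.
  const sd = registrableDomain(saved.hostname);
  return sd !== null && sd === registrableDomain(page.hostname);
}

// Usernames the manager would offer for pageUrl.
function findMatches(vault, pageUrl) {
  return vault.filter(e => matchesForAutofill(e.url, pageUrl)).map(e => e.username);
}

// Constructed vault entries and page URLs that exercise each rule.
const SAMPLE_VAULT = [
  { url: 'https://www.mybank.com/login', username: 'riot' },
  { url: 'https://shop.example.org/', username: 'riot@example.org' },
];

function demo() {
  const pages = {
    exact: 'https://www.mybank.com/login',
    subdomain: 'https://online.mybank.com/',
    typo: 'https://www.mybnak.com/login',
    lookAlikeSuffix: 'https://www.mybank.com.evil.net/login',
    homograph: 'https://www.myb\u0430nk.com/login',  // Cyrillic "a" in place of Latin "a"
    plainHttp: 'http://www.mybank.com/login',
    otherPort: 'https://www.mybank.com:8443/login',
  };
  const out = {};
  for (const [name, url] of Object.entries(pages)) out[name] = findMatches(SAMPLE_VAULT, url);
  return out;  // only "exact" and "subdomain" get ['riot']; every other case gets []
}
```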
@rockblossom Good for you to keep track of the 700+ accounts you have with your utilities, banks, work, and services you use. How about your spouse and kids? Do they also keep track of them too and whenever there is a breach you change that site’s password to something unique and random (because that’s what makes them so easy to remember)?
You can host KeePass on a VeraCrypt drive or your own Bitwarden service that you compiled yourself.
Sorry, I’m calling bullshit on your ability to do this 100’s of times and still have access to all of your accounts without any tools or password manager of any kind.
Get a password manager you like and use it. Spend the rest of your life doing something productive and interacting with others with the time you don’t have to spend worrying about and checking yourself or missing out on because you have a magical completely manual way to deal with the 100+ credentials most people have - from their bank, retirement, investment, and credit cards to their facebook, amazon, pinterest, instagram, uber, netflix, pharmacy, power & utilities, school/work, IRS, and Social Security accounts to their Meh account. And then there is all of those same accounts for the spouse and kids.
@mike808 I wish I knew half as much as you THINK you know. Of course, I’d then have a massive headache and wouldn’t be able to do a thing.
@mike808 Do whatever works for you. I’ll do what works for me.
@mike808 @rockblossom Like rockblossom, I’m older. I don’t access or do any of that stuff on my phone, only at home on my laptop so, under those conditions, what’s wrong with keeping track with a notebook and pen? That way also, it’s all down for my kids should something happen to me and they need to access my accounts.
I understand all of what you guys are saying (sorta, lol) but I guess I’m old school. I also don’t trust clouds. Where did all those naked celebrity pics get loosed from? Oh yeah, the cloud!
Even stuff that’s strongly encrypted…you know there are masses of techy, nerdy, geeks out there working feverishly to break each new security measure. It’s a matter of time.
I’m not even sure every time I add a new contact on my phone and it asks me if I want to save it to internal memory, cloud or storage device, which to choose. I’ve got 'em all mixed up now. Back in the 90s I kept up with all that stuff. Now, it might as well be written in Klingon as far as I’m concerned.
I do appreciate all of you taking the time and effort tho to explain to those of us that can’t seem to jump into that game!
PS… my spouse has passed. My kids are grown and gone with kids of their own.
@lseeber I have advised people to always select their own passwords and keep a copy (notebook or backup drive) even if they use a password manager that stores them locally rather than in the cloud. If you allow the manager to generate passwords that you don’t write down and can’t remember, then you are one stolen laptop/phone or dead hard drive away from being locked out of all of your accounts.
@cengland0 @ybmuG
Knock yourself out.
@lseeber @mike808 @rockblossom
@blaineg @lseeber @mike808 @rockblossom
/giphy how true it is
@blaineg @lseeber @mike808 @rockblossom
That was weird…
@ybmuG
If you don’t like a random Giphy, just edit & save to get another one. There’s a 5 minute (I think) edit window.
/giphy random edit
That was about 10 edits, and I gave up.
@blaineg Yeah, done that. Just thought it was weird enough to keep it. Kind of like the randomness anyway, unless it’s just stupid.
@blaineg @ybmuG
/giphy edit at random
@blaineg @therealjrn well that was random…
I really feel for you, the hassle and sense of violation is such a pain. I had that happen a couple times, each time I was able to catch it and get the charges cancelled. One time multiple smallish ($20-50) charges from a video rental place in Nairobi started showing up, and a few weeks after I got them I read how Interpol or some such organization had busted a money laundering scheme running thousands of card numbers through a Nairobi video store chain. Another time someone bought themselves a really nice TV from a Target in Atlanta, and even though I was able to cancel the charge I was still pissed for weeks afterwards that some asshole in Atlanta was sitting around watching their new spiffy ripped-off free television.
I’ve had my cards compromised a number of times, and it always sucks. The absolute worst was the time they used my card number to donate a small amount to PETA, presumably as a test.
I support ethical treatment for animals, but I absolutely do not support PETA. That contribution though, it’s like herpes. I get mailers, letters, etc. several times a month, and have for years. It’s even followed me to a new address.
You can’t get off their mailing list, it doesn’t always come from the same places (I actually get handwritten notes sometimes!) and there is basically nothing I can do. Fuck PETA and Fuck credit card thieves.
@carl669
@hanzov69 If they have postage paid return envelopes, stuff them with bricks and send them back.
@blaineg Someone else suggested that, but sadly they don’t. Most of the time it’s something exhorting you go to an event or contribute via some online campaign. The few that come with addressed return mailers don’t include postage, they must have gotten wise.
There’s an $1100 apple watch? Lol
@warpedrotors That alone would have triggered the AmEx fraud AI algorithm on my account!
Along with password managers, remember that length is the most important security feature, not c0mPle#ity.
There’s a number of xkcd style password generators, I use the Python one. https://duckduckgo.com/?q=xkcd+password+generator&t=hj&ia=web
Something like: sinless pitfall compiler areolae Galatea crinoline
Is a lot easier to type than: ^oj-}L@5CtV |x(\7gZgs{I@`3wo-=#%AA2M[#6L
@blaineg
But with a password manager, you never have to type those passwords, you only need to remember the master key.
@blaineg Is anyone really going to brute force your password (unless its something like “password” or “1234”)? I feel like security breaches come from whatever website/business you are using getting hacked. Don’t use the same password for anything and you will be protected.
@cengland0
True, and 90% + of my passwords are 40 chars of random gibberish. But then you get the few that have to be typed, like a little hardware gadget of some sort. Then an xkcd style password is worth its weight in cusswords.
@jmoor783 On its own, your particular password is unlikely to be brute forced, but there have been many thefts of password databases of entire companies and their customer lists, and those are well worth brute forcing for the bad guys. And in a lot of these database thefts, the companies were using very weak, outdated encryption, so the cracking is easy.
If you’ve got a short password they’ll get it in seconds or minutes, if you’ve got a long one it will take hundreds of years.
Both long and unique are important.
@jmoor783 I have seen malware brute force a 12 character password with no words and all four character classes. It took it a few weeks, but it did it.
Longer is better, for sure.
@djslack @jmoor783 Don’t the bad guys get locked out after X numbers of tries?
@therealjrn if you’re trying to log in, yes, for sensible systems. (Not all systems are sensible.)
If you steal a password hash and try to encrypt things and compare to it, there is no evidence of you trying.
@djslack Ok, don’t tell anybody, this is a secret. My new password is going to be:
8jPZqGlh&oF0cqBljTLy#oAr2wMURLaBScj9wTNQeESWU4zvu4F%Yv90EfCSIE0XaTS%TDcfWPAo8u@y#id@KhDpLKbp8!w#k
@therealjrn
/giphy your secret is safe with me
@blaineg I remember hearing of a password study being done a while after that xkcd strip came out. There was a rash of people using “correct horse battery staple” as their password.
@djslack @jmoor783 @therealjrn
Yes, but that’s only if you’re trying to log into a system. If you’ve got the whole stolen password database to play with, you’ve unlimited tries. And you don’t even have to brute force a lot of passwords, there are pre-computed hashes out there so simple comparisons will reveal a lot of passwords.
Here’s a great article on techniques that are used.
https://arstechnica.com/information-technology/2013/03/how-i-became-a-password-cracker/3/
Also: https://arstechnica.com/information-technology/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
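The offline-cracking point made in the last few comments (no lockout against a stolen hash table, and precomputed hashes turning cracking into a lookup), as an added example that is not from any of the posters or the linked articles. The user table, passwords and wordlist are constructed; the contrast is between unsalted MD5 (the “weak, outdated” storage seen in older breaches) and a salted, slow KDF, which forces the attacker to redo the work for every user:

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed candidate list. A real run uses gigabyte wordlists plus mangling rules.
WORDLIST: List[str] = ["password", "123456", "letmein", "qwerty", "dragon",
                       "correcthorsebatterystaple"]

# Constructed user table; carol chose something the list does not contain.
USERS: Dict[str, str] = {"alice": "letmein", "bob": "dragon", "carol": "Tr0ub4dor&3-plus-more"}


def weak_hash(password: str) -> str:
    """Unsalted MD5: fast, and identical for every user with the same password."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Per-user salt plus a deliberately slow KDF (PBKDF2 here; scrypt/Argon2 in practice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def make_dumps(users: Dict[str, str]) -> Tuple[Dict[str, str], Dict[str, Tuple[bytes, bytes]]]:
    """Simulate the two kinds of leaked database for the same users."""
    weak = {u: weak_hash(p) for u, p in users.items()}
    strong = {}
    for u, p in users.items():
        salt = os.urandom(16)
        strong[u] = (salt, strong_hash(p, salt))
    return weak, strong


def build_lookup(words: List[str]) -> Dict[str, str]:
    """Precomputed hash -> password table. Built once, reusable against every unsalted dump."""
    return {weak_hash(w): w for w in words}


def crack_unsalted(dump: Dict[str, str], lookup: Dict[str, str]) -> Tuple[Dict[str, str], int]:
    """Returns (recovered, hashes_computed). Each user costs one dictionary lookup, no hashing."""
    return {u: lookup[h] for u, h in dump.items() if h in lookup}, 0


def crack_salted(dump: Dict[str, Tuple[bytes, bytes]], words: List[str]) -> Tuple[Dict[str, str], int]:
    """Returns (recovered, hashes_computed). The salt makes every guess a fresh slow KDF call."""
    recovered, work = {}, 0
    for u, (salt, digest) in dump.items():
        for w in words:
            work += 1
            if hmac.compare_digest(strong_hash(w, salt), digest):
                recovered[u] = w
                break
    return recovered, work


if __name__ == "__main__":
    weak, strong = make_dumps(USERS)
    print("unsalted:", crack_unsalted(weak, build_lookup(WORDLIST)))
    print("salted:  ", crack_salted(strong, WORDLIST))
```

Both runs recover alice and bob and miss carol; the difference is the cost column. Against the unsalted dump the attacker spends six hashes once, for the table, and then nothing per user, so a dump of millions of rows falls at the speed of a dictionary lookup. Against the salted dump every guess for every user is a separate slow KDF call, and the attacker never gets to amortise.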
@mehcuda67
I’d almost be disappointed if there weren’t.
It’s sad, but the ArsTechnica article I linked above explicitly points out “Don’t use any of these examples!”
@blaineg @mehcuda67 I wouldn’t use an example that someone posted. Besides I’m pretty sure that no one would guess that my password is “I love purple”.
@blaineg The amount of entropy is the thing. The problem with that xkcd strip is A. You can’t just pick four words, you need dice and bigger word lists, and B. You need more like six than four words (at least when I tried diceware).
And then the dice tend to give you these disappointing, long, words. It’s way too much typing.
The inadequacy of the uh, human element is how Google will cheerfully lock you out of your own account after you use the correct password, and meanwhile Facebook will fudge your password and username to let you log in. Password managers are the only passable approach these days.
@InnocuousFarmer Here’s some output of the Python xkcdpass program I use:
Judaea blueblood Brandy revive hydrant Ormazd
Ankara breezy footnote washbasin claptrap anatomize
Cromwell thane disposal bowline imminent peafowl
holily Erica verve halfpenny deniable shirk
It defaults to 6 words, and most are easy to type.
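The entropy arithmetic behind the xkcd/diceware discussion above (why list size and word count matter more than typing hard characters), as an added example that is not the xkcdpass program or anyone’s posted code. The 32-word list is constructed for illustration; real lists are thousands of words, which is where the bits come from:

```python
import math
import secrets
from typing import List

# Constructed toy list of 32 words. xkcdpass and Diceware use lists of
# thousands of words (the EFF long list has 7776 = 6**5, one per five dice rolls).
WORDS: List[str] = [
    "anchor", "breeze", "cactus", "dune", "ember", "fjord", "glacier", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbra", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "amber", "bison", "cedar", "delta", "falcon", "granite",
]


def passphrase(words: List[str], n: int = 6, sep: str = " ") -> str:
    """Draw n words uniformly with the OS CSPRNG (secrets, not random).

    Words may repeat; the entropy formula below assumes independent draws.
    Picking words yourself, as the xkcd strip seems to invite, is not uniform
    and gives fewer bits than the formula claims.
    """
    return sep.join(secrets.choice(words) for _ in range(n))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected offline cracking time: half the keyspace at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    rate = 1e10  # assumed: fast-hash GPU rig, guesses per second
    for label, size, length in (("xkcd, 4 words / 2048", 2048, 4),
                                ("diceware, 6 words / 7776", 7776, 6),
                                ("toy list, 6 words / 32", 32, 6),
                                ("40 random printable chars", 94, 40)):
        bits = entropy_bits(size, length)
        print(f"{label}: {bits:.1f} bits, ~{years_to_crack(bits, rate):.3g} years")
    print("sample:", passphrase(WORDS))
```

Four words from a 2048-word list is the strip’s 44 bits; six words from a 7776-word list is about 77.5 bits, which is why the comment above found it needed six words rather than four. The same six words from the toy list are only 30 bits, so the size of the list is not optional.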
Consider adding your email addresses here: https://haveibeenpwned.com/
You can then be notified of breaches when they happen, and be better able to decide what to do.
It’s a fantastic service, provided free of charge by renowned security & cloud advocate Troy Hunt.
@dashcloud Seconded!
have i been pwned? is an excellent tool from a trustworthy source. Even if you don’t want notification, plug in your email address and see how many times you’ve been involved in a breach.
I just re-ran it on myself, one account is clean, two others have shown up in breaches (one has 3, the other 16). If I were reusing passwords, that would be a serious problem.
An interesting thing is that I have never used about half the services that were breached. At least directly. Some are obviously sites that provide services to other companies. So you not only have to worry about companies you deal with directly, but their entire support structure: payment processors, comment systems, forum hosts, web hosting services, etc.
@dashcloud So… I’ve been looking at the haveibeenpwned website for about 15 mins or so. My main prob with a lot of this online security and other stuff. I didn’t understand about 80% of what I read. I’m not stupid but I’m not up on ANY techie stuff. I can read their explanations in their faq but the language is mostly Klingon to me.
Therein lies most of my prob with all this keeping up with new security measures. Most likely not just me but many women (and some men) in my age group that have never “worked” within the computer industry.
Once upon a time I did keep up, there wasn’t as much to learn as there is now back in the early 90s. Now it requires continual education on so many levels and I can’t keep up.
@dashcloud @lseeber I understand your frustration. I am a geek, and I can’t keep up with it all. You’d have to be a full time security specialist to do so. And while IT security matters to me (personally and professionally) it’s not what I get paid to do. So in the real world, it’s probably item 8 or 10 on the list of things I have to get done.
So for normal people in the real world, I’d say pick one password manager and use it. Mike808 listed several above.
I use LastPass because my non-techie wife likes it (well, at least doesn’t hate it). That’s a high recommendation right there.
It has a few nice features I like: It can help you change passwords on a lot of sites; It has a security audit feature that will warn you of password reuse, etc.; You can share password entries with others (like my wife).
@lseeber If there’s something you’d like to know about from there (or elsewhere), just let me know and I’ll do my best to explain it for you.
@blaineg Thanks!
@dashcloud Thank you, but I think that’s it. Basically, all I asked in the first place was what was wrong with keeping track of passwords in a notebook with a pen, lol. I don’t use my phone to conduct business. Just my laptop.
However, If something comes up, I’m taggin’ ya!
@dashcloud @lseeber Nothing at all with writing them down, as long as it’s not a post-it note on the display or keyboard.
https://www.cnet.com/news/microsoft-security-guru-jot-down-your-passwords/
@blaineg @dashcloud Nope. Dedicated notebook! (started that when hubby passed and I couldn’t get into any of our accounts that he took care of on his computer).
@dashcloud @lseeber That must have been very frustrating at a very bad time.
I’ve made sure that mine & my wife’s master passwords are in each other’s password managers. But perhaps a paper record somewhere would be a good idea too.
@blaineg @dashcloud @lseeber
Absolutely. Everyone should have an ‘in the event of my death or incapacity’ envelope with an inner envelope with the instructions on how to access your password manager and the master password. And then give that to your executor or child/relative you trust to keep safe and not to open it. If you’re paranoid, you can ask them to retrieve it from their safe document storage and inspect the outermost envelope (actually a clear tamper-evident bag) for being opened.
You will need to replace the envelopes whenever you change your master password.
I use a system with an encrypted (VeraCrypt) thumb drive with its own password and I put the unencrypted export of all my passwords on it, scans of my will, life insurance policy, trusts, real estate titles, account statements (so my surviving family will know the account numbers and where they are) and legal documents. A copy of VeraCrypt is on the unencrypted portion of the thumbdrive. I have paper instructions (and a plaintext file copy on the unencrypted portion) on how to install VeraCrypt, to open the envelope with the VeraCrypt drive password, and how to launch and mount the encrypted drive.
I have a separate envelope with the password manager master password and a copied two-factor keyfob (yubikey). I also include a paper copy of instructions on how to install and launch my password manager using the master password in the password manager envelope and two-factor keyfob for any current passwords, and that there is a (dated) backup of all passwords on the thumb drive on the encrypted drive they just opened with VeraCrypt.
I also include a paper list of all the legal documents (will, trusts, stock certificates, passport, drivers license/ID, SSA card, life insurance policy, and account statements, property deeds, tax returns, etc. that have scans on the encrypted drive.
If something happens to me, my wife, or worse, both of us at the same time, our designated survivor has everything they need to access our estate and digital assets and any online accounts to execute the will and dispense the estate, and close the online accounts (including exercising posthumous deleting info if desired and possible).
@mike808 That’s too much forward thinking. As for me, I don’t have a will and don’t have any accounts documented for them to find. When I die, my brother and sister will have to fight for everything I own. I’m not going to make it easy for them. They will be like vultures after I’m gone.
@cengland0 @mike808 The lawyers will end up with it all in that case.
I’m sorry you have to deal with that! I had the exact same thing happen with my Sam’s Club account a few months ago. Someone ordered $1000 worth of Hotel.com e-gift cards. Just like yours, they never changed the addresses in the account, so all they did was technically buy me gift cards with my own money. Sam’s Club caught and cancelled it and I changed my password. Luckily, it looks like nothing crazy happened after.
Sadly, that wasn’t my first time with fraud on my accounts. I’ve also had a couple hundred dollars worth of food purchased from a store locally with one of my credit cards while I was going to work and had the credit card on me. The worst one was when my debit card info was taken. It’s scary seeing large amounts of money pending to be drained from your actual bank account.
@Avalora That is why I never, ever, under any circumstance, get a debit card for general purchases.
With a credit card, if there’s a transaction you don’t recognize, you don’t have to pay until the dispute is resolved. With a debit card, the money is already gone from your account and then you have to dispute the charge to get the money back. In the meantime, depending on how much fraud occurred, you can be bouncing payments all over town and then you have to deal with each individual merchant separately about bounced payments. Not worth it in my opinion.
With a credit card, you’re using the bank’s money for at least 25 days and up to 55 days (depending on cycle date and when the purchase was made). Then you can make one payment monthly (pay it in full). If you select a bank that offers reward points, you can actually earn money while using the bank’s resources.
@cengland0 Exactly! The debit card issue was about 5-6 years ago now and I don’t think I’ve used it since. I have one around in case I need it, but I switched to only using credit cards after that.
@Avalora @cengland0 Yep, I got burned on a debit card years ago, and it wasn’t even fraud. Company policy on travel was you were liable if you didn’t make a trip, but didn’t cancel it, and they wanted a personal card number to cover that. I foolishly used a debit card number.
A trip was canceled properly, and in plenty of time, but there were multiple screwups and they hit my debit card for the cost of the flight. They eventually fixed things, but that was money out of my pocket for two months until they did.
@blaineg Part of my secret past is that I worked for a major credit card company for 10 years and I have seen my fair share of fraud and other mistakes.
No matter how good you are at keeping your data safe from fraud, that doesn’t prevent human errors.
I’ve seen customers double billed for thousands of dollars. You buy a computer for $3456.78 and you get two charges for $3456.78 from the same company. It’s obviously a mistake and easily corrected as long as it’s a credit card and not a debit card.
I’ve seen $100 purchases charged as $1000 purchases. Simple typo of an extra zero. Again, easily disputed and merchant charged back as long as it’s a credit card and not a debit card.
If any of the above scenarios happen with your debit card, you’re out the money immediately potentially impacting your ability to buy other things until your next payday.
@blaineg @cengland0 Luckily, my credit union puts back money that was fraudulently taken as soon as I call them. Within 24 hours (except on weekends) I have to go in and sign the dispute paperwork, which is a pain, but… at least they replace the money while the investigation is ongoing. I don’t know what other credit unions do, and no bank I’ve ever dealt with does this.
@sarahsandroid That is fast. Of course that’s if you notice. I don’t even look at my credit card transactions until I get my statement. But if I used a debit card, I feel like I’d have to monitor it daily.
@cengland0 @sarahsandroid
With a debit card, your money is stolen.
With a credit card, the bank’s money is stolen.
That’s why the bank is only interested in getting their money back from the crooks, and not at all interested in helping you get your money back.
The only thing a debit card is good for is an ATM to take out cash, because cash advance fees are horrible for consumers (there is nobody to reverse the charge against is a big part of why, the other is just because they can).
@mike808
That’s exactly right and I couldn’t have said it any better myself.
Yes, and that’s all I ever use mine for. Rare that I need to use cash for anything unless I’m buying something from a friend but I usually have some cash on hand for that purpose.
Last month, I got back from my daughter’s wedding…someone had made a $1000 purchase in an online account of mine and then did whatever they do with that info. In 30 minutes, I was signed up for almost 1700 newsletters from around the globe. At least half of them in foreign languages so I had to copy and paste into translator to unsubscribe. They were trying to find more accts online with my debit card registered. Fortunately, the company they made the purchase from suspected it was fraudulent and canceled the order before I ever even knew about it (hadn’t been online for about 5 days). I had to get a new bank card, make sure my BCBS and any auto accts got it. Changed all important passwords, etc. Nightmare. I feel for ya. Make sure you cover all your bases.
Oh yeah, they changed my password on a few accounts also. Had to get that fixed too.
@lseeber YUCK.
@lseeber @therealjrn That’s an understatement
@lseeber A similar thing happened to me, and I found through research that all the newsletters aren’t them looking for existing accounts, but them trying to drown you in so much spam that you miss the order confirmation emails. There are “registration bots” that take an email address and sign you up for everything.
@ribzer That makes sense. It sucks too!
On two-factor authentication: (in plain English it means something you KNOW [password], and something you HAVE [phone or hardware device]) if something tells you to use Google Authenticator, do yourself a favor and use Authy instead.
https://authy.com/blog/authy-vs-google-authenticator/
It’s completely compatible with Google’s tool but much easier to use. The fundamental problems with Google Authenticator are: there’s no backup, and no way to move it to a new phone. Authy solves both of these, and gives you the option of running on more than one device, if you so choose.
@blaineg Seconded for Authy. One drawback - every phone you put Authy on has access to all of the accounts you’ve setup. You can’t have some of your authy-setup accounts on one phone and full access on another. Tried to put just my gaming account authy logins on my son’s phone, but authy will only backup and restore the whole set.
Another thing about Authy - the backup/restore is only for authy. You can’t transfer it to another authenticator (LastPass, Google, etc). Well, you can, but it’s very technical and a hack to extract the tokens from Authy to back them up in plaintext (for storage on an encrypted drive, of course).
That said, I like it far more than any of the others.
@blaineg so instead of using a secure two-factor system let’s use a 3rd party app? Um. Ok
@blaineg @unksol Why not both? It’s a third party app that is a secure two factor system.
I use OpenOTP Token myself because I’ve implemented push authentication but it also handles Google/Authy TOTP codes.
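The reason Authy, Google Authenticator, OpenOTP and the rest are interchangeable: they all compute the same TOTP (RFC 6238) code from the same shared secret, and that secret is the only thing a backup or migration needs. Added example, not code from any of those apps; checked against the RFC’s published test vectors (secret `12345678901234567890`, SHA-1, 8 digits):

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 64-bit counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). Same secret -> same code on every device."""
    t = time.time() if at is None else at
    return hotp(secret, int(t) // step, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """The secret as it appears in an otpauth:// URI or 'manual entry' screen.

    This string is the whole enrollment; exporting it is what moving to a new
    phone or another authenticator app actually requires.
    """
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # tolerate the unpadded form apps display
    return base64.b32decode(cleaned)


def verify(secret: bytes, code: str, at: Optional[float] = None, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus/minus `window` steps for clock drift.

    Constant-time comparison so the check does not leak how many digits matched.
    """
    t = time.time() if at is None else at
    counter = int(t) // step
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    secret = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("current 6-digit code:", totp(secret))
    print("RFC vector at t=59:", totp(secret, at=59, digits=8))  # 94287082
```

The lockout discussion earlier in the thread applies here too: TOTP verification is an online check, so a server that rate-limits it makes guessing a 6-digit code impractical, while an exported secret is an offline asset and should be stored the way mike808 describes, on an encrypted drive.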
@blaineg @unksol Normally not a problem, but the fail state for two-factor authentication is fail closed or fail deadly, which is not a problem people ever think about until it happens to them, and then it’s an ugly scenario.
As an example, if the power goes out and the doors stay closed, it sucks, but it’s not a big deal- on the other hand, if you’re sealed in with a fire, it’s catastrophically bad.
Most people should have a backup method or a way to recover their account if the chosen two-factor method becomes unavailable or unusable for some reason.
Obviously, if you are in a high-risk bracket where your backups would also be a target, then you need to carefully consider how to handle the risk- unless you deal in cryptocurrency or are a high-profile figure in some way, you don’t need to worry.
My Sam’s credit/store card got a fraudulent charge a while back. I always suspected it was someone in store.
There are credit cards that offer virtual numbers (CitiCard offers this). Whenever possible, I use this when making online or telephone purchases. You log into your regular account and go to virtual number. A unique one-time number is generated and the option for an amount limit and/or time limit can be chosen. The purchase is billed as normal purchase on your credit card statement, and there is no charge for this service. This option has saved me from fraudulent activity a few times.
You should consider filing a police report. They will not actively pursue the thief but it will create a paper trail and show that you have a problem.
You might have been signed up for more accounts than just three, but your email has done a decent job of sorting them to your other tabs (if it’s gmail), or to your spam folder. This would have been an attempt to drown you in so many emails that you miss the emails from Sam’s or your credit cards.
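A way to dig the real confirmations out of a registration-bomb flood like the one described above, as an added example (my own illustration, not anything the posters ran). The inbox, sender domains and watchlist are all constructed; the idea is to stop reading the flood and instead pull out mail from the merchants and banks you actually transact with, then summarise the rest:

```python
from email.utils import parseaddr
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample inbox as (sender, subject) pairs; no real mail from anyone.
INBOX: List[Tuple[str, str]] = [
    ("noreply@samsclub.com", "Your SamsClub.com order confirmation"),
    ("bienvenue@journal-exemple.fr", "Bienvenue ! Confirmez votre inscription"),
    ("news@tienda-ejemplo.es", "Confirma tu suscripción al boletín"),
    ("welcome@forum-example.net", "Welcome to the forum, please verify your email"),
    ("alerts@examplebank.com", "Unusual sign-in activity on your account"),
    ("newsletter@shop-example.de", "Willkommen beim Newsletter"),
    ("hello@forum-example.net", "Verify your new account"),
    ("friend@personal-example.org", "Lunch on Friday?"),
]

# Assumed watchlist: domains of the card issuers and retailers you actually use.
WATCHLIST: Set[str] = {"samsclub.com", "examplebank.com"}

# Subject fragments typical of sign-up confirmations, in the languages the flood used.
SIGNUP_HINTS = ("confirm", "verify", "welcome", "newsletter",
                "inscription", "suscripci", "willkommen", "bienvenue")


def sender_domain(addr: str) -> str:
    """'Name <user@host>' or 'user@host' -> 'host', lowercased."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()


def triage(inbox: Iterable[Tuple[str, str]], watchlist: Set[str] = WATCHLIST) -> Dict[str, object]:
    """Split an inbox into: mail from watched senders, sign-up flood, and everything else.

    Watched senders are checked first so a merchant's own 'order confirmation'
    is never mistaken for flood because its subject also says 'confirmation'.
    """
    important: List[Tuple[str, str]] = []
    flood_domains: Set[str] = set()
    flood = other = 0
    for sender, subject in inbox:
        dom = sender_domain(sender)
        if dom in watchlist:
            important.append((sender, subject))
        elif any(hint in subject.lower() for hint in SIGNUP_HINTS):
            flood += 1
            flood_domains.add(dom)
        else:
            other += 1
    return {"important": important, "flood": flood,
            "flood_domains": len(flood_domains), "other": other}


if __name__ == "__main__":
    result = triage(INBOX)
    for sender, subject in result["important"]:
        print("READ THIS:", sender, "|", subject)
    print(f"flood: {result['flood']} sign-ups from {result['flood_domains']} domains; other: {result['other']}")
```

On the sample data the two messages that matter (the order confirmation and the bank alert) come out first, and the five sign-up mails collapse into one count. The same split works as a mail filter rule: anything from the watchlist bypasses the spam folder, everything matching the sign-up pattern gets labelled and left alone.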
@ribzer ahhhh, never even thought of that! Thanks.
@ribzer I checked. 137 more items in my spam folder. You were correct.
Had the same thing happen to me. Laptop was ordered at Sam’s by someone else and shipped to me. Cancelled it and the card it was charged on when I found out. Walmart/Sam’s in their usual fucked up way delivered it to me even though 2 people in customer service said the order was cancelled. And also, in the space of 10 minutes (1:10 to 1:20 AM), I had been signed up at at least 20 websites, some in languages I had no idea what they were and had never visited before. Assume the card that was compromised was Discover like mine.
@Felton10 MasterCard.
I’m hoping since I cancelled the card right away and changed my password at Sam’s within a couple of minutes they gave up on me.
I haven’t gotten any more spam emails beyond the ones that started flooding in right away.
Which reminds me… I need to look at my spam folder and see how many more I got.
@Felton10
137 more things I was signed up for in my spam.
@RiotDemon Wonder if any of this had to do with all these data breaches that have been happening. All I know is that Sam’s Club couldn’t have handled this in a worse fashion. Walmart/Sam’s Club is a shit organization run by money grubbing individuals who hire the cheapest and most incompetent people available. And I belong to all three warehouse clubs and am a Walmart and Costco stockholder so I have a right to complain about how crappy an organization they are.
IT security explained.
@blaineg That’s more like a trojan horse virus.
Phishing is like Dwight from The Office tricked Phyllis into signing his letter of regret by making her think she was signing for a delivery then yanks it away using a literal fishing line. Sadly, I can’t find a gif of this.
This morning I got a phone call from a French number that is listed as suspicious.
3/4 of my spam was in French.
I’m really hoping this doesn’t continue.
@RiotDemon I got one too. Hmm. Could be that Mediocre’s servers were breached.
/giphy Yeah, that’s the ticket!
@RiotDemon …C’est pas moi!
@RiotDemon Is there something you aren’t telling us?
@Barney lol. That’s fantastic.
Wtf kind of virus waits for porn? Is it for blackmail? Weird.
@RiotDemon Yes, it’s for blackmail.
@Barney @RiotDemon I guess this means it’s over between me and Vareny in Kentucky.
@Barney @therealjrn it’s some Black Mirror shit.
There’s an episode that is related.
@Barney @RiotDemon @therealjrn That is one truly inspired show. So many amazing ideas broached there.
@Barney Does it work on smart phones too or just computers? Like if a person only uses a phone for that stuff are they safe?
@medz You are asking me a tech question? Hahahahahahahahaha!
(I’ll go see if I can find the article.)
@medz I couldn’t find the article; I think I trashed it. So, I think you should stop what it is that you are doing, just to be on the safe side.
Came across this one today, email barrage to hide fraud.
https://imgur.com/gallery/POnWRB2