Old 09-05-2007, 08:03 PM   #61
Quote:
Originally Posted by ERD50 View Post
Question - do you think this was the result of a phishing scam? Maybe you don't remember, but did you go to a (fake) eBay account directly from a phishing email?

If not, that means the hackers have found other ways in, and then I am worried.

-ERD50
The short answer is I am not sure. The longer answer is I did have a talk with eBay about how they got my password, and the security folks at eBay were pretty noncommittal about it.

In the preceding several months I had been solicited with eBay phishing schemes. I dutifully passed them on to eBay. I am not a big eBay or PayPal user, a couple of times a year. So any request to do anything on eBay or PayPal would have been viewed by me with skepticism. So I rather doubt it.

I suspect that the most likely way is that I had been sloppy about using a generic password, so possibly any website I had registered with would have a good chance of guessing my username and password. I have since made a point of not using my generic password for any site where money is involved.
Posted by clifp
Old 09-05-2007, 09:30 PM   #62
Step 1 is to make a good password.

Longer than 8 characters.

Letters and numbers maybe special characters if allowed, mixed case.

One nice suggestion I read recently is to make a sentence that you can remember and then use the first letter of each word to make the password. That way it can be long yet remembered.

Different password for each site. Write them down and lock it up in case you forget.

That eBay security key sounds good - too bad they have the gall to charge for it, but probably worth getting.
Posted by joesxm3
Old 09-06-2007, 02:42 AM   #63
Quote:
Originally Posted by joesxm View Post
Step 1 is to make a good password.

Longer than 8 characters.

Letters and numbers maybe special characters if allowed, mixed case.

One nice suggestion I read recently is to make a sentence that you can remember and then use the first letter of each word to make the password. That way it can be long yet remembered.

Different password for each site. Write them down and lock it up in case you forget.

That eBay security key sounds good - too bad they have the gall to charge for it, but probably worth getting.
Step 2. Change the passwords on a regular basis (perhaps quarterly).
Posted by chinaco
Old 09-06-2007, 03:37 AM   #64
Quote:
Originally Posted by ERD50 View Post
Question - do you think this was the result of a phishing scam? Maybe you don't remember, but did you go to a (fake) eBay account directly from a phishing email?

If not, that means the hackers have found other ways in, and then I am worried.

-ERD50
According to the article, the recent compromise used brute force to collect IDs and PWs. If that technique was used, it may indicate that a common security best practice is not in place. The practice being "inactivate an account after several (small number) unsuccessful attempts to login". Brute force often takes a bunch of tests. The login id for eBay is readily available... it is everyone's screen handle. A more secure approach would be to not make the login id public. Keep the login id private and have people key in a different handle.

There are many, many ways to exploit a weakness and compromise a site. There are loads of cracks in the way sites are designed and the supporting pieces of the system. The cracks often extend to the basic business processes (employees and their procedures).

You (as a customer) can do everything right and some other weak link in the chain can be compromised.

When it comes to the internet... Security was an afterthought! Holes will continue to be chased for years to come. And the thieves are getting more sophisticated. No longer is the problem a lone nerd reveling over his accomplishment of just breaking into a site and defacing it. Now we face organized crime rings.


If I were using ebay or paypal, I would get the two-factor device (even if I had to pay for it). Consider it a cost of doing business with that platform.

If any of my financial institutions offer two-factor devices, and I use the online service, I will get it.

One basic way to protect oneself (related to internet accounts) is to close unused (or little used) accounts. Personally I limit who I do business with over the internet. For me, ebay is a novelty not a necessity.
Posted by chinaco
Old 09-06-2007, 11:03 AM   #65
From what I understand, Vanguard will not let the user try more than about 3 attempts before deactivation. If trying from a computer outside the home I think that they ask additional questions that the user has preselected, such as what city you were married in. If other companies aren't using at least this sort of system, it makes you wonder why.

I agree that easy passwords should only be used for non-financial, non-sensitive accounts like a web forum. Personally, if your password is robust I don't see the need to consistently change it on a regular basis -- give me a convincing argument if you think this is wrong.

Les

P.S. Just downloaded AVG's rootkit tool. It runs quite quickly on my XP system and I'll just run it every month or so I guess.
Posted by Lsbcal
Old 09-06-2007, 11:26 AM   #66
Quote:
Originally Posted by chinaco View Post
The practice being "inactivate an account after several (small number) unsuccessful attempts to login". Brute force often takes a bunch of tests. The login id for ebay is readily available... it is everyone's screen handle. A more secure approach would be to not make the login id public. Keep the login id private and have people key in a different handle.
You make some good points. Having a separate user name from what is displayed is good, but really no better than requiring a longer password.

X character hidden login ID plus Y character password = public login ID and an (X+Y) length password. No difference.

But that public login id does give the scammers a limited number of accounts to try to crack, which makes weak passwords all that more vulnerable - I think I'm going to go back and make sure I have a very strong password on eBay/PayPal.

Brute force and a limit at three attempts: I suspect that their robots would just make three attempts, note it, and move on to the next account. Come back to the first after they cycle through all of them, maybe a day later. They don't need to keep going until they find YOUR password, they just need to keep going till they find ANY password. Then start again.

Like lsbcal notes, some of my financial sites are leaving cookies on my computer, and when I try to log on from a different computer it sees that I don't have the cookie from the latest log on, and starts asking the security questions. Maybe the viruses can get into the cookie jar, though I would assume this is encoded?

-ERD50
Posted by ERD50
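ERD50's point above is that a three-strike lockout is applied per account, so an attacker who stops at two guesses per account and cycles through many accounts never trips it. The defender's counterpart is to count failures per source across accounts. The following is an added Python example, not code from the forum or from eBay, PayPal or Vanguard; the log format, the thresholds and the sample records (documentation-range IPs, invented account names) are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records, format "timestamp source account result".
# Source 203.0.113.7 stays at two failures per account (a three-strike
# lockout never fires) but walks through many different accounts.
SAMPLE_LOG = """\
2007-09-06T02:00:01 203.0.113.7 alice FAIL
2007-09-06T02:00:02 203.0.113.7 alice FAIL
2007-09-06T02:00:03 203.0.113.7 bob FAIL
2007-09-06T02:00:04 203.0.113.7 carol FAIL
2007-09-06T02:00:05 203.0.113.7 dave FAIL
2007-09-06T02:00:06 203.0.113.7 erin FAIL
2007-09-06T02:01:00 198.51.100.9 grace FAIL
2007-09-06T02:01:30 198.51.100.9 grace OK
"""

LOCKOUT_LIMIT = 3     # per-account failures before lockout (assumed value)
SPRAY_ACCOUNTS = 5    # distinct failing accounts per source (assumed value)
WINDOW = timedelta(minutes=10)

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, src, acct, result = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "account": acct, "ok": result == "OK"})
    return records

def per_account_lockouts(records):
    """Accounts the per-account lockout discussed in the thread would catch."""
    fails = defaultdict(int)
    for r in records:
        if not r["ok"]:
            fails[r["account"]] += 1
    return {a for a, n in fails.items() if n >= LOCKOUT_LIMIT}

def detect_spraying(records):
    """Sources failing against SPRAY_ACCOUNTS distinct accounts within WINDOW."""
    by_src = defaultdict(list)
    for r in records:
        if not r["ok"]:
            by_src[r["src"]].append(r)
    hits = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(rs):  # slide a window starting at each failure
            accts = {r["account"] for r in rs[i:] if r["ts"] - first["ts"] <= WINDOW}
            if len(accts) >= SPRAY_ACCOUNTS:
                hits[src] = sorted(accts)
                break
    return hits
```

On the sample data the per-account lockout catches nothing, while the per-source count flags 203.0.113.7 against five accounts.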
Old 09-07-2007, 03:42 AM   #67
Quote:
Originally Posted by TexasGal View Post
ERD50,
It is fairly obvious the bad guys have it in for PayPal so I think PayPal is responsible to offer me another layer of security free if they want me to continue doing business with them.
I can understand your feelings from a user perspective, however, this is a topic that I have been deeply involved with, for my MegaCorp. In that role, I can tell you that the cost to implement and operate that two-factor key is significantly higher than the PayPal charge of $5 per user. Matter of fact, from the costs that I have been looking at to implement a bare bones similar implementation, I would question if their CFO had knowledge of their providing a service like that for such a low price. I believe that the charge is primarily to cover the cost of shipping and handling, which as we know for a commercial account is not free.
Personally, as soon as I was able to purchase the token from PayPal, I placed my order, and thought it a bargain.
IMHO.
Posted by whitestick
Old 09-07-2007, 10:07 AM   #68
An example of poor practice from a legitimate business

I got an email from my CC company today. I am 99% sure this is legit, but have not checked yet. I'm going to post a portion of it here (with links and ID removed for safety - but in blue font):

Quote:
If you are concerned about the authenticity of this message, please click here or call the phone number on the back of your credit card and reference the <snip> If you would like to learn more about e-mail security or want to report a suspicious e-mail, click here

Note: If you are concerned about clicking links in this e-mail, the <snip> services mentioned above can be accessed by typing www.<snip>.com directly into your browser.
This is really stupid. They are conditioning people to click links in an email they get. Just because it has the company name, does not mean it is legit. You should ASSUME it is fake, and follow their second suggestion - go to the site directly. They should not even spell out the URL in the email; they should do as they did with the phone number: 'call the number on your card or statement'.

There should not be an "IF" about it - DO NOT CLICK from an email!

Stupid, stupid, stupid. - ERD50
Posted by ERD50
Old 09-08-2007, 09:33 AM   #69
Quote:
Originally Posted by ERD50 View Post
... Having a separate user name from what is displayed is good, but really no better than requiring a longer password.

X character hidden login ID plus Y character password = public login ID and an (X+Y) length password. No difference.
I follow your logic, but you missed something...

The max length of X and Y together is always greater than the max length of Y.

Knowing the ids enables the hacker (i.e., software) to focus the attack on valid accounts.

Posted by chinaco
Old 09-08-2007, 01:18 PM   #70
Quote:
Originally Posted by chinaco View Post
I follow your logic, but you missed something...

The max length of X and Y together is always greater than the max length of Y.

Knowing the ids enables the hacker (i.e., software) to focus the attack on valid accounts.

Yes, implied (but not stated) was that the new 'Y' password used would be as many characters as the old login ID plus the old password.

Weak passwords are bad. I need to put a few of mine on an exercise plan.

-ERD50
Posted by ERD50
Old 09-08-2007, 03:03 PM   #71
Quote:
Originally Posted by lsbcal View Post
From what I understand, Vanguard will not let the user try more than about 3 attempts before deactivation. If trying from a computer outside the home I think that they ask additional questions that the user has preselected, such as what city you were married in. If other companies aren't using at least this sort of system, it makes you wonder why.
Fidelity does this as well. I actually had someone try to hack into my Fidelity account a few months ago. They informed me of this and closed all my accounts and established new ones. I established new passwords and user names too.

I was on the last leg of my old computer so I got a new one at the same time all this occurred. I had a virus I couldn't get rid of so I dumped it. Just didn't trust it anymore. I make sure I get anti-virus updates and run scans frequently now.

Just got through changing all user names and passwords with all financial institutions I use. Just can't be too careful anymore.
Posted by Dawg52