Hacked

I have Amazon two factor authentication set on. Amazon (along with others, like Facebook, Intuit) is on my authenticator app. Good extra sense of security to have.
I understand why 2FA is good but I also think it’s a pain, especially on accounts that we share like Amazon. It’s not generally a problem since we all stay logged in but now and then they make you sign in again. If my wife or daughter tries to log in, I get the code. Or something with my mom’s accounts as I manage all of those. If she locks herself out somehow, I get the code. I’m not always in a position to drop what I’m doing, call her, and walk her through what to do.
 
LESSONS

1. Make all your passwords stronger and do not use the same one for your email that you use for Amazon (because your email is your login at Amazon). I have different passwords for every account. The young wife did not and really did not want to change. I will have to walk through every one of her accounts now and force her to fix them.
Thanks for sharing. I believe your lesson #1 is the most important and easy thing to do, which unfortunately a lot of people don't do. All it takes is a leak of your password somewhere, by some lazy provider, and a hacker will attempt to use that same password for every service under the sun.
 
I have different passwords for every account. The young wife did not and really did not want to change.
Terrible situation; I feel for you.
This is such an important thing, and I'm always surprised at the reluctance of many people to implement it. There are several ways to do it easily (I'm a longtime fan of 1Password), and I agree it's essential these days.
 
Thanks so much for taking the time to share your story and provide a list of lessons learned.

Certainly got me to check that Amazon have my phone number, but then again I knew that as they text me the barcode to open the delivery locker each time I buy something.

I also have 2FA on my email account and different passwords for all my accounts.
 
Thank you for sharing your story. I think that I need to make some passwords stronger.
While it is certainly a good idea to have “strong” passwords, the real important thing is to not use the same password for different sites. I doubt there’s much guessing of passwords. They get them from a hack and use them. Then, if your Facebook and your email have the same password, they’re golden. Of course the email is one of the worst passwords to have compromised because from there you can reset passwords for other sites.

What this really makes me want to do is set up a completely different email address for my financial account. Then if something else gets compromised, they won’t even have my email, which is the most common user name. All of what Gumby went through is terrible, but getting your financial account compromised would be life altering.
 
That has got to be one of the most infuriating things about digital life. They give the CSRs no authority to do anything beyond their prescribed processes, which are all designed to be resistant to people posing as the real account holder. And that's if you can even get to a CSR.

All my passwords are random gibberish, never repeated, saved in KeePass and synchronized across devices with Syncthing (both open source tools that I keep updated).

I'm going to use this opportunity to check DW's passwords. She uses LastPass, so no excuses for using the same password twice.
 
I went through a similar experience a few months ago with my Facebook account. I got locked out because someone hacked it. Unfortunately, Facebook does not offer ANY customer service. There is no way to contact them for anything ever.
Interesting, glad I never had a FB account.
 
Two days ago I had a difficult but eventually successful episode with an excellent service rep. When I retired in the USA in 2010 my company pension/annuity was handled by Prudential and when we moved to England in 2016 I wrote to them to get my address changed as I couldn’t do an overseas address change online. This year they moved my pension to Empower and yesterday I logged onto my Prudential account and followed the link to Empower for me to register with them. The registration process required Name, SSN, date of birth, and ZIP code or Post Code of my address on file. As I expected, the Post code field will only accept numbers so the account was locked after 3 attempts (I have Prudential statements with the correct address and UK-style alphanumeric post code). It took a long time to call and get through to a person - they really do want you to use the website, and the FAQs and chatbot did not address my issue at all. Fortunately the lady who eventually picked up was very understanding and helpful and put me on hold for about 10 minutes while she sought help to get around the problem. She validated my ID with some other questions such as address on file, with UK post code, and my date of employment termination, and then was able to read out a PIN to me and direct me to a page where I could register and create an account with username and password.

You definitely need to learn a different skill set when doing stuff online.
 
What this really makes me want to do is set up a completely different email address for my financial account. Then if something else gets compromised, they won’t even have my email, which is the most common user name. All of what Gumby went through is terrible, but getting your financial account compromised would be life altering.
I think this is a good idea. Lots of folks carry around a tablet during travel and feel safe that they don't have their financial apps on it. But the email is typically "the keys to the kingdom" because, if compromised, the thief sees old emails from the bank, then completes the email loop to change the email address and password, and you're locked out, just as was done in the OP with Amazon.

The solution that you recommend resolves that. Make a new "sensitive account only" email address, and don't have that on the tablet. Or at least make it so the only way to access that email is by manually typing the password. There's a little problem with that because email addresses tend to leak out. For instance I've got one that I created for financial purposes, used it on PayPal, and now vendors (the shady ones I was trying to protect myself from) have that sensitive email address. But generally, the idea of a separate email for financial institutions (or anywhere you've stored your credit card data) is probably a really good idea.
 
As I was writing the above, I realized one mitigation that I often take that would have made it impossible for the bad guy of the OP to succeed would be don't let sites save your credit card info.

That's a PITA for a site you use a lot, and Amazon is one place I let them save my card info. But I type in my card number pretty much everywhere else, even if I know I'll be back (utilities, airlines, etc). It's a slight pain, but if they get hacked or if a bad guy gets into my account, no CC stuff can happen.
 
My professional background is in Information Security (CISSP certification).
Glad to see there's another ISC2 professional here. As an FYI, that was the toughest test I've ever taken (by far). Also one of the longest.
 
Anyone manage multiple email accounts through their Outlook account for finance business only?

After reading all the comments I would like a separate email account for safety.
 
I went through a similar experience a few months ago with my Facebook account. I got locked out because someone hacked it. Unfortunately, Facebook does not offer ANY customer service. There is no way to contact them for anything ever. The only option is to use the AI-driven online option. I had to submit proof of identification. I sent in my license only to quickly get an automated response that they were unable to use that to verify my identity and to try again. So I tried with my passport with the same result. Those are the only 2 forms of photo ID I possess so I was out of options. I tried the same thing a few times over the course of a couple of weeks, taking new photos and scans each time in case the image itself was the issue. Still no progress. I finally gave up and started a brand new account. I lost 15 years of history, photos, memories, and my friends list. I had to rebuild everything from scratch which was a little challenging because when I sent out friend requests, many people assumed it was spam since they were already friends with me. Thankfully, a few friends and relatives posted to let our mutual friends know the requests were legit but 4 months later I'm still trying to reconnect with some people. And all of the memories are gone for good.
Yikes. So sorry you had to deal with that - how frustrating. I never think of any social or online account as "mine" anymore.

The company owns and controls it 100% - and what it gives, it can instantly take away or shut down as per its Terms and Conditions.

FB, X, Instagram, Google photos, etc - nothing there is really "ours". We're using it, but we don't own or have any permanent rights to it.

The only assets we truly own are what's housed in our own local computer drive or in real life.
 
Glad to see there's another ISC2 professional here. As an FYI, that was the toughest test I've ever taken (by far). Also one of the longest.
Yeah, it was long and after a while, it was a little mind numbing. :)
 
As I was writing the above, I realized one mitigation that I often take that would have made it impossible for the bad guy of the OP to succeed would be don't let sites save your credit card info.

That's a PITA for a site you use a lot, and Amazon is one place I let them save my card info. But I type in my card number pretty much everywhere else, even if I know I'll be back (utilities, airlines, etc). It's a slight pain, but if they get hacked or if a bad guy gets into my account, no CC stuff can happen.
I don't save CC info on web commerce sites, either ... except Amazon. This thread may prompt me to delete my CC info from Amazon, which they probably don't make simple to do. Amazon was the first to offer "one click" purchasing, which was great before hacking of email and other accounts became rampant.
 
Just added the 2-step verification on my Amazon account. Thanks.
 
I understand why 2FA is good but I also think it’s a pain, especially on accounts that we share like Amazon.
Some 2FA accounts give the user an option to receive either a text message or an email. We have some accounts set up to give us a choice on which to get each time. We have them set up so my wife can choose to get a text message when she logs in, and I can choose to get an email when I log in.
 
I have quite a few 2FA accounts that use the Symantec VIP Access app on my phone. It generates a new 6-digit number every 30 seconds and has never failed me. Saves the hassle and potential vulnerability of getting an email or text message.
Both my Fidelity and Schwab accounts use it, as well as Amazon and several others.
 
I am POA for my mother with dementia and an authorized user for her credit card. Since I infrequently use her CC I "turn it off" online until I need to use it so no hacker can use it. Easy to turn off and on online and a good idea for infrequently used credit cards.
 
I don't save CC info on web commerce sites, either ... except Amazon. This thread may prompt me to delete my CC info from Amazon, which they probably don't make simple to do. Amazon was the first to offer "one click" purchasing, which was great before hacking of email and other accounts became rampant.
Super easy to delete your cards - just go to your account screen, payment options and "edit". You'll see the options there. Takes 2 min.
 
Anyone manage multiple email accounts through their Outlook account for finance business only?

After reading all the comments I would like a separate email account for safety.
If the risk you are trying to mitigate includes having the unlocked device fall into the wrong hands, you might be better off having a separate email client.

You could use Thunderbird (free and open source) or just use a web client. This way, the bad guy opens Outlook and only sees the decoy email address that isn't used anywhere as a second factor. If you install another local email client, like Thunderbird, you could remove its shortcut from the OS menu, and, of course, don't save the password in the client, even if it's "protected" (because there are typically brute force attacks that are easy for bad guys to deploy). Removing the shortcut and doing a start>run>Thunderbird isn't airtight, but might slow them down while letting you have local access to your email history without an Internet connection. Or another option is to only access the sensitive email through a web client, and only in a private tab. The private tab is so the bad guy can't look at browsing history, see that you went to a web email client, and maybe even have the web page come up and self-populate the login email address.
 
Although I have never actually had any of my accounts compromised, I did start using 1Password and Yubikeys several years ago after getting emails demanding payments and listing my email address and my most used password. Now that I think about it, I did get some spurious charges on my USAA credit card and then again on PayPal which were easily resolved.

When I signed up for 1Password, I got the family plan option so DGF could use it as well. She is a disaster when it comes to keeping track of passwords. I keep hearing she is going to start using it but after almost 3 years, no action yet on her part. I will probably have to set it up for her but that's an issue when some apps can utilize biometrics so I need her face or fingerprint to set it up.

For Amazon, fortunately you can set up multi-factor authentication and if you have any access issues you cannot regain access via the forgotten password routine as that would essentially bypass the multi-factor making it pointless. I use the 1Password built-in authenticator vs receiving a text or email with a code so I can use any of my devices for authentication and not just my cell phone. Amazon also utilizes passkeys so that option is available.

I hate that we have to resort to these security measures but I will admit that all my password issues evaporated after implementing these changes. It took a few weeks to establish the new habit but I feel it is well worth the effort.
 
....

After calling the email provider, some more waiting and an escalation, we did talk to a rep who suggested that we look on her email account for "message forwarding". And, bingo, the hacker was getting forwarded all her emails. I hadn't even known such a thing existed, and I wish the first email provider rep had told us about that. I still don't know how they did it, but apparently that allowed them to thwart the young wife's receipt of the reset emails.

......
Just an update: I finally figured out why we couldn't get the reset codes from Amazon. When the hacker got into the young wife's email, not only did he start forwarding her email to himself, he also knew the emails that would be sending those reset codes to us and put them in as "blocked senders". I just found that out today by wandering around the email settings for her account. It would have helped if the email provider customer service rep or Amazon rep had suggested that we also look there, as we clearly explained the problem to them two days ago. I can't believe this is the first time this particular scam has happened.

We also worked through all her accounts this morning and changed the passwords to be unique and difficult. What a pain.
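The two things found in the settings above, a forwarding rule that copies every message to the attacker and a "blocked senders" entry for the addresses that send reset codes, are the standard persistence an email-account takeover leaves behind, and they are the first two places to check after a lockout. The following is an added example for this thread, not code from the post or from any email provider: an audit over a mailbox's settings that flags forwarding to any address the owner does not control, blocked senders at domains where the owner holds accounts, and filters that silently delete or file mail from those domains. The settings dictionary, the owner address and the domains are all constructed sample data; the layout of the settings (keys `forwarding`, `blocked_senders`, `filters`) is this example's own and would be adapted to whatever a real provider's export or API returns.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of what a compromised mailbox's settings might look like.
# Addresses and domains below are placeholders, not real accounts.
SAMPLE_SETTINGS = {
    "forwarding": ["drop-box@attacker.example.net"],
    "blocked_senders": ["account-update@amazon.com", "newsletter@example-shop.test"],
    "filters": [
        {"from_contains": "no-reply@example-bank.test", "action": "delete"},
        {"from_contains": "deals@example-shop.test", "action": "archive"},
    ],
}
OWNER_ADDRESSES = ["alice@example.org"]                   # addresses the owner controls
ACCOUNT_DOMAINS = ["amazon.com", "example-bank.test"]      # sites where the owner has accounts

SILENT_ACTIONS = {"delete", "trash", "archive", "move"}   # actions that hide mail from the inbox


@dataclass(frozen=True)
class Finding:
    kind: str     # "forwarding" | "blocked_sender" | "filter"
    detail: str


def _domain(addr: str) -> str:
    """Domain part of an address, lower-cased; tolerates 'Name <user@host>' forms."""
    return addr.strip().rstrip(">").rsplit("@", 1)[-1].lower()


def _watched(domain: str, account_domains: List[str]) -> str:
    """Return the account domain that `domain` equals or is a subdomain of, else ''."""
    for w in account_domains:
        w = w.lower()
        if domain == w or domain.endswith("." + w):
            return w
    return ""


def audit_mailbox(settings: Dict, owner_addresses: List[str],
                  account_domains: List[str]) -> List[Finding]:
    """Flag the three takeover artefacts: external forwarding, blocked account
    senders, and filters that silently remove mail from account domains."""
    findings: List[Finding] = []
    own = {a.lower() for a in owner_addresses}

    for target in settings.get("forwarding", []):
        if target.lower() not in own:
            findings.append(Finding("forwarding", f"all mail is forwarded to {target}"))

    for sender in settings.get("blocked_senders", []):
        hit = _watched(_domain(sender), account_domains)
        if hit:
            findings.append(Finding("blocked_sender",
                                    f"{sender} is blocked; reset codes from {hit} would never arrive"))

    for rule in settings.get("filters", []):
        hit = _watched(_domain(rule.get("from_contains", "")), account_domains)
        if hit and rule.get("action", "").lower() in SILENT_ACTIONS:
            findings.append(Finding("filter",
                                    f"mail from {rule['from_contains']} is {rule['action']}d before it is seen"))
    return findings


if __name__ == "__main__":
    for f in audit_mailbox(SAMPLE_SETTINGS, OWNER_ADDRESSES, ACCOUNT_DOMAINS):
        print(f"[{f.kind}] {f.detail}")
```

On the constructed sample this reports three findings (the external forward, the blocked Amazon sender, and the delete filter on the bank's address) and stays quiet about the shop newsletter, which is an ordinary block the owner may well have set. The same three categories are what a provider's rep should have asked about on the first call.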
 