Weird Walmart scam...pls explain



bellavite1
07-25-2021, 08:42
I have a question for you:
Somebody used my walmart.com account to order some Lego toys, $24 worth of item.
So far nothing unusual.
Funny thing is that not only he added his shipping address to my account, but also a Mastercard in HIS name, which he used to pay
So he used my account to order something and paid for it with his own money...
I cancelled the order, deleted his shipping address and his CC from my account and closed the account for good measure, but what could his endgame possibly be?
What kind of scam is this if he paid for the purchase with his own money???
Confused In Wheatridge

izzy
07-25-2021, 08:57
Someone is doing it all wrong.

bellavite1
07-25-2021, 09:03
Yeah, i doubt that, plus he didn't buy me shit with his CC...

def90
07-25-2021, 09:56
How do you know it was his name and his CC?

bellavite1
07-25-2021, 10:02
How do you know it was his name and his CC?

They were both showing on my account detail, one as an alternate shipping address and the other as an alternate method of payment, Mastercard, last 4 digits etc...
We thought maybe his CC would be declined and my CC would end up being used as a backup payment, but I was on Chat with Walmart CS this morning and apparently his CC charges went through just fine.

Irving
07-25-2021, 11:10
Everybody has a first time, even scammers.

Delfuego
07-25-2021, 11:47
That's a good test.
Your leaked account credentials tested and working [check]
Small amount (>$50) tested on leaked card [check]
Next test is bigger...

Bellavite, Change all your passwords, don't reuse passwords, enable MFA/2FA on your accounts please :) [Beer]

Erni
07-25-2021, 12:23
Speaking of weird. Someone created a Sony Play Station account on my gmail. And then managed to change the email on that account prior to verifying it. No one logged onto my gmail account and we don't have a PS.

bellavite1
07-25-2021, 12:35
That's a good test.
Your leaked account credentials tested and working [check]
Small amount (>$50) tested on leaked card [check]
Next test is bigger...

Bellavite, Change all your passwords, don't reuse passwords, enable MFA/2FA on your accounts please :) [Beer]
Done already.
Closed account
So the CC that was used probably belonged to a3rd party?

00tec
07-25-2021, 12:36
Multi factor authentication, or 2 factor authentication

bellavite1
07-25-2021, 12:49
How do people keep track of the gazillion passwords required to live a "normal" life???

def90
07-25-2021, 13:05
What I’m getting at is it’s someone else’s stolen credit card info that was loaded on to your account and as someone else mentioned a test run was made to see if the charge would go through.

whitewalrus
07-25-2021, 13:38
How do people keep track of the gazillion passwords required to live a "normal" life???

Last pass and other similar services. You only need one and they keep all your passwords. But I have always wondered how much it would suck when that account gets hacked.



Delfuego
07-25-2021, 14:02
Bellavite, Your info was probably in a data breach (same for the CC owner).

Erni, Some one recently tried to open a free website account with one of my old gmail accounts. They probably wanted to setup a phishing campaign that looked like it was coming from me. I am sure there is some trick shit they were trying on yours too, not sure what though.


Pro-tips:

Don't use SMS/Text for 2FA/MFA; use an app like Authy/Google/Microsoft authenticator, a hardware key like Yubikey, or a good secure email for a "one time password" (OTP). SMS is becoming a liability and we are moving away from it for 2FA.

Check out Bitwarden as a password manager. Works pretty good, is open-source and you can use it as a browser extension and on your mobile too if you want. Most of my passwords look like this now [CaRR#!6#B&okEMA]. The password manager feeds the site username/password and then you get a code to login. I am sure you already have to do this in other accounts/banks/etc. If your data is leaked/breached, they still cannot get into your accounts.
Check if your email accounts have appeared in leaks or data breaches: https://haveibeenpwned.com/ You can also run your password through it to see if it has been compromised. You can pretty much assume they all have. That's why we need MFA/2FA.

Don't close accounts either. Often, they can simply be reactivated by the provider; they can also be reactivated by support if someone calls in with a fake sob story, or by answering your old security questions. Start by securing it with a new email/pw/MFA and get notifications of logins if possible. After a while, you should be good to disable or delete it if you don't need it.

Brave new world ladies and gents, good luck!
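The haveibeenpwned.com password check Delfuego mentions works without the site ever receiving the password: only the first five hex characters of its SHA-1 are sent, the rest is matched locally. This is an added illustration of that k-anonymity range lookup, not code from the thread or from haveibeenpwned.com; the response body is constructed here so it runs offline, and the counts in it are invented.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// hashParts returns the uppercase SHA-1 of the password split into the 5-hex-char
// prefix that is sent to the range API and the 35-char suffix that never leaves
// the device.
func hashParts(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// breachCount scans a range response ("SUFFIX:COUNT" per line, the shape the
// Pwned Passwords range endpoint returns) for the local suffix. A missing
// suffix means the password was not in the breach corpus, not that it is strong.
func breachCount(rangeBody, suffix string) int {
	for _, line := range strings.Split(rangeBody, "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			if n, err := strconv.Atoi(parts[1]); err == nil {
				return n
			}
		}
	}
	return 0
}

// constructedRange is a made-up stand-in for the body the API would return for
// prefix 5BAA6: the counts are invented and only the first suffix is a real
// SHA-1 (of the password "password"); the other two lines are filler.
const constructedRange = `1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000000000000000000000000000000000A:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1`

func main() {
	prefix, suffix := hashParts("password")
	fmt.Println("only this prefix leaves the machine:", prefix)
	fmt.Println("seen in breaches:", breachCount(constructedRange, suffix), "times")
}
```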

bellavite1
07-25-2021, 15:07
Anything like biometrics that can be used as password for multiple accounts yet?
I always wanted to be a Terminator...

Eric P
07-25-2021, 15:33
How safe is using Samsung fingerprint scanner with passwords generated by google?

bellavite1
07-25-2021, 15:37
How safe is using Samsung fingerprint scanner with passwords generated by google?

Talk to me about this...(in layman terms, pls, I am an old fart here...).

FoxtArt
07-25-2021, 17:32
Anything like biometrics that can be used as password for multiple accounts yet?
I always wanted to be a Terminator...

#1 flaw of biometrics: When that shit gets hacked, it's pretty hard to make new fingerprints, eyeballs, or other physical traits. You're permanently screwed with a compromised "password" for life at that point.

bellavite1
07-25-2021, 17:48
#1 flaw of biometrics: When that shit gets hacked, it's pretty hard to make new fingerprints, eyeballs, or other physical traits. You're permanently screwed with a compromised "password" for life at that point.

Ok, I see that...
Can other body parts be used for logging in? [Flower]

def90
07-25-2021, 18:39
Here's how accounts get hacked: they either know you and you have a password based on your wife's or your dog's name and they get into your account, or they hack a website and get the info needed to match up an email or username and a password that corresponds, in which case they then have to use that email and password combination at every bank and credit card company login until they find one that works, or they run a piece of software that runs random user names and passwords through a login interface on an online banking or whatever site until they come up with a match.

How do you combat this... You can break up your online use into various categories such as your logins for online gun forums, vs online shopping sites, vs personal banking. At one time a professor wrote a paper on online security which came up with the whole must be 12 characters long, contain a letter, number and special character and so on. This paper was based on combating the idiots that would use the name of their cat or dog and did not address the random password generator software, in which a phrase such as CoLoRado18!$ is no different than using reddogjumpup. The special characters and so on make no difference; basically the longer the password, the more combinations of numbers, letters and special characters the software has to run to break the password, and the longer the password, the more time the hacker is wasting trying to figure it out. I think that I read that basically if you have a password over 15 characters long it wouldn't be worth the time for the random generators to mess around with.

For me I use 4 different passwords that are easy to remember phrases for myself that contain enough characters that a random generator would take too long to make it worth figuring out. My online forum and other BS sites use one password, my online shopping sites use another, my business logins use a third and my banking sites use a fourth.

Every year or two I change them. Have yet to have an issue.

The wrench in the whole thing is still the websites that are still living by the false idea that adding caps, numbers or a special character increases your security and require these things.

BushMasterBoy
07-25-2021, 19:10
Or using your account to ship drugs.


https://abcnews.go.com/blogs/headlines/2013/08/ohio-man-orders-empty-gun-safe-finds-300-pounds-of-pot-inside

bellavite1
07-25-2021, 19:54
Here's how accounts get hacked: they either know you and you have a password based on your wife's or your dog's name and they get into your account, or they hack a website and get the info needed to match up an email or username and a password that corresponds, in which case they then have to use that email and password combination at every bank and credit card company login until they find one that works, or they run a piece of software that runs random user names and passwords through a login interface on an online banking or whatever site until they come up with a match.

How do you combat this... You can break up your online use into various categories such as your logins for online gun forums, vs online shopping sites, vs personal banking. At one time a professor wrote a paper on online security which came up with the whole must be 12 characters long, contain a letter, number and special character and so on. This paper was based on combating the idiots that would use the name of their cat or dog and did not address the random password generator software, in which a phrase such as CoLoRado18!$ is no different than using reddogjumpup. The special characters and so on make no difference; basically the longer the password, the more combinations of numbers, letters and special characters the software has to run to break the password, and the longer the password, the more time the hacker is wasting trying to figure it out. I think that I read that basically if you have a password over 15 characters long it wouldn't be worth the time for the random generators to mess around with.

For me I use 4 different passwords that are easy to remember phrases for myself that contain enough characters that a random generator would take too long to make it worth figuring out. My online forum and other BS sites use one password, my online shopping sites use another, my business logins use a third and my banking sites use a fourth.

Every year or two I change them. Have yet to have an issue.

The wrench in the whole thing is still the websites that are still living by the false idea that adding caps, numbers or a special character increases your security and require these things.

Now, this just may work!
Thank you!

Delfuego
07-26-2021, 07:26
Don't reuse passwords
Enable MFA
Use a password manager

Brute force attacks are not the big threat. 1.Phishing, 2.Breach data, 3.Password guessing/social engineering

Don't reuse passwords
Enable MFA
Use a password manager

O2HeN2
07-26-2021, 09:01
How do people keep track of the gazillion passwords required to live a "normal" life???

Password manager like 1Password. There are others but I decided 1Password was the sweet spot for me.

You can also get a "family" subscription if you want to share some passwords with others and keep others to yourself.

Got 1Password about two years ago and haven't looked back.

https://1password.com/

O2

O2HeN2
07-26-2021, 09:25
But I have always wondered how much it would suck when that account gets hacked.

If some password manager site got hacked they wouldn't get your passwords*. In a nutshell this is how they all work:

When you subscribe to a service, they generate a key and you supply a password. They don't store the password, so rule number 1 is that if you lose your password manager password, there is NO WAY to recover it. Keep this in mind.

The service never sees your passwords. Your unencrypted passwords exist only on your local system. When you save a new username/password, it's added to your local file of username/passwords, that file is encrypted and sent to the service and stored there in an encrypted state.

You need both the key they generated for you at signup AND your password to decrypt the file. So you need to manually install the gawd-awful (in a good way) key on each system you wish to use the password manager on.

So someone needs BOTH your key and password to get to your info. So getting just one - key or password, is useless.

Takeaways:

The service itself can't decrypt your info, so the service being hacked is useless*
The encryption method is very strong. Services differ in strength, but even the "worst" is very good
You need two pieces of info to decrypt your info, and it's very difficult for someone to get both
IMHO it's God's gift to modern password security, right up there with two factor authentication


O2

* Of course anything can happen if the hacker is able to modify source code, which is what the SolarWinds hack was based upon.
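O2HeN2's two-secrets model, worked through as an added example (not code from the post or from any password manager product): the secret key installed on the device and the stretched master password are both needed to derive the vault key, and the service only ever holds the salt, nonce and sealed bytes. The function names, the demo values and the iteration count are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// vaultKey mixes the device-installed secret key with the master password.
// The loop stands in for a slow KDF (PBKDF2/Argon2 in real products); because
// the secret key keys the final HMAC, neither secret alone yields the AES key.
func vaultKey(secretKey []byte, masterPassword string, salt []byte) []byte {
	stretched := []byte(masterPassword)
	for i := 0; i < 100000; i++ { // illustrative iteration count
		mac := hmac.New(sha256.New, stretched)
		mac.Write(salt)
		stretched = mac.Sum(nil)
	}
	mac := hmac.New(sha256.New, secretKey)
	mac.Write(stretched)
	return mac.Sum(nil) // 32 bytes: AES-256
}

// vaultCipher returns the AES-256-GCM AEAD for a key. Open returns an error
// (authentication tag mismatch) whenever the key came from the wrong secrets.
func vaultCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo values: the secret key stays on the device; the salt,
	// nonce and sealed vault are all the service ever stores.
	secretKey := []byte("device-secret-key-32-bytes-long!")
	salt := []byte("per-account-salt")
	gcm, _ := vaultCipher(vaultKey(secretKey, "correct horse battery staple", salt))
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	sealed := gcm.Seal(nil, nonce, []byte("walmart.com: user / CaRR#!6#B&okEMA"), nil)
	fmt.Printf("service stores %d ciphertext bytes and no key\n", len(sealed))
	// Right secret key but a guessed password: the derived key differs, Open fails.
	wrong, _ := vaultCipher(vaultKey(secretKey, "guessed password", salt))
	_, err := wrong.Open(nil, nonce, sealed, nil)
	fmt.Println("wrong password:", err)
}
```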

Delfuego
07-26-2021, 10:24
What this guy said ^^^^

DireWolf
07-26-2021, 11:30
If some password manager site got hacked they wouldn't get your passwords*. In a nutshell this is how they all work:

When you subscribe to a service, they generate a key and you supply a password. They don't store the password, so rule number 1 is that if you lose your password manager password, there is NO WAY to recover it. Keep this in mind.

The service never sees your passwords. Your unencrypted passwords exist only on your local system. When you save a new username/password, it's added to your local file of username/passwords, that file is encrypted and sent to the service and stored there in an encrypted state.

You need both the key they generated for you at signup AND your password to decrypt the file. So you need to manually install the gawd-awful (in a good way) key on each system you wish to use the password manager on.

So someone needs BOTH your key and password to get to your info. So getting just one - key or password, is useless.

Takeaways:

The service itself can't decrypt your info, so the service being hacked is useless*
The encryption method is very strong. Services differ in strength, but even the "worst" is very good
You need two pieces of info to decrypt your info, and it's very difficult for someone to get both
IMHO it's God's gift to modern password security, right up there with two factor authentication


O2

* Of course anything can happen if the hacker is able to modify source code, which is what the SolarWinds hack was based upon.

^From a layman's perspective, this is accurate description for many of the common services/methods (but not all).

That said, for those with a significantly lower risk-tolerance, it needs to be mentioned that most of those considerations make a number of assumptions which in many instances may be suspect due to improper implementation... Crypto is hard for most folks to really grasp at a fundamental level, which often results in mistakes being made.

In other words, one could throw in all the bells-and-whistles (e.g. latest crypto algorithms, enormous key-space/length, massive-entropy RNG/IV, decoupled DEK/KEK, HSMs, etc.), and still have a simple/stupid mistake undermine the whole thing.

Have seen similar situations multiple times, some of which boggle the mind....