Phishing nightmares

  • Phishing nightmares

    I'm sure many of you have received notices from companies with whom you did business, who used Epsilon information services. These companies ranged from Best Buy to iTunes to banking establishments.

    I thought I was OK because only e-mail addresses were hacked. Well, the phishing attacks began and have been relentless. I have spent a miserable day on the computer changing passwords on my various accounts. Thinking up different passwords and making some record of them has caused me to eat many, many peanut M&M's. It's been a very long and not very good day.

    I would advise all of you to start changing your passwords any place passwords were required. Start with the password to your e-mail account. Don't forget to change the password on your Internet provider as well as your e-mail reader program. Yes, I still use Outlook Express. I am in the Dark Ages of computer savviness. As in, not very.

    I have yet to hit the chat forums like BBO and change my passwords there. But nothing is innocent or safe. I would advise you to change your passwords every place you can remember you have them.

    Phishing has not cost me money. Thank God for that!!! No charges were made to my credit cards. But someone hacked into my iTunes account. They changed the address and billing information and bought stuff. I only received e-mails afterwards as receipts of what was done. It looked like they had used my Visa card. But the charges never showed up on my bank account records.

    This is a link to an article about how we should make ourselves more secure. It would mean getting oneself off all e-mail lists for catalogs, notices, sales, etc. I would miss that stuff. Half of my e-mails are notices from companies about sales or some such. So far, I have just been changing passwords. I gather that we should go around and change our passwords on accounts every so many months. Never use the same password twice. Don't make a password anything like information that is even slightly related to you. Do not use dictionary words. Use upper and lower case. Use numbers instead of letters. I have yet to make a password that the website recognized as "very secure". I've only ever reached the "moderate" level. This password stuff is for the birds. But now I see the real need for passwords. They are the only thing between you and people who want to either steal your money or charge their purchases to your credit cards! Nasty, nasty people out there. Nasty.

    http://www.consumersearch.com/blog/s...g-expeditions#
    Marilyn

  • #2
    The important thing to remember is, do NOT use the same password for multiple things. If your password for email is "QuiBBLe", for example, don't use "QuiBBLe" as a password anywhere else.

    "But, wait! I'll never remember all those passwords! I'll have to write them down, and then someone could steal the paper or look at the sticky notes around my monitor, and steal everything!"

    Possibly true, but there are ways to work around it. One is to have "password groups", where you choose a "base phrase" and make minor changes that are easy to remember. Let's take the example of "QuiB8L3", which mixes upper/lower case letters and numbers. Have a Netflix account? Its password could be "QuiB8L3Nf" or "NFQuiB8L3". eBay could be "QuiB8L3Bay", and "PPQuiB8L3" for PayPal. And have different base phrases for different classes of accounts - an account on a forum is not the same class as something with financial ramifications, so the base phrases are totally unrelated.

    Personally, I like phonetic passwords. They're spelled exactly the way they sound... assuming you know how to pronounce them! I've had some passwords I created 20 years ago that I have actually given out to people, and they still can't open those accounts without having it printed in front of them, yet they're easy for me to remember.

    So, how can YOU create YOUR base phrases? Choose something familiar to you, like a passage from a book or a line from a movie, and use the first letter from each word. I've known some people who use the resistor color code, or a checklist for a particular brand of helicopter, or a line from Shakespeare, any variety of things. Mix up the case of letters. Swap out letters for numbers.

    But the important thing to remember - sharing passwords between important accounts, like junkies sharing needles, is not safe!
    Last edited by WoodstockJeff; 04-14-2011, 08:19 AM.
    Jeff

    "Remember when being socially distant was a symptom of a potentially debilitating mental disorder, instead of a government mandate? C'mon, it was just a few weeks ago!"

    "Modern Liberalism: The embodiment of an irrational fear of letting other people run their own lives."

    '13 XT250
    '10 ZG-1400 (operational again)



    • #3
      To remember my passwords, I have a file on the thumb drive that I always carry in my pocket. The login and password base ("QuiBBLe" in Jeff's example) is written as "*" since I know what they always are. If someone gets the file, they may have a good start, but they still have to figure out a few pieces.
      Fatcat

      2004 Vulcan 500 LTD



      • #4
        If you are multi-lingual, passwords in other languages are helpful. As is spelling in l33t
        When life throws you curves, aim for the apex
        08 Spyder RS SM5 "big Bird" \ 12 S'TtripleR "stripper" \ 02 VFR800 "big red" \ 09 KLX250-S
        Sold: 97 Ninja 500R / 03 SV650N / 01 Ducati 750SS / 73 CB350-Four / 03 BMWF650GS / 08 Gixxer600 / 09 KLX250S "Gumby" / 06 Thruxton "crumpet" / 91 VFR750 /03 Gixxer6 the bass boat
        my Facebook, SpeedShotsPhotography
        MITGC #22

        "I have seen fat kids on Segways go through corners faster."



        • #5
          Originally posted by asp125:
          If you are multi-lingual, passwords in other languages are helpful. As is spelling in l33t
          Sadly, this isn't really true anymore. Many dictionaries and sets of (good) rainbow crack tables will include both -- especially l33t.

          I have a password safe application that I use, keeping sets of passwords encrypted and stored on a couple of (synced) devices. It's not perfect, but it's better than it could be.

          I also tend to use long passwords, where I can, that are relatively easy for me to type in. 16+ characters isn't /difficult/ to remember if it's something like 'bl00dy stup!d PASSWORDS!' and will keep you out of almost any brute force or dictionary attack; multiple word combinations are difficult.

          The end statement really is: the password is a dead technology, and one of the largest challenges in computer security today. You just have to look at the HBGary incident with Anonymous to realise this isn't just an issue for the average consumer; it's a common and deadly flaw. The alternatives, currently, are either too expensive or just not scalable for consumer use in the US. (Though 2-factor type solutions seem much more common even with consumer apps in the EU.)
          --
          M.I.T.G.C #11

          Current bike: '11 Ducati MTS1200S, '08 WR250X
          Bikes I have owned: '06 Sprint ST, '06 KTM 950 SM, '03 KLR 650



          • #6
            Biometrics? Retina scans?


            • #7
              Longer passwords... very important!

              Several systems store an "encrypted" version of your password, rather than the actual text. It was common until a couple of years ago to store the MD5 or SHA hash value of whatever you typed, because there was "very little chance" of reverse-engineering the original from the stored value if it were stolen. However, it is simple to run a program to build a database of the hashed values for all combinations of characters between 1 and 6 characters long, and "crack" any password of 6 or fewer characters in a single database query. And the only thing preventing expanding it to more is the size of the database...

              Oh, and you know those annoying places that require you to build your password using very specific rules? Far easier to crack, because there are far fewer combinations to try! Change the password every 30 or 90 days? Far more likely to get a weak password, or permutations on them, like changing "jrb#0331" to "jrb#0618" at the next required password change in June. It's like the TSA - an increased level of inconvenience to portray the semblance of security.
              Jeff

              "Remember when being socially distant was a symptom of a potentially debilitating mental disorder, instead of a government mandate? C'mon, it was just a few weeks ago!"

              "Modern Liberalism: The embodiment of an irrational fear of letting other people run their own lives."

              '13 XT250
              '10 ZG-1400 (operational again)

              Comment
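Added example, not code from the thread or from any poster, illustrating the two mechanics behind posts #5 and #7 above: a store of unsalted MD5 hashes falls to a precomputed table with one lookup per account, while a per-user random salt plus an iterated hash makes that table worthless; and the search-space arithmetic behind "longer passwords" versus "rule-bound passwords". The leaked records, the account names, the 5000-word vocabulary and the assumption about how people typically satisfy composition rules are all constructed for illustration.

```python
import hashlib
import itertools
import math
import os

LOWER = "abcdefghijklmnopqrstuvwxyz"
PRINTABLE = 95      # printable ASCII characters reachable from a US keyboard

# Constructed records standing in for a leaked table of unsalted MD5 hashes.
# The account names and passwords are invented for this example.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"kawa").hexdigest(),                      # 4 lowercase letters
    "bob":   hashlib.md5(b"apex").hexdigest(),                      # 4 lowercase letters
    "carol": hashlib.md5(b"bl00dy stup!d PASSWORDS!").hexdigest(),  # 23-char passphrase
}


def build_md5_table(alphabet=LOWER, max_len=4):
    """Precompute hash -> plaintext for every 1..max_len string over `alphabet`.
    Built once, reused against every site that stored bare MD5; only memory
    limits how far max_len can grow."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            pw = "".join(chars)
            table[hashlib.md5(pw.encode()).hexdigest()] = pw
    return table


def crack_with_table(leaked, table):
    """One dictionary lookup per stored hash, no per-user hashing at all."""
    return {user: table.get(h) for user, h in leaked.items()}


def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(passwords):
    """What a site using salted PBKDF2 keeps: {user: (salt, hash)}."""
    stored = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        stored[user] = (salt, salted_hash(pw, salt))
    return stored


def crack_salted_with_table(stored, table):
    """The MD5 table finds nothing: the stored value is not MD5(password), and a
    fresh table per salt would cost `iterations` hash calls per candidate."""
    return {user: table.get(h.hex()) for user, (salt, h) in stored.items()}


def bits(space):
    """Search space expressed as bits of work (log2)."""
    return math.log2(space)


def free_form_space(length, alphabet=PRINTABLE):
    """Any `length` printable characters with no pattern imposed."""
    return alphabet ** length


def typical_rule_space():
    """Assumption for illustration: asked for 8 chars with upper, lower and a
    digit, most people write Capital + 5 lowercase + 2 digits ('Kawasa01'),
    and that shape is what a cracker tries first."""
    return 26 * 26 ** 5 * 10 ** 2


def passphrase_space(words, vocabulary=5000):
    """`words` common words picked independently from a 5000-word vocabulary."""
    return vocabulary ** words


if __name__ == "__main__":
    table = build_md5_table()
    print("MD5 table size:", len(table))
    print("unsalted MD5 :", crack_with_table(LEAKED_MD5, table))
    print("salted PBKDF2:", crack_salted_with_table(store_salted({"alice": "kawa"}), table))
    for label, space in [("8 printable, free-form", free_form_space(8)),
                         ("8 chars, typical rule shape", typical_rule_space()),
                         ("4 common words", passphrase_space(4))]:
        print(f"{label:28s} {bits(space):5.1f} bits")
```

The table for four lowercase letters is under half a million entries and takes well under a second to build; the post's point is that nothing but storage stops it growing, whereas the salted, iterated store forces the attacker back to one expensive guess per user per candidate.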


              • #8
                "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage"


                • #9
                  Originally posted by asp125:
                  Biometrics? Retina scans?
                  The challenge isn't (necessarily) the technology. Transparency to the end-user is pretty key, but with more and more applications being delivered over the Web, it has to (easily) tie in to that. Tokens work, but fail the transparency test. Biometrics, etc., require you to have some interface on the endpoint that is ubiquitous (fingerprint scanner on phones?) and are legacy compatible.

                  I suspect the winner will be biometric, but something akin to facial recognition. A camera is a relatively ubiquitous piece of technology and WWW interfaces to it are relatively easy. Migrating apps to it will be the challenge, along with lighting, etc.


                  • #10
                    Originally posted by asp125:
                    "1-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage"
                    Asp has been looking over my shoulder...
                    '05 Blue Kawi EX250 - RIP 6/17/10
                    Still in the market. Free is good.
                    motorcycle4amonth.blogspot.com



                    • #11
                      Wait, so you're telling me that "password" might not be secure? What if I kick it up a notch and change it to "suomi's-password," assuming the apostrophe is allowed of course? For serious, though, every office I've seen that required frequent password changes seemed to also have another thing in common: almost every computer had a sticky note hung from the monitor with the password written thereon. I did have someone once supposedly break into my eBay account, but they didn't actually do anything with it, so who knows.
                      Last edited by Suomi; 04-14-2011, 03:44 PM. Reason: fixing mixed up tenses
                      Tim
                      2011 Triumph Sprint GT
                      vroom



                      • #12
                        I once used the password "I dont have a password"; whenever anyone asked me what my password was, I'd tell them.


                        • #13
                          I have a system very similar to what Jeff described. For general internet use I use 3 or 4 different "key" words, and when I write them down, I can just use the first letter and then * for the rest, with a combination of upper and lower case, and a number or two thrown in for fun. I have different permutations of those same 3 or 4 key words that I use with other trigger words based on what the particular site is. For email accounts and financial stuff, I have a different set of 3 or 4 key words - different for each site. For my work computer, where I have to change the password every 3 months, I have yet a different series of words (however many different ones they require before you can repeat) that I rotate.


                          • #14
                            Originally posted by Suomi:
                            Wait, so you're telling me that "password" might not be secure? What if I kick it up a notch and change it to "suomi's-password," assuming the apostrophe is allowed of course? For serious, though, every office I've seen that required frequent password changes seemed to also have another thing in common: almost every computer had a sticky note hung from the monitor with the password written thereon. I did have someone once supposedly break into my eBay account, but they didn't actually do anything with it, so who knows.
                            See: 'the password is dead'


                            • #15
                              For sites that you might only visit a few times a year, put any character string in, then click 'I forgot my password'. Good sites have secondary security. Not-so-secure sites just send a link to a new password or, worse yet, send you the bloody password in the clear!
                              photos and blog
                              2013 BMW F700 GS
                              ~sold~2001 F650 GSa, SYM HD200

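Added example, not code from the thread or from any site it mentions, showing what the "good sites" half of post #15 looks like when implemented. A site that stores only a salted, iterated hash cannot mail the password back at all; what it can do is answer the reset form identically for known and unknown addresses, mint a random single-use token, store only the token's hash, and let it expire. The `ResetService` class, the `example.invalid` URL, the 15-minute lifetime, the in-memory outbox and the account used to exercise it are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed policy)


class ResetService:
    """Minimal in-memory model of account registration, login and password reset.
    Only a salted PBKDF2 hash of each password is kept, so the service has no
    password to e-mail; a reset can only be a one-time link."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.users = {}         # email -> (salt, password_hash)
        self.tokens = {}        # sha256(token) -> (email, expires_at)
        self.outbox = []        # constructed stand-in for the outgoing mail queue

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email, password):
        """Create or overwrite an account; a fresh salt is drawn every time."""
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, self._hash_pw(password, salt))

    def check_login(self, email, password):
        rec = self.users.get(email)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash_pw(password, salt))

    def request_reset(self, email):
        """Same reply whether or not the address is registered, so the form
        cannot be used to enumerate accounts.  A token is minted and mailed only
        for real accounts, and only its hash is stored server-side."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            key = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[key] = (email, self.now() + TOKEN_TTL)
            self.outbox.append((email, f"https://example.invalid/reset?token={token}"))
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token, new_password):
        """Redeem a token: unknown, already used or expired tokens all fail."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(key, None)   # single use: removed on any attempt
        if entry is None:
            return False
        email, expires_at = entry
        if self.now() > expires_at:
            return False
        self.register(email, new_password)   # new salt and hash for the new password
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.register("rider@example.invalid", "kawa")
    print(svc.request_reset("rider@example.invalid"))
    print(svc.request_reset("nobody@example.invalid"))   # identical wording
    link = svc.outbox[0][1]
    print("mailed:", link)
    print("reset ok:", svc.complete_reset(link.split("token=")[1], "bl00dy stup!d PASSWORDS!"))
```

The token hash, not the token, is what sits in the database, so a later leak of that table does not let anyone redeem outstanding links; the poster's "send you the bloody password in the clear" case is only possible when the site kept the password recoverable in the first place.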