Hacked?

Jun 8, 2004
10,024
-na -NA Anywhere USA
Recently, Phil Herring advised to change passwords. Some may have while others not. SUGGEST YOU DO SO IF NOT ALREADY.

I received an alert and sure enough, my old password was on the dark web. I already had changed mine.

You can lock all credit bureau accounts. There is also one for the banks as well, so I suggest putting a hold thru I think Chex Systems.
For online, I only use a separate credit card with a low limit versus your main card. If you must use a debit card, ensure you do have challenges on questionable charges as some debit cards do not allow that.

As for giving out personal information on the phone, only do so if you made the call.
 
Jan 11, 2014
11,323
Sabre 362 113 Fair Haven, NY
Good advice. To which I might add, set up notification alerts on your bank account and credit cards to send texts or emails of charges over a certain limit. And check the accounts daily; I use Quicken, which allows me to check every day for new charges and withdrawals. Once it is set up, it is a quick and simple task I do each morning while reading email. And, subscribe to a credit monitoring service; many banks will provide this, along with other companies like CreditKarma.com.

Four years ago someone opened an account in my name with my credentials. I was fortunate enough to catch it quickly and have had little trouble since then. The banks were cooperative, the credit agencies put a lock on all new applications and for the next 3 years I am well protected. Even the IRS supplies me with a secure code in order to file my 1040.

When you monitor your credit card activity watch for small incidental charges, usually under $10. CC thieves will first make a small charge to see if the card goes through before making a larger purchase. These charges often go unnoticed because they are small and under most alert limits and many people do not check activity on a daily basis. When you catch these transactions quickly, the bank will freeze your account number and send a new card and number.

Stay safe!
 
Jan 19, 2010
12,362
Hobie 16 & Rhodes 22 Skeeter Charleston
Another good trick is to change up your primary email address every now and again. I'd suggest every few years. Gmail lets you forward to a new account so you don't have to notify all of your old friends of your new account. I just now tried the link from @justsomeguy and plugged in an old (don't use it anymore) email and it showed up in 9 data breaches. Then put in my newer email and it came back with zero. :cool::dancing:
 

capta

.
Jun 4, 2009
4,766
Pearson 530 Admiralty Bay, Bequia SVG
> When you catch these transactions quickly, the bank will freeze your account number and send a new card and number

This in itself is a really big problem if one is away from home cruising. Any call, even one erroneously reported, immediately invalidates the card and you are left to figure how to get the new one down to the island you plan to be on for its arrival.
We have had our cards cancelled when we made a purchase down here, even though it should be in the records that we are down here full time. It can be a real pain.
 
Jan 11, 2014
11,323
Sabre 362 113 Fair Haven, NY
> This in itself is a really big problem if one is away from home cruising. Any call, even one erroneously reported, immediately invalidates the card and you are left to figure how to get the new one down to the island you plan to be on for its arrival.
> We have had our cards cancelled when we made a purchase down here, even though it should be in the records that we are down here full time. It can be a real pain.

Having cards cancelled wherever you are is a PITA. That's why it is a good idea to have 2 cards, with one in reserve.

I've been through the card canceling a few times, sometimes for fraudulent cards and sometimes for user error (we won't go in the embarrassing details). Even when a card is cancelled and the number changed some banks will continue to allow automatic charges go through, such as cell phone charges and subscription charges. If the charge was legitimate before the card was cancelled the bank assumes the charge is still legitimate and simply puts it on the new account.

Many cards allow for travel notifications so charges won't be denied in a foreign country.
 
Jun 2, 2004
3,390
Hunter 23.5 Fort Walton Yacht Club, Florida
DON'T use a debit card. If a debit card gets hacked it is up to you to show the charges were not yours. With a credit card the card issuer must prove the charge is yours.

Took a long time for my daughter to figure this out. She was hacked three times while in college before she understood. She was fortunate though I doubt she ever had more than $400 sitting in that account.

It's funny too, the card companies won't tell you where your card likely was hacked. It would be pretty easy to compare lists of charges on hacked cards in a particular area and find a nexus of where they were all used, probably even down to a time and what employee was working at the time the hacked cards were used, and nail them. Guess they are afraid if I knew where my card was being hacked from I would never return to that establishment, which actually probably is in fact the case.
 

Phil Herring

Alien
Mar 25, 1997
4,918
- - Bainbridge Island
I tend to distrust commercial services that -- when you boil it all down -- make money by scaring the crap out of you. The best monitor I've found is here:


It's not commercial and there are plenty of nifty tools including a check if your password has been breached, too. We monitor all of our SBO addresses there so we get an alert if there's a problem we missed.
 
Sep 20, 2014
1,320
Rob Legg RL24 Chain O'Lakes
Not sure if any of this matters much. I use several different layers of passwords. If someone gains access to one of my passwords from a forum, it's certainly not the end of the world. Someone could post something using my name. Not sure why anyone would be motivated to do so. My posts on forums don't have that much monetary value. If anyone would really believe that I was kidnapped and being held for ransom and be willing to send money, I'll tell you what, why don't you just send me money now and I can hold it just in case :)
 
Oct 10, 2009
982
Catalina 27 Lake Monroe
I have to take a DHS network security training each year as part of my job. I'm sure the next one will be super interesting. Generally, a few highlights from last briefing that I can recall:

Password length doesn't matter as much as it used to.

Multiple (>4) random, unconnected words seems to be very difficult for password cracking software to solve. Example- BellytoWerimaGePanda1! would be pretty strong and would satisfy most requirements for length and characters.

You really should get used to not remembering individual passwords. We are required to use a password saver and all our passwords should be long strings of random words that are too long and complex to recall.

Writing your passwords in a binder (like a lot of old guys) is possibly the most secure password manager, since you are much more likely to be compromised online rather than in person.

Lastly, a note on password saving. Our security developer reported he cracked Google's password saver on the first try.

Other recommendations are standard, but now elevated. One in particular is to never click on a link provided to you by someone else unless they verbally confirm having sent it, sort of a way of running a quick two factor validation. Our security team carries out routine penetration attacks in house and you'd be surprised how sophisticated this strategy has become. What appears to be a real email from a friend may not be what it appears, regardless of what you can see in the message details.
 
Jun 14, 2010
2,081
Robertson & Caine 2017 Leopard 40 CT
> Password length doesn't matter as much as it used to.

I agree with everything in your post except this one. Length is the most important making it difficult for a password cracker. Most experts agree the length should be at least 12 characters, more is better. Complexity doesn’t matter as much.
 
Jan 7, 2011
4,727
Oday 322 East Chicago, IN
> You really should get used to not remembering individual passwords. We are required to use a password saver and all our passwords should be long strings of random words that are too long and complex to recall.
>
> Writing your passwords in a binder (like a lot of old guys) is possibly the most secure password manager, since you are much more likely to be compromised online rather than in person.

Can you recommend a good password saver? All of the ones I have tried have “issues”...

The written list is good, but if you are traveling and don’t have the list with you...not so good.

Banks and other companies know what computers you use to access their sites and will challenge a login from an unknown device. I like this feature (assuming it really works).

2-factor authentication is pretty robust I think but I find it inconvenient (phone is downstairs and some site I am accessing from my desktop computer in office wants to send me a text to verify my ID)...:banghead:

Some days I think I just want to unplug all my devices, get on a boat, and sail away. :cool:

Cheers,

Greg
 
Oct 22, 2014
20,995
CAL 35 Cruiser #21 moored EVERETT WA
I am with you on the sail away part...

I had work passwords changing every 60 days. As cyber issues developed so did the work related password demands. 15-20 or more characters, at least one from each of the list of possible characters, no 3 of the same characters in sequence etc. It became a nightmare. I landed on a password manager, "Keeper". Not perfect, but it works across multiple platforms. It has reduced my password tension.

Now if I could just do more of that sailing stuff.
 
Jan 11, 2014
11,323
Sabre 362 113 Fair Haven, NY
I use 1Password and Keychain, which is built into the Mac OS. Each has distinct advantages.

1Password can store more than just passwords; it has a place to store credit card numbers, which makes it easier to purchase things online: a couple of clicks and the CC info is correctly entered. I don't store CC info with online retailers.

Keychain works seamlessly across the Apple environment. Need a password on my phone, Keychain is there. The Mac OS also includes iMessage which can receive text messages sent to my phone. When Two Factor authentication is needed the text message comes to my computer and in the latest OS, it will auto fill the code.
 
Jun 14, 2010
2,081
Robertson & Caine 2017 Leopard 40 CT
> I am with you on the sail away part...
>
> I had work passwords changing every 60 days. As cyber issues developed so did the work related password demands. 15-20 or more characters, at least one from each of the list of possible characters, no 3 of the same characters in sequence etc. It became a nightmare. I landed on a password manager, "Keeper". Not perfect, but it works across multiple platforms. It has reduced my password tension.
>
> Now if I could just do more of that sailing stuff.

Keeper is good. However I use and recommend LastPass with a long Master pass-phrase and 2FA using an authenticator app. LastPass syncs securely with your computers and phones, and does auto fill on all devices, including form fills for address and credit cards.
I use DUO authenticator but Google and Microsoft each have a free authenticator app as a download from your phone’s app store (both work with other apps and web sites that support open standards for authentication).
Using an authenticator app is better than getting texts because 1) the auth code is encrypted end to end, 2) the auth code is valid typically less than one minute, 3) it’s easier to hijack a SIM through social engineering. Also - Text is usually not encrypted, and texted authentication codes are typically good for up to an hour, or more.
 
Oct 22, 2014
20,995
CAL 35 Cruiser #21 moored EVERETT WA
Since getting my Mac laptop, I have enjoyed the Apple integration. I looked at 1Password; it was on my shortlist.

Having a PC and Apple environment, I had to forego the Keychain system. As I simplify my life I suspect the PC will get less usage. At least that has been the trend for the past 9 months.
 

capta

.
Jun 4, 2009
4,766
Pearson 530 Admiralty Bay, Bequia SVG
Some years back, my daughter and I were in a shop and they had a "password" book. Slightly larger than a note pad, with every entry in pencil, it is small enough to carry when traveling and update in pencil. This has worked out very well for us for more than ten years.
 
Jun 14, 2010
2,081
Robertson & Caine 2017 Leopard 40 CT
> Some years back, my daughter and I were in a shop and they had a "password" book. Slightly larger than a note pad, with every entry in pencil, it is small enough to carry when traveling and update in pencil. This has worked out very well for us for more than ten years.

Not a safe thing to travel with that. It's safe if you keep it at home, and in a lockbox when you leave the house or have visitors you wouldn't trust with your life savings. What would happen if that fell into the wrong hands?
 
Jun 14, 2010
2,081
Robertson & Caine 2017 Leopard 40 CT
Someone wrote me a PM and I'm posting it here for general info:
> I am looking for an alternate to having the bank or other suppliers of data provide me a 6-digit token via text to allow access to their online system. DUO does not look like that solution.
>
> What am I missing?

Authenticator apps are a more secure alternative to text authentication. DUO is an enterprise authenticator application (I don't think they have a free version). For personal use I recommend the Microsoft or Google authenticator apps, which are free to download and use from your phone's app store.
Using an authenticator app: When you set up 2FA/MFA with a web site that supports it (e.g. Microsoft, Google, or Amazon, to name just a few) you will be given a choice of how you want to authenticate. Usually the choices will include text, an alternate email address, phone call to a number on file, or an authenticator app. If you choose the latter, it will display a scan code on screen. No matter which app, the next steps are as follows:
1) Open the authenticator app on your phone
2) Touch the + symbol to add an account
3) Use your phone's camera to view the scan code
4) The app will add the site (usually naming it with your UserID, which is typically the same on many sites, assuming you use your email address)
5) The web site will show a form for you to enter the code from your authenticator app. (watch the countdown timer and wait for the next one if you need more time). Enter the code from your authenticator app into the web site and click to save.
6) Optional step: from within the authenticator app, edit the last site you entered to put the name of the site in front of your UserID so you can easily know which site it is (you will accumulate sites over time).

PS - your bank is likely to insist you use only their authenticator app or a hardware token they provide.