I had an upsetting experience last night. At around 10pm (I never get calls that late) I received a phone call from a woman with an Indian accent who said that she was from Visa security and claimed that they had just noticed a credit charge on my Visa credit card account in the amount of $400 on Amazon from an overseas country. I immediately said that I didn't make that charge. The woman then said that they would cancel my card and issue me a new one and that she would have her supervisor speak with me to confirm my card information. A guy with another Indian accent came on the line and read me my name and address and asked me to verify the information. He then asked me to provide my card number and expiration date. I did do that but then started to get cold feet and asked him why he needed the card number as I would think that Visa would already have that information in their files. He then told me that they were just the security office and would forward my information to my local bank to have them issue me a new card. That sounded slightly reasonable, until he asked for my three digit security code and if my card had my middle initial in my cardholders name. That was just too much for me and I said no way, you don't need that to cancel my card and to issue a new one. When he started to beg for the number, I told him that I would immediately call my bank directly and cancel the card myself. That was when the phone went "click" and the line went dead. I then got on the phone and called my bank directly who canceled my card and they are going to send me a new card within a week. However, I did notice that he asked for my entire credit card number and expiration date, but not the security code.
That call was quite convincing, except for the Indian accents. You could even hear a bunch of office noise in the background, with people apparently on other calls. They mostly followed the same format of a real security call that I have received in the past from Visa when I made a couple of purchases from England and from Denmark (when I bought my Booster Plug). So heads up if you get a similar call. Especially if the caller has an Indian accent.
Richard - Current bikes: 2016 BMW R1200RS, 2018 16.6 kWh Zero S, 2011 Royal Enfield Bullet 500 Classic, 2009 BMW F650GS, 2020 KTM 390 Duke, 2002 Yamaha FZ1 (FZS1000N) and a 1978 Honda Kick 'N Go Senior.
It is easy to get sucked into that kind of scam. I was just thinking about it. Would VISA ask for your credit card into? Or would they ask your security questions?
Thanks for the info.
Chris
Elnathan - 2014 BMW F800GT
IBA# 49894 True Rounder = 0-20's - Rounder -- to -- 100's+ Red Hot Rounder
Tax, credit card, social assistance, bank... Whatever the call, no one should be asking you for your account information. That's a huge red flag. Hang up, find a phone number yourself and make your own call.
Also, no one is going to ask you to pay a bill with gift cards or bit coins.
I got an email from Wells Fargo this morning stating a couple out of state charges seemed odd to them One in Minn and the other in Texas. Looking at my statement I couldn't see the charges, hadn't been posted yet. So I called the number on the credit card and the agent confirmed the charges were made, one had been denied. So it's new card time. I should have it on Tuesday. When they ask about the card number they had me tell them the last 4 numbers and then confirmed the last 4 of my social security. The bank doesn't ask for the whole number, they already have that.
If you don't like the voice or accent on the phone, you have the right to ask for an American rep. It takes a moment or two but they will connect you with a more locally based person.
There are a number of Philippine based offices that do customer support. Their English is good but I seem to be able detect a difference. When I ask how the weather is in Manila, they are surprised but do respond to the question.
Even though they don't have a branch within 30 miles of where I currently live, I have stuck with Chase because their security is so good. The first time I ran into it, I had just tried to use my Chase credit card for a $15 at a CVS in Oakland, CA. It was declined. When I got back to where I was staying, I had an e-mail from them, asking me to call. They put me through a security audit, and kept apologizing for the inconvenience. I said, "No, no, this is great." A couple of years ago, I got an e-mail from Chase asking about two $50 fill-ups in Fresno (I live in Georgia). Whenever my card is used, I get an e-mail confirmation within seconds, so I have early warning if I see something unexpected. Sometimes I will ask my wife, "Did you just order something for $XX?" So far, no surprises.
Two general security tips for anything that you do online:
1. NEVER, EVER use the same password across multiple sites. A password manager helps keep them all unique, cryptic.
2. If at all possible, use two factor authentication, which is analogous the the magstripe/chip on a debit card, which also requires a secondary identifier, the PIN.
I got a phone call from Sear Citi bank this afternoon about a similar charges on that card. I finally got through and got that card stopped too.
Weird thing my wife had those cards in her purse and I've had a number of Care Givers here over the last few months. Something is fishy. I'll not be putting copies of the cards back in her purse. I'll be mentioning the problem to the office manager in the Monday morning when I take the check to her. No one else has had access to those cards in months.
There be thieves about.
I should do #1, but haven't yet. I have taken a different route by using a password that isn't easy to break, but is consistent across all the forums I'm a member of. If you get that, all you can do with it, is make posts on motorcycle forums.
My "fear" on using a password manager, is that if they break that they have everything. I'll probably do it later though.
Chris
Elnathan - 2014 BMW F800GT
IBA# 49894 True Rounder = 0-20's - Rounder -- to -- 100's+ Red Hot Rounder
I've got a password manager, a ledger book in the desk drawer. But I oops and occasionally don't write something down. DOH!
Like the sears city password,. I have it now though.
I should do #1, but haven't yet. I have taken a different route by using a password that isn't easy to break, but is consistent across all the forums I'm a member of. If you get that, all you can do with it, is make posts on motorcycle forums.
My "fear" on using a password manager, is that if they break that they have everything. I'll probably do it later though.
I have more than 200 online accounts, each with a unique password, for example 9oaoDmy*9f64. There is no way I could manage 200 unique passwords using a ledger book, especially when I am travelling.
Critical accounts use 2-factor authentication. Here is how 2FA works with my Google account. If somehow my Google password were compromised:
1. If someone tries to login to my Google account from an untrusted computer, anywhere in the world, they can get no farther without the second factor.
2. I immediately get an e-mail from Google that someone has tried to login.
3. This gives me a chance to change my password before any damage can be done. Changing my password also requires the second factor, which is generated by a security key. I also carry a printed list of 10 emergency codes with me, but without my userid, in case my wallet should be stolen.
If I have to login to a computer, for example at a library while travelling, I do so on an "untrusted" basis, so that as soon as I logout, my account is no longer accessible through that device. When I travel with a Chromebook, it is always either sleeping or off when not in use. Everything that is stored locally is encrypted, and my login/userid provide the only access key.
I have more than 200 online accounts, each with a unique password, for example 9oaoDmy*9f64. There is no way I could manage 200 unique passwords using a ledger book, especially when I am travelling.
Critical accounts use 2-factor authentication. Here is how 2FA works with my Google account. If somehow my Google password were compromised:
1. If someone tries to login to my Google account from an untrusted computer, anywhere in the world, they can get no farther without the second factor.
2. I immediately get an e-mail from Google that someone has tried to login.
3. This gives me a chance to change my password before any damage can be done. Changing my password also requires the second factor, which is generated by a security key. I also carry a printed list of 10 emergency codes with me, but without my userid, in case my wallet should be stolen.
If I have to login to a computer, for example at a library while travelling, I do so on an "untrusted" basis, so that as soon as I logout, my account is no longer accessible through that device. When I travel with a Chromebook, it is always either sleeping or off when not in use. Everything that is stored locally is encrypted, and my login/userid provide the only access key.
My Snoopy would never be able to deal with that level of security.
Richard - Current bikes: 2016 BMW R1200RS, 2018 16.6 kWh Zero S, 2011 Royal Enfield Bullet 500 Classic, 2009 BMW F650GS, 2020 KTM 390 Duke, 2002 Yamaha FZ1 (FZS1000N) and a 1978 Honda Kick 'N Go Senior.
I have more than 200 online accounts, each with a unique password, for example 9oaoDmy*9f64. There is no way I could manage 200 unique passwords using a ledger book, especially when I am travelling.
Critical accounts use 2-factor authentication. Here is how 2FA works with my Google account. If somehow my Google password were compromised:
1. If someone tries to login to my Google account from an untrusted computer, anywhere in the world, they can get no farther without the second factor.
2. I immediately get an e-mail from Google that someone has tried to login.
3. This gives me a chance to change my password before any damage can be done. Changing my password also requires the second factor, which is generated by a security key. I also carry a printed list of 10 emergency codes with me, but without my userid, in case my wallet should be stolen.
If I have to login to a computer, for example at a library while travelling, I do so on an "untrusted" basis, so that as soon as I logout, my account is no longer accessible through that device. When I travel with a Chromebook, it is always either sleeping or off when not in use. Everything that is stored locally is encrypted, and my login/userid provide the only access key.
Excellent article. It raised some questions in my mind.
The first question is how does a hacker try thousands and millions of brute force attacks on my account? You probably could do that here on this forum, but that gets you nothing. On any account worth worrying about, after three tries the account is locked for 24 hours or till you call their Help Desk. And the Help Desk will require you to prove your identity.
They kept mentioning passphrases and the use of full words strung together. I wonder if they also have partial words. For instance, we have a lot of things named from what the Indians called them originally. Like the Skykomish river. What if you used "Skyk" as part of your password? Like Skyk123@. Upper and lower case, alphanumeric, and includes a symbol. That significantly increases the dictionary possibilities.
What program do you use for your passwords? Both to generate the passwords, and to store them?
Chris
Elnathan - 2014 BMW F800GT
IBA# 49894 True Rounder = 0-20's - Rounder -- to -- 100's+ Red Hot Rounder
I got my Wells Fargo replacement card today and won't be putting her card in her purse that she never uses.
most aggravating to have folks take opportunity.
There have been many documented reports of hackers gaining access to password files. The worst cases have involved systems that stored or passed passwords as plain text.
Even if the passwords are hashed, they are susceptible to cracking. Unlike an encrypted value, a hash value is a one-way process, and cannot be recovered. BUT it is still vulnerable to dictionary attacks, in which an attacker can compute the hash values of commonly used passwords or just one potential password. Let's say someone has a password that is based on natural language components, such as iHateMyComputer, which produces a hash of 3dtssrvssfeygjxhk%1* The cracking program throws words at the file of hashed passwords until he gets a matching hash.
So, if a hacker gained access to a system, and is able to download its password file, whether plain text or encrypted, once they have the file, it's a matter of brute force to crack its passwords.
While not invulnerable, password managers (for which the master password is always the weakest link), generate semi-random passwords such as:
that are virtually impossible to remember, but also difficult to crack using a dictionary-based algorithm. LastPass can automatically generate passwords up to 99 characters, with a mix of upper and lower case alpha, numeric, and punctuation characters. I try to avoid characters with diacritics because they can be problematic.
I use LastPass, which has a 2FA option. I change the master password at intervals, always at home. My wife has emergency access, and I keep a printed copy of the current password on a piece of paper in my bank safe deposit box. There are many options; just Google for "best password managers 2020"
Good article. I've been using the Password Safe app on my Samsung Note 9 to keep track of things like passwords and accounts. The phone has both fingerprint and biometric security.
The only password that has been found on the Dark Web has been my login info to the Linux Mint forum from 10 years ago.
I wish we didn't have to bother with these things, but we do.
Chris
Elnathan - 2014 BMW F800GT
IBA# 49894 True Rounder = 0-20's - Rounder -- to -- 100's+ Red Hot Rounder
I use a password manager and 2factor auth. after a friend of mine lost a substantial amount of money/time after several of his accounts were compromised (used the same password).
You also have to realize that your security is only as good as where it's being housed.
Case in point: https://haveibeenpwned.com/ that website looks to see who has had data breaches with your email. I noticed my hotmail account getting hammered with spam after vendor xxxx's database was compromised
(obviously do your research before you click on that website, don't belive some guy on the interwebz)
Reply With Quote
Originally Posted by Daboo
Your Privacy Choices
Bookmarks