Online shopping account hacked

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Post Reply
Topic Author
Barefootgirl
Posts: 2519
Joined: Tue Oct 06, 2009 7:05 pm

Online shopping account hacked

Post by Barefootgirl »

I'm careful to not store my credit card numbers when shopping online, but got lazy at Amazon.com and Walmart.com since I order from those sites so frequently and those accounts each have a couple credit cards stored on them.

Yesterday, I learned my Walmart.com account was hacked and the hackers proceeded to order electronics using my account. Thankfully, the credit card companies detected the fraud and cancelled the orders shortly after they were placed.

I called Walmart.com and they were very cavalier about the whole thing. I asked how they protect their site, but of course they were vague. They told me I should remove my information - which I have done.

So..this is reminder about storing card numbers online...

BFG
How many retired people does it take to screw in a lightbulb? Only one, but he takes all day.
nordlead
Posts: 739
Joined: Thu Sep 12, 2013 9:09 am

Re: Online shopping account hacked

Post by nordlead »

The more important thing is using unique secure passwords at every website.

I've been storing my CC numbers on all sorts of websites for years and I really am not worried about it. Each website has a unique password that even I don't know. If someone gets in, it is a quick 10 minute call to the CC company and life goes on. So far, I've saved more than 10 minutes by having my CC numbers stored on websites I frequent.
User avatar
Quidnam
Posts: 443
Joined: Fri Jun 22, 2007 10:11 am
Location: New York, NY

Re: Online shopping account hacked

Post by Quidnam »

Barefootgirl wrote:Yesterday, I learned my Walmart.com account was hacked and the hackers proceeded to order electronics using my account.
To echo nordlead, if you reuse passwords online, the odds are very good that the security of Walmart.com was not "hacked" at all -- i.e., your login credentials were compromised elsewhere, and were then used to access the account. Using a password manager (such as Lastpass) to assign unique, complex passwords to all of your accounts is an important measure to mitigate the potential for a hack in one place to spill over into another.
Rupert
Posts: 4122
Joined: Fri Aug 17, 2012 12:01 pm

Re: Online shopping account hacked

Post by Rupert »

Are you sure you don't have keylogging malware on the computer you use to access Walmart.com?
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Online shopping account hacked

Post by Mudpuppy »

The biggest concern one should have about a shopping account getting compromised is not that they could buy something, but rather what information were they able to gather. Most shopping websites display some information about the stored credit card number (like the last 4 digits and/or expiration date), which could then be used to conduct a social engineering attack against another account.

There was a rather high-profile case a few years ago (because it involved a journalist) of attackers getting into one of his accounts that had stored CC info. They then used the last 4 digits displayed on that account to call up another vendor and get the password reset. Ultimately, the attackers were able to get into his Apple account and delete everything on his devices. Since he didn't have independent backups from Apple, he lost a lot of personal photos and data. Link: http://www.wired.com/2012/08/apple-amaz ... n-hacking/

As with many social engineering attacks, his only got to the severity it did because a customer service representative didn't strictly follow procedures. But that's sort of the whole point of this sort of social engineering, to trick call reps into thinking you're legit so they relax procedures a little bit to "help out".
User avatar
Will do good
Posts: 1138
Joined: Fri Feb 24, 2012 7:23 pm

Re: Online shopping account hacked

Post by Will do good »

To educate myself, I'm reading "Future Crimes", it's all about what the bad guys are doing online to steal from us and more. Very informative.

http://www.nytimes.com/2015/05/17/books ... odman.html
User avatar
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: Online shopping account hacked

Post by VictoriaF »

Will do good wrote:To educate myself, I'm reading "Future Crimes", it's all about what the bad guys are doing online to steal from us and more. Very informative.

http://www.nytimes.com/2015/05/17/books ... odman.html
It seems like an interesting book, thank you for the reference. However, by the time a book is published, new exploits and new countermeasures have been developed. While books provide general information about cybercrime, security blogs are more up to date. Check out Bruce Schneier.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
drawpoker
Posts: 2809
Joined: Mon May 19, 2014 6:33 pm
Location: Delmarva

Re: Online shopping account hacked

Post by drawpoker »

The only online merchant who is storing my cc info is chewy dot com

Anyone know if that site is considered pretty safe?
User avatar
VictoriaF
Posts: 20122
Joined: Tue Feb 27, 2007 6:27 am
Location: Black Swan Lake

Re: Online shopping account hacked

Post by VictoriaF »

drawpoker wrote:The only online merchant who is storing my cc info is chewy dot com

Anyone know if that site is considered pretty safe?
A site may be pretty safe today and get hacked tomorrow, due to a rougue IT guy or just bad luck. Not storing credit card information with online merchants has a side benefit of preventing impulsive purchases.

Victoria
Inventor of the Bogleheads Secret Handshake | Winner of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
User avatar
Rob5TCP
Posts: 3812
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Online shopping account hacked

Post by Rob5TCP »

VictoriaF wrote:
Will do good wrote:To educate myself, I'm reading "Future Crimes", it's all about what the bad guys are doing online to steal from us and more. Very informative.

http://www.nytimes.com/2015/05/17/books ... odman.html
It seems like an interesting book, thank you for the reference. However, by the time a book is published, new exploits and new countermeasures have been developed. While books provide general information about cybercrime, security blogs are more up to date. Check out Bruce Schneier.

Victoria
I read Bruce Schneier's monthly newsletter. Some of his articles could give nightmares - He shows just how unprepared we are for the massive amount of hacking that is going on.

Currently I use Tor (privacy), Sandboxie to trap downloads, Voodo Shield to prevent hijacking, Malwarebytes anti malware and the separate program Malwarebytes anti exploit, plus a good anti virus and a separate anti virus for daily scans. I have gotten way too paranoid.
drawpoker
Posts: 2809
Joined: Mon May 19, 2014 6:33 pm
Location: Delmarva

Re: Online shopping account hacked

Post by drawpoker »

VictoriaF wrote:...A site may be pretty safe today and get hacked tomorrow, due to a rougue IT guy or just bad luck. Not storing credit card information with online merchants has a side benefit of preventing impulsive purchases.

Victoria
You're 100 % right about the safety angle. Something to think about.

But as far as "impulsive " buying - nope, not likely with this BH. :)
Require 85-100 pounds of cat litter every month, along with some supplements that are way cheaper with chewy than at the vet's or other stores.
User avatar
Will do good
Posts: 1138
Joined: Fri Feb 24, 2012 7:23 pm

Re: Online shopping account hacked

Post by Will do good »

Rob5TCP wrote:
VictoriaF wrote:
Will do good wrote:To educate myself, I'm reading "Future Crimes", it's all about what the bad guys are doing online to steal from us and more. Very informative.

http://www.nytimes.com/2015/05/17/books ... odman.html
It seems like an interesting book, thank you for the reference. However, by the time a book is published, new exploits and new countermeasures have been developed. While books provide general information about cybercrime, security blogs are more up to date. Check out Bruce Schneier.

Victoria
I read Bruce Schneier's monthly newsletter. Some of his articles could give nightmares - He shows just how unprepared we are for the massive amount of hacking that is going on.

Currently I use Tor (privacy), Sandboxie to trap downloads, Voodo Shield to prevent hijacking, Malwarebytes anti malware and the separate program Malwarebytes anti exploit, plus a good anti virus and a separate anti virus for daily scans. I have gotten way too paranoid.
Rob5TCP, Any of those work on Macs?
Topic Author
Barefootgirl
Posts: 2519
Joined: Tue Oct 06, 2009 7:05 pm

Re: Online shopping account hacked

Post by Barefootgirl »

Thank you for the tip on Lastpass
How many retired people does it take to screw in a lightbulb? Only one, but he takes all day.
User avatar
Rob5TCP
Posts: 3812
Joined: Tue Jun 05, 2007 7:34 pm
Location: New York, NY

Re: Online shopping account hacked

Post by Rob5TCP »

Will do good wrote:
Rob5TCP wrote:
VictoriaF wrote:
Will do good wrote:To educate myself, I'm reading "Future Crimes", it's all about what the bad guys are doing online to steal from us and more. Very informative.

http://www.nytimes.com/2015/05/17/books ... odman.html
It seems like an interesting book, thank you for the reference. However, by the time a book is published, new exploits and new countermeasures have been developed. While books provide general information about cybercrime, security blogs are more up to date. Check out Bruce Schneier.

Victoria
I read Bruce Schneier's monthly newsletter. Some of his articles could give nightmares - He shows just how unprepared we are for the massive amount of hacking that is going on.

Currently I use Tor (privacy), Sandboxie to trap downloads, Voodo Shield to prevent hijacking, Malwarebytes anti malware and the separate program Malwarebytes anti exploit, plus a good anti virus and a separate anti virus for daily scans. I have gotten way too paranoid.
Rob5TCP, Any of those work on Macs?
Not as far as I know ??
astrohip
Posts: 569
Joined: Tue Dec 21, 2010 3:29 pm
Location: Houston TX

Re: Online shopping account hacked

Post by astrohip »

Barefootgirl wrote:Yesterday, I learned my Walmart.com account was hacked and the hackers proceeded to order electronics using my account.

I called Walmart.com and they were very cavalier about the whole thing. I asked how they protect their site, but of course they were vague. They told me I should remove my information - which I have done.
BFG
There is a significant difference between a company being hacked, and YOUR account being hacked.

If Wal*Mart was hacked, it would be HUGE news. On the order of when Target was hacked. And credit card & identity theft would be a real danger.

When YOUR account is hacked, the stores don't really care, as it's YOUR fault. Always. That's why they were cavalier. There's nothing they can do when YOUR account is hacked.

There will be something you did that led to your account being hacked. You might use the same password at two sites, and that other site was hacked, and now they have your password. Or maybe you used a weak password. Or keylogging software (much more rare than people think).

I use LastPass, and have no idea what most of my passwords are, but I know they're unique from site to site.
"Happiness is not about doing, it’s about being." - R Branson
cherijoh
Posts: 6591
Joined: Tue Feb 20, 2007 3:49 pm
Location: Charlotte NC

Re: Online shopping account hacked

Post by cherijoh »

nordlead wrote:The more important thing is using unique secure passwords at every website.

I've been storing my CC numbers on all sorts of websites for years and I really am not worried about it. Each website has a unique password that even I don't know. If someone gets in, it is a quick 10 minute call to the CC company and life goes on. So far, I've saved more than 10 minutes by having my CC numbers stored on websites I frequent.
If you don't know your password, how are you logging in?
astrohip
Posts: 569
Joined: Tue Dec 21, 2010 3:29 pm
Location: Houston TX

Re: Online shopping account hacked

Post by astrohip »

cherijoh wrote:If you don't know your password, how are you logging in?
Either:

1) They use their browser's "remember this password" feature. Which is terrible, please don't ever do that.

or far more likely

2) They use a password program, that creates, stores and use a random password for you. This is the only way to go.

For example, I register at a new site, Boogleheads. When it asks for a password, my PW program (LastPass for me, but there are others) creates a random password (something like "6fg7Rt$fZ"). It then stores the site Boogleheads.com with this newly created random password. Next time I need to login, Lastpass recognizes the domain, logs me in, and I'm done. And I never know what random string is my password.

I can always look it up if I have to, and on rare occasion will need it. But for the most part, I have hundreds of random, very secure but totally not-memorized passwords.
"Happiness is not about doing, it’s about being." - R Branson
dolphinsaremammals
Posts: 2094
Joined: Tue Jul 22, 2014 4:18 pm

Re: Online shopping account hacked

Post by dolphinsaremammals »

Mudpuppy wrote: There was a rather high-profile case a few years ago (because it involved a journalist) of attackers getting into one of his accounts that had stored CC info. They then used the last 4 digits displayed on that account to call up another vendor and get the password reset. Ultimately, the attackers were able to get into his Apple account and delete everything on his devices. Since he didn't have independent backups from Apple, he lost a lot of personal photos and data. Link: http://www.wired.com/2012/08/apple-amaz ... n-hacking/
Independent backups from Apple? He had no backup himself? This is the Apple world, someone hacks into an Apple account and they can wipe out all the data on all the person's devices? Windows is looking pretty good (never thought I'd type that :D )
nordlead
Posts: 739
Joined: Thu Sep 12, 2013 9:09 am

Re: Online shopping account hacked

Post by nordlead »

astrohip wrote:
cherijoh wrote:If you don't know your password, how are you logging in?
Either:

1) They use their browser's "remember this password" feature. Which is terrible, please don't ever do that.

or far more likely

2) They use a password program, that creates, stores and use a random password for you. This is the only way to go.

For example, I register at a new site, Boogleheads. When it asks for a password, my PW program (LastPass for me, but there are others) creates a random password (something like "6fg7Rt$fZ"). It then stores the site Boogleheads.com with this newly created random password. Next time I need to login, Lastpass recognizes the domain, logs me in, and I'm done. And I never know what random string is my password.

I can always look it up if I have to, and on rare occasion will need it. But for the most part, I have hundreds of random, very secure but totally not-memorized passwords.
#2 is the winner. I use keepass2 and have the database on my server which I access via ssh(scp) if I'm not inside my network.
Topic Author
Barefootgirl
Posts: 2519
Joined: Tue Oct 06, 2009 7:05 pm

Re: Online shopping account hacked

Post by Barefootgirl »

Several days ago, it was recommended that I get Lastpass (or similar) to protect my passwords.

and now this: (Lastpass has been hacked)

http://www.pcworld.com/article/2936272/ ... acked.html

So now what should I do to protect my Lastpass account?

What's the next tier of security?
How many retired people does it take to screw in a lightbulb? Only one, but he takes all day.
astrohip
Posts: 569
Joined: Tue Dec 21, 2010 3:29 pm
Location: Houston TX

Re: Online shopping account hacked

Post by astrohip »

Barefootgirl wrote:Several days ago, it was recommended that I get Lastpass (or similar) to protect my passwords.

and now this: (Lastpass has been hacked)

http://www.pcworld.com/article/2936272/ ... acked.html

So now what should I do to protect my Lastpass account?

What's the next tier of security?
LastPass was not hacked in the sense your passwords were stolen. They took some users encrypted data, but as it's encrypted, it's mostly useless. Unless you have a very simplistic master password ("abc" or whatnot), the hackers will never decipher it. And if you had "abc" as a password, well...

If you are super-paranoid, you can change your master password, and that will remove ANY chance they could access your data. Or, if like me, you had a decently strong master password, I'm doing nothing. They'll never brute force crack an 11 character string.

BTW, you can always add two-factor authorization. That makes you bulletproof.
"Happiness is not about doing, it’s about being." - R Branson
User avatar
LadyGeek
Site Admin
Posts: 95696
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia
Contact:

Re: Online shopping account hacked

Post by LadyGeek »

FYI - We have a dedicated LastPass thread. See: LastPass.com Breach
Wiki To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Online shopping account hacked

Post by Mudpuppy »

astrohip wrote:They'll never brute force crack an 11 character string.
Just as a general FYI, depending on the cipher used, they reasonably could brute force an 11 character master password if they have the ciphertext. Lastpass uses a reasonably strong cipher where 11 characters would still take time, but an 11 character key for some weaker ciphers would easily fall to the latest password cracking GPU rigs.

I personally recommend at least 16 characters for strong ciphers. 20-24 characters is even better, and would be useful for even weak ciphers (or if you don't know the ciphers).
Post Reply