Online shopping account hacked
I'm careful to not store my credit card numbers when shopping online, but got lazy at Amazon.com and Walmart.com since I order from those sites so frequently and those accounts each have a couple credit cards stored on them.
Yesterday, I learned my Walmart.com account was hacked and the hackers proceeded to order electronics using my account. Thankfully, the credit card companies detected the fraud and cancelled the orders shortly after they were placed.
I called Walmart.com and they were very cavalier about the whole thing. I asked how they protect their site, but of course they were vague. They told me I should remove my information - which I have done.
So... this is a reminder about storing card numbers online...
BFG
How many retired people does it take to screw in a lightbulb? Only one, but he takes all day.
Re: Online shopping account hacked
The more important thing is using unique secure passwords at every website.
I've been storing my CC numbers on all sorts of websites for years and I really am not worried about it. Each website has a unique password that even I don't know. If someone gets in, it is a quick 10 minute call to the CC company and life goes on. So far, I've saved more than 10 minutes by having my CC numbers stored on websites I frequent.
Re: Online shopping account hacked
Barefootgirl wrote: Yesterday, I learned my Walmart.com account was hacked and the hackers proceeded to order electronics using my account.
To echo nordlead, if you reuse passwords online, the odds are very good that the security of Walmart.com was not "hacked" at all -- i.e., your login credentials were compromised elsewhere, and were then used to access the account. Using a password manager (such as Lastpass) to assign unique, complex passwords to all of your accounts is an important measure to mitigate the potential for a hack in one place to spill over into another.
Re: Online shopping account hacked
Are you sure you don't have keylogging malware on the computer you use to access Walmart.com?
Re: Online shopping account hacked
The biggest concern one should have about a shopping account getting compromised is not that they could buy something, but rather what information were they able to gather. Most shopping websites display some information about the stored credit card number (like the last 4 digits and/or expiration date), which could then be used to conduct a social engineering attack against another account.
There was a rather high-profile case a few years ago (because it involved a journalist) of attackers getting into one of his accounts that had stored CC info. They then used the last 4 digits displayed on that account to call up another vendor and get the password reset. Ultimately, the attackers were able to get into his Apple account and delete everything on his devices. Since he didn't have independent backups from Apple, he lost a lot of personal photos and data. Link: http://www.wired.com/2012/08/apple-amaz ... n-hacking/
As with many social engineering attacks, his only got to the severity it did because a customer service representative didn't strictly follow procedures. But that's sort of the whole point of this sort of social engineering, to trick call reps into thinking you're legit so they relax procedures a little bit to "help out".
- Will do good
Re: Online shopping account hacked
To educate myself, I'm reading "Future Crimes", it's all about what the bad guys are doing online to steal from us and more. Very informative.
http://www.nytimes.com/2015/05/17/books ... odman.html
Re: Online shopping account hacked
Will do good wrote: To educate myself, I'm reading "Future Crimes", it's all about what the bad guys are doing online to steal from us and more. Very informative.
http://www.nytimes.com/2015/05/17/books ... odman.html
It seems like an interesting book, thank you for the reference. However, by the time a book is published, new exploits and new countermeasures have been developed. While books provide general information about cybercrime, security blogs are more up to date. Check out Bruce Schneier.
Victoria
Inventor of the Bogleheads Secret Handshake
Winner of the 2015 Boglehead Contest.
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: Online shopping account hacked
The only online merchant who is storing my cc info is chewy dot com
Anyone know if that site is considered pretty safe?
Re: Online shopping account hacked
drawpoker wrote: The only online merchant who is storing my cc info is chewy dot com
Anyone know if that site is considered pretty safe?
A site may be pretty safe today and get hacked tomorrow, due to a rogue IT guy or just bad luck. Not storing credit card information with online merchants has a side benefit of preventing impulsive purchases.
Victoria
Re: Online shopping account hacked
VictoriaF wrote: It seems like an interesting book, thank you for the reference. However, by the time a book is published, new exploits and new countermeasures have been developed. While books provide general information about cybercrime, security blogs are more up to date. Check out Bruce Schneier.
Victoria
I read Bruce Schneier's monthly newsletter. Some of his articles could give nightmares - He shows just how unprepared we are for the massive amount of hacking that is going on.
Currently I use Tor (privacy), Sandboxie to trap downloads, Voodo Shield to prevent hijacking, Malwarebytes anti malware and the separate program Malwarebytes anti exploit, plus a good anti virus and a separate anti virus for daily scans. I have gotten way too paranoid.
Re: Online shopping account hacked
VictoriaF wrote: ...A site may be pretty safe today and get hacked tomorrow, due to a rogue IT guy or just bad luck. Not storing credit card information with online merchants has a side benefit of preventing impulsive purchases.
Victoria
You're 100% right about the safety angle. Something to think about.
But as far as "impulsive" buying - nope, not likely with this BH.
Require 85-100 pounds of cat litter every month, along with some supplements that are way cheaper with chewy than at the vet's or other stores.
- Will do good
Re: Online shopping account hacked
Rob5TCP wrote: I read Bruce Schneier's monthly newsletter. Some of his articles could give nightmares - He shows just how unprepared we are for the massive amount of hacking that is going on.
Currently I use Tor (privacy), Sandboxie to trap downloads, Voodo Shield to prevent hijacking, Malwarebytes anti malware and the separate program Malwarebytes anti exploit, plus a good anti virus and a separate anti virus for daily scans. I have gotten way too paranoid.
Rob5TCP, any of those work on Macs?
Re: Online shopping account hacked
Thank you for the tip on Lastpass
Re: Online shopping account hacked
Will do good wrote: Rob5TCP, any of those work on Macs?
Not as far as I know ??
Re: Online shopping account hacked
Barefootgirl wrote: Yesterday, I learned my Walmart.com account was hacked and the hackers proceeded to order electronics using my account.
I called Walmart.com and they were very cavalier about the whole thing. I asked how they protect their site, but of course they were vague. They told me I should remove my information - which I have done.
BFG
There is a significant difference between a company being hacked, and YOUR account being hacked.
If Wal*Mart was hacked, it would be HUGE news. On the order of when Target was hacked. And credit card & identity theft would be a real danger.
When YOUR account is hacked, the stores don't really care, as it's YOUR fault. Always. That's why they were cavalier. There's nothing they can do when YOUR account is hacked.
There will be something you did that led to your account being hacked. You might use the same password at two sites, and that other site was hacked, and now they have your password. Or maybe you used a weak password. Or keylogging software (much more rare than people think).
I use LastPass, and have no idea what most of my passwords are, but I know they're unique from site to site.
"Happiness is not about doing, it’s about being." - R Branson
Re: Online shopping account hacked
nordlead wrote: The more important thing is using unique secure passwords at every website.
I've been storing my CC numbers on all sorts of websites for years and I really am not worried about it. Each website has a unique password that even I don't know. If someone gets in, it is a quick 10 minute call to the CC company and life goes on. So far, I've saved more than 10 minutes by having my CC numbers stored on websites I frequent.
If you don't know your password, how are you logging in?
Re: Online shopping account hacked
cherijoh wrote: If you don't know your password, how are you logging in?
Either:
1) They use their browser's "remember this password" feature. Which is terrible, please don't ever do that.
or far more likely
2) They use a password program, that creates, stores and uses a random password for you. This is the only way to go.
For example, I register at a new site, Boogleheads. When it asks for a password, my PW program (LastPass for me, but there are others) creates a random password (something like "6fg7Rt$fZ"). It then stores the site Boogleheads.com with this newly created random password. Next time I need to login, Lastpass recognizes the domain, logs me in, and I'm done. And I never know what random string is my password.
I can always look it up if I have to, and on rare occasion will need it. But for the most part, I have hundreds of random, very secure but totally not-memorized passwords.
Re: Online shopping account hacked
Mudpuppy wrote: There was a rather high-profile case a few years ago (because it involved a journalist) of attackers getting into one of his accounts that had stored CC info. They then used the last 4 digits displayed on that account to call up another vendor and get the password reset. Ultimately, the attackers were able to get into his Apple account and delete everything on his devices. Since he didn't have independent backups from Apple, he lost a lot of personal photos and data. Link: http://www.wired.com/2012/08/apple-amaz ... n-hacking/
Independent backups from Apple? He had no backup himself? This is the Apple world, someone hacks into an Apple account and they can wipe out all the data on all the person's devices? Windows is looking pretty good (never thought I'd type that)
Re: Online shopping account hacked
astrohip wrote: Either:
1) They use their browser's "remember this password" feature. Which is terrible, please don't ever do that.
or far more likely
2) They use a password program, that creates, stores and uses a random password for you. This is the only way to go.
For example, I register at a new site, Boogleheads. When it asks for a password, my PW program (LastPass for me, but there are others) creates a random password (something like "6fg7Rt$fZ"). It then stores the site Boogleheads.com with this newly created random password. Next time I need to login, Lastpass recognizes the domain, logs me in, and I'm done. And I never know what random string is my password.
I can always look it up if I have to, and on rare occasion will need it. But for the most part, I have hundreds of random, very secure but totally not-memorized passwords.
#2 is the winner. I use keepass2 and have the database on my server which I access via ssh (scp) if I'm not inside my network.
Re: Online shopping account hacked
Several days ago, it was recommended that I get Lastpass (or similar) to protect my passwords.
and now this: (Lastpass has been hacked)
http://www.pcworld.com/article/2936272/ ... acked.html
So now what should I do to protect my Lastpass account?
What's the next tier of security?
Re: Online shopping account hacked
Barefootgirl wrote: Several days ago, it was recommended that I get Lastpass (or similar) to protect my passwords.
and now this: (Lastpass has been hacked)
http://www.pcworld.com/article/2936272/ ... acked.html
So now what should I do to protect my Lastpass account?
What's the next tier of security?
LastPass was not hacked in the sense your passwords were stolen. They took some users' encrypted data, but as it's encrypted, it's mostly useless. Unless you have a very simplistic master password ("abc" or whatnot), the hackers will never decipher it. And if you had "abc" as a password, well...
If you are super-paranoid, you can change your master password, and that will remove ANY chance they could access your data. Or, if like me, you had a decently strong master password, I'm doing nothing. They'll never brute force crack an 11 character string.
BTW, you can always add two-factor authorization. That makes you bulletproof.
Re: Online shopping account hacked
FYI - We have a dedicated LastPass thread. See: LastPass.com Breach
Re: Online shopping account hacked
astrohip wrote: They'll never brute force crack an 11 character string.
Just as a general FYI, depending on the cipher used, they reasonably could brute force an 11 character master password if they have the ciphertext. Lastpass uses a reasonably strong cipher where 11 characters would still take time, but an 11 character key for some weaker ciphers would easily fall to the latest password cracking GPU rigs.
I personally recommend at least 16 characters for strong ciphers. 20-24 characters is even better, and would be useful for even weak ciphers (or if you don't know the ciphers).
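Added example, not part of any post in this thread: a sketch of how a password program can generate a random password and how length, alphabet and key stretching together set the exhaustive-search cost debated in the last few posts. The guess rate (1e11 hashes per second) and the PBKDF2 iteration count (100,000) are assumed figures chosen for illustration, not measurements of any rig or of any product's settings.

```python
import hashlib
import math
import secrets
import string

# 52 letters + 10 digits + 32 punctuation marks = 94 printable symbols
ALPHABET = string.ascii_letters + string.digits + string.punctuation
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=20):
    """Password drawn uniformly at random from ALPHABET via the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password; human-chosen ones have less."""
    return length * math.log2(alphabet_size)


def derive_key(master_password, salt, iterations):
    """Key stretching with PBKDF2-HMAC-SHA256: every guess an attacker
    tests costs `iterations` hash rounds instead of one."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def years_to_search(length, hashes_per_second, kdf_iterations=1,
                    alphabet_size=len(ALPHABET)):
    """Average exhaustive-search time: half the keyspace, each guess
    costing kdf_iterations hashes at the assumed hardware rate."""
    guesses = alphabet_size ** length / 2
    return guesses * kdf_iterations / hashes_per_second / SECONDS_PER_YEAR


def comparison(rate=1e11, iterations=100_000):
    """Rows of (length, alphabet size, bits, years unstretched, years stretched).
    rate and iterations are assumed figures, not measurements."""
    rows = []
    for length in (11, 16, 20):
        for size in (26, len(ALPHABET)):  # lowercase-only vs full printable set
            rows.append((length, size, round(entropy_bits(length, size), 1),
                         years_to_search(length, rate, 1, size),
                         years_to_search(length, rate, iterations, size)))
    return rows


if __name__ == "__main__":
    print("sample:", generate_password())
    for row in comparison():
        print("len=%2d alphabet=%2d bits=%5.1f fast=%.3g y stretched=%.3g y" % row)
```

The estimates apply only to passwords chosen uniformly at random; a memorable 11-character phrase sits far below the figures shown for its length.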