You won't believe this one.

5 replies to this topic

#1
Tony

I have to say that this world is becoming more and more frightening by the day. I just received a fake (spoof) PayPal email telling me that they (PayPal) had put a hold on all of my transactions until I add more money to my account. This spurious email even told me who I pay, how much I pay and when I pay. I was amazed that anyone could get so deep into my account without prior authorization. I did not do anything with the fake email except to send it off to PayPal's spoof department. After that, I received another fake email telling me that as of now, my account is being held in suspension until I add more $$$ to it. I sent this one off to PayPal also.

Unbelievable, here I am looking at this fake email that is a perfect mirror to the genuine article. They somehow managed to get past all the protection I have, including Norton 360. I also reported this to Norton and they are continuing to work on this issue. Man, O' Man, talk about feeling violated. You can never be too careful, and you cannot be careful enough.

Please be diligent on what you receive, and when you receive it.

Tony



#2
Thumper

If you haven't done so already, I would recommend that you change your password on your PayPal account. You might also run a virus scan on all of the computers that you use to access that account, just to be sure. I would also recommend clearing your cookies, browsing history, and temporary internet files.

I do IT for a living, and one of the techniques that I urge my users to employ regarding passwords is to not use any sort of "real" words or numbers that relate to them in any way, such as dates, personal identification numbers, children's or pets' names, etc. I tell them to create a long password that is itself a mnemonic. Take a phrase, a quote, a song lyric, a movie line, etc. that you can remember, then take the first letter of every word and make that your password. You can change a letter or two into numbers, for example, change any upper case "I" to 1, or any "s" to 5. Then to remember your password, you simply recite the line to yourself (as in silently) as you type it in. EX: phrase - "Ask not what your country can do for you, but what you can do for your country." password - @nwyccdfybwycd4yC. That has 1 special character, 1 number, and 1 uppercase letter in it. No one can use a "dictionary attack" on it, and a brute force password cracker would literally take years to crack.

Also, never write your password down anywhere (especially on a sticky note and put it in your desk or under your keyboard). Never use 1 password for all of your online accounts. Have a few that are completely different. You can get good password vaults that you can install on your computer to keep track of them all (and the good ones will encrypt the data).

Not saying that someone got into your account, but it is odd that someone was able to tell you what your account info was.  I would take no chances if I were you.  
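
The mnemonic scheme from the post above, worked through as an added example (not part of any poster's message): it derives the initials from the quoted phrase, applies the three hand edits visible in the posted password, and sizes the blind brute-force search. The edit positions are read off the posted result; the 95-character alphabet and the guess rate are assumptions.

```python
import math
import re

# Phrase and resulting password exactly as quoted in the post.
PHRASE = ("Ask not what your country can do for you, "
          "but what you can do for your country.")
POSTED_PASSWORD = "@nwyccdfybwycd4yC"
# Hand edits visible in the posted result, as index -> replacement.
POST_EDITS = {0: "@", 14: "4", 16: "C"}


def mnemonic_initials(phrase):
    """First letter of every word, case preserved, punctuation ignored."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z][A-Za-z']*", phrase))


def apply_edits(initials, edits):
    """Replace the characters at the given positions."""
    chars = list(initials)
    for index, replacement in edits.items():
        chars[index] = replacement
    return "".join(chars)


def char_classes(password):
    """Count lowercase, uppercase, digit and special characters."""
    counts = {"lower": 0, "upper": 0, "digit": 0, "special": 0}
    for ch in password:
        if ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def brute_force_bits(password, alphabet_size=95):
    """Bits of search space for blind brute force over an assumed
    alphabet (95 = printable ASCII). This says nothing about a guesser
    who models 'initials of a well-known quote'."""
    return len(password) * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = apply_edits(mnemonic_initials(PHRASE), POST_EDITS)
    bits = brute_force_bits(pw)
    print(pw, char_classes(pw), round(bits, 1), years_to_exhaust(bits, 1e10))
```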



#3
TBonz

Thumper is right on the money...I also work in IT...NeEwdYdgPW1ce!  Not one I have used, but Never ever EVER write down Your PassWord once!  There are lots of phrases out there that you can adapt as necessary...The crackers will even have trouble with some real words as long as they are embedded in a more complex password.  As a test, I ran just a BASIC password cracker against passwords in a real environment - at the request of the company's Security Dept.  Out of about 1000 accounts, I grabbed about 150 passwords AND edited the file so that I only had passwords without usernames filling 3-4 columns on one page of a Word document in less than 20 minutes.  I put the page up at a Security presentation and told the employees if they saw their password that they needed to go change it NOW as we were going to test again that evening...lots of folks got up and walked out :)!  

 

It probably isn't a big deal if someone grabbed my password to this site, but it definitely would be if they could get into PayPal or some of the other accounts that I have...But I don't use the same password everywhere and I change all of them regularly.  

 

You might want to ask PayPal to close out that account and have you open a new one...maybe use a different e-mail address.  With so many free e-mail options out there, I have more e-mails than I care to, but I separate things so that breaking one won't impact everything.  



#4
Tony

Excellent advice here, thank you. Interesting that PayPal has not advised or instructed me to change anything regarding access to my account. I wonder why not. One idea that I have is to use a Scripture Verse, especially from The Old Testament and mix in some numbers with it. I do belong to a lot of sites, photography, language learning, Chess Learning, financial and investment sites as well, including email. I know I do not have the capacity to recall every password that I have set up, so I do need to record them and keep them in a safe place. I do work at home so I should be secure enough. Yes, I know, famous last words. Well, thanks again. I will contact PayPal and see what they have to say.

Regards,

Tony



#5
TBonz

There are software and hardware products you can get to do that for you...a friend of mine uses what is effectively an encrypted USB Thumb Drive along with a software product...the product creates extremely difficult passwords for any site he specifies and saves it in its own DB on the thumb drive. So he needs the thumb drive and the complex password he set up to access that software and then that software takes care of remembering the rest of his passwords and providing that info to the individual sites. Thus, he only has to remember the one password. I haven't checked to see if he is still using it or not, but that's what he was doing a few years ago...Of course, if you choose to trust Microsoft, Apple, Google and / or Mozilla, all of the browsers offer the ability to store passwords so you don't have to remember them all (although you do need to remember to update them when you change your password).



#6
Thumper

Ironkey. I have a couple of those. They work very well. They even have a version of Firefox onboard that you can surf with on any PC and not leave any residual footprint of your history on the PC.

Ironkey used to be its own company, but Imation purchased them a couple of years ago. Apparently, Kingston Digital now owns them.






