Good reminder regarding online security
If you don't follow tech news you probably missed this:
http://www.wired.com/gadgetlab/2012/08/ ... n-hacking/
Great reminder about how important it is to keep your online accounts properly secured, and to make regular backups of your data. Even this tech-savvy journalist lost a whole bunch of irreplaceable photos and documents and got several of his accounts hacked due to lax security both on his part and Amazon and Apple.
Prompted me to go in and turn on two-factor authentication for my gmail account and remove all my saved credit cards from Amazon and iTunes.
Re: Good reminder regarding online security
This is really scary stuff. I just read another version of it with lots and lots of tips on how to avoid this situation:
http://www.slate.com/articles/technolog ... ingle.html
It also exposes gaping holes in Apple and Amazon security.
Nonnie
This post may be monitored for quality assurance purposes.
Re: Good reminder regarding online security
Online insecurity.
Chaz
“Money is better than poverty, if only for financial reasons.” Woody Allen
http://www.bogleheads.org/wiki/index.php/Main_Page
Re: Good reminder regarding online security
I am trying Roboform for free with 30 day trial. http://www.roboform.com/everywhere
So far I'm not happy with my login info on the cloud.
Hutch
A fool and his funds are soon parted! - Thomas Tusser (English Farmer and Writer. 1524-1580)
Re: Good reminder regarding online security
TF Hutch wrote: I am trying Roboform for free with 30 day trial. http://www.roboform.com/everywhere So far I'm not happy with my login info on the cloud.
I've been using 1Password for a couple years now and I love it. By default, it does not save your data in the cloud, although it has Dropbox integration available as an option. Even if someone were to hack your Dropbox, the file that saves your passwords is 256-bit encrypted.
Re: Good reminder regarding online security
TF Hutch wrote: I am trying Roboform for free with 30 day trial. http://www.roboform.com/everywhere So far I'm not happy with my login info on the cloud.
I've been using Roboform for a couple years on my laptop and have been very pleased with it. I hesitated before I bought RF Everywhere yesterday for use on my Nexus for the same reason. I don't even really like having my Dropbox stuff in the cloud (I live with a techie who does most of this stuff so forgive my syntax). I'd welcome other recommendations in addition to 1Password--reviews say it doesn't work very well for Android which is what I'm interested in.
Nonnie
Re: Good reminder regarding online security
Here are ten 2012 reviews for password manager software. http://password-management-software-rev ... views.com/
If RoboForm is number 1 then this stuff has a long way to go, in my opinion.
I really would like to have a conversation regarding online security with those who know what they are talking about. I trust folks on this forum for guidance about investment advice; perhaps a few may also know about where to find actionable information about Cyber Security, with appropriate references of course.
Hutch
Re: Good reminder regarding online security
TF Hutch wrote: Here are ten 2012 reviews for password manager software. If RoboForm is number 1 then this stuff has a long way to go, in my opinion.
Those "TopTenReviews" sites are all scams, basically they put up random content and try to game google searches for ad revenue. Basically a "content farm." I wouldn't put any stock into what one of those types of sites says.
In fact, you might want to edit your post to remove the link, as the more sites that link to that garbage, the more likely it'll come up high on Google, confusing even more people.
Re: Good reminder regarding online security
Good article, even I learnt some stuff. I even created a new google 2FA account today, which I plan to move all my finance-related emails to. In that way, if my personal email is compromised, the hacker won't (in theory) have access to my finances.
Re: Good reminder regarding online security
AndroAsc wrote: Good article, even I learnt some stuff. I even created a new google 2FA account today, which I plan to move all my finance-related emails to. In that way, if my personal email is compromised, the hacker won't (in theory) have access to my finances.
I did exactly this. I have a separate, 'secret' google docs account with double authentication, that stores all my finances and other records. I never access it unless I'm at home on my own computer.
All my passwords are Keepass encrypted with a good strong master password - I'd trust this over any commercial solution as it's been well reviewed and is open-source so the algorithms have been checked out and passed.
That article is a good reminder of how much damage the loss of an email password can do. While I used to think such situations were extreme and rare, truth is that in today's cloud connected world, it's becoming a serious, and possibly commonplace issue. The author of the article is dead correct when saying that the only barrier between you and identity theft is often your email password, so to avoid this, it's a good idea to activate the double-authentication on Gmail as he recommends which requires a code from an authorized cell phone. (It works even if you don't have cell access as there's an app that works without it.)
My general email account for sure has enough personal info on it given that I send emails from it every single day that you could trace large parts of my existence just by following my email trail. Not something I want somebody who's trying to impersonate me online to have access to.
Re: Good reminder regarding online security
Interesting to note that as much talk as there is about strong passwords, this attack had nothing to do with password hacking. It instead relied on social engineering, cross-linked accounts and security flaws with the service providers themselves. Scary and definitely gave me pause...
Re: Good reminder regarding online security
We had lots of good discussions and suggestions about password management in general, and password management tools in particular, in the thread I started about the LinkedIn password database breach. Prepare to settle in for a while because it's 201 posts (and counting) of password and security discussions: http://www.bogleheads.org/forum/viewtop ... 11&t=97664
Re: Good reminder regarding online security
A couple points:
1. The motive for the hacker was the victim's three-letter twitter handle. Apparently that's a big deal.
2. Amazingly, the victim did not keep a local backup of his data, including all photos of his child.
The hacker used Amazon to get the last 4 digits of a credit card number, which he then used to get into the victim's email. Hopefully Amazon will take notice and upgrade its procedures.
Re: Good reminder regarding online security
wjwhitney wrote: A couple points:
1. The motive for the hacker was the victim's three-letter twitter handle. Apparently that's a big deal.
2. Amazingly, the victim did not keep a local backup of his data, including all photos of his child.
The hacker used Amazon to get the last 4 digits of a credit card number, which he then used to get into the victim's email. Hopefully Amazon will take notice and upgrade its procedures.
(end of quote)
The victim seems to be a big Apple-head so he trusted his photos to their cloud.
The notion that if you go Apple nothing can go wrong mentality.
Re: Good reminder regarding online security
linuxuser wrote: The victim seems to be a big Apple-head so he trusted his photos to their cloud. The notion that if you go Apple nothing can go wrong mentality.
Actually no, Apple doesn't have a cloud-based photo backup solution. They only store the last 1000 photos you took (called a "Photo Stream") on iCloud. They don't make any representations whatsoever that you'll have access to all of your photos, or that it is permanent in any way. So really, this guy was just completely negligent when it comes to backups.
Re: Good reminder regarding online security
kenschmidt wrote: Interesting to note that as much talk as there is about strong passwords, this attack had nothing to do with password hacking. It instead relied on social engineering, cross-linked accounts and security flaws with the service providers themselves. Scary and definitely gave me pause...
While this is true, it's also true that this entire fiasco would have been stopped dead in its tracks had the author used the double-authentication feature on his gmail account (which he clearly admits.) Given that email is the hub of a lot of adult online communication, it's a pretty good idea to lock it down as reasonably as possible.
The social engineering bit is real, though, and adds a whole layer of complexity to identity theft. At the same time, think of how many times you use your credit card at restaurants, etc., and how easy it would be for an unscrupulous person to just simply copy the info right off of it.
Re: Good reminder regarding online security
lightheir wrote: Given that email is the hub of a lot of adult online communication, it's a pretty good idea to lock it down as reasonably as possible.
Hey, how do you know what I do online? Have you been spying on my e-mail???
Re: Good reminder regarding online security
kenschmidt wrote: Interesting to note that as much talk as there is about strong passwords, this attack had nothing to do with password hacking. It instead relied on social engineering, cross-linked accounts and security flaws with the service providers themselves. Scary and definitely gave me pause...
lightheir wrote: While this is true, it's also true that this entire fiasco would have been stopped dead in its tracks had the author used the double-authentication feature on his gmail account (which he clearly admits.) Given that email is the hub of a lot of adult online communication, it's a pretty good idea to lock it down as reasonably as possible.
It could have also been shut down if Amazon had better policies in place. Being able to add a credit card number WITHOUT knowing the login credentials for an account, then using said credit card number to get the password reset for the account is a blatantly, glaringly, astoundingly bad security practice. Yet another example to put in the book of bad security practices that I would write if I had the time to write a book....
Re: Good reminder regarding online security
kenschmidt wrote: Interesting to note that as much talk as there is about strong passwords, this attack had nothing to do with password hacking. It instead relied on social engineering, cross-linked accounts and security flaws with the service providers themselves. Scary and definitely gave me pause...
lightheir wrote: While this is true, it's also true that this entire fiasco would have been stopped dead in its tracks had the author used the double-authentication feature on his gmail account (which he clearly admits.) Given that email is the hub of a lot of adult online communication, it's a pretty good idea to lock it down as reasonably as possible.
Mudpuppy wrote: It could have also been shut down if Amazon had better policies in place. Being able to add a credit card number WITHOUT knowing the login credentials for an account, then using said credit card number to get the password reset for the account is a blatantly, glaringly, astoundingly bad security practice. Yet another example to put in the book of bad security practices that I would write if I had the time to write a book....
Again, def agree with you here, but there's bound to be crafty back-door low-tech exploits very similar to this one occurring again and again in the future, no doubt. All we can do is lock down what we can and try to stop a small exploit from ballooning into a massive one like what happened to that author. Given that email is often the key to the kingdom, it's worth paying special attention to locking that down.
Re: Good reminder regarding online security
Mudpuppy wrote: It could have also been shut down if Amazon had better policies in place. Being able to add a credit card number WITHOUT knowing the login credentials for an account, then using said credit card number to get the password reset for the account is a blatantly, glaringly, astoundingly bad security practice. Yet another example to put in the book of bad security practices that I would write if I had the time to write a book....
While Amazon's system leaves something to be desired, Apple is fundamentally to blame. A security system has to rely on the behavior of the principals (e.g. Apple and Mat Honan). It should not rely on the behavior of third parties, such as Amazon. If you could rely on arbitrary third parties you could just ask them not to steal and no other security would be required.
That's why using things like SSN as passwords is broken. My SSN, and probably yours, is legitimately known to dozens if not hundreds of people and companies, some of which are thieving scum.