Geekzone: technology news, blogs, forums
nate

#139248 2-Feb-2014 10:41

Read these first:

How Apple and Amazon Security Flaws Led to My Epic Hacking
How I Lost My $50,000 Twitter Username

What tips/tricks do you use to protect what you have online?

sidefx
  #978813 2-Feb-2014 11:03

I'd be interested in this too...

I turn on two-factor authentication when I can and backup, backup, backup - but really it seems a couple of the companies named in the stories are to blame - mainly the ones treating the last 4 digits of a credit card (looks like that happened in both cases?) as enough to verify identity - just seems mental!
Coil
  #978814 2-Feb-2014 11:05

I use mobile phone verification. Got my own personal domain for emails or I use gmail / hotmail. My domain is with outlook.com or windows live domains for email. Seems to be fine.

On the topic of domains:


Query Time/Date 11:07 2/2/2014
Domain Name tim.govt.nz
Status Available

Query Time/Date 11:08 2/2/2014
Domain Name k.iwi.nz
Status Available


freitasm
  #978818 2-Feb-2014 11:13

Use generic domains for service accounts - outlook.com and gmail.com... This way if someone hijacks your domain NS records they can't receive the password reset emails (as the GoDaddy hack allowed).

Use Two Factor Authentication wherever possible. Preferably with an app instead of SMS - it's not hard for someone to get a copy of your SIM if they apply enough social engineering.

Make sure the device with the 2FA app is password or PIN protected so it can't easily be accessed.

Store the recovery codes for the 2FA app in an encrypted file somewhere - but remember not to store it with a service that needs the 2FA for access (I have both Skydrive and Dropbox with 2FA, so it'd be stupid to store the recovery codes with these services as it would be inaccessible).

Use different passwords for each online service/account.

Use different prepaid credit cards for different accounts and change them when renewing accounts. Or use gift cards instead of credit cards.

Do not log in using public computers.

Do not answer calls with "I'm from your bank/card/shop, could you please answer some security questions to identify you?"... How can you identify the caller? Ask for a name and call the bank number you find online. Do not call a number they give you as they could just answer the phone and say it's your bank.

Do not open emails saying "We have charged your card for your eBay purchase, click here to login and authorise it" if you have not done anything on eBay (or any other company).

Do not answer calls with "We're from Microsoft and your computer has a virus, we're here to help."

Trust no one, Mr Mulder.

freitasm
  #978823 2-Feb-2014 11:25

Whatever you do, don't bank with ANZ.

For some unknown reason (perhaps because my account was a National Bank before) it seems my password resets by itself every month or so. Last time I tried accessing my account (which I only do once a month) I reset my password online and as part of the process called the 0800 number to confirm the change.

Entered the PIN (it's me!) and answered date of birth (easy to find somewhere, for sure) and the overdraft facility in my account (not so easy to find now). Then the next questions were:

- what's the original amount of your home loan (something I signed ten years ago and they wanted to the cents!)
- when was the last date/time you logged into the internet banking system?

Seriously? Are those two "security questions"? I own the account and I have a vague idea of the first one, and absolutely no idea of the second one.

What if I had to change password because someone hijacked my account and accessed it? Even if I had a log of every time I used the internet banking systems my answer would be wrong because I wouldn't know if someone else used it.

I had to go to a branch to reset my password.

I complained on Twitter about these two questions. ANZ was silent (yes, they only reply when you say good things about them) and I actually got berated by an ANZ employee who follows me with things like "We're protecting your account, I bet you don't even have a PIN" and saying it was my fault I didn't keep a record of every time I log into the internet banking.

So whatever you do, stay away from ANZ.

loceff13
  #978848 2-Feb-2014 11:51

RT the ANZ employee tweets (tag in ANZ) and let them deal with it.

Coil
  #978850 2-Feb-2014 11:59

Bank with ASB. Has the best 2 factor authentication.

Geektastic
  #978887 2-Feb-2014 13:25

nate: Read these first:

How Apple and Amazon Security Flaws Led to My Epic Hacking
How I Lost My $50,000 Twitter Username

What tips/tricks do you use to protect what you have online?


Go old school to keep track of passwords since you need so many these days and none of them should be the same. 

Write your passwords in a notebook and lock it in a fireproof safe.

Number the passwords but do not write what websites they refer to.

In an online document somewhere just store a list of websites with the corresponding numbers. Either document is useless to anyone on its own, and the likelihood of someone other than you possessing both is so low that if they are THAT good and THAT determined, you've got no chance anyway! They can't hack the password list because it does not exist in hackable form - they'd have to break and enter your home and be capable of opening your safe.

Unless you have billions, I suspect they'd just find an easier target.





sidefx
  #978889 2-Feb-2014 13:38

Geektastic: 
Go old school to keep track of passwords since you need so many these days and none of them should be the same. 

Write your passwords in a notebook and lock it in a fireproof safe.

Number the passwords but do not write what websites they refer to.

In an online document somewhere just store a list of websites with the corresponding numbers. Either document is useless to anyone on its own, and the likelihood of someone other than you possessing both is so low that if they are THAT good and THAT determined, you've got no chance anyway! They can't hack the password list because it does not exist in hackable form - they'd have to break and enter your home and be capable of opening your safe.

Unless you have billions, I suspect they'd just find an easier target.


None of this will help if the attacker is using social engineering to just get the companies involved to give information over the phone\set PINs\reset passwords\etc with minimal verification of identity.

BruceHamilton
  #978895 2-Feb-2014 13:50

freitasm: Whatever you do, don't bank with ANZ.

...I reset my password online and as part of the process called the 0800 number to confirm the change.

Entered the PIN (it's me!) and answered date of birth (easy to find somewhere, for sure) and the overdraft facility in my account (not so easy to find now). Then the next questions were:

- what's the original amount of your home loan (something I signed ten years ago and they wanted to the cents!)
- when was the last date/time you logged into the internet banking system?

Seriously? Are those two "security questions"? I own the account and I have a vague idea of the first one, and absolutely no idea of the second one.

So whatever you do, stay away from ANZ.


That's interesting because I also use ANZ, and during the recent Vodafone text fiasco, I had to contact them to switch off the 2FA until it was fixed just so I could access my accounts. All of those questions were the same, and I also failed :-) .

I asked the nice lady how they expected me to remember a 20+ year old mortgage value ( which wasn't a nice round number - due to repayment insurance and fees ). She said the questions were randomly selected from a set they had. I got the impression from her tone that failure was common, and she was half-expecting an angry response.  I decided to wait for Vodafone to fix the problem. 

Sounds like their procedure might need updating/expanding, and they definitely need to sort out a superior means of telephone security identification. All of the money that ANZ makes should enable them to provide rational means of checking the person calling.

josephhinvest
  #978906 2-Feb-2014 14:33

This is something I've been thinking about after reading the @N twitter handle story.
I've been using 1Password app on iOS to store all my usernames and passwords. I have over 50 usernames/passwords saved for various accounts, there's just no way I can remember usernames, let alone passwords for all these accounts.
My password for the 1Password app is pretty strong, 10 digits, alpha+ numbers+ cases etc.
I've been considering using the integrated "random" password generator to make new passwords for my domain name and google apps administrator account etc.
I am also guilty of using the same passwords over multiple accounts, but I periodically invent a new strong one, and demote the old ones down to less important accounts. Thus I know anything involving money always has my newest password.

Cheers,
Joseph

insane
  #978910 2-Feb-2014 15:00

I've just enabled the two factor auth on both my gmail accounts, only took around 30 minutes to get all my devices re-authed, but I feel better after reading that @N story... poor guy.

I also do at least yearly password changes on my social networking and banking passwords, using silly riddles no one else could know so that I can remember them easily without needing to write them down anywhere, not even in a password manager.

I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.

josephhinvest
  #978938 2-Feb-2014 16:10

insane:
I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.


This. Why can't I provide my own questions? My mother's maiden name, my primary school etc could all be obtained or guessed. Let me provide my own question that no one will be able to guess!

freitasm
  #978939 2-Feb-2014 16:11

Nothing preventing you from entering a WRONG answer when setting up the account. This will put anyone out of the tracks.

TinyTim
  #979201 3-Feb-2014 09:15

freitasm: Nothing preventing you from entering a WRONG answer when setting up the account. This will put anyone out of the tracks.


I HAD to when asked my mother's birth place - four letters (Gore) was too short! Actually, I may have put down "New Zealand" as the answer. I can't remember. So I may be in trouble if I ever need to use it.

I think this was some third party password manager for an academic network that also integrated with Live ID.

Geektastic
  #979207 3-Feb-2014 09:19

josephhinvest:
insane:
I suspect I'm most vulnerable to those horrible 'lost my password' questions some sites enforce.


This. Why can't I provide my own questions? My mother's maiden name, my primary school etc could all be obtained or guessed. Let me provide my own question that no one will be able to guess!


True. I suppose that since I did not go to school here in NZ and neither have my parents ever been here, it would at least be a challenge for someone in my case. I can see it might be easier for locals.

I watched a program (from the BBC science/technology magazine series Horizon) about computer security recently. It was interesting. It explained in relatively straightforward terms how most internet security works mainly because the computing power required to calculate the factors in semi-prime numbers is so huge (the largest semi-prime so far generated had over 17 million numbers making it up!) that by the time it succeeded you'd be dead and the accounts deleted!

It then went on to show how quantum computing could crack the calculation in what amounted to seconds by comparison and that the eventual wide propagation of quantum computing would necessitate a different way of securing internet accounts etc. The program went on to explain quantum cryptographics which had really only one flaw - that a human being could be tortured or bribed or coerced into revealing a password thus defeating it easily.

They were trying methods where they used a memory game to teach your subconscious a password that you could never be forced to reveal because you were not consciously aware of it at all!
