"Security nerds: I received an email with my login creds in the subject....."
What's my next step beyond reporting the message as spam and changing my Gmail password again? Just ignore it?
I googled the email address and found it on www.bitcoinabuse.com. Others have received the same message.
I have multiple email accounts and this one was sent to my main Gmail account. The message demanded I send $1000 in bitcoin. They threatened to share a video clip of me looking at embarrassing material to people in my address book if I don't comply within 24 hours.
Now, I'm fairly certain this is fake but I'm bothered this time because A REAL PASSWORD of mine was in the subject line. ;-/
NOTE:
- The password was an older password that I stopped using for most websites several years ago, and I don't think I ever used it as my Gmail password. If I did, it was ages ago. I've had the account for 10+ years.
- Last year, I received a couple of notices that my main Gmail address account was found on the dark web. Speaking of:
- I learned about haveibeenpwned.com recently, which reported that my main Gmail account was "Pwned on 13 breached sites and found no pastes."
- I stopped using public Wi-Fi networks last year (e.g. Starbucks) after unauthorized use of my PayPal Debit Mastercard twice in a short duration. Still haven't figured out how that happened, but the transactions were Amazon orders placed on someone else's account. I got Amazon to cancel the orders before they shipped, but the site refused to disclose the identity of the person who placed them. They need to start forwarding that shit to local police departments.
- I regularly monitor my credit and receive alerts.
- I started using a camera cover on my MacBook last year.
I hate that data breaches are the new normal. Everything is trash.
Ugh.
--
"Music is not to be possessed; it's to be shared." - James Mtume
"Just stay loose, keep it raw, and bang ya drums out sometimes." - Madlib
legsdiamond Member since May 05th 2011 80224 posts
Wed Apr-15-20 06:18 PM
1. "Change all the passwords you have ASAP" In response to Reply # 0
**************** TBH the fact that you're even a mod here fits squarely within Jag's narrative of OK-sanctioned aggression, bullying, and toxicity. *shrug*
Google Chrome also has a feature that checks the passwords you enter against ones in known data breaches.
On top of changing your email password (or any other site that uses that password)...you should enable 2-step/2-factor authorization whenever possible.
Also, NEVER use a debit card for purchases. That gives thieves a direct line right into your bank account, and there's no protection of your money (your bank will prolly make *you* pay it back if you have a negative balance). Use a credit card whenever possible (0 fraud liability and chargebacks).
If you can't get a credit card and need something for online purchases...sign up for http://www.privacy.com. You can create virtual cards for each site/purpose you need them for. The charges do pull from your bank account, but you at least have the option to pause cards, close cards, set spending limits that block anything over the maximum, etc.
Thank you. I mentioned this in the OP. See item No. 3 in my bulleted notes.
I'm going to look into 2-step authorization more. I have that turned on for a couple sites and services, including my Apple account. I need to use that whenever it's available even though it's annoying.
legsdiamond Member since May 05th 2011 80224 posts
Wed Apr-15-20 06:30 PM
4. "2 step is annoying but it’s damn near impossible to beat" In response to Reply # 3
I tend to use an auth app when possible (instead of SMS) because it's less likely to get compromised, as opposed to someone getting the SMS code from your notifications or lock screen or something like that. Authy also requires another PIN (separate from your phone PIN) to open up on your phone. So that's at least 2 separate barriers a thief would have to go through to hack one of your accounts.
8. "also if you use a gmail address" In response to Reply # 2
Start appending the + sign and an identifier to track your email.
Like, sign up to sites (or change your account email there) as youraddress+amazon@gmail.com, youraddress+walmart@gmail.com, etc.
Sometimes it makes it a lot easier to figure out where your info was compromised when you start receiving spam messages addressed to youraddress+grubhub@gmail.com.
If you're signing up for sketchy sites, sites with lax security (like a low-traffic web forum lol), or sites you generally wouldn't wanna be publicly traced to (like porn sites)...you should be using an entirely different email (and still using + to track). You can just forward all messages to your real email so you won't miss any.
You don't want these accounts being linked to your primary email/identity by data collectors/furnishers like Intelius, Spokeo, etc.
You should prolly get a Google Voice number to use as a spambox too if you have to enter your number somewhere that you don't want to give your real number to. I have several different Google Voice numbers for online stores, banks, credit cards, social media sites, etc. Keep in mind credit cards (and banks, if you get lending) list your number on various credit bureaus/agencies, and it can be seen by anyone doing an inquiry. And most of these companies/sites sell your info off to third parties (who may sell it off to even more people). So you prolly don't wanna use your primary mobile number and have it floating around out there.
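Added example (editor's addition, not part of the thread): the +tag trick above works because Gmail ignores everything after the + and also ignores dots in the local part, so the tags let you attribute spam to the site that leaked the address. The same normalisation is what a data broker or credential-stuffing tool applies, which is the caveat: the tag helps you trace a leak, it does not hide that the accounts share one mailbox. The sample addresses below are constructed.

```python
from collections import Counter

# Constructed sample: the To: address on each message that landed in spam.
SPAM_RECIPIENTS = [
    "youraddress+grubhub@gmail.com",
    "you.raddress+grubhub@gmail.com",       # dots are ignored by Gmail
    "YOURADDRESS+GrubHub@googlemail.com",   # same mailbox, old domain alias
    "youraddress+walmart@gmail.com",
    "youraddress@gmail.com",                # untagged: leaked from somewhere the tag was not used
    "someoneelse+amazon@example.org",       # not Google: dots are significant there
]

GOOGLE_DOMAINS = {"gmail.com", "googlemail.com"}


def split_address(addr):
    """Return (base, tag, domain); tag is '' when the address has no '+'."""
    local, _, domain = addr.strip().rpartition("@")
    base, _, tag = local.partition("+")
    return base, tag, domain.lower()


def canonical(addr):
    """The mailbox Google actually delivers to: tag dropped, dots dropped,
    case folded, googlemail.com folded to gmail.com. A broker or stuffing
    tool does exactly this, so +tags aid attribution but are not a boundary."""
    base, _, domain = split_address(addr)
    if domain in GOOGLE_DOMAINS:
        return base.replace(".", "").lower() + "@gmail.com"
    return base + "@" + domain   # other providers: leave the local part alone


def leak_sources(addresses):
    """Per mailbox, count how many spam messages arrived on each tag."""
    by_mailbox = {}
    for addr in addresses:
        _, tag, _ = split_address(addr)
        label = tag.lower() or "(untagged)"
        by_mailbox.setdefault(canonical(addr), Counter())[label] += 1
    return by_mailbox


if __name__ == "__main__":
    for mailbox, tags in leak_sources(SPAM_RECIPIENTS).items():
        print(mailbox, dict(tags))
```

Run it and the grubhub tag shows up three times on the one Gmail mailbox despite the dots and the googlemail.com alias; the untagged hit is the one you cannot attribute, which is the argument for tagging every signup.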
11. "RE: your problem isn't use of public wifi" In response to Reply # 7
Thanks. I was only visiting sites with secure connections so I was a little perplexed.
When the unauthorized transactions happened, I was mostly pumping gas at Mobil/Exxon to take advantage of their reward/points system. I eventually stopped because of those damn skimmers. I started using the app to pay and collect points, which is easier, anyway.
I have since switched to pumping at Costco exclusively again but now that means I have to go back to swiping my damn card. I'm going to get a new debit card soon and only use my Citi Costco card at the pump. I read skimmers are more sophisticated now and can't really be detected. ;-(
legsdiamond Member since May 05th 2011 80224 posts
Thu Apr-16-20 05:45 AM
16. "Most phishing sites use SSL now" In response to Reply # 11
13. "Like others have stated, 2FA is the bare minimum. but" In response to Reply # 0
It doesn't mean you can stop paying attention to where you're going just because you have 2FA enabled.
Receiving your code via SMS is probably the worst of the 2FA options out there (still better than nothing at all). But if you're concerned about someone being able to futz with SS7 and/or SIM cards...then you gotta be more concerned about an active attacker intercepting the 2FA code when you enter it into a dirty website, cuz that's easier to pull off.
For example, let's say you fell for one of these "hey, are you available" phishing emails, and after some back and forth I've convinced you to click on a link in an email which takes you to my phishing site. And I am waiting. You enter your credentials into my phishing site...I pass that info along to the real site...then my phishing site tells you to "please enter your six-digit code or accept your push notification." So you pass your code to me and I enter it into the real site that's asking for your 2FA code (and yes, these codes self-destruct, but I'm actively attacking you), or better yet, I just wait for you to accept your push notification.
Now, if someone is on their job, there's probably an automated process that sees that the push notification was accepted on a device with an IP address that is in a totally different geolocation than the IP address that's logging into the legitimate website, and blocks the logon attempt....More likely, that process is just monitoring, and they'll know something happened after the fact.
Using something like a YubiKey (U2F) would probably be the more secure 2FA solution, since the device has to be accessible by the browser of whoever is triggering the authentication. As an attacker, getting you to press your YubiKey attached to your computer does nothing for me....for now...
~~~~~~~~ A bad Samaritan averaging above average men (c) DOOM
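Added example (editor's addition, not the poster's code): the relay attack described in Reply 13, played out against a toy relying party with both factor types. The TOTP is real RFC 6238 (HMAC-SHA1, using the RFC's test-vector seed); the security-key part is an assumption-laden stand-in: a per-credential HMAC key replaces the ECDSA key pair that U2F/WebAuthn actually use, because the point being shown is the origin check, not the signature algorithm. The site name, password and key material are all constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct


class RelyingParty:
    """The real site. Holds the TOTP seed it shares with the user's auth app and,
    standing in for the credential's public key, a per-credential HMAC key."""

    def __init__(self, origin):
        self.origin = origin
        self.password = "hunter2"
        self.totp_seed = b"12345678901234567890"      # RFC 6238 test-vector seed
        self.cred_key = b"constructed-credential-key"  # assumption: ECDSA in real U2F
        self.challenges = set()

    def totp(self, t, step=30, digits=6):
        """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
        counter = struct.pack(">Q", int(t) // step)
        mac = hmac.new(self.totp_seed, counter, hashlib.sha1).digest()
        off = mac[-1] & 0x0F
        code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
        return f"{code:0{digits}d}"

    def login_totp(self, password, code, t):
        return password == self.password and hmac.compare_digest(code, self.totp(t))

    def begin_u2f(self):
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def finish_u2f(self, client_data, sig):
        d = json.loads(client_data)
        expected = hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).hexdigest()
        sig_ok = hmac.compare_digest(sig, expected)
        fresh = d["challenge"] in self.challenges
        self.challenges.discard(d["challenge"])
        # The origin the *browser* recorded must be this site. A touch made on a
        # phishing page carries the phishing origin and is rejected.
        return sig_ok and fresh and d["origin"] == self.origin


class Authenticator:
    """The user's security key. It signs what the browser hands it; the browser
    fills in the origin of the page that called it, not whatever the page claims."""

    def __init__(self, cred_key):
        self.cred_key = cred_key

    def sign(self, page_origin, challenge):
        client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
        sig = hmac.new(self.cred_key, client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


def relay_totp(rp, victim_password, victim_code, t):
    """Attacker's proxy: the victim typed password and 6-digit code into the
    phishing page; the attacker submits both to the real site within the window."""
    return rp.login_totp(victim_password, victim_code, t)


def relay_u2f(rp, authenticator, page_origin):
    """Attacker starts a real login to get a real challenge, shows it on the
    phishing page, the victim touches the key there, the attacker forwards it.
    page_origin is where the victim's browser actually is."""
    challenge = rp.begin_u2f()
    client_data, sig = authenticator.sign(page_origin, challenge)
    return rp.finish_u2f(client_data, sig)


if __name__ == "__main__":
    rp = RelyingParty("https://accounts.example")
    t = 1586988000                       # some Unix time; relay happens within 30 s
    stolen_code = rp.totp(t)             # what the victim's app showed and they typed
    print("TOTP relayed  :", relay_totp(rp, "hunter2", stolen_code, t))              # True
    key = Authenticator(rp.cred_key)
    print("U2F phished   :", relay_u2f(rp, key, "https://accounts-example.evil"))    # False
    print("U2F legitimate:", relay_u2f(rp, key, "https://accounts.example"))         # True
```

The relayed TOTP logs the attacker in because the code is just a string and the real site cannot tell who typed it. The relayed U2F assertion fails even though the challenge is genuine and the signature is valid: the signed client data says the touch happened on the phishing origin, which is the property the poster is pointing at.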
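Added example (editor's addition, not the poster's code) for the detection the poster describes: pair each password submission with the MFA completion for the same request and flag the pair when the two source IPs resolve to different countries. The log format, request ids and the tiny GeoIP table are all constructed; a real IdP would carry its own field names and query a real GeoIP source. The third user is included to show the rule's blind spot.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP database; documentation ranges only.
GEO = {
    "203.0.113.0/24": "US",
    "192.0.2.0/24": "US",
    "198.51.100.0/24": "NL",
}
_NETS = [(ipaddress.ip_network(n), cc) for n, cc in GEO.items()]


def country(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in _NETS if addr in net), "??")


# Constructed IdP log: where the password was submitted from (login.attempt)
# and where the second factor was approved or entered from (mfa.*), joined by req.
LOG = """
{"ts":"2020-04-15T22:01:03Z","event":"login.attempt","req":"r1","user":"alice","ip":"203.0.113.7"}
{"ts":"2020-04-15T22:01:09Z","event":"mfa.push.approved","req":"r1","user":"alice","ip":"203.0.113.7"}
{"ts":"2020-04-15T22:05:10Z","event":"login.attempt","req":"r2","user":"bob","ip":"198.51.100.44"}
{"ts":"2020-04-15T22:05:31Z","event":"mfa.push.approved","req":"r2","user":"bob","ip":"192.0.2.88"}
{"ts":"2020-04-15T22:07:00Z","event":"login.attempt","req":"r3","user":"carol","ip":"198.51.100.9"}
{"ts":"2020-04-15T22:07:40Z","event":"mfa.totp.accepted","req":"r3","user":"carol","ip":"198.51.100.9"}
"""


def parse(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def geo_mismatches(events, window=timedelta(minutes=5)):
    """Flag MFA completions whose source country differs from the paired login's.
    Catches a relayed push (login from the attacker's proxy, approval from the
    victim's phone). Blind spot: a relayed TOTP code is typed into the real site
    by the attacker from the same IP as the login, so this rule never fires."""
    logins = {e["req"]: e for e in events if e["event"] == "login.attempt"}
    findings = []
    for e in events:
        login = logins.get(e["req"]) if e["event"].startswith("mfa.") else None
        if login is None or not (timedelta(0) <= _ts(e["ts"]) - _ts(login["ts"]) <= window):
            continue
        src, mfa = country(login["ip"]), country(e["ip"])
        if src != mfa:
            findings.append({"user": e["user"], "req": e["req"], "factor": e["event"],
                             "login_country": src, "mfa_country": mfa})
    return findings


if __name__ == "__main__":
    for f in geo_mismatches(parse(LOG)):
        print("BLOCK or ALERT:", f)
```

Only bob is flagged: his password arrived from an NL address (the attacker's proxy) while his phone approved the push from the US. Carol's relayed TOTP is invisible to this rule, which is why the poster's point stands that push-versus-login geolocation is a monitoring signal, not a substitute for an origin-bound factor.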