Happen to me again

Ryan9764

Well, it happen again. My bank account got hacked again! Same bank from last time. I switch all my passwords, and got a pin sent to me every time I access my account. It is really ******* me off. I can't access my account or use any of my cards. I get ready to go off grid. Luckily, I have a credit card from another bank I don't use, but I going have to use it. I not sure how much they spent, because I can't access my account. But way it seem, they might of spent around 5,000 dollars at a grocery store again.

markulous

Are you reusing any passwords? If not, is your bank password something long and hard to guess?

May want to request that they send you a 2 factor token.

cyberguypr

Can you clarify? Last time you insinuated the account got popped but it ended up being just the card. What exact issue are we talking about here?

Ryan9764

No, I not reusing the same password. Maybe I shouldn't be using lastpass. That might be the reason. One factor token they using is: send me a pin when ever I log on to my account.

Ryan9764

I can't really go into details. My account got block, and they reviewing my account. I called my bank, and the guy can't do anything about it because they reviewing my account. I think it might be my debit card again. The automatic read me a list of my recent transactions and there were like 4 of them around 1500.

Danielh22185

Sounds like it's time to switch banks!

Ryan9764

Danielh22185 wrote: »

Sounds like it's time to switch banks!

yeah really. It's a good bank. Well known through the military. But not quite sure how well their security.

Ryan9764

Anybody got any suggestions? I use last pass and switch all my passwords randomly. It seem like only my usaa bank account get hack.

GSXR750K2

Ryan9764 wrote: »

Anybody got any suggestions? I use last pass and switch all my passwords randomly. It seem like only my usaa bank account get hack.

First, grammar.

Second, don't use a password management application. The more places you have passwords stored, the greater the risk of some of that stored information leaking out. Do you only use a single computer to access these accounts? If so, maybe a key logger is to blame. Did you wipe your OS and do a clean install after the last round, or just reset your passwords and store them back into Last Pass? Convenience has a price, too.

Third, check your accounts frequently. I check all of mine at least once a day.

Fourth, and I only suggest this if you have self-control, use a credit card for everything and pay it off monthly. If this were to happen on your credit card, it's much easier to get off the hook, but your checking/savings account is a whole different story. Plus, if you have a rewards card, you might as well get miles/points for things you're going to buy anyway.

Fifth, set alerts if your bank/card issuer has offers them. New device sign-in? Notify. Transaction exceeding x-dollar amount? Notify. Excessive password attempts? Notify.

Grab the problem by the horns and take steps to mitigate it since apparently just changing passwords and getting a PIN didn't work. There's an old saying about being fooled once and fooled twice...

-EDIT-

Make your passwords like an adult film star...long and strong. Passwords don't have to be just letters and numbers. "Notepads" is a no-go, but "N0t3P@d$" is acceptable. Be creative, use periods, commas, or other punctuation to increase the complexity of a password.

Also, avoid using consecutive or repetitive characters like "abc" or "777".

markulous

Password managers are necessary for a lot of people though. If I have 50 passwords, there's zero way I'd be able to have long random passwords memorized for all of those accounts. Your only options are either a password manager, writing them all down, or reusing your password.

Also, complexity isn't really needed for a good password, it's almost 100% on the length.

Using something like KeePass is what I would recommend. It's offline, so if someone somehow got your file, you probably have bigger problems because they likely aren't breaking the encryption on it.

scaredoftests

I'd go with another bank.

rob42

Ryan9764 wrote: »

No, I not reusing the same password. Maybe I shouldn't be using lastpass. That might be the reason. One factor token they using is: send me a pin when ever I log on to my account.

You know about the recent issues with LastPass, right? The ones reported by Travis Ormandy?

Personally, I don't trust ANY of these 'password manager' apps and I simply don't trust or use them. For people that seem to 'need' them, for whatever reason, my advice (for what it's worth) would be: only use them for sites that don't have any direct consequences for you, should the app be compromised.

As for your banking login, why trust any 3rd party app with that kind of data? Either improve your memory or write it down in some form of encoded text, such as reversing every other symbol: e.g password would become apssowdr <- that's very each to crack, but you see what I'm driving at? Just invent your own method.

p@r0tuXus

GSXR750K2 wrote: »

First, grammar..

Yes...for the love of....

GSXR750K2 wrote: »

Second, don't use a password management application. The more places you have passwords stored, the greater the risk of some of that stored information leaking out. Do you only use a single computer to access these accounts? If so, maybe a key logger is to blame. Did you wipe your OS and do a clean install after the last round, or just reset your passwords and store them back into Last Pass? Convenience has a price, too..

All points I was thinking... Mostly from personal experience. Had a streaming site I used once that came with some unsavory script injections and low and behold, bank account was compromised. Learned alot through that experience.

GSXR750K2 wrote: »

Third, check your accounts frequently. I check all of mine at least once a day.

Another great suggestion.

I would also consider speaking with a representative at your bank. Most of them will let you change your daily spending limit balance, but generally will only cover so much of an expenditure caused by misuse. Example, your bank covers $500 in fraud cases, but charged amount was $1500, leaving you $1000 in loss. For that reason, I try to plan ahead with larger expenditures and will call in advance if I know I need that limit raised. Otherwise, I keep tight control over what's going out of that account.

jcundiff

scaredoftests wrote: »

I'd go with another bank.

Its not his bank (USAA) its either where he is sticking his card, or most likely (since he said he used lastpass)

https://www.theverge.com/2017/3/22/15023062/lastpass-security-flaw-passwords

Ryan9764

GSXR750K2 wrote: »

First, grammar.

Second, don't use a password management application. The more places you have passwords stored, the greater the risk of some of that stored information leaking out. Do you only use a single computer to access these accounts? If so, maybe a key logger is to blame. Did you wipe your OS and do a clean install after the last round, or just reset your passwords and store them back into Last Pass? Convenience has a price, too.

Third, check your accounts frequently. I check all of mine at least once a day.

Fourth, and I only suggest this if you have self-control, use a credit card for everything and pay it off monthly. If this were to happen on your credit card, it's much easier to get off the hook, but your checking/savings account is a whole different story. Plus, if you have a rewards card, you might as well get miles/points for things you're going to buy anyway.

Fifth, set alerts if your bank/card issuer has offers them. New device sign-in? Notify. Transaction exceeding x-dollar amount? Notify. Excessive password attempts? Notify.

Grab the problem by the horns and take steps to mitigate it since apparently just changing passwords and getting a PIN didn't work. There's an old saying about being fooled once and fooled twice...

-EDIT-

Make your passwords like an adult film star...long and strong. Passwords don't have to be just letters and numbers. "Notepads" is a no-go, but "N0t3P@d$" is acceptable. Be creative, use periods, commas, or other punctuation to increase the complexity of a password.

Also, avoid using consecutive or repetitive characters like "abc" or "777".

Thanks, and sorry about the grammar. I suffer TBI when I was in the military. The reason why I use password management apps is that i have memory issues. As stated in my last sentence, I suffer TBI, and can't remember ****.

GSXR750K2

Ryan9764 wrote: »

Thanks, and sorry about the grammar. I suffer TBI when I was in the military. The reason why I use password management apps is that i have memory issues. As stated in my last sentence, I suffer TBI, and can't remember ****.

I'm sorry to hear that, and I understand somewhat. A friend was a captain in the USMC and suffered a TBI due to a car hitting him while he was returning to base. He got out about three years ago and he still suffers memory lapses from time to time. You and markulous both have valid points regarding password managers in each of your situations.

Thank you for your service, and hopefully this nightmare can be put behind you as soon as possible.

Ryan9764

GSXR750K2 wrote: »

I'm sorry to hear that, and I understand somewhat. A friend was a captain in the USMC and suffered a TBI due to a car hitting him while he was returning to base. He got out about three years ago and he still suffers memory lapses from time to time. You and markulous both have valid points regarding password managers in each of your situations.

Thank you for your service, and hopefully this nightmare can be put behind you as soon as possible.

Thanks man! I shouldn't be using that as an excuse. I thinking about enrolling in some Community college english classes. Try to better myself.

boot

GSXR750K2 wrote: »

Second, don't use a password management application. The more places you have passwords stored, the greater the risk of some of that stored information leaking out.

Um, yes, do use a password manager. Your argument of not storing it in more places than necessary may make sense in theoretical isolation, just like "never patch a server, patches just break services or applications". As soon as you add the real world to the equation it doesn't work in the long run. If your point between the lines was actually "don't use a cloud-based password manager unless you know what that implies", I'd agree with you (I'm not saying "don't use cloud-based password management", I'm just saying you need to understand it and take appropriate precautions).

Make your passwords like an adult film star...long and strong. Passwords don't have to be just letters and numbers. "Notepads" is a no-go, but "N0t3P@d$" is acceptable. Be creative, use periods, commas, or other punctuation to increase the complexity of a password.

"N0t3P@d$" is 8 characters (10 with the quotes...). First, that is not strong (8 characters is trivial to crack in most widespread password storage schemes, with all amounts of character complexity). Second, it's the same length as "Notepads".

Length. Length, length, length. That is what makes a strong password. You should mix in some punctuation or numerals, to make sure your password isn't a complete series of dictionary words, but some is all that is needed. You don't need to alternate lowercase, uppercase, numerals and punctuation throughout your entire password. Mixup 6-8 characters, spell the rest out normally or mostly normally (whenever you can't use a generated password). 14 characters is a reasonable minimum today, but if you're at 14, there is no harm in going longer.

Finally, I know plenty of US banks have archaic password restrictions limiting you to 8 or even 6 characters, which may apply to OP. In fact, I haven't heard about any US bank that lets you make reasonable passwords. How all of those big banks are not fined daily for their shitty systems is beyond me, 2FA for banking and public services is the norm here, it's the ones that don't provide that that stands out (and would be steamrolled in any fraud case).

dhay13

I don't like password managers. I don't like the idea of my passwords all being in one place and trusted to 3rd party software. I do like password length though. Most of my passwords are at least 15 characters and include upper and lower case, numbers, and special characters. I don't know the exact formula but after 8 characters the complexity goes up exponentially with each character added. 20 characters would be something like a few thousand years. That is only if they have to go through every possible combination. There is the chance they could get it on the first try but not likely. Also, I don't NEED your password to impersonate you. I only need the hash of your password. If I can steal your hashed password then that is almost as good as having your password.

markulous

@boot

Amen. Several bad practices and misinformation in this thread.

xxxkaliboyxxx

Applications vulnerabilities are going to be compromised. Just the way it is, what you should of observed was how fast they patch their vulnerability. Stay with Last Pass, stay off public wifi.

Ryan9764

Thanks everybody!!! This question came up in my last post, when I got hack the first time. But is Lifelock worth getting? I debating on whether or not to get it.

Queue

You can lock your credit down on your own for free, by going through the three bureaus websites. This will prevent any unauthorized credit to be opened on your behalf.

I mentioned this before, but never use a check card/ATM card for purchases. You should just set your bank account to ACH transfer your payments to credit card companies, loans, mortage, whatever. Set up all alerts on your bank account and use strong password and multi-factor for authentication.

Use credit cards for all purchases or cash that you withdraw from a safe ATM/ or inside teller. Always pull on card swipes to make sure there isn't a skimmer. Since it seems you keep getting your card compromised at least if its a credit card, your cash is not at stake.

Use long passwords, just make up a sentence. HappenMeAgainIgotH@ck69 = 23 characters

If I were you since it seems its a place you frequent doing this, I would open a small pre-paid credit card. Then use it in a controlled manner to see which establishment is cloning your card.

infosec123

dhay13 wrote: »

I don't like password managers. I don't like the idea of my passwords all being in one place and trusted to 3rd party software.

I hope you dont bring this attitude to where you work, because if you do, you are putting your company in danger. Privileged password management is an essential practice in any properly controlled company. There are numerous vendors out there which specialize in properly built systems, just because Lastpass and a few other vendors cant properly implement a product, it doesnt mean they are all bad. Some of the largest corporations in the world use password management solutions, and they dont have issues in that department.

NetworkNewb

^^^^

While this is all true, I'm sure he referring to the ones meant for average users. I don't like them either.

Ryan9764

Queue wrote: »

You can lock your credit down on your own for free, by going through the three bureaus websites. This will prevent any unauthorized credit to be opened on your behalf.

I mentioned this before, but never use a check card/ATM card for purchases. You should just set your bank account to ACH transfer your payments to credit card companies, loans, mortage, whatever. Set up all alerts on your bank account and use strong password and multi-factor for authentication.

Use credit cards for all purchases or cash that you withdraw from a safe ATM/ or inside teller. Always pull on card swipes to make sure there isn't a skimmer. Since it seems you keep getting your card compromised at least if its a credit card, your cash is not at stake.

Use long passwords, just make up a sentence. HappenMeAgainIgotH@ck69 = 23 characters

If I were you since it seems its a place you frequent doing this, I would open a small pre-paid credit card. Then use it in a controlled manner to see which establishment is cloning your card.

Thank man. I going start using only my credit card. I am pretty good at keeping track of all my money, but sometime I get lazy and forget to put my purchase in my quicken.

kurosaki00

Might be some place you frequent has a compromised atm machine or something. Could be a compromised machine in a cash registrar.
Your information might be compromised too. Like your bday, who is your uncle, street you grew up, mother maiden name, etc.
Might want to start using other info to recover info.

Ryan9764

kurosaki00 wrote: »

Might be some place you frequent has a compromised atm machine or something. Could be a compromised machine in a cash registrar.
Your information might be compromised too. Like your bday, who is your uncle, street you grew up, mother maiden name, etc.
Might want to start using other info to recover info.

Yeah, probably. I was in the military, so, my ssn was handed out like candy. I going to take some people advices on this thread, and just use my credit card. I talked with my cousin who is an IT tech at UMB, and told me the same thing:use my credit card, and pay it back at the end of each month.

Nerkle

Considering how many times the government and military branches have been breached, your ssn may be on a saved list somewhere too.

Ryan9764

Well, just got off of the phone with my Navy Fed bank. I told her about my problems, and she suggest a prepaid card. So, I getting one, hopefully this will help solve some of my problems.

E Double U

Hack me once, shame on you. Hack me twice...