Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Lizzie Zoom]

For the first time, and it had to happen eventually, my bank had to contact me late this morning due to "suspicious activity" on my account involving £500 in total.

It turns out that four "purchases" were made using my PayPal details, with two being blocked, but two for computer parts going through and due to be delivered to an address in Burton-On-Trent!

I spent all afternoon on the phone to the bank, PayPal, and Action Fraud.  The fraudulent actions have been accepted by both PayPal and my bank, with refunds being issued. 

The odd thing was though, and no "expert" in any organisation I contacted, including BT, could explain why, after the attempted fraud, thousands of email's started to arrive from all over the World, with I think every language used!  Throughout the afternoon TWO emails EVERY SECOND was touching down, with the eventual grand total reaching 5,000+!!!  

I have now taken action to change my email address and delete the old one, but what an effort that was with 4 different BT customer services staff failing to provide any real help to stop the crazy number of email's. As I was changing the email addresses the BT system stated it could take "up to 60 days" for any changes could be made, and none of the BT staff could help me with that.  In the end I have sorted it all, and I have stopped the rouge email's!! 

I am so careful,and ironically have hardly used Paypal, instead using a direct debit card payment, the details of which the fraudsters used.  How I just do not know, and perhaps will never know. Passwords are changed regularly, full security measures are on my devices,  I don't click onto any emails I do not expect and am very careful to use only legitimate, well known and rated, suppliers.

A life experience indeed!

[TheBoy]

The email thing is not uncommon, and once it happens, all you can do is abandon it and get a new one.

As PP probably used same email address, it becomes a case of just guessing the password...   ...though more likely you used same email/pw combo on another site that has been compromised, and available for sale....

[Field Marshal Dr. Opti]

I had some ne'er do well spent over £2000 on one of my credit cards. A bill for a large TV and assorted electrical appliances landed on my mat.

Financial security is weak. An enterprising 12 year old could probably crack most of it.   

[STEMO]

Why did it have to happen ‘eventually’? Do you think that everyone will be compromised at some point in the future?
Did you have two factor authentication activated on your PayPal account?

[Lizzie Zoom]

The email thing is not uncommon, and once it happens, all you can do is abandon it and get a new one.

As PP probably used same email address, it becomes a case of just guessing the password...   ...though more likely you used same email/pw combo on another site that has been compromised, and available for sale....

Thanks for the info TB.  That has reassured me that I have now done all I can, with my bank card cancelled as soon as I knew what had happened, and now with a new email address.

[Lizzie Zoom]

Why did it have to happen ‘eventually’? Do you think that everyone will be compromised at some point in the future?
Did you have two factor authentication activated on your PayPal account?

That is the interesting fact, I do not use PP, always paying direct with my debit card. Once all this has died down and fully resolved I will certainly close my PP account.

Yes, I really believe that the cyber criminals will get most of us, or at least the companies we deal with as in my case due to poor security at corporate and national level.  After all big organisations, including the NHS, have been compromised at a national level with all their "systems security". What hope have us individuals got when even the "experts" in 3 major organisations had no answers for me?

[STEMO]

If you truly believe that most of us will be ‘hacked’ at some point, and large organisations have no way of defending themselves, then be prepared for something worse than a nuclear strike.

You are sitting at home on a winters evening, watching the telly, when the lights go out. In fact, everything goes out, street lights traffic lights, the works. To add to the sense of shock, house alarms ring out through the darkness, the only sound you can hear. You try to ring someone to see if their power is off, but neither your home phone or your mobile work, and with the heating going off, it’s starting to get a bit cold.
That could be the start of a major attack on our power grid. The first thing to hit would be a total lack of information. No radio, no phone, no street lights, no traffic lights, no ATMs to dispense money, no credit card terminals working, no tills at the supermarket, no pumps at the petrol station.

That big fella you cut up in your car last week is hanging around outside.

Have a nice day. 

[Lizzie Zoom]

If you truly believe that most of us will be ‘hacked’ at some point, and large organisations have no way of defending themselves, then be prepared for something worse than a nuclear strike.

You are sitting at home on a winters evening, watching the telly, when the lights go out. In fact, everything goes out, street lights traffic lights, the works. To add to the sense of shock, house alarms ring out through the darkness, the only sound you can hear. You try to ring someone to see if their power is off, but neither your home phone or your mobile work, and with the heating going off, it’s starting to get a bit cold.
That could be the start of a major attack on our power grid. The first thing to hit would be a total lack of information. No radio, no phone, no street lights, no traffic lights, no ATMs to dispense money, no credit card terminals working, no tills at the supermarket, no pumps at the petrol station.

That big fella you cut up in your car last week is hanging around outside.

Have a nice day. 

Yes, all true!!  And we as a society are still increasing our reliance on electric power, with few back ups of any type when it goes off.  We are living on the edge, but only a few of us seem to recognise that.

I still have an oil lamp, candles, and a number of torches, but what good that we do me or anyone else if the big strike happens.

[Gaffers]

Activating 2 factor authentication can help reduce the likelihood of this happening again.  All of my important email/paypal/linkedin/etc accounts have it enabled.  It wont completely remove the risk but it makes it quite difficult to break.  I also have text alerts for debits over a certain amount from my main bank account.

[STEMO]

Activating 2 factor authentication can help reduce the likelihood of this happening again.  All of my important email/paypal/linkedin/etc accounts have it enabled.  It wont completely remove the risk but it makes it quite difficult to break.  I also have text alerts for debits over a certain amount from my main bank account.

What happens, Matt, if I press the “I don’t have access to my mobile phone” button on PayPal?

[Gaffers]

Activating 2 factor authentication can help reduce the likelihood of this happening again.  All of my important email/paypal/linkedin/etc accounts have it enabled.  It wont completely remove the risk but it makes it quite difficult to break.  I also have text alerts for debits over a certain amount from my main bank account.

What happens, Matt, if I press the “I don’t have access to my mobile phone” button on PayPal?

You get asked a random selection of questions you have already provided the answers to when activating 2FA.  It works quite well.

[STEMO]

Activating 2 factor authentication can help reduce the likelihood of this happening again.  All of my important email/paypal/linkedin/etc accounts have it enabled.  It wont completely remove the risk but it makes it quite difficult to break.  I also have text alerts for debits over a certain amount from my main bank account.

What happens, Matt, if I press the “I don’t have access to my mobile phone” button on PayPal?

You get asked a random selection of questions you have already provided the answers to when activating 2FA.  It works quite well.

Ta 

[Rods2]

I always use a top up credit card for online purchases which automatically limits your financial exposure. Each account has 2 factor activation and an email that informs me of each login when these are available. Each account have a very long unique random characters and numbers string for my passwords. They are hand written on several A4 sheets of paper which I keep locked in my safe.

[STEMO]

I always use a top up credit card for online purchases which automatically limits your financial exposure. Each account has 2 factor activation and an email that informs me of each login when these are available. Each account have a very long unique random characters and numbers string for my passwords. They are hand written on several A4 sheets of paper which I keep locked in my safe.

I had a Monzo card for a while, not only the amount you pre-load can be spent, but you get an instant text showing your purchase, the store it was made at and the location on a map.

[Lizzie Zoom]

Activating 2 factor authentication can help reduce the likelihood of this happening again.  All of my important email/paypal/linkedin/etc accounts have it enabled.  It wont completely remove the risk but it makes it quite difficult to break.  I also have text alerts for debits over a certain amount from my main bank account.

Thanks Guffer

I do have two factor authentication on my main cards, and my bank do text me, as they did today, about anything unusual.  But, it seems whatever 'security' was with the PP account broke down.  The payments made even used a different version of my email, but that failed to be noted!

[New POD]

Daughter had her bank card details used for payments for insurance by someone unknown. And at the same time someone phoned up her mobile supplier to say that her phone had been lost so it was blocked and she couldn't use it.
Apparently because the purchases looked suspicious the bank tried to phone her, but it was dead.
All sorted in about 2 hours.

[78bex]

Activating 2 factor authentication can help reduce the likelihood of this happening again.  All of my important email/paypal/linkedin/etc accounts have it enabled.  It wont completely remove the risk but it makes it quite difficult to break.  I also have text alerts for debits over a certain amount from my main bank account.

Thanks Guffer

I do have two factor authentication on my main cards, and my bank do text me, as they did today, about anything unusual.  But, it seems whatever 'security' was with the PP account broke down.  The payments made even used a different version of my email, but that failed to be noted!

This is weird stuff,  if a different email address was used, how did they manage to login to you paypal account to make the purchases 
Hang on a minute, I take it you have tried to login to your paypal account Lizzie.
If you can`t , that means they`ve locked you out doesn`t it

[Mr Gav]

For the first time, and it had to happen eventually, my bank had to contact me late this morning due to "suspicious activity" on my account involving £500 in total.

It turns out that four "purchases" were made using my PayPal details, with two being blocked, but two for computer parts going through and due to be delivered to an address in Burton-On-Trent!

I spent all afternoon on the phone to the bank, PayPal, and Action Fraud.  The fraudulent actions have been accepted by both PayPal and my bank, with refunds being issued. 

The odd thing was though, and no "expert" in any organisation I contacted, including BT, could explain why, after the attempted fraud, thousands of email's started to arrive from all over the World, with I think every language used!  Throughout the afternoon TWO emails EVERY SECOND was touching down, with the eventual grand total reaching 5,000+!!!  

I have now taken action to change my email address and delete the old one, but what an effort that was with 4 different BT customer services staff failing to provide any real help to stop the crazy number of email's. As I was changing the email addresses the BT system stated it could take "up to 60 days" for any changes could be made, and none of the BT staff could help me with that.  In the end I have sorted it all, and I have stopped the rouge email's!!

I am so careful,and ironically have hardly used Paypal, instead using a direct debit card payment, the details of which the fraudsters used.  How I just do not know, and perhaps will never know. Passwords are changed regularly, full security measures are on my devices,  I don't click onto any emails I do not expect and am very careful to use only legitimate, well known and rated, suppliers.

A life experience indeed!

Are these the really bad red ones 

[deviator]

Daughter had her bank card details used for payments for insurance by someone unknown. And at the same time someone phoned up her mobile supplier to say that her phone had been lost so it was blocked and she couldn't use it.
Apparently because the purchases looked suspicious the bank tried to phone her, but it was dead.
All sorted in about 2 hours.

It's quite common they will try and take your phone over, it's used for authentication for so many services and it potential keeps you busy/diverted whilst they do other financial things.

[deviator]

For the first time, and it had to happen eventually, my bank had to contact me late this morning due to "suspicious activity" on my account involving £500 in total.

It turns out that four "purchases" were made using my PayPal details, with two being blocked, but two for computer parts going through and due to be delivered to an address in Burton-On-Trent!

I spent all afternoon on the phone to the bank, PayPal, and Action Fraud.  The fraudulent actions have been accepted by both PayPal and my bank, with refunds being issued. 

The odd thing was though, and no "expert" in any organisation I contacted, including BT, could explain why, after the attempted fraud, thousands of email's started to arrive from all over the World, with I think every language used!  Throughout the afternoon TWO emails EVERY SECOND was touching down, with the eventual grand total reaching 5,000+!!!  

I have now taken action to change my email address and delete the old one, but what an effort that was with 4 different BT customer services staff failing to provide any real help to stop the crazy number of email's. As I was changing the email addresses the BT system stated it could take "up to 60 days" for any changes could be made, and none of the BT staff could help me with that.  In the end I have sorted it all, and I have stopped the rouge email's!! 

I am so careful,and ironically have hardly used Paypal, instead using a direct debit card payment, the details of which the fraudsters used.  How I just do not know, and perhaps will never know. Passwords are changed regularly, full security measures are on my devices,  I don't click onto any emails I do not expect and am very careful to use only legitimate, well known and rated, suppliers.

A life experience indeed!

The first question I am asking, is how did they get your details? Your PP address is pretty public, but your password was used elsewhere/cracked or your computer has a virus. Don't reuse passwords, if you can enable 2FA. I know it's difficult to remember all the passwords, so pick a strong one and then add the company to the end so P4ssw0rd5462111-eBay.

Virus scan your computer with multiple (at least 2) free/trial AV packages. If you find anything pretty nasty, then consider a reinstall of the OS.

Use a different email address for paypal to anything else. My eBay email is different to my Paypal email on purpose.

With regards PP, here's how I do it. Setup Paypal, verify via a UK bank account. As soon as this stage is done, remove the account details from Paypal. Paypal DO NOT NEED YOUR BANK ACCOUNT DETAILS. Yes, I can still withdraw money to that account, but PP has no access to take money out of that account. Then I use a credit card with a low limit, say £250 credit limit to fund my Paypal account. This way I have 2 levels of 'insurance' to protect me. If you need to spend more than £250 through PP in one hit, then xfer funds from your current account to your CC card so it has a positive balance and then you can spend the balance plus the credit limit.

The reason you are getting loads of emails is to throw you off the scent. You are less likely to see the bank/paypal etc; emails if they are 1 in 1000.

If you need any specific advise, please ask.

[Lizzie Zoom]

Activating 2 factor authentication can help reduce the likelihood of this happening again.  All of my important email/paypal/linkedin/etc accounts have it enabled.  It wont completely remove the risk but it makes it quite difficult to break.  I also have text alerts for debits over a certain amount from my main bank account.

Thanks Guffer

I do have two factor authentication on my main cards, and my bank do text me, as they did today, about anything unusual.  But, it seems whatever 'security' was with the PP account broke down.  The payments made even used a different version of my email, but that failed to be noted!

This is weird stuff,  if a different email address was used, how did they manage to login to you paypal account to make the purchases 
Hang on a minute, I take it you have tried to login to your paypal account Lizzie.
If you can`t , that means they`ve locked you out doesn`t it

Yes, I was able to log in still, but needless to say I have changed various security factors, and I have just had PP confirm with me that various new levels of security have been placed around my account.

How the fraud was done I don't know, and PP are still investigating back to the source of the fraud.  It now transpires that 3 other transactions, amounting to about £700 were stopped by my bank.  So, thanks to them it could have been far worse.

[Lizzie Zoom]

Daughter had her bank card details used for payments for insurance by someone unknown. And at the same time someone phoned up her mobile supplier to say that her phone had been lost so it was blocked and she couldn't use it.
Apparently because the purchases looked suspicious the bank tried to phone her, but it was dead.
All sorted in about 2 hours.

It's quite common they will try and take your phone over, it's used for authentication for so many services and it potential keeps you busy/diverted whilst they do other financial things.

That is apparently if they can get hold of your SIM after they have fooled your mobile phone provider to send you a new one.  This did not happen to me, and I believe the phone companies are now ahead of the fraud.

[Gaffers]

Daughter had her bank card details used for payments for insurance by someone unknown. And at the same time someone phoned up her mobile supplier to say that her phone had been lost so it was blocked and she couldn't use it.
Apparently because the purchases looked suspicious the bank tried to phone her, but it was dead.
All sorted in about 2 hours.

It's quite common they will try and take your phone over, it's used for authentication for so many services and it potential keeps you busy/diverted whilst they do other financial things.

That is apparently if they can get hold of your SIM after they have fooled your mobile phone provider to send you a new one.  This did not happen to me, and I believe the phone companies are now ahead of the fraud.

Another way to thwart 2FA using a code sent to a phone is to crack the algorithm and gain access to any local SS7 infrastructure.  It's not that difficult if you know your stuff but you will need to know a lot about how GSM networks work in order to pin point the SMS traffic for the particular phone.  You would also need to know that person's number or IMSI.  I believe that the hardware needed can also be difficult and expensive to come by.  As the networks are switched on to the vulnerabilities in SS7, I would suspect that many of them will be monitoring their networks for certain event markers which would give any miscreants activity away.

[Lizzie Zoom]

ERROR!!

[Lizzie Zoom]

The first question I am asking, is how did they get your details? Your PP address is pretty public, but your password was used elsewhere/cracked or your computer has a virus. Don't reuse passwords, if you can enable 2FA. I know it's difficult to remember all the passwords, so pick a strong one and then add the company to the end so P4ssw0rd5462111-eBay.

Virus scan your computer with multiple (at least 2) free/trial AV packages. If you find anything pretty nasty, then consider a reinstall of the OS.

Use a different email address for paypal to anything else. My eBay email is different to my Paypal email on purpose.

With regards PP, here's how I do it. Setup Paypal, verify via a UK bank account. As soon as this stage is done, remove the account details from Paypal. Paypal DO NOT NEED YOUR BANK ACCOUNT DETAILS. Yes, I can still withdraw money to that account, but PP has no access to take money out of that account. Then I use a credit card with a low limit, say £250 credit limit to fund my Paypal account. This way I have 2 levels of 'insurance' to protect me. If you need to spend more than £250 through PP in one hit, then xfer funds from your current account to your CC card so it has a positive balance and then you can spend the balance plus the credit limit.

The reason you are getting loads of emails is to throw you off the scent. You are less likely to see the bank/paypal etc; emails if they are 1 in 1000.

If you need any specific advise, please ask.
[/quote]



Thanks!

However, how they did it is still under investigation, but it appears my password was initially hacked at the PP end, and in fact I regularly use many varied, and very strong passwords that cover all the combinations of number, letters and symbols.  They are regularly updated and are not recorded anywhere but in my head as they all make sense to me using various factors, and would be hard to guess.  As TB has suggested it could be that my passcode was sold on, or it was computer linked with a device going through thousands of combinations until it hits the spot!

The strange thing is, that no one can advise me on, apart from you with your observation, although I have stopped it in it's tracks, is the 5,000 email's I received from all over the World about offers, membership, registration, joining, etc, etc, just from the ones where I could understand the language.  None were opened; all deleted in bulk!  That had to be actioned by a computer system, and it is interesting to note that the goods purchased on Ebay using my account details that went through initially were for computer parts! 

Maybe TB, or another techy on here, can find a clue in this, but the two orders where:

 Asus AMD PRIME X370-A AM4 ATX Motherboard Socket AM4 Ryzen 7 Support  = £126.01  and................

 Asus AMD PRIME X370-PRO-Motherboard ATX, AMD X370, Socket AM4, DDR4, HDMI, SLI/XFire  = £159.90

I suspect that the other 3 orders, going on the values involved and the companies named, were as IT parts.

They were all heading to an address in Burton-on-Trent, which is now under investigation.

No, overall deviator, as someone used to investigating fraud, this seems to me after talking to the organisations involved that this could have been part of a far bigger breach of PP security with an insider or a mainframe (do they still have those?!) hack.  I am not getting a direct answer as to how my details (bank card) was used when I know I had a security screen on it.  My PC is the only device used for my financial dealings and this is heavily covered by security software, including regular virus scans, and warnings are given about "Harmful sites". I have various levels of security that I will not go into.  The speed at which this transpired, all within about 30 minutes, with even my bank being deceived by demands on my account that should not have been authorised, leads me to believe serious hackers were involved with this and they knew what they were doing.

As I said before, what hope has any of us as individuals in stopping this when even large corporate institutions are hacked.  How much "security" do we need to install?

I note your useful advice on using PP, which I will use, but ironically I rarely use PP. I will probably now NEVER use it!!

[TheBoy]

What hope have us individuals got when even the "experts" in 3 major organisations had no answers for me?

What experts? You called helpdesks etc. For example, why should the BT helpdesk agent be an expert in your banking security? Surely they are experts in your internet connection and/or phone line?

I imagine that the Police are experts in crime and upholding the law, and paramedics are experts in general injuries. I wouldn't call the Police asking them why my arm hurts

[TheBoy]

Nothing suspicious about what was ordered, except its electronic stuff that's easy to move on.  I suspect the started at the lowest cost, and kept trying, bumping up costs until it was spotted.  That's a fairly common MO used.

laptops and mobiles are easier to shift, but the banks (any PP etc) are pretty switched onto this, so get closer scrutiny.


Guffers is the IT security/cybersecurity expert on here, so pay attention to what he says

[Lizzie Zoom]

What hope have us individuals got when even the "experts" in 3 major organisations had no answers for me?

What experts? You called helpdesks etc. For example, why should the BT helpdesk agent be an expert in your banking security? Surely they are experts in your internet connection and/or phone line?

I imagine that the Police are experts in crime and upholding the law, and paramedics are experts in general injuries. I wouldn't call the Police asking them why my arm hurts

No TB,  I asked their technical department about how the thousands of email's were hitting my PC over their broadband and could they stop it. They didn't know and had no answers apart from change my email address, and that could take up to 60 days to be actioned!!   I sorted that myself by uninstalling my programs that covered emails, then reinstalling.  "Experts"?  Well you would think staff in BT, the central banking system of my bank and PayPal  would have some to tackle these issues, but no, it was down to me to sort out even though the problem was their end.

It strikes me that even large organisations are unprepared for these hacking attacks, which I understand are common, not uncommon.

[Lizzie Zoom]

Daughter had her bank card details used for payments for insurance by someone unknown. And at the same time someone phoned up her mobile supplier to say that her phone had been lost so it was blocked and she couldn't use it.
Apparently because the purchases looked suspicious the bank tried to phone her, but it was dead.
All sorted in about 2 hours.

It's quite common they will try and take your phone over, it's used for authentication for so many services and it potential keeps you busy/diverted whilst they do other financial things.

That is apparently if they can get hold of your SIM after they have fooled your mobile phone provider to send you a new one.  This did not happen to me, and I believe the phone companies are now ahead of the fraud.

Another way to thwart 2FA using a code sent to a phone is to crack the algorithm and gain access to any local SS7 infrastructure.  It's not that difficult if you know your stuff but you will need to know a lot about how GSM networks work in order to pin point the SMS traffic for the particular phone.  You would also need to know that person's number or IMSI.  I believe that the hardware needed can also be difficult and expensive to come by.  As the networks are switched on to the vulnerabilities in SS7, I would suspect that many of them will be monitoring their networks for certain event markers which would give any miscreants activity away.

Thanks Guffer, I think I understand what you are saying, but as with all this you have to be a specialist in the IT field to know all about it.  The consumer like me who pays the money, and gives them business, should not have to go into such detail as the organisation that you deal with should be protecting their customers, as I did in the retail trade by ensuring full H & S requirements, along with security buffers, were in place to protect those who gave us business/profit

[Lizzie Zoom]

Nothing suspicious about what was ordered, except its electronic stuff that's easy to move on.  I suspect the started at the lowest cost, and kept trying, bumping up costs until it was spotted.  That's a fairly common MO used.

laptops and mobiles are easier to shift, but the banks (any PP etc) are pretty switched onto this, so get closer scrutiny.


Guffers is the IT security/cybersecurity expert on here, so pay attention to what he says

Yes, obviously TB, but he and you talk a language that us mere mortals cannot fully follow!

[Gaffers]

Daughter had her bank card details used for payments for insurance by someone unknown. And at the same time someone phoned up her mobile supplier to say that her phone had been lost so it was blocked and she couldn't use it.
Apparently because the purchases looked suspicious the bank tried to phone her, but it was dead.
All sorted in about 2 hours.

It's quite common they will try and take your phone over, it's used for authentication for so many services and it potential keeps you busy/diverted whilst they do other financial things.

That is apparently if they can get hold of your SIM after they have fooled your mobile phone provider to send you a new one.  This did not happen to me, and I believe the phone companies are now ahead of the fraud.

Another way to thwart 2FA using a code sent to a phone is to crack the algorithm and gain access to any local SS7 infrastructure.  It's not that difficult if you know your stuff but you will need to know a lot about how GSM networks work in order to pin point the SMS traffic for the particular phone.  You would also need to know that person's number or IMSI.  I believe that the hardware needed can also be difficult and expensive to come by.  As the networks are switched on to the vulnerabilities in SS7, I would suspect that many of them will be monitoring their networks for certain event markers which would give any miscreants activity away.

Thanks Guffer, I think I understand what you are saying, but as with all this you have to be a specialist in the IT field to know all about it.  The consumer like me who pays the money, and gives them business, should not have to go into such detail as the organisation that you deal with should be protecting their customers, as I did in the retail trade by ensuring full H & S requirements, along with security buffers, were in place to protect those who gave us business/profit

Bear in mind also that you are one of many millions of customers.  You have already been included in a very general sweeping appreciation of risk across their client-base.  To be 100% unhackable (if it is at all possible) it can be uneconomical for system owners to do so.  The law of diminishing returns applies a lot in security, the easy and cheap stuff can cover 80% while covering the other 20% can cost you many times more.  How far you go will always depend on several factors including a companies appetite for risk to their financials and reputation.  So there is a trade-off where it becomes cost ineffective to do more than X.  That point will have shifted slightly over recent months as preparations for GDPR are made and the extra regulatory risk is factored in to the appetite for risk with budgets shifted accordingly.  So the money they paid you back has already been budgeted for and frankly they don't care unless it generates significant negative media coverage.  However, I know of one organisation whose approach to the upcoming change in regulation was to just set-aside money for the inevitable fines.  No point in doing the work!

I deal with such things in every organisation I work with, us cyber nerds would like to get as close as possible to 100% but the bean-counters fight back and in the end the board will dictate how much you get.  As a case in point I worked for a building society a short while back and their annual loss to fraud was extremely low, barely enough to cover a single low-level security expert FTE (because they didn't use faster payments, thus a good place to keep larger amounts of cash IMO) However the reputational risk, highlighted by the TalkTalk debacle, is what spurred them on to improve their posture and make a significant investment, many times their fraud loss value.  They were targeted quite often with social engineering attacks yet the staff were very good at noticing and doing the right thing because they were forced to complete training every year (a very easy and relatively cheap security control)

[Gaffers]

Nothing suspicious about what was ordered, except its electronic stuff that's easy to move on.  I suspect the started at the lowest cost, and kept trying, bumping up costs until it was spotted.  That's a fairly common MO used.

laptops and mobiles are easier to shift, but the banks (any PP etc) are pretty switched onto this, so get closer scrutiny.


Guffers is the IT security/cybersecurity expert on here, so pay attention to what he says

Yes, obviously TB, but he and you talk a language that us mere mortals cannot fully follow!

I could try base 16 if that would help.....

[Lizzie Zoom]

Bear in mind also that you are one of many millions of customers.  You have already been included in a very general sweeping appreciation of risk across their client-base.  To be 100% unhackable (if it is at all possible) it can be uneconomical for system owners to do so.  The law of diminishing returns applies a lot in security, the easy and cheap stuff can cover 80% while covering the other 20% can cost you many times more.  How far you go will always depend on several factors including a companies appetite for risk to their financials and reputation.  So there is a trade-off where it becomes cost ineffective to do more than X.  That point will have shifted slightly over recent months as preparations for GDPR are made and the extra regulatory risk is factored in to the appetite for risk with budgets shifted accordingly.  So the money they paid you back has already been budgeted for and frankly they don't care unless it generates significant negative media coverage.  However, I know of one organisation whose approach to the upcoming change in regulation was to just set-aside money for the inevitable fines.  No point in doing the work!

I deal with such things in every organisation I work with, us cyber nerds would like to get as close as possible to 100% but the bean-counters fight back and in the end the board will dictate how much you get.  As a case in point I worked for a building society a short while back and their annual loss to fraud was extremely low, barely enough to cover a single low-level security expert FTE (because they didn't use faster payments, thus a good place to keep larger amounts of cash IMO) However the reputational risk, highlighted by the TalkTalk debacle, is what spurred them on to improve their posture and make a significant investment, many times their fraud loss value.  They were targeted quite often with social engineering attacks yet the staff were very good at noticing and doing the right thing because they were forced to complete training every year (a very easy and relatively cheap security control)

Thanks Guffer, that is a great and very interesting explanation which I do fully understand as a business manager used to dealing with multi-million pound budgets and being fully responsible for my Division's P&L account.  I used to factor in losses, or to use the other term, "wastage" with a remit to control them to maximise final bottom line profit (never a loss).

I think, as with any service industry, the "company" must take responsibility for looking after it's customers as you want their repeat business and give them maximum security whilst you do that.  It is the online companies that have encouraged the development into a boom of their business so they should go the extra mile to protect their customers, let alone their profits.  It strikes me, and really confirmed by you, that they have the attitude that "oh well, hacking is going to happen, no point in worrying too much about it apart from limiting it's impact on profits, and sod the customers "security".  In the press we have seen instances of these hackings taking place when there should have been even the regular software to stop such attacks.  No the online industry has got to do a lot more to encourage those potential customers who at the moment (wisely) refuse to use online services, and keep the customers that already do.  The companies who finally really do pull out all the stops will be the ones to survive with a healthy growing customer base. It is dog eat dog out their in all variants of the retail industry, and only the strongest and best will survive.

[Gaffers]

Agreed Lizzie, but in our business we always say that the weakest link is always Layer 8/CKI (ie the user) being suckered in by Socil Engineering or employing poor password policy (not helped by the appalling minimum password levels enforced by many popular sites, some as low as 6 characters minimum but none higher than 8! )

[Rods2]

The problem starts with lack of political will as the legal framework could make things much more difficult for hackers, next is a farcical legal situation where little Johnny's solicitor says he can't help it due to Asperger's syndrome and he will probably get no more than a conditional discharge after causing millions in costs and loses for multiple people and businesses. This makes the crimes highly profitable, with the criminals unlikely to be brought to justice and then the punishment for a 'white collar' crime minimal to nothing.

The price is more expensive goods from online suppliers, higher credit card interest rates and bank account charges and inconvenience for the public at large.

To show how profitable it is two former Scottish bank employees that went into the online fraud business proceeds of crime stuff has just been auctioned with a new value of £2.8m.

If the Government wanted to get tough they could as all of the criminal's activities are traceable but it has to be at the Government law enforcement or security services level and it is easier and cheaper to pass that buck to make it a business and Joe public problem.

 

[Lizzie Zoom]

Agreed Lizzie, but in our business we always say that the weakest link is always Layer 8/CKI (ie the user) being suckered in by Socil Engineering or employing poor password policy (not helped by the appalling minimum password levels enforced by many popular sites, some as low as 6 characters minimum but none higher than 8! )

Oh yes, fully agree with that Guffer:y

One bank that I use does not accept symbols being used in the password.  Thank goodness other sites I use do allow my passwords of 12 characters, with combinations of letter, upper and lower case, numbers, and with some symbols.  Others I have tried as you say restrict you to silly lengths of password.  Why do the banks continue to use only 4 digit pin numbers with their cards?  Far too small!  At least some credit cards companies are pushing authorisation code lengths to 5 or even 6 numbers (not letters!!)

[STEMO]

Agreed Lizzie, but in our business we always say that the weakest link is always Layer 8/CKI (ie the user) being suckered in by Socil Engineering or employing poor password policy (not helped by the appalling minimum password levels enforced by many popular sites, some as low as 6 characters minimum but none higher than 8! )

Oh yes, fully agree with that Guffer:y

One bank that I use does not accept symbols being used in the password.  Thank goodness other sites I use do allow my passwords of 12 characters, with combinations of letter, upper and lower case, numbers, and with some symbols.  Others I have tried as you say restrict you to silly lengths of password.  Why do the banks continue to use only 4 digit pin numbers with their cards?  Far too small!  At least some credit cards companies are pushing authorisation code lengths to 5 or even 6 numbers (not letters!!)

Buffer has already explained about 8/CKI. Banks like people to be able to use their products, and I don't think they want to be employing people to remind folk of their forgotten details.
There was actually research into the optimum number of digits for a PIN......and four won.

[Gaffers]

Passwords and codes are all about entropy, and where it isn't high enough additional controls are added. So for PINs there are the 3 tries and you are locked out. Passwords that are 8 characters or less can be reversed if you can intercept the hash. At 9 and above it becomes more difficult so my personal advice is do not have any passwords shorter than 10 complex characters for anything important. If you have difficulty remembering them then look at something like mooltipass which is an offline password manager. I got one for the wife because she is terrible for forgetting them.  Online password managers, use at your own risk.

[Lizzie Zoom]

Passwords and codes are all about entropy, and where it isn't high enough additional controls are added. So for PINs there are the 3 tries and you are locked out. Passwords that are 8 characters or less can be reversed if you can intercept the hash. At 9 and above it becomes more difficult so my personal advice is do not have any passwords shorter than 10 complex characters for anything important. If you have difficulty remembering them then look at something like mooltipass which is an offline password manager. I got one for the wife because she is terrible for forgetting them.  Online password managers, use at your own risk.

 

[Doctor Gollum]

Is Lastpass available here, and is it any good?

[Gaffers]

Is Lastpass available here, and is it any good?

How do I put this?  If it were a crucial part of a boat's hull, it would be as effective as swiss cheese.

How many times has last pass been hacked?  I've lost count.

ANy online password manager is going to be a target of malicious actors.  Plus it is only a matter of time before they breach data because some dumb idiot lazy admin leaves the credentials for each machine in their datacenter in an excel file (look up the Sony Pictures hack)

[Gaffers]

Agreed Lizzie, but in our business we always say that the weakest link is always Layer 8/CKI (ie the user) being suckered in by Socil Engineering or employing poor password policy (not helped by the appalling minimum password levels enforced by many popular sites, some as low as 6 characters minimum but none higher than 8! )

Oh yes, fully agree with that Guffer:y

One bank that I use does not accept symbols being used in the password.  Thank goodness other sites I use do allow my passwords of 12 characters, with combinations of letter, upper and lower case, numbers, and with some symbols.  Others I have tried as you say restrict you to silly lengths of password.  Why do the banks continue to use only 4 digit pin numbers with their cards?  Far too small!  At least some credit cards companies are pushing authorisation code lengths to 5 or even 6 numbers (not letters!!)

Buffer has already explained about 8/CKI. Banks like people to be able to use their products, and I don't think they want to be employing people to remind folk of their forgotten details.
There was actually research into the optimum number of digits for a PIN......and four won.

The lack of special characters has probably more to do with being lazy about protecting against deliberate/accidental SQL Injection.  IE whereby the input field has characters that the database backend uses to separate functions, lines of code or values.  Most do it properly by sanitising input or converting it to a format where it doesn't cause a problem.  Others are lazy and just ban special characters.