
How to combat identity theft & hacked email

David Clapson

This thread is prompted by a discussion in the Brixton forum Brixton news, rumours and general chat - September 2017 I'm no expert but I might as well start it off. In recent times hackers have been getting into huge databases full of members' account info, for example LinkedIn, adobe.com, last.fm, dailymotion, myspace, Equifax, Sony and many, many more. Your email address is probably in a hacked database. Maybe the hackers also got the password you were using for that account. Maybe they've sold your info to criminals who will try to take over your online shopping accounts or open some sort of credit account in your name. Or maybe they'll send a phishing email to all your friends.

The best defence is to use a different password for each of your accounts. Another thing you can do is enter your email address(es) at haveibeenpwned.com. This is a free service which you can trust. Have I Been Pwned? - Wikipedia. It tells you which of the databases you're in have been hacked in the past. Best of all, you can use the 'Notify Me' service to get a warning by email the next time hackers get into a database you are in. This service is also free, and there's no spam. (I've been using it for 2 years.) It gives you a heads-up so you can change your password before it gets used to defraud you. (You can even check whether the hackers have your passwords here: haveibeenpwned.com/Password)

Another way you can be screwed is if you lose your phone/tablet/laptop - it might have your online shopping account details in it. (Shortly after I left my phone on the bus, someone took over my ebay account and listed lots of Macbooks for sale.) For this reason it might be a good idea to say No when Chrome asks if you want to save your password. You can also set passwords on your devices so that they automatically lock after a short time. This might stop criminals from getting at your data. But I'm no expert in this either. Hopefully somebody will be along in a minute with chapter and verse.

The big credit file companies, i.e. Experian, Equifax and a couple of others, are always trying to scare people into signing up for an expensive service. But their ads seem deceitful... I don't know of anything useful they do which you can't do for free. But this is another thing I'm no expert in!

If all this is TLDR, just remember to use a different password on every site. If you can be arsed to do that, you'll be one of the safest people in the world!
 
Another way you can be screwed is if you lose your phone/tablet/laptop - it might have your online shopping account details in it. (Shortly after I left my phone on the bus, someone took over my ebay account and listed lots of Macbooks for sale.)

Use a complex unlock code, at least 8 chars, and don't use motions like many Android phones offer; there are usually marks all over the screen giving away what it is.

For this reason it might be a good idea to say No when Chrome asks if you want to save your password. You can also set passwords on your devices so that they automatically lock after a short time. This might stop criminals from getting at your data. But I'm no expert in this either. Hopefully somebody will be along in a minute with chapter and verse.

Personally, I think people over-complicate the password thing. I have no problem with Chrome remembering my passwords. It's my laptop; no one else uses it. I wouldn't be stupid enough to leave it unattended. Worst case scenario it gets robbed right under my nose, but it's probably going to lose internet connectivity before they get a chance to do anything dodgy, and they will probably close it, meaning they need my password to unlock it.

I don't have a clue what 90%+ of my passwords are. I use a piece of software to create a password and save it in a password locker. Worst case scenario I click on the forgot password link and it emails me a link to reset the password, which, for me, is why the only real password I need to know and protect is my email. Banking passwords are probably also worth remembering. Everything else? Fuck it.

Email/Banking/Facebook/Google/Instagram - anything you really really care about and if they offer it, set up two factor authentication, and for the love of god, do save those 10 codes they give you in case you do lose your phone so you don't get fully locked out. This is how many celebs get their social media/phones hacked, because they don't set up 2fa on their cloud accounts.

Data - personal pet peeve is that Microsoft don't enable disk encryption on Home editions of Windows 10, meaning anyone can steal your computer, unplug the drive, plug it into another computer via a USB caddy, and have a good nose at the data that's on your drive. They don't need your passwords to do that. If you take your device out and about, or if it's a desktop with loads of important data on it, encrypt it. Either upgrade to Professional and encrypt the disk, or use something like VeraCrypt to create encrypted containers that hold any personally identifiable data. You can do this with external drives/thumb drives too.

You can also buy already encrypted external drives/thumb drives.
 
Both of these posts are excellent advice, online security is something most people do not look into and are pretty lackadaisical about.

May I also mention that it is a bad idea to post your life on social media sites; for most nefarious internet users, having access to a person's life allows them to use social engineering techniques, and all the security in the world doesn't help there.
 
My Internet banking password I remember.

Plus a few other important ones.

The rest I note down.

I do have to audit my less important accounts because I think a couple of them retain my CC number so they will have to become high security. I need to do this.

Then I would like an online password locker, but so far I haven't found one I liked.
 
May I also mention that is a bad idea to post your life on social media sites

There are plenty of people who've fallen foul of newspapers, their employers or the police by telling the world what they're doing and thinking. Best to delete everything which uses your real name and start again with fake or joke names or something.

If you're going to do something so naughty that people will make an effort to unmask you, you could use the Tor browser www.torproject.org . It scrambles your IP address, which means that even if all your wrongdoing is done on the same computer every day, nobody will be able to work out where it is. Not even GCHQ or the CIA. I gave Tor a go recently, and Hotmail finds it so dodgy that every time you try to check your mail it accuses you of being a wrong 'un and you have to ask for a Secret Special Code. Which is annoying but reassuring at the same time.
 
Tor isn't that safe; your data is being passed through loads of nodes, and most of these nodes are hosted by people I wouldn't trust. If you want to browse dodgy sites, by all means use it, but do not log into sites via it (watch Mr. Robot, first episode). Use a VPN instead, ideally one you pay for that keeps no logs.

Whilst on the subject, using free and open wifi hotspots can also be dodgy: once your phone remembers them, it will auto-connect. There's nothing stopping me sitting on a train, sharing my phone's 4G as a wifi hotspot called 'starbucks' and seeing how many people's phones connect to it. Using some cool tools I can intercept all that data with my laptop and save it for later analysis.

So whenever I connect to free wifi, I fire up my VPN!
 
Not enough for me to notice. There's a VPN thread in this section where I've posted Speedtest results of my provider.

I use PIA.
 
FBI Can't Crack Android Pattern-Screen Lock

The rest of your post is good advice, though. Especially using a password manager. I use LastPass, and like you, I don't know 90% of my passwords.

I think with regards to this thread, you don't need to worry about the FBI cracking your screen lock code - given enough importance they almost certainly can, however long you make it. You need to worry about the bloke who steals your phone in a pub cracking your screen lock code - and 8 digits is more than enough for that.

Turn 2fa on wherever you can - especially on accounts which can unlock other accounts, accounts which give access to money or which store credit cards - e.g. amazon not urban

Alex
 
Exactly. And that's assuming the bouncer/door person is minded to start telling you such details (if they even know themselves).

The reason this is interesting is that if you are doing anything with PII, the law (the Information Commissioner's Office, which provides interpretation and enforcement) says you have to tell people what you are doing and why you are doing it, and you have to give them the right to withdraw their permission (this has to be as easy to withdraw as to give), and in May 2018 this gets a load stricter.

So unless you are signing something or ticking a box on a screen (and I've certainly never done this; you just hand a bloke your ID) when you hand over your ID, I don't see how they are getting your permission to process your PII, which means they can't use it for anything, and probably not even store it, because they don't have your permission documented anywhere. So unless there is a very clearly displayed sign which explains all of this (and a clickwrap-style contract under the bar would not be OK), I can't see how any of this is OK under data protection law.

And while there are law enforcement exclusions, the venues in Brixton collecting data, and the companies providing them the scanners are private companies not the police.

Alex
 
I think with regards to this thread, you don't need to worry about the FBI cracking your screen lock code - given enough importance they almost certainly can, however long you make it. You need to worry about the bloke who steals your phone in a pub cracking your screen lock code - and 8 digits is more than enough for that.

Turn 2fa on wherever you can - especially on accounts which can unlock other accounts, accounts which give access to money or which store credit cards - e.g. amazon not urban

Alex
If the FBI can't crack your pattern, the bloke down the pub can't. That's the point.
 
FBI Can't Crack Android Pattern-Screen Lock

The rest of your post is good advice, though. Especially using a password manager. I use LastPass, and like you, I don't know 90% of my passwords.

I never managed to get on with LastPass - too many of the websites I needed to access (including banks) require a combination of different passcodes or have their own rules about password length and what characters they allow.

That was some time ago - can LastPass deal with that now?
 
I never managed to get on with LastPass - too many of the websites I needed to access (including banks) require a combination of different passcodes or have their own rules about password length and what characters they allow.

That was some time ago - can LastPass deal with that now?
Nope.

Your only option there is to let LastPass generate a password/phrase for you (you can adjust the rules it uses - so to avoid symbols or set the length, etc.) and then store those in the "Secure Notes" section in your vault.

It's not as smooth as the normal LastPass flow, though.
 
I never managed to get on with LastPass - too many of the websites I needed to access (including banks) require a combination of different passcodes or have their own rules about password length and what characters they allow.

That was some time ago - can LastPass deal with that now?

[Screenshot: the LastPass generate-password configuration dialog]

Here's the generate password config. So you can make it match whatever you need, but it won't auto-fill.
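The generator settings shown above (and the earlier post about letting software make every password) come down to a generator whose rules you can bend to each site's restrictions. As an added example, not LastPass's code, here is a Python generator with the same kind of knobs: length, which character classes to use, characters to exclude, and whether every class must appear. It draws from the CSPRNG in the secrets module and uses rejection sampling so that requiring one of each class does not skew the distribution. The symbol set and the rule names are assumptions for the example.

```python
import math
import secrets
import string
from typing import List

DEFAULT_SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"   # assumed symbol set; trim it to what a site allows
AMBIGUOUS = "O0Il1|"                          # easy to misread when a code must be typed by hand


def build_classes(lower: bool = True, upper: bool = True, digits: bool = True,
                  symbols: bool = True, exclude: str = "",
                  symbol_set: str = DEFAULT_SYMBOLS) -> List[str]:
    """Character classes to draw from, after removing excluded characters."""
    chosen = []
    if lower:
        chosen.append(string.ascii_lowercase)
    if upper:
        chosen.append(string.ascii_uppercase)
    if digits:
        chosen.append(string.digits)
    if symbols:
        chosen.append(symbol_set)
    classes = ["".join(ch for ch in cls if ch not in exclude) for cls in chosen]
    classes = [cls for cls in classes if cls]
    if not classes:
        raise ValueError("every character class was switched off or excluded")
    return classes


def satisfies_rules(password: str, classes: List[str], require_each: bool) -> bool:
    """True if every character is in the allowed alphabet and, when required,
    every class is represented at least once."""
    alphabet = set("".join(classes))
    if any(ch not in alphabet for ch in password):
        return False
    return not require_each or all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length: int = 20, require_each: bool = True, **rules) -> str:
    """Draw each character uniformly from the allowed alphabet and reject
    candidates that miss a required class.  Rejection keeps the result uniform
    over all passwords that satisfy the rules, unlike 'pick one from each class
    then shuffle', which over-represents the forced characters."""
    classes = build_classes(**rules)
    if require_each and length < len(classes):
        raise ValueError(f"length {length} cannot hold one of each of {len(classes)} classes")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies_rules(candidate, classes, require_each):
            return candidate


def entropy_bits(length: int, **rules) -> float:
    """Upper bound on the search space, in bits, for a given rule set."""
    return length * math.log2(len("".join(build_classes(**rules))))


if __name__ == "__main__":
    print("default 20 chars:", generate_password())
    print("bank that forbids symbols, 12 chars:",
          generate_password(12, symbols=False, exclude=AMBIGUOUS))
    print("digits-only site, 6 chars:",
          generate_password(6, lower=False, upper=False, symbols=False, require_each=False))
    print(f"20-char default ~ {entropy_bits(20):.0f} bits; "
          f"12-char alphanumeric ~ {entropy_bits(12, symbols=False):.0f} bits")
```

The entropy figure is the useful readout when a site forces a short or symbol-free password: it shows how much a restriction costs, and that length buys more than symbols do.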
 
The reason this is interesting is that if you are doing anything with PII, the law (the Information Commissioner's Office, which provides interpretation and enforcement) says you have to tell people what you are doing and why you are doing it, and you have to give them the right to withdraw their permission (this has to be as easy to withdraw as to give), and in May 2018 this gets a load stricter.

So unless you are signing something or ticking a box on a screen (and I've certainly never done this; you just hand a bloke your ID) when you hand over your ID, I don't see how they are getting your permission to process your PII, which means they can't use it for anything, and probably not even store it, because they don't have your permission documented anywhere. So unless there is a very clearly displayed sign which explains all of this (and a clickwrap-style contract under the bar would not be OK), I can't see how any of this is OK under data protection law.

And while there are law enforcement exclusions, the venues in Brixton collecting data, and the companies providing them the scanners are private companies not the police.

Alex
And you could imagine most bouncers wouldn't be minded to be too cordial if someone trying to get into a club started - quite reasonably - to ask questions about where their data was going etc, who was storing it etc.
 
I get it, the bouncer isn't the person to ask - the company's data protection officer is.

Anyway, an article in Vice saying the same thing I'm saying:
Are UK Nightclubs Breaking Data Laws by Storing Your IDs and Fingerprints?


Alex
I was talking about a real world situation where you're about to go into a club and they're demanding to scan in your ID. Either you meekly comply or you go home alone and I suspect asking for information about the scanning company and data protection is unlikely to be met with many answers.
 
I was talking about a real world situation where you're about to go into a club and they're demanding to scan in your ID. Either you meekly comply or you go home alone and I suspect asking for information about the scanning company and data protection is unlikely to be met with many answers.

This will be a lot easier to deal with once GDPR comes in.

1) Wait until May 24th 2018
2) File a subject access request, to find out what data on you they hold and what they are doing with it (data controllers cannot charge for this)
3) Wait 30 days
4) Refer to the Information Commissioner for enforcement action (they need to reply within 30 days)

I totally agree that asking the bouncers is pointless.

But making businesses who are holding PII unreasonably is fair game in my view.

Alex
 
Nope.

Your only option there is to let LastPass generate a password/phrase for you (you can adjust the rules it uses - so to avoid symbols or set the length, etc.) and then store those in the "Secure Notes" section in your vault.

It's not as smooth as the normal LastPass flow, though.
When LastPass can't autofill, it's relatively easy to have the relevant info stored in whatever fields you like on the site's record in your LastPass account. It's generally set up so you can copy and paste fairly easily, including on the mobile helper app. No need to have the info stored as a separate note, unless I've misunderstood you.
 
When LastPass can't autofill, it's relatively easy to have the relevant info stored in whatever fields you like on the site's record in your LastPass account. It's generally set up so you can copy and paste fairly easily, including on the mobile helper app. No need to have the info stored as a separate note, unless I've misunderstood you.
No, you're right, you can do that, but often you can't paste into banking apps anyway. It's separate boxes per char, and only the third, ninth and last, etc.
 