Identity Theft - what to expect, and what to do now

Sites with payment information such as online banking, eBay, Amazon etc. I have 2-part verification set up. It's a PITA but it is secure and stops anyone doing anything to my accounts.
Most sites allow you to register your computer as a secure device so you don’t have to enter a code if using that device.
 

endure

GCM
That's built in to macOS/iOS/iPadOS, and is something I use today, but I have been choosing my own passwords, which have all been the same. So I'll go through and change them all to unique ones.

One of the issues stopping me was the Chrome browser. I have to use Chrome at work; some of our internal systems are developed specifically against Chrome, and some features don't work on other browsers.

Until recently it couldn't read the Keychain, but apparently now there's an extension from Apple that does do that. I was just going to say that's an hour of my life I won't get back, but now I've looked into it, I have 471 compromised passwords in the password manager. So more like half a day!

Most of them are compromised through re-use. Though I have a lot of accounts that I can get rid of. For example, apparently I have an account with sbb.ch (Swiss trains) because I bought some tickets there about 5 years ago. So all this will have to be combed through and I'll bin stuff like that. If I ever have to use Swiss trains again, I'll just reset the password, I suppose.

Bit of an eye-opener, to be honest.
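The "compromised passwords" count above comes from checking each stored password against a breach corpus. As an added example (not code from the thread, and not how Apple's password manager is implemented), here is the k-anonymity scheme that the Have I Been Pwned range API uses, which lets a client check a password without ever sending it: only the first five hex characters of its SHA-1 leave the device. The server side is simulated with a constructed breach list (`_CONSTRUCTED_BREACHES`, with made-up counts) so the whole thing runs offline; the vault contents are constructed too. The audit also flags the re-use problem the thread is really about.

```python
"""Added example: password-manager style breach and re-use audit using the
HIBP k-anonymity range scheme, with the network side simulated offline."""
import hashlib

# Constructed "breach corpus": passwords that would appear in leaked dumps,
# with made-up occurrence counts.  Assumption for the demo only.
_CONSTRUCTED_BREACHES = {
    "David01": 1200,
    "password1": 500000,
    "Summer2022!": 340,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_response(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns 'SUFFIX:COUNT' lines for every breached hash sharing the prefix,
    which is the same shape the real API returns."""
    lines = []
    for pw, count in _CONSTRUCTED_BREACHES.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)

def breach_count(password: str, fetch=fake_range_response) -> int:
    """k-anonymity check: only the 5-character hash prefix leaves the client,
    the suffix comparison happens locally.  Returns how many times the
    password was seen in breaches (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix).splitlines():
        if not line:
            continue
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def audit(vault: dict) -> dict:
    """Run the breach check over a vault of site -> password and also list
    every other site sharing the same password, since re-use is what turns
    one breached site into access to the rest."""
    seen = {}
    for site, pw in vault.items():
        seen.setdefault(pw, []).append(site)
    report = {}
    for site, pw in vault.items():
        report[site] = {
            "breached": breach_count(pw),
            "reused_on": [s for s in seen[pw] if s != site],
        }
    return report

if __name__ == "__main__":
    # Constructed vault for the demo.
    vault = {"bank-a": "David01", "bank-b": "David01", "trains": "rP4z!k9Qw2Lm#x"}
    for site, result in audit(vault).items():
        print(site, result)
```

To use the real service, replace `fetch` with a function that performs the HTTPS GET for the prefix and returns the response body; the rest of the logic is unchanged.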
I use Bitwarden partly because it's open source and partly because it's free :)

I used to do the same as you and choose my own passwords but I eventually realised that it could generate better passwords than me and they were all being stored in the same place anyway so I now let it generate them.
 
Interesting! When I joined a company a long time ago that I don't work for anymore, they asked me to have a master password, and I used that for everything for years. It was a name and two numbers. Say "David01". That site tells me a massive attack scenario would take less than a second to brute-force it.

The 2022 version of my "master password" is measured in thousands of centuries in the best case.

So my concern isn't so much password strength, I think we're there, as-is. The problem is re-use, so if a company gets hacked and loses their customer data, I am still at risk, because they can just try Bank A, B and C with my email and password. At some point they would succeed.
They won’t succeed if you have MFA enabled because knowing your password would just inform you that someone is attempting to hack your account.
 

RBMK

LE
Book Reviewer
In terms of the ID theft, I'd inform the bank immediately by phone and recorded delivery post.

One approach I've used is to use What 3 Words and pick a random location. Then add a random number, capital letters and symbols into the mix.

E.g. noses / planar / feast would become

noSes|pl@nAr>f34sT935
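The scheme described above (random words, then random capitals, symbols and digits mixed in) is easy to automate and, more importantly, to measure. As an added example, not code from the thread or from What3Words, here is a generator that makes every choice with a CSPRNG and a function that counts the entropy those choices actually provide. The word list, symbol set and digit count are constructed assumptions; the one thing to take from the numbers is that the word list size dominates, so the same pattern is weak with a dozen words and strong with tens of thousands.

```python
"""Added example: word-based password generator in the style of the post
above, with an honest entropy estimate of the random choices it makes."""
import math
import secrets
import string

# Constructed, deliberately tiny word list; What3Words-scale lists have
# tens of thousands of entries, which is where the real strength comes from.
WORDS = ["noses", "planar", "feast", "harbour", "kettle", "lantern",
         "marble", "orchid", "quartz", "velvet", "willow", "zephyr"]
SYMBOLS = "!@#$%^&*|<>?"  # constructed separator set

def random_word_password(n_words: int = 3, n_digits: int = 3, rng=secrets) -> str:
    """Pick words, upper-case one random letter in each, join them with random
    symbols and append random digits.  Every choice comes from `secrets`."""
    parts = []
    for _ in range(n_words):
        word = list(rng.choice(WORDS))
        pos = rng.randbelow(len(word))          # one random letter upper-cased
        word[pos] = word[pos].upper()
        parts.append("".join(word))
    out = ""
    for i, w in enumerate(parts):
        out += w
        if i < n_words - 1:
            out += rng.choice(SYMBOLS)          # random separator between words
    out += "".join(rng.choice(string.digits) for _ in range(n_digits))
    return out

def entropy_bits(n_words: int = 3, n_digits: int = 3,
                 wordlist_size: int = len(WORDS), avg_word_len: float = 6.0) -> float:
    """Bits of entropy the generator provides, counting only its random choices:
    log2(list size) per word, ~log2(word length) for the capital's position,
    log2(len(SYMBOLS)) per separator and log2(10) per digit."""
    bits = n_words * math.log2(wordlist_size)
    bits += n_words * math.log2(avg_word_len)
    bits += (n_words - 1) * math.log2(len(SYMBOLS))
    bits += n_digits * math.log2(10)
    return bits

def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try the whole space at a given guessing rate (an assumption;
    it depends entirely on how the site hashes passwords)."""
    return 2 ** bits / guesses_per_second

if __name__ == "__main__":
    print(random_word_password())
    for size in (len(WORDS), 40000):
        b = entropy_bits(wordlist_size=size)
        print(f"{size:>6} words: {b:5.1f} bits, "
              f"{seconds_to_exhaust(b) / 31557600:.1e} years at 1e10 guesses/s")
```

The generator is only as good as its list: with the constructed 12-word list the whole password is about 36 bits, with a 40,000-word list it is over 70, and nothing else in the pattern changes.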
 

endure

GCM
Interesting! When I joined a company a long time ago that I don't work for anymore, they asked me to have a master password, and I used that for everything for years. It was a name and two numbers. Say "David01". That site tells me a massive attack scenario would take less than a second to brute-force it.

The 2022 version of my "master password" is measured in thousands of centuries in the best case.

So my concern isn't so much password strength, I think we're there, as-is. The problem is re-use, so if a company gets hacked and loses their customer data, I am still at risk, because they can just try Bank A, B and C with my email and password. At some point they would succeed.
Try putting a one-character password in. Put a single number in first (say 1), then a single letter (say a) and then a single special character (say !) and watch the difference. Stick 'password' in as the password and then stick a special character on the end of it. It's quite interesting.
 
They won’t succeed if you have MFA enabled because knowing your password would just inform you that someone is attempting to hack your account.

Well apparently that's not the case with a very large bank that has a name not dissimilar to Fells Wargo; apparently they don't even verify email addresses. It turns out that when the account opened, they did indeed email me, but it went straight into spam, so I never saw it.

That's another thing - I get 300-400 emails a day. Just too much fog. I think I'll rationalize it as much as I can and have important stuff like banking go to a separate, less-used email. I do use 2FA on my bank and work accounts.
 
Don’t use email for MFA - if they crack that password then it defeats the system. Use a text to your phone or use an authentication app.
 

I do, sorry if that wasn't clear. Well for personal stuff I do.

Work has 2FA for connecting to the VPN. You need your AD password and a secondary 6-digit PIN to initiate the connection. It then sends you an email with another 6-digit PIN that is needed to complete the connection. Bizarrely, the AD password is not the same as the email password.
 

TotalBanker

Old-Salt
That's effectively what I had, although not as long as that. I think the key thing is to have them be unique to each site, so if one gets compromised, that's boxed off to just that account/bank/company.
I used to have the same password for everything, which was a bit of a risk! What I've done now is still use the same password, but add a couple of special characters to the beginning, then another digit or 2 that is specific to the site, so e.g. (no, this isn't my password!) @@Amyoldpassword
where the A stands for Arrse, or Amazon or whatever.
 

OneTenner

LE
Book Reviewer
Well apparently that's not the case with a very large bank that has a name not dissimilar to Fells Wargo; apparently they don't even verify email addresses. It turns out that when the account opened, they did indeed email me, but it went straight into spam, so I never saw it.

That's another thing - I get 300-400 emails a day. Just too much fog. I think I'll rationalize it as much as I can and have important stuff like banking go to a separate, less-used email. I do use 2FA on my bank and work accounts.
I use 'tiered' email accounts: one for financial only, one for personal friends only, one for general web clutter and one I expect to get spam or phishing attempts on. That one I use the + variable on so I can ID the source, for example myemail+arrse @ outlook.com. Not all sites allow the + (they should) but every little helps.
Along with bolting the stable doors, I'd try and find out where the compromise came from. They're unlikely to have sat on your details for any length of time, so start with the day the account was opened and the unemployment claim was initiated and work back from there. It's possible that both were initiated and then they sit back to see if there is any intervention; if not, then that's the point they crack on....
 

endure

GCM
Well apparently that's not the case with a very large bank that has a name not dissimilar to Fells Wargo; apparently they don't even verify email addresses. It turns out that when the account opened, they did indeed email me, but it went straight into spam, so I never saw it.

That's another thing - I get 300-400 emails a day. Just too much fog. I think I'll rationalize it as much as I can and have important stuff like banking go to a separate, less-used email. I do use 2FA on my bank and work accounts.
I don't know which email client you use but can it use rules to filter into folders? I use Thunderbird (free again :mrgreen:) and I have folders set up for Amazon, Ebay, my bank etc. and when an email arrives Thunderbird dumps it into the correct folder where it's obvious that it's just arrived.
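The two suggestions above (tiered accounts with a `+tag` per site, and client rules that file mail by origin) combine into something a rule in a mail client cannot easily express: the tag tells you where an address was harvested, so a message that claims to be from the bank but arrives at the address only the forum was ever given is a phishing indicator, not just a filing decision. As an added example, not code from the thread or from Thunderbird, here is a small classifier over raw RFC 822 messages; the tag-to-folder map, the expected-sender table, the `.example` domains and the three sample messages are all constructed.

```python
"""Added example: route mail by the plus-tag of the receiving address and
flag senders that show up at a tag they were never given."""
import email
from email import policy
from email.utils import parseaddr

# Constructed: which folder each plus-tag files into.
TAG_FOLDERS = {"arrse": "forums", "shop": "shopping", "bank": "financial"}
# Constructed: sender domains that should only ever reach one specific tag.
EXPECTED_SENDER_TAG = {"bank.example": "bank", "shop.example": "shop"}

def split_plus_address(address: str):
    """'Name <user+tag@domain>' -> ('user', 'tag', 'domain'), all lower-cased."""
    _, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return base.lower(), tag.lower(), domain.lower()

def classify(raw: str) -> dict:
    """Decide the folder from the To: tag and flag a sender/tag mismatch."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, tag, _ = split_plus_address(str(msg.get("To", "")))
    _, _, sender_domain = split_plus_address(str(msg.get("From", "")))
    expected_tag = EXPECTED_SENDER_TAG.get(sender_domain)
    return {
        "subject": str(msg.get("Subject", "")),
        "tag": tag,
        "folder": TAG_FOLDERS.get(tag, "inbox"),
        "sender_domain": sender_domain,
        # A known sender arriving at the wrong tag: the address it used was
        # leaked or scraped from somewhere else, so treat it as suspicious.
        "suspicious": expected_tag is not None and expected_tag != tag,
    }

# Constructed sample messages.
SAMPLE_FORUM = """From: noreply@forum.example
To: myemail+arrse@outlook.example
Subject: New reply to your thread

Someone replied to your post.
"""
SAMPLE_BANK = """From: alerts@bank.example
To: myemail+bank@outlook.example
Subject: Statement available

Your statement is ready.
"""
SAMPLE_MISMATCH = """From: alerts@bank.example
To: myemail+arrse@outlook.example
Subject: Your account has been locked

Please confirm your details.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_FORUM, SAMPLE_BANK, SAMPLE_MISMATCH):
        print(classify(raw))
```

The check only works if the tags are not guessable from the base address and if the mail provider honours plus-addressing, which is why the post above notes that not every site accepts the `+`.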
 
Bank #1
j0yT0TheW0rld
#2
@llTheB0y$@ndGirl$
#3
J0yT0TheFi$he$
etc etc etc

Works for me.
However, choosing a Daft Punk song last time was pretty dumb.

Trivial, easy to crack, simple substitutions.


Generate to a file. Print the file. Store file with other valuable domestic documents.

Then burn the computer and printer. Just to be sure.
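"Simple substitutions" can be put in numbers. As an added example (not code from the thread), the block below takes a phrase an attacker could reasonably guess and counts how many spellings the usual letter-for-symbol swaps produce; each doubling of that count is one extra bit of work on top of guessing the phrase itself. The substitution table is a constructed assumption drawn from the swaps visible in the passwords above, and capitalisation is ignored to keep the count conservative. The comparison function shows what three genuinely random words are worth instead.

```python
"""Added example: how much work factor leet-style substitutions add to a
guessable phrase, versus random words from a large list."""
import itertools
import math

# Constructed table of the swaps seen above (o->0, s->$, a->@, ...).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

def variants(phrase: str):
    """Yield every spelling reachable by optionally swapping each letter."""
    options = [[c] + list(LEET.get(c, "")) for c in phrase.lower()]
    for combo in itertools.product(*options):
        yield "".join(combo)

def variant_count(phrase: str) -> int:
    """Number of spellings, without materialising them: product of
    (1 + number of swaps) over the letters."""
    n = 1
    for c in phrase.lower():
        n *= 1 + len(LEET.get(c, ""))
    return n

def bits_added(phrase: str) -> float:
    """Extra work the swaps add, in bits, on top of guessing the phrase."""
    return math.log2(variant_count(phrase))

def random_words_bits(n_words: int, wordlist_size: int) -> float:
    """For comparison: entropy of n words drawn uniformly from a list."""
    return n_words * math.log2(wordlist_size)

if __name__ == "__main__":
    for phrase in ("joytotheworld", "alltheboysandgirls", "joytothefishes"):
        print(f"{phrase}: {variant_count(phrase)} spellings, "
              f"+{bits_added(phrase):.1f} bits")
    print(f"3 random words from 40,000: {random_words_bits(3, 40000):.1f} bits")
```

For "joytotheworld" the swaps yield 64 spellings, 6 bits: once the phrase is on a list, the substituted form is at most 64 guesses away, against roughly 46 bits for three random words from a 40,000-word list before any symbols or digits are added.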
 
Is that better at generating passwords than those in Google chrome suggestions?
 
I don't know which email client you use but can it use rules to filter into folders? I use Thunderbird (free again :mrgreen:) and I have folders set up for Amazon, Ebay, my bank etc. and when an email arrives Thunderbird dumps it into the correct folder where it's obvious that it's just arrived.

I just use the standard email clients on Macs, iPhone and iPads. Yes, they do have pretty clever filtering/filing rules, but the search facility is pretty good too, so I haven't bothered at this point to set up those rules. I guess things will have to change. Also not sure if I set up a folder on one device if it will cross-populate to the others, or if it's local to that machine. I'll have a play. That's one of the primary reasons I have all Apple gear, so that I can use any device and have all my info in the same location. There's about 140,000 emails across 4 accounts. Most of that is garbage, but I haven't bothered to sort the wheat from the chaff.
 
Maybe using ARRSE terms, like cnutspangle, wankpuffin and drippingquim would fool the 'predictive' stuff?

"So what exactly did you use for a password?"

"I thought Tw@tsp@ngle9099!! would be quite unique"

"Well, it seems that's not the case, now is it?" :D

Edited to add - I've just remembered my iCloud password has some swear words in it, because the twats made me reset it on an Apple TV, which is a cvnt to use the keyboard on :)
 
The Mrs as an HR personage had this happen with some of her staff. It became a problem over covid because so many people were picking up unemployment. Some of the states became overwhelmed with the applications and as a result the fraudsters moved in to take advantage with IDs they had in their possession. The IDs were effectively useless for anything if they had no credit card number to go with them. But if someone is going to pay money to people for free it is worth opening an account, asking for the free money, and seeing if it arrives.

My daughter apparently bought 4 iPhone 12’s around a year, or so, ago. They were all bought on the never from Wallyworld at the same time,………..made me wonder. I’d have been sticking bamboo pointy things under the fingernails of the twat doing the phone sales at wallyworld till he coughed.

The mrs working in top brand name banks has told me of organised rings (religion of peace, Indians, choggies, NORKs) all getting jobs with the same bank. Usually in call centres where they may be spread around various departments, but it makes for good intelligence gathering on customers. They create their own databases of customer information slowly pulling together everything they need to mount attacks on accounts and customers. Think of when you call a call centre and they ask you for various letters, or numbers from addresses, secret words, social security numbers. They do not get to see all your information, but they get your name, and parts of your information, with a bit of chit chat they can find out other significant information to create a unique identifier for you, then they just go about populating your file on their database. Not difficult, just time consuming. The Mrs was working with the Box 500 people regarding a couple of well organised (terrorist group) cases of this in the UK, it had cost her bank millions.

@Roadster280 all you can do is change everything, and keep the police allocated crime number as proof of crime. It is likely that having tried and failed with the unemployment scam they will not bother you again and just move on. You were probably one of tens, if not hundreds, or thousands attacked by this scammer.

It is not difficult to start to pin down who is behind these things. Sadly, plod, and the banks are not interested. In your case I would want a chat without coffee with the person that opened your account. With all the Know Your Customer (anti money laundering requirements) it is not easy to just open an account,………..unless you happen to work in a part of a bank that lets you do so.
 
"So what exactly did you use for a password?"

"I thought Tw@tsp@ngle9099!! would be quite unique"

"Well, it seems that's not the case, now is it?" :D

Edited to add - I've just remembered my iCloud password has some swear words in it, because the twats made me reset it on an Apple TV, which is a cvnt to use the keyboard on :)
My home network is called GCHQ.
 
