I was feeling insecure, you might not love me anymore
January 5, 2011 8:43 PM

Having a minor freak out about identity theft, and looking for advice on making sure all my online information is as secure as possible.

In October, my bank called me as they had spotted some suspicious charges on my VISA card. I confirmed these charges were not mine, so the card was cancelled. (The charges were both to Netflix, one was for $1.04 the other was $1.07)

In December I started receiving email from a company in Canada welcoming me to their club and informing me they were sending out my introductory order. This email was sent to my most used email address, and included my full name, but the postal address was Canadian. I ignored their email and have not directly contacted this company, but have verbally reported it to my bank.
On 25 December my (less than 3 months old) VISA card was again frozen by the bank, due to a charge to AOL. By this time a charge had appeared from the club who sent me the email, so not only has the new card been compromised, but whoever did it also has my full name & email address, and who knows what other information.

I am still waiting on the paperwork to finalise the disputed AOL & club charges.

Also on 25 December I was sent 2 emails within about 15 minutes of each other from Firefox Sync saying I had tried to reset my password, which I hadn't.

I just noticed that 2 days ago I was sent 2 emails from my mobile phone provider also saying that I had tried to reset my password.

I am now rather unnerved and looking for advice to lock down my information as securely as possible.
Is it likely that these events are coincidental?

I'm on a Mac, using Firefox 3.6.13 & 1Password. Just about all of my passwords are generated in 1Password & the 1Password data file is stored in a Dropbox account. I have no idea what most of the passwords even are.
I've only been using a Mac for a little over a year, and still don't know a lot about the ins & outs.

Internet connection is via WiFi routers at home & at work, using (I think) WPA.

I'm fairly confident no one with nefarious intentions has physical access to my credit cards or my computers.

I've been on the internet since 1995, never had anyone access any of my accounts before (that I'm aware of). I have been guilty of reusing the same password(s) in multiple places but I'm fairly sure anything remotely important now has its own mystery password thanks to 1Password.

So any advice on ensuring my passwords/networks/computers are as safe as possible (sans disconnecting from the internet and never using a credit card ever again) appreciated. I am too nervous to even use the new credit card yet or do any internet banking, and the outstanding bills are starting to pile up.
posted by goshling to Computers & Internet (16 answers total) 3 users marked this as a favorite
Could you have been a victim of firesheep? That could explain the password stuff. Change all your passwords now, and don't use them again on any network except your own, which is, of course, secured.

The credit card stuff sounds weirder. I don't know how that would have happened. Unless you bought something online on a non-https site when whoever was being evil stole the rest of your details, and they managed to get your credit card info as well.
posted by lollusc at 8:51 PM on January 5, 2011

Response by poster: Is it possible to tell if I have been or am being firesheeped?

Is there spyware on the Mac that could be keylogging or otherwise attempting to steal my passwords? I fear that the act of changing them might be exposing the old & new passwords. Is this irrational? How can I be confident that it is safe to change them?

Sorry I feel like I'm going a bit nuts here.
posted by goshling at 9:04 PM on January 5, 2011

I don't know much about it, but as far as I understand, firesheep is a one-off thing. I.e. someone has to be connected to your network at the time you are, and have it running, in order to steal your passwords. So if you are only using your machine now on a secure network, and change your passwords, the original thief would not have access to the new ones (unless you later connect to the network that was originally compromised, and they are there again).

You can run blacksheep to see whether anyone is on your network and running firesheep at any given time.

Keylogging software of other sorts is of course another possibility, but less likely if no one had physical access to your machine, and you have adequate spyware protection. Update and run your anti-spyware software just in case.
posted by lollusc at 9:20 PM on January 5, 2011

The credit card stuff sounds weirder. I don't know how that would have happened. Unless you bought something online on a non-https site when whoever was being evil stole the rest of your details, and they managed to get your credit card info as well.

a more likely explanation for that is someone you bought something from once has had their website cracked and their purchase database (name, address, email, cc#, etc) stolen. in theory holders of merchant accounts shouldn't permanently record the cc #s unless they're required for repeat billing, and if they do then the bank should hold them to a higher (auditable) security standard, but in my experience that's not often actually the case.

the only advice I can offer (and this is more an "in future" thing) is to see if your email provider has a feature called "plus addressing" or similar - this lets you make up a new email address for each site signup by appending whatever you want to the name part of the address so you can see who leaked your details. for example, my normal email address is russm@example.com, but the email address I gave MeFi is russm+metafilter@example.com. this still gets delivered to my russm@example.com mailbox, so if I start getting suspicious emails addressed to russm+metafilter@example.com I know that the MeFi database has been compromised.
posted by russm at 9:34 PM on January 5, 2011 [1 favorite]
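
The plus-addressing check described in the answer above, as an added example that is not part of the original thread: it reads the tag a message was addressed to and flags mail whose sender does not belong to the site that tag was given to. The `.example` sender domains, the `EXPECTED_SENDERS` map and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical map: which sender domains each +tag is expected to receive mail from.
EXPECTED_SENDERS = {
    "metafilter": {"metafilter.example"},
    "shop": {"shop.example"},
}

def plus_tag(address, mailbox="russm", domain="example.com"):
    """Return the +tag of an address in our own mailbox, or None."""
    local, _, dom = address.lower().rpartition("@")
    if dom != domain:
        return None
    base, sep, tag = local.partition("+")
    return tag if sep and base == mailbox and tag else None

def audit(raw_message):
    """Return (tag, sender_domain, verdict) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    headers = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
    tags = [t for _, addr in getaddresses(headers) if (t := plus_tag(addr))]
    if not tags:
        return (None, sender_domain, "untagged")
    tag = tags[0]
    allowed = EXPECTED_SENDERS.get(tag, set())
    # Accept the site's own domain and its subdomains; anything else means the
    # tagged address is known to a third party.
    ok = any(sender_domain == d or sender_domain.endswith("." + d) for d in allowed)
    return (tag, sender_domain, "expected" if ok else "possible-leak")

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: MeFi <noreply@metafilter.example>\nTo: russm+metafilter@example.com\n\nhi",
    "From: Club <welcome@club.example>\nTo: russm+metafilter@example.com\n\nhi",
    "From: Friend <bob@mail.example>\nTo: russm@example.com\n\nhi",
]

def report(samples=SAMPLES):
    return [audit(s) for s in samples]

if __name__ == "__main__":
    for row in report():
        print(row)
```

The `From` header can be forged, so an "expected" verdict is only a hint; a "possible-leak" verdict is the useful signal, since it shows the tagged address reached someone other than the site it was given to.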

I am no expert of internet security, but I am paranoid. Not only would I reset my passwords, but I would do two other things. One, I would create new account verification questions that have incorrect answers. For example, if the question was what is your mother's maiden name, I would put something random in there such as the word "pancakes". I would NOT put my mother's real maiden name. Two, I would open a new email account from a different AND secure computer that is used only for security type things like where an email should be sent to verify lost account data. I would have a very very long and secure password for that.

I would also notify the credit bureaus of possible fraud alert.
posted by AugustWest at 9:36 PM on January 5, 2011

First things first--don't change your credentials until you're sure you don't have any viruses/malware.

Uninstall, then re-install your antivirus software, update the definitions, and run a full scan. Some families of viruses can disable parts of your a/v software to prevent it from finding the malware on a normal scan (see: gozi, zeus, etc.).

Have a secure webpage up and running during the scan, but don't enter any information (for example, your e-mail, internet banking log-on pages, secure ordering webpages, etc). Some malware remains dormant until it senses a secure browser session.

After you run the scan, then change your credentials. You're absolutely correct--if you change the info before completing the scan, malware can just harvest your info all over again and have a jolly good time with it.

Yes, this can still happen on Macs. With the advent of the iPad and rampant use of iPhones/iPods for pretty much everything, malware developers are working to get their viruses Mac compatible ASAP.

I'm writing this right before bed, so if I left anything out, I'm sorry. Good luck!
posted by Verdandi at 9:41 PM on January 5, 2011 [1 favorite]

Could you have been a victim of firesheep?

Sure, but that doesn't give anyone access to passwords. Just access to the current session. Changing passwords requires one to know the current password and you cannot get that through firesheep.

Is it possible to tell if I have been or am being firesheeped?

Gosh, no, there is no way to know. As for currently, not likely. Are you connected to a secure wifi with a wpa/wep password? Then no. To prevent firesheep attacks from happening in the future (although I am almost sure it had nothing to do with the current situation), install https everywhere.
posted by special-k at 9:54 PM on January 5, 2011

I'm so glad you're using 1Password. Have you used the new card (since the Netflix incident) anywhere new online? Sites that you had just heard of? Look at your banking activity since the first breach and see if something looks unusual. Perhaps a new payment processor (most sites use 3rd party processors, especially small ones). Perhaps one of those was compromised.

Is your dropbox password or 1Password master password used anywhere else? If so change both first.

Next, is your primary email gmail? If so, then login, and see what sessions are/were open recently by clicking details at the bottom of the page. Does anything look out of the ordinary?
If this is indeed gmail, please be sure to update all the recovery information.

If this is an ISP based email account, get someone on the phone, authenticate yourself, and get them to do a hard reset of your password.

Don't worry too much about password reset emails. Dispute the new charges, get a new VISA card asap. Then perhaps use a credit card rather than a debit card for transactions online so that it is easier to dispute charges and not something that is directly connected to your bank balance.

Good luck!
posted by special-k at 10:07 PM on January 5, 2011

1. Use WPA2 instead of WPA
2. Use one time credit card numbers for all non-reoccurring charges. Citicard offers this.
3. Use a shredder for all private information, get a mailbox for privacy reasons or if mail gets stolen
4. Get a free credit report every year
5. Stop all Credit Card offers
6. Besides a good OS, Firewall and Virus scanner, there is no place like

I had problems with my CC several times. No idea how it happened. One Card I used only once at all, but online, and 6 months later problems occurred. Fairly often Citibank calls me that a server of a customer has been compromised and they have to issue me a new card. Better carry at least two cards if traveling abroad. (There you have to make sure they don't get copied). And based on my GF's experience: Never use a suspicious looking ATM...
posted by yoyo_nyc at 10:09 PM on January 5, 2011

If you suspect a keylogger, then just click show keyboard viewer on the menu bar (top right) and use a mouse to change a password.
posted by special-k at 10:09 PM on January 5, 2011

Some ideas:

1. Get a cheap (and new/virgin) notebook/netbook w/ security software inc. firewall and password software, and use only this device for all transactions for banking and trading stocks. Do not use this computer for ANYTHING else. Connect to the net ONLY with ethernet cable-no WiFi. This protects all of your most sensitive internet use. KEEP THIS COMPUTER IN A SAFE!!!
2. If you must use WiFi, get a PVN service (private virtual network) to encrypt all internet traffic to and from your computer.
3. Change your passwords again with a secure machine such as in #1 above. Do this regularly.
4. A credit freeze may ease your mind about others establishing credit accounts that you wouldn't know about.
5. Another machine like #1 above could be used for all purchases.
6. Use PayPal when it is an option.
7. Always check for https when buying on the net.
8. When using the net at a public place, check for over-the-shoulder spying. And don't do anything sensitive (netwise) in public places.
posted by noonknight at 1:42 AM on January 6, 2011

See this for some VPN info.
posted by noonknight at 1:51 AM on January 6, 2011

I wouldn't hold off on changing your passwords until your pc is clean, just do it from a different computer.
posted by empath at 5:52 AM on January 6, 2011

If possible, remove any permissions for on-line funds transfers between Big Investment account and your bank transaction accounts. Use paper checks instead. This way even if all of your credentials are stolen, there would be no way for the bad guy to electronically move funds from Big Investment account to your bank account and out the door.

Nthing one time credit card numbers (e.g., Citibank).
posted by Kevin S at 6:01 AM on January 6, 2011

OP lives in Australia and is on a mac.

If she really only connected to the internet via home/office wifi, both encrypted, then the chances of someone sniffing traffic are minuscule. Sitting in a coffee shop with unencrypted wifi comes with a bigger, easier payoff. I use a VPN simply because I use numerous unencrypted wifi connections throughout the day. If you do go with a commercial VPN, check the vpn tag on Ask me. Expect to pay ~$6 (US) a month or ~$80 (US) per year if you go that route.

1. Get a cheap (and new/virgin) notebook/netbook w/ security software inc. firewall and password software, and use only this device for all transactions for banking and trading stocks. Do not use this computer for ANYTHING else. Connect to the net ONLY with ethernet cable-no WiFi. This protects all of your most sensitive internet use. KEEP THIS COMPUTER IN A SAFE!!!

Seems rather over the top. Unless you hold material related to national security, there is no such need.
posted by special-k at 9:57 AM on January 6, 2011

Special-K, it may be over the top, but it IS ultra-secure and the $500.00 cost pales in comparison with the cost of a true virulent attack on one's finances. How much money could be at stake? How much lost time in recovery afterwards?
posted by noonknight at 10:46 PM on January 6, 2011
