He knows all my secret answers
January 14, 2016 1:49 PM
How do you shield yourself from someone tampering with your vendor/service accounts who is able to get past the security gates designed to protect you?
In a sleeping with the enemy kind of situation (ok not *quite* that dramatic but there is a history of verbal and some intermittent physical abuse). I am making my "escape" while my partner is on vacation this spring. Giving myself the gift of freedom for my 40th birthday I suppose you could say. Apartment lease signed, services setup, new bank accounts setup in my name, etc, etc. However I am absolutely terrified he will retaliate in some fashion through the means he has available. He won't know where I live, so that's not an avenue for him. He could show up at my company's offices but I am rarely there (I mostly either work from home or travel to client sites and only go into the office for special meetings) and we have building security.
Where I am vulnerable: vendor/service accounts. While I've already recently gone through and changed my pins/passwords to *every* service (for both phone and online access) he has proven in the past that he is adept at getting around vendor security functionality. For example, 2 years ago while we were having major problems and had separated, he was able to hack into my FB account by correctly identifying FB pictures (FB used to have an account lockout recovery feature that showed you pictures of your FB friends and you had to correctly identify who they were to unlock your account and get back in). And he got into an email account at the same time by correctly answering predefined security questions. What he read after getting into both of those accounts upset him so much that he then got into my airline account ie airlineiuse.com by answering security questions to reset the password and proceeded to cancel my tickets for all upcoming flights (incurring change fees and all sorts of problems until I called the airline crying explaining what had happened and they generously reinstated everything without penalties).
So how can I shield myself from this kind of retaliation? It doesn't matter what security question I choose for "advanced security protection", the man has been my partner for TWENTY FOUR years and knows every answer to these kinds of questions. He will seemingly be able to call any vendor or get on their website and reset my credentials or get into my account bc of the way vendors verify identity.
I did a lot of googling on this topic and while I find a lot of helpful info for domestic violence escapees I can't find any info that specifically pertains to this issue.
Thanks in advance.
I came in to make the same suggestion Polycarp did. Except also you'll want to use a password manager like lastpass or something.
This also is more secure than most normal security questions which are often a matter of public record in the first place.
posted by aubilenon at 1:55 PM on January 14, 2016 [9 favorites]
Security questions are a massive security hole for exactly this reason: they're only as secure as the information that you use to answer them.
How I get around this:
Get a password manager (I use LastPass). In LastPass you can create "secure notes". I create one secure note for every site that has security questions for which you're going to be providing answers. And then you change your security answers to random strings -- LastPass generated passwords sometimes work, but often these answers are limited to alphanumeric characters only.
This works for sites where you tell the site what your security answers are -- they're essentially an insecure form of password, so you have to secure the password as much as you can.
For some other places, like banks, you need to work a bit differently, because they often use information that you can't change (DOB and so on). In those cases you can usually contact the provider and have them put a flag on your account that indicates you're a common target of fraud. It varies from bank to bank as to what can be done to protect you, so ask them.
Good luck to you. I'm sorry you're going through what you're going through.
posted by gmb at 1:55 PM on January 14, 2016 [4 favorites]
LastPass can be used to generate and store random answers to security questions. It's going to be a pain, but there's no rule that the answers you give actually have to mean anything, just that you be able to give them again later.
Seconding Polycarp's two-factor recommendation.
Some services use dynamic KBA, especially banks. That is, using info from credit reports, public documents, etc. I think this will be harder to deal with, but perhaps somebody else will have an answer in-thread.
posted by hollyholly at 1:56 PM on January 14, 2016 [1 favorite]
I treat all of those security questions as prompts to enter additional passwords. So I'll pick something like "Mother's maiden name" and set the answer to be gold!2tiger%7bridge^2sunset
I then store those answers in a vault like any other password. They can not be guessed by anyone by knowing biographic detail. Make yourself a list of every important account and review their password reset process and ensure yourself that it can not be compromised with knowledge of your personal history.
posted by Lame_username at 1:56 PM on January 14, 2016 [4 favorites]
Best of luck. This seems to me like a job for flagrant lies. There's no rule that your security question answers have to be true -- they just have to be easy for you to remember.
posted by babelfish at 1:56 PM on January 14, 2016 [12 favorites]
Polycarp: "Security questions: For the most part, you don't have to answer the question the website asks you."
Yeah. For simplicity's sake, a relative of mine uses the same answer for all security questions, no matter what they are. You could do a kind of rhyming slang thing if you want to be able to remember the answers but keep them all different. Maybe if the question is "What street did you grow up on?" if the answer is "Maple" maybe that makes you think of syrup, so answer "Pancakes" or similar.
Also, you are awesome and brave. Good job you.
posted by Rock Steady at 1:56 PM on January 14, 2016 [11 favorites]
It doesn't matter what security question I choose for "advanced security protection"
Well, if you don't want to go full-random as suggested above (which is more secure, but also harder to convey over the phone when interacting with an agent), you can use anomalous replies to these sorts of things -- so my favorite pet was "Cytokinesis" and the city I was born in was "Optimus Prime" etc.
The vendors basically never vet those fields for reasonableness, so you can almost always put anything you want in there. Pick something that has no relevance to you, your old life, or your new life. Grab a random wikipedia page, for example. Now you were born in the city of "Martensite"....
posted by aramaic at 1:57 PM on January 14, 2016
Polycarp's suggestion is spot on. 2FA might help, but the real answer to keeping him from conning the companies in question into resetting your password is to use incorrect answers to the security questions. Random passwords may not be the best idea, though, depending on the service in question, because you may at some point need to give an answer over the phone, where it is much easier to say your mother's maiden name was Cherenyenko rather than floogl+yblarg22xyz
posted by wierdo at 1:57 PM on January 14, 2016 [2 favorites]
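An added example, not part of any post in this thread: a sketch of the approach described above, generating one unrelated answer per security question (alphanumeric-only where a site rejects symbols, spoken words where an answer may have to be read to a phone agent) and checking a stored set for reuse. The site names, questions and the 64-word list are constructed for illustration, and the loose case/whitespace comparison is an assumption about how answers get matched.

```python
import math
import secrets
import string
from collections import defaultdict

# Many security-answer fields accept letters and digits only.
ALNUM = string.ascii_letters + string.digits

# Constructed 64-word sample list (6 bits per word). Illustrative only; a
# larger published word list gives more bits per word.
WORDS = """amber anvil badge baker cabin cedar delta diner eagle ember fable
ferry gavel glove harbor hazel igloo ivory jelly joker kayak kettle lemon
ladder mango marble napkin nickel oasis olive paddle pepper quartz quiver
raven ribbon saddle salmon tablet timber umpire urchin velvet violin wagon
walnut yogurt yonder zebra zipper acorn bamboo candle dragon engine falcon
garlic hammer island jacket kitten lantern magnet needle""".split()


def entropy_bits(choices, picks):
    """Bits of entropy for `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def alnum_answer(length=20):
    """Random answer for web-only accounts; drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))


def spoken_answer(n_words=6):
    """Random answer that can be read aloud to a phone agent."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def normalize(answer):
    """Fold case and whitespace (assumption: answers may be compared loosely)."""
    return " ".join(answer.lower().split())


def build_vault(accounts, phone_sites=()):
    """Return {(site, question): answer} with no answer used twice."""
    vault, used = {}, set()
    for site, question in accounts:
        make = spoken_answer if site in phone_sites else alnum_answer
        answer = make()
        while normalize(answer) in used:  # regenerate on the rare collision
            answer = make()
        used.add(normalize(answer))
        vault[(site, question)] = answer
    return vault


def reused_answers(vault):
    """Audit a vault: map each answer used more than once to where it is used."""
    seen = defaultdict(list)
    for key, answer in vault.items():
        seen[normalize(answer)].append(key)
    return {ans: keys for ans, keys in seen.items() if len(keys) > 1}


# Constructed sample accounts (hypothetical sites and questions).
ACCOUNTS = [
    ("airline.example", "Mother's maiden name?"),
    ("airline.example", "First pet's name?"),
    ("email.example", "Street you grew up on?"),
    ("utility.example", "City you were born in?"),
]

if __name__ == "__main__":
    vault = build_vault(ACCOUNTS, phone_sites={"utility.example"})
    for (site, question), answer in vault.items():
        print(f"{site:18} {question:26} {answer}")
    print(f"20 alphanumeric chars: {entropy_bits(len(ALNUM), 20):.0f} bits")
    print(f"6 words from this list: {entropy_bits(len(WORDS), 6):.0f} bits")
    print("reused:", reused_answers(vault))
```

The generated answers belong in the password manager entry or secure note for each site; none of them can be derived from biography, and a reset on one account reveals nothing about another.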
Yeah, kind of what polycarp said about getting random answers for your security questions and just keeping track of what they are. A bank employee once advised me to do that routinely, anyway, since it's harder for other people to get through.
posted by dilettante at 1:59 PM on January 14, 2016
The other thing I would add is that there are always going to be social engineering ways to hack into your information. You may want to think about opening new accounts with a new email address and maybe a pseudonym where possible so that he doesn't even know where to look to begin hacking in.
posted by Rock Steady at 2:02 PM on January 14, 2016 [16 favorites]
Also consider a credit freeze with the three major credit reporting agencies, if he knows you well enough that he knows your SSN, date of birth, etcetera:
http://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
It will make it difficult for him to open new lines of credit in your name. If he has the skill and motivation to harass you online, this site provides some good information on steps you can take to protect yourself:
http://www.crashoverridenetwork.com/
I hope it doesn't go that far though!
posted by lefty lucky cat at 2:06 PM on January 14, 2016 [29 favorites]
What you're asking is how to get these companies to disallow "Knowledge-Based Authentication". See this Brian Krebs post - he's a target for online miscreants. Particularly relevant to your situation:
I can recall doing this with most of the utilities we use — including our ISP — after having ne’er-do-wells try to shut off our power, phone and water service by calling in with those static identifiers. None of those companies offered more advanced authentication options — such as mobile device authentication — but most would let me place a flag on my account that no changes were to be made unless I showed up at the utility’s offices in person and presented a photo ID and my username and password.
For online-only service providers with limited or no interaction with real people to put that kind of flag on your accounts, it's just new everything. New email accounts, maybe pseudonyms, etc. If you suspect it's something he could work back to recovering from e.g. your SSN, honestly, you may just have to stop using that service for awhile if you want peace of mind.
Other than that, depending on how punchy you're feeling, you would likely have a very strong case for civil damages if he does this type of thing, entirely apart from the wholly criminal part of it. And it would make a restraining order a no-brainer.
posted by pahalial at 2:08 PM on January 14, 2016 [15 favorites]
One relatively easy way to come up with fake security questions: Use a famous dead person or celebrity. So, for example, you only have to remember that you're fake JFK, and you can easily look him up to verify that your mother's maiden name was Fitzgerald and you were born in Brookline.
posted by Tomorrowful at 2:19 PM on January 14, 2016 [38 favorites]
First of all, I just want you to know I was checking up on you only yesterday and I am so, so glad for you that you are making this move. Mazel tov.
It doesn't matter what security question I choose for "advanced security protection", the man has been my partner for TWENTY FOUR years and knows every answer to these kinds of questions. He will seemingly be able to call any vendor or get on their website and reset my credentials or get into my account bc of the way vendors verify identity.
So what I would do is create a fake persona. Sit down and write out all of the information needed for this persona, print it out and put it next to your primary computer so you can refer to it for all current and all future accounts: fake mother's maiden name, fake first pet name, fake street you grew up on. Fake everything except name, email and mobile.
Then use that same information as well as two-factor authentication to secure your mobile phone account.
posted by DarlingBri at 2:21 PM on January 14, 2016 [4 favorites]
Not to derail, but this partner of 24 years doesn't know you have a MetaFilter account which you use to ask, like, non-anonymous questions? Because, um, you know.
posted by rokusan at 2:28 PM on January 14, 2016 [26 favorites]
Security questions are a massive security hole for exactly this reason: they're only as secure as the information that you use to answer them.
How I get around this:
Use the same answer for everything. Childhood pet's name? 'abc123' Mother's maiden name? 'abc123' The street you grew up on? 'abc123'
posted by rhizome at 2:29 PM on January 14, 2016 [1 favorite]
I hate those security questions, because once I exclude the ones that have easily-googleable answers and the ones that don't apply to me, and the ones that I can't remember the answer to (which of my 5 childhood addresses am I talking about when I answered a question about the street I used to live on) there's not much left. So I have a metric, and the answer to the question is included in the question itself. Then I just choose the question such that the metric gives a non-annoying result.
possible metrics applied to "What school did you graduate from?"
- the common noun that it's asking about: school
- the first letter of each word. wsdygf
- The last letter of each word. tlduem
- the last word. from
- every third word smashed together. Whatyou
- first letter of each word in reverse order. fgydsw
lots of things you can come up with. Just pick one, and stick with it across all accounts.
One caveat: be sure your metric includes rules on how to capitalize (eg never)
posted by aimedwander at 2:29 PM on January 14, 2016
Response by poster: Sounds like so much work.
Does anyone know if banks and 401k plan administrators and such are required to give access to non-account holders who are the spouse upon spousal request? Like some sort of community property you can't shield this from me as long as we are still legally married kind of thing? Because Virginia does not recognize separations. You're married and then you're not. There is no in between during the 1 year waiting period between when you move out of the home and are allowed to file.
posted by TestamentToGrace at 2:30 PM on January 14, 2016 [1 favorite]
Response by poster: No, my partner has never heard of metafilter. he knows about the financial sites i visit and my email account and facebook are a given. anything else (like if i am on pinterest or not, or some random couch25k forum i am on) he wouldn't know about or care about.
posted by TestamentToGrace at 2:32 PM on January 14, 2016 [1 favorite]
I might blow up Facebook and get a new email account. It's a small price to pay. For now, you can get a new one once things have cooled down. You can tell everyone you're taking an FB break.
When I worked for the phone company, we could put a security code on your account that would require someone to tell us the code before we'd provide information, so call Cable, Gas, Electric and your phone company to have these codes added to your account. Again, nothing guessable.
Call your 401(k) administrator and talk to them, tell them about your situation, ditto your banks. Password protect EVERYTHING.
Get a divorce lawyer NOW. If your husband might get violent, get a restraining order.
Of course it's a lot of work. But once you're safe, you won't regret it.
posted by Ruthless Bunny at 2:39 PM on January 14, 2016 [16 favorites]
In addition to the above suggestions, it is time to start coming up with NEW secrets. If you get intimately involved with someone, keep it private. Info related to that private relationship is potential fodder for new secrets. Develop a new hobby or interest and don't tell the ex or anyone who has contact with him. Keep it your little secret. Info related to this new interest is also now fodder for new secret verification info.
Bonus: It helps you mentally separate yourself from him and shield you from him creepily and stalkishly trying to talk to you about all your new activities and interests.
Congrats on making the move.
posted by Michele in California at 2:39 PM on January 14, 2016 [1 favorite]
Instead of creating from scratch a fake persona to answer all the security questions, consider using an extant fictional person's information or a historical person's information. Pick someone easy to remember for you for whatever reason, maybe they have your initials or are a famous person from your hometown, and it is trivially easy to find all the information if you forget the specifics so you can google "what is teddy roosevelt's mother's maiden name" or "what was the name of the street that buffy summers lived on" or whatever. Obviously don't pick a favourite character or historical figure that your ex might associate with you.
posted by poffin boffin at 3:03 PM on January 14, 2016 [2 favorites]
Seconding Bunny on the destruction of the Facebook account. All social media accounts for that matter.
Don't just deactivate it, but delete it. Painful, sure. But it's just too massive of a security hole. Instruct your close friends how to reach you via other means. If he knows your friends and even one of them has their social media accounts set up too publicly, it's all for nothing.
posted by JoeZydeco at 3:16 PM on January 14, 2016 [3 favorites]
Response by poster: I couldn't delete facebook if i wanted to (which i don't - all my photos and friends and so many people i only get to talk to through FB since i travel so much for work) bc so many of my other online accounts use FB authentication.
This is not a witness protection program level of hiding I am going into. He and I have many mutual friends and that will remain so (none of those mutual friends who know I am moving or my new address will tell him where I live or when I am leaving; they understand it's a personal safety issue). I don't want to have to institute 30 character random passwords that i won't remember (bc what happens if i really do forget my password and now have to rely on answering security questions to get in?) or prevent myself from opening new credit cards. I just want to stop him from being able to call my airline and cancel flights or get into my FB and delete all my friends and photos. ETC. BC he is going to be so angry when he realizes I have left and that's the kind of stuff he might do. I mean there is a reason I am too afraid to tell him upfront I am moving out. He gives me that ragey look a lot lately since everything that went down the last few years (see my posting history if you're curious).
I like the idea of instituting security answers that he wouldn't know but that are easy enough to remember (like the same answer for everything as someone else suggested). It did not actually occur to me that lying in those answers was an option so I am thankful for that guidance. I'd like 2 factor authentication so that to reset a password one had to text my phone except that a couple years ago I had my phone pickpocketed in Turkey and if something like that happens again i absolutely need to be able to get onto my accounts and reset passwords without relying on something coming to my phone (which is the whole reason in that case i wanted to reset passwords to begin with bc someone had my phone and therefore access to all accounts).
This whole process is exhausting and starting to feel demoralizing. Some days I just think WHAT AM I DOING. When I signed the lease last week i cried for 3 days bc that made everything real. I am going to die alone probably now and leaving the only partner i've ever had (been together since i was 16). I've never even had a break up before. Meh.
posted by TestamentToGrace at 3:28 PM on January 14, 2016
Definitely lie, but don't use the same answer for all the questions or some other obvious pattern -- if you do, he'll be able to get into all your accounts if he gets into one. If you're concerned about forgetting your fake answers, and you don't want to use a password service, write out all the fake answers and what they're for (by hand! Don't save any of this anywhere on your computer) and put the piece of paper in a safe deposit box at the bank where you have your new account. Give secondary access to your most trusted friend in case of emergency. If you do forget, you can go to the bank with some ID and remind yourself.
As you might expect, banks are better than most other companies at not letting plausible-sounding third parties talk their way into other people's stuff.
posted by ostro at 3:58 PM on January 14, 2016 [1 favorite]
However I am absolutely terrified he will retaliate in some fashion through the means he has available.
He gives me that ragey look a lot lately
I don't think you understand the potential danger you face. Your safety is worth the inconvenience of using a password manager (which is actually more convenient since you don't have to remember anything). Or using TFA. It's far more likely that he will do something awful than it is that your phone will be stolen.
Women are most at risk of getting hurt or killed when they leave an abusive partner. You already know that he will fuck with your accounts. I really don't understand why you wouldn't take more steps to protect yourself. You may as well leave your door unlocked.
posted by desjardins at 4:16 PM on January 14, 2016 [11 favorites]
Regarding the Facebook authentication thing, you can definitely get around that. Someone more knowledgeable than me could probably give you more information, but usually all you do is reset your password.
posted by radioamy at 4:42 PM on January 14, 2016 [1 favorite]
In this case, using FB authentication is a bug, not a feature. You need to err on the side of paranoia. It is better to have the security and not need it than to need the security and not have it.
I would promptly go through and change all accounts to a password manager. He has a history of breaking into your FB account.
Keep the FB account. As suggested above, leave him some easy bait. But stop using it as part of your online security.
posted by Michele in California at 4:56 PM on January 14, 2016 [2 favorites]
You're only 40? You're only a little older than me! You're young! Your next question should be a request for inspiring stories about folks over 40 who did awesome things. Once this is over, you're going to feel awesome.
posted by jrobin276 at 5:08 PM on January 14, 2016 [8 favorites]
You should make a second FB account, friend everyone you trust and then leave the old one for fodder.
posted by aetg at 5:23 PM on January 14, 2016 [6 favorites]
I can understand you balking at the amount of work involved here. It's not fair that you should have to do the work and/or make the sacrifices for his decisions about how to treat you. But he has already shown he will use this kind of tactic, and I would be cautious about assuming that you know how far he will go. Perhaps consider how much easier it will be to protect yourself upfront, with enough time to make plans and carry them through, rather than having to recover after he sabotages you (say, tearful phone calls to airlines)?
posted by Cheese Monster at 5:28 PM on January 14, 2016 [1 favorite]
As part of your preparations, make sure that your property insurance is robust and up-to-date. If you're leaving him in the house and he's a spiteful, angry person, make sure you have enough insurance to cover anything he may do to your property in revenge. Also, get a lawyer immediately if you haven't already. Missteps at this stage can be costly and damaging to your divorce case.
Download whatever photos or info you have on FB so that if he does get into your accounts, you still have a back-up. I'd also make a new FB with a new name, generic avatar, and email he doesn't know and re-friend your friends there (not mutual friends, but friends who have your back). Make sure he and anyone else whose account he can use is blocked.
When this is all over and behind you, you will be so very happy about the life you get to have. You're still so young and you giving yourself this gift is the best thing you can do for future you. Good luck!
posted by quince at 5:29 PM on January 14, 2016 [3 favorites]
For consideration: a person who hacks your accounts and changes your flights when upset with you does sound to me like the kind of person you want to go full witness protection from. Obviously I do not have all the info, but from an outsider's perspective, that is incredibly intrusive and controlling behaviour and I would be very alarmed.
posted by jojobobo at 6:11 PM on January 14, 2016 [10 favorites]
How about using a Google Voice number (that, of course, he doesn't know or know about) for 2-factor texts?
Best wishes.
posted by Dashy at 6:35 PM on January 14, 2016 [4 favorites]
You could have Google Voice texts forwarded to your email or your phone, and still be able to turn it off if you lose your phone.
posted by Dashy at 6:42 PM on January 14, 2016 [1 favorite]
And about spousal access to retirement: IANAL, but I think that because retirement accounts follow the person and are always individual (the I in IRA), there is no such thing as automatic spousal access. You could give him access and signing power to your account, but you would have to give it explicitly.
Divorce settlements might force you to account for splitting assets accumulated during marriage and thus considered financially part of your joint total portfolio. But he can't access your accounts just by being married. But - please do 2-factor those, anyway!
posted by Dashy at 6:50 PM on January 14, 2016
Digital security is a lot of work for those of us who don't have someone specifically targeting their accounts too... Most of the measures are a good idea for everyone who is reading this to do. Yeah, it sucks that there are a lot of bad people out there trying to do nasty things to us. But there are, and protecting ourselves against it is an important part of being a member of today's society and using the internet. I don't know if that makes you feel any better, but you're far from alone...
posted by primethyme at 6:55 PM on January 14, 2016 [4 favorites]
LastPass is a service that does all that remembering for you, though. You only have to know one password and it knows all the rest and your security answers. You handled making the rest of your escape plan, so you can handle this, I promise.
posted by hollyholly at 7:25 PM on January 14, 2016 [3 favorites]
1pass or LastPass are really easy. It'll take you about an hour to get everything set with all your accounts. Two-factor authentication can be bypassed if you don't have your device on you. That one time you lost your phone was a rare situation.
posted by k8t at 7:54 PM on January 14, 2016 [2 favorites]
Listen... in all things related to security and privacy, the tradeoff is always between convenience and security. People and things do bad security and people and things get hacked because they are lazy and decide not to put in the effort to be safe. If it took 10 minutes every night to lock up the front door, most people would leave it open. That doesn't mean it's a good idea.
If you have already put in so much effort w/r/t moving and setting up a new life for yourself, and if this is as important as it certainly sounds, not to mention spent 20+ years summoning the courage to do all this, please do not apply shortcuts now on the last critical steps, just because it "seems like so much work."
posted by rokusan at 10:29 PM on January 14, 2016 [6 favorites]
It really sounds like, at the same time you file for divorce, you really need to file for a restraining order... along with making sure that in the divorce petition there is language specifically designed to prevent him from disposing of or damaging assets, so that there is a way to punish him if he does. (I don't know the specifics of what these sorts of things are called - it's been 16 years since I talked to someone about this sort of stuff.)
posted by stormyteal at 10:40 PM on January 14, 2016
Using a password manager seems like a lot less work than setting up dummy bank accounts and attempting to convince this person that you don't use the things you use. I use Password Safe because I don't like online password managers. It's very easy to use and just requires me to remember the one password to log into it.
posted by Anonymous at 11:07 PM on January 14, 2016
...he knows about the financial sites i visit and my email account and facebook are a given.
If you have selected to have your MetaFilter MeMails forwarded to your email account, there will be a record of MetaFilter for him to see in your email account. Might just want to double-check.
posted by blueberry at 11:58 PM on January 14, 2016 [4 favorites]
babelfish: "Best of luck. This seems to me like a job for flagrant lies. There's no rule that your security question answers have to be true -- they just have to be easy for you to remember."
Ahhh, I miss Aunt Fuckyouabusiveex ever since she passed on... Her cookies?
Seriously though, this is a tough situation, and one I wish you didn't have to deal with. I am seconding the two factor authentication (although, be REALLY careful with the device you authenticate with. I recently had a tablet stolen and had to jump through some major hoops to turn the authentication off without the authenticator). Also, a good password vault is awfully handy. I like LastPass because I am lazy and use multiple devices and operating systems and don't want to have to hand sync things.
Fingers crossed and hang tough!
posted by Samizdata at 12:13 AM on January 15, 2016 [1 favorite]
JoeZydeco: "Seconding Bunny on the destruction of the Facebook account. All social media accounts for that matter.
Don't just deactivate it, but delete it. Painful, sure. But it's just too massive of a security hole. Instruct your close friends how to reach you via other means. If he knows your friends and even one of them has their social media accounts set up too publicly, it's all for nothing."
I would wait on that one, as such a potentially vindictive ex could hound friends asking for information. If they don't know said information, and there's no proof they do, then it is easier all around, I think.
Also, it is one less channel for them to harass you and cause trouble via.
posted by Samizdata at 12:17 AM on January 15, 2016
A simple thing to also do would be to change the password recovery email everywhere to a brand new Gmail account with two factor authentication turned on. Most sites that ask you the security questions then send you a link in your email to actually reset the password. If that is to a new email with two factor, that makes things a lot harder.
Really, a password manager is a very important thing to start using. LastPass is free, 1Password is cheap, and they are all really useful tools. Then you don't have to worry about remembering any passwords other than the one to your vault.
Something else that is not mentioned so I will. You need to become more paranoid about device security. There are many frustratingly easy to install pieces of malware (especially on Android) that your ex could be installing on your phone and computer that could be recording and sending to him everything you are doing, and everywhere you have been, even taking over the camera and microphone to listen to and see you. Add passcodes to the lock screen on your phone and computer, turn on full disk encryption, and seriously consider a full on factory reset and/or a new device if you can afford it before you move out.
posted by rockindata at 3:37 AM on January 15, 2016 [2 favorites]
I would suggest calling all service providers (power, gas, water, internet) and asking them whether it's possible to add an alert to your account that anyone calling in regards to your account needs to know an additional pass phrase to gain access to the account.
posted by kinddieserzeit at 4:54 AM on January 15, 2016 [3 favorites]
I suggest having someone more knowledgeable take a look at your phone to make sure that there have been no apps downloaded to your phone without your knowledge, such as find my phone (gps tracker) or sms backup (texts forwarded to an email account).
posted by vignettist at 8:51 AM on January 15, 2016 [4 favorites]
You don't have to use accurate information on security questions. What's your mother's maiden name? You don't have to supply Smith. You can answer Dontmesswithme. Just write it down in a secure location.
I would get a brand new free email account that he will know nothing about. Write down the account name and password in different places. Then store password and account information in that account. Never share that account name; it's only for you.
Do you have any assets? Do you have any debt? I would use any joint assets to pay down any joint debt. Many people, on learning of a spouse's intention to leave, will just go spending money. Make sure you have no joint credit cards where he could spend money that you'd have joint responsibility to repay.
Keep in mind that you have a goal, and you'll be able to overcome the discouraging realities. Ending a relationship that's bad for you isn't easy, but you will feel so much better.
posted by theora55 at 9:04 AM on January 15, 2016
Look, I am the worst at this kind of stuff. I hate managing it and calling companies and asking someone to help me manage my account, even when it's really important to me to get it done. The only way I have found to do it is to attach it to something I really want to do. Either logically: "if I get the wall painted, then I can finally hang up some pictures in this place" or I don't let myself do something fun until I've done one of the hard things on my list. In my mind, your "rewards" are freedom, security and safety.
If you think about changing your security questions to something really hard and it just seems like a big pain in the ass and "what would be so bad about him messing with this one account anyway?" then you lose momentum. Instead, think "this is a pain in the ass but my peace of mind and safety are worth it". And if you have to pull out the big guns, then do so: "this is a pain in the ass but I really want that new pair of boots".
I wish you the best.
posted by dawkins_7 at 9:30 AM on January 15, 2016
You should also think about what might motivate him to accept the breakup. There might be a way that your final note explaining why you are doing this could decrease his motivation. You are going to be delivering a big shock to him and he doesn't sound like he is good at processing that.
posted by Ironmouth at 10:40 AM on January 15, 2016
Pick a fictional character you're obsessed with enough to know all the details of his/her life and change all your security question answers to be what they would answer.
Like, for example, let's say you picked Arya Stark. Her mother's maiden name is Tully. She was born in the city of Winterfell. Her first pet's name was Nymeria. She's attending "school" at the House of Black and White. etc.
posted by Jacqueline at 8:14 PM on January 15, 2016 [2 favorites]
Jacqueline's answer appeals to my sense of wryness and irony, but it's actually a bad practice, because it fails the isolation test, otherwise known as the eggs-in-baskets problem*.
If someone knows, learns, guesses or otherwise realizes that your "first street address" was 221B Baker Street or your mother's maiden name was Sherrinford, they will probably be able to guess every other security question you have on every website with just a little Googling.
Your passwords and security question answers should not be related in such a way. Otherwise you might as well just make them all the same, which of course is bad.
* Okay, nobody calls it that except me.
posted by rokusan at 5:35 AM on January 17, 2016 [1 favorite]
This thread is closed to new comments.
Two-factor: You put in your password and, if it doesn't recognize your computer, it sends you a text message with a one-time-use PIN. Unless somebody has your phone, they're out of luck.
Security questions: For online services, at least, you don't have to answer the question the website asks you. It's just another field you can put a hard-to-guess password into. (My first grade teacher? Oh, that's xCvjQ45^%4a. Grandmother's maiden name? I'll never forget Gramma vc-fe35tWefx###)
posted by Polycarp at 1:53 PM on January 14, 2016 [103 favorites]
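An added example, not part of the thread and not any poster's code, of the advice from ostro, rokusan and Polycarp above: give every security question its own random answer, then audit a set of answers for reuse across sites and for true facts someone close already knows. The site names, questions, function names and the answer-normalization rule are assumptions made for the illustration.

```python
import math
import re
import secrets

# Lowercase letters and digits with look-alikes (i, l, o, 0, 1) removed, so an
# answer can be read aloud to a phone agent or copied from paper without errors.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def make_answer(groups=3, group_len=4):
    """Return a random answer such as 'k7mq-x2vp-9thd' drawn from a CSPRNG."""
    return "-".join(
        "".join(secrets.choice(ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def answer_entropy_bits(groups=3, group_len=4):
    """Entropy of make_answer() output: one uniform choice per character."""
    return groups * group_len * math.log2(len(ALPHABET))


def normalize(answer):
    """Assumption: sites compare answers ignoring case, spaces and punctuation."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def build_vault(accounts):
    """Map every (site, question) pair to its own independent random answer."""
    vault, used = {}, set()
    for site, questions in accounts.items():
        for question in questions:
            answer = make_answer()
            while normalize(answer) in used:  # collisions are rare; retry anyway
                answer = make_answer()
            used.add(normalize(answer))
            vault[(site, question)] = answer
    return vault


def audit(vault, known_facts=()):
    """Return (finding, site, question) tuples for answers that fail isolation.

    'reused': the same answer protects more than one site.
    'guessable': the answer is a true fact that someone close already knows.
    Thematic links (all answers from one fictional character) cannot be
    detected here, which is the reason to generate answers, not pick them.
    """
    facts = {normalize(f) for f in known_facts}
    sites_by_answer = {}
    for (site, _question), answer in vault.items():
        sites_by_answer.setdefault(normalize(answer), set()).add(site)
    findings = []
    for (site, question), answer in sorted(vault.items()):
        key = normalize(answer)
        if len(sites_by_answer[key]) > 1:
            findings.append(("reused", site, question))
        if key in facts:
            findings.append(("guessable", site, question))
    return findings


# Constructed sample data: hypothetical site names, questions and facts.
ACCOUNTS = {
    "airline.example": ["Mother's maiden name?", "First pet?"],
    "mail.example": ["City of birth?"],
}
WEAK_VAULT = {
    ("airline.example", "Mother's maiden name?"): "Smith",
    ("airline.example", "First pet?"): "Dontmesswithme",
    ("mail.example", "City of birth?"): "dontmesswithme",
}

if __name__ == "__main__":
    print("weak vault:", audit(WEAK_VAULT, known_facts=["smith"]))
    fresh = build_vault(ACCOUNTS)
    print("fresh vault:", fresh, audit(fresh, known_facts=["smith"]))
```

The generated answers are meant to be stored in a password manager or on paper kept somewhere safe, as the posters suggest, since they cannot be recalled from memory.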