My phone hacked

steve_sordy Posts: 2,453
edited June 2018 in The hub
I was out on my bike and I kept getting silent calls on my mobile. Eventually I got a text from my provider saying that my password had been changed and to call them if it wasn't me. So I did.

It seems that someone knew my account password and had changed it. It was only when they then tried to cancel the account and other security questions were asked that my provider smelled a rat and refused to co-operate. No financial harm was done and I changed my password to something else and added a second one as well just for good measure.

But I wondered how the hell the hacker knew my password as it wasn't anything simple. I wondered if my laptop had been compromised when I took it in for some work to be done on it. (I keep all my passwords on it under a very tricky password itself). So I went through all my financial accounts and other stuff where I knew they had my bank account or credit card details and changed the passwords on them all.

It is not until I had to do this that I realised just how many I had. There were 81 of them! It took me pigging ages! :(

Not just obvious stuff like banks, mortgage accounts, and cards, but what about Amazon, premium bonds, Stores of all kinds, insurances of all kinds, comparison websites..........?

In future I will keep the list of passwords on a flash drive, backed up by another flash drive somewhere else in the house.

Comments

  • meursault
    meursault Posts: 1,433
    https://en.wikipedia.org/wiki/Brute-force_attack

    Financial transactions remain secure because the coding is based on multiplying two very large prime numbers to generate the keys. Because there is no apparent order to prime numbers (known to date) you cannot reverse engineer the algorithm. That situation could change if an order is discovered.
    Superstition sets the whole world in flames; philosophy quenches them.

    Voltaire
  • steve_sordy
    steve_sordy Posts: 2,453
    Fascinating, but I'd be astonished if an ordinary guy like me was worth the effort!
  • sniper68
    sniper68 Posts: 2,910
    In future I will keep the list of passwords on a flash drive, backed up by another flash drive somewhere else in the house.
    I keep all my passwords on my Mobile Flash drive Steve (i.e. in my head) :wink: I change them around frequently and thankfully have never been hacked. It's surprising just how many passwords I/we/anyone has until you stop and think..... :o
    I'm sure many people's passwords follow a pattern that your average hacking scumbag can quite easily work out!
    A bloke at work has the year 1960 written on a little bit of paper taped to the back of his phone....it's his Bank Card Pin....and his year of Birth!
  • perfectmark
    perfectmark Posts: 117
    I would normally say that they probably just got a few bits of info about you (like name, address, etc) and called up the company to try and get access to your account, pretending that they have forgotten the password.

    But seeing as you said you sent in your laptop somewhere to repair, it is relatively easy to extract them.

    Edit: May I ask how you store your passwords exactly? As if you are storing in something like an Excel document, they are very easy to crack (will probably take less than a min). You are probably better off using an online password storage service like LastPass. Then you use a strong password, plus 2 factor authentication (so they send you a text which you have to type in) to access.
  • blokie13
    blokie13 Posts: 93
    LastPass with 2FA for the win!

    I only exclude my primary email account password, my bank account password (which both have 2fa enabled anyway) and my PayPal password from LastPass and "store" them in my head only.
    Boardman Pro FS 650b | Boardman Team 29er HT | Specialized Tricross Sport
  • JGTR
    JGTR Posts: 1,404
    Had this with O2 few years ago. Password was changed and a new phone and other bits ordered on my account. Told O2 but they didn’t do anything and it happened again a week later. 99.9% sure it was an inside job (O2 employee) as I didn’t actually know my password to change it in the first place!
  • steve_sordy
    steve_sordy Posts: 2,453
    JGTR wrote:
    Had this with O2 few years ago. Password was changed and a new phone and other bits ordered on my account. Told O2 but they didn’t do anything and it happened again a week later. 99.9% sure it was an inside job (O2 employee) as I didn’t actually know my password to change it in the first place!

    I'd rather it be an inside job with my phone provider than the laptop repair place, for two reasons:
    1) The phone people don't have access to the rest of my stuff.
    2) I wouldn't feel so stupid in not removing the password file before I sent my laptop for repair, (like I have done every time before, except the last time). :oops:

    Anyway, while I was changing all my passwords, I never came across a single one that had been changed, so it was probably someone from the phone people.
  • bompington
    bompington Posts: 7,674
    if you are storing in something like an Excel document, they are very easy to crack (will probably take less than a min)
    Not true for more recent Excel files that are encrypted and need a password to open. 2007 introduced 128-bit encryption - basically impossible to crack - and it's got harder since then.
    Worksheet protection is another story - basically trivial to crack.
  • steve_sordy
    steve_sordy Posts: 2,453
    bompington wrote:
    if you are storing in something like an Excel document, they are very easy to crack (will probably take less than a min)
    ..................
    Worksheet protection is another story - basically trivial to crack.

    Oh dear! I'm using a 2003 version.

    So it's an open book then? :shock:
  • billycool
    billycool Posts: 833
    bompington wrote:
    if you are storing in something like an Excel document, they are very easy to crack (will probably take less than a min)
    ..................
    Worksheet protection is another story - basically trivial to crack.

    Oh dear! I'm using a 2003 version.

    So it's an open book then? :shock:

    Steve - I'd say it's not the most secure.

    Might be worth looking at something like Office 365. I'm sure there might be other options as well.

    FWIW - I'm using Excel '97 on my desktop PC :?
    "Ride, crash, replace"
  • steve_sordy
    steve_sordy Posts: 2,453
    BillyCool wrote:
    .................

    FWIW - I'm using Excel '97 on my desktop PC :?

    Don't accept any Microsoft updates then as they will make it difficult to use. The last Microsoft update I received stopped cut & paste working on Office 2003 products. I was in Australia at the time, trying to save some good stuff on the MBR Forum and my laptop basically went on strike. When I got home, I had to pay the computer shop to remove the update and then load in just the stuff I needed.
  • simono5
    simono5 Posts: 42
    Steve, don't look over the guys suggesting LastPass (or similar).

    In the past I had the sameish password for 100s of sites. Massive risk to mine and my family's data.

    Now I'm using LastPass which remembers all my passwords for me, I've changed 100s of passwords to random alphanumeric ones e.g. aPw3pT4awXxk and I have absolutely no idea what any of these passwords are anymore. But that's the beauty, I don't need to, LastPass looks after everything including signing into websites that it recognises.

    With LastPass and enabling 2FA on it and as many other sites as possible you can't go wrong.
  • blokie13
    blokie13 Posts: 93
    Just to add with LastPass it automatically fills in your username and password for all of your sites too, so you don't have some cumbersome process of looking it up every time either.

    ..oh, and it's free (there is a premium version, but it's not required for the basic password features)
  • steve_sordy
    steve_sordy Posts: 2,453
    LastPass sounds like the Holy Grail. I'll take a look.

    Many thanks to all that responded. :)
  • blokie13
    blokie13 Posts: 93
    Just make sure that your master LastPass password is a really good one, and make sure you use 2fa on it too.