Amazon security

rolf_f
rolf_f Posts: 16,015
edited January 2013 in Commuting chat
Howdy all. Just had some emails about an Amazon order that someone tried to make on my account. I thought they might be phishing emails but that was followed up by an email from Amazon themselves saying that a dodgy transaction had been attempted. £It seems that someone obtained your personal account and/or financial information elsewhere, and used it on Amazon.co.uk to access your account".

Anyway, according to this email, the attempted thieving scumbag had "personal, specific information about you and your account, including your email address and Amazon.co.uk password". Helpfully vague of Amazon that - what other info besides email addy and password might they have had? Amazon don't say. Now according to Amazon, they might have got the info via phishing emails - but I've never clicked on any such links. And, thing is, the last time I ordered anything from Amazon was in 2010.

So how will this have happened? I can't see what I would have done - I've never written passwords down and never told anyone of them. No one has access to my computer except for me. Nothing else untoward seems to be going on so I am at a loss.

I have requested Amazon to close my account - I had no intention of using it again anyway. But it makes you wonder..... And how paranoid should I be right now?
Faster than a tent.......

Comments

  • Have you used that password anywhere else? If so, that could be what happened - especially if they got hold of a file with an email and password, and maybe used Google to pick up other details such as a date of birth.

    Alternatively, there were big holes in Amazon's credit card security practices, but I assume these have been plugged. This article provides a frightening account of how an online life can be picked to pieces by a determined hacker.

    http://www.wired.com/gadgetlab/2012/08/ ... cking/all/

    One other possibility is that it's a mistake - Twitter once informed tens of thousands of users that their passwords had been compromised, but then back-tracked a day later.

    I would strongly advise you to change passwords on other accounts - especially if you have been reusing passwords.
  • andy9964
    andy9964 Posts: 930
    Are you sure this isn't a phishing email.
    I got one from "Paypal" telling me a purchase was successful. I hadn't made any such purchase, so I clicked on the header at the top of the email. The "PayPal" site it took me to had a dodgy looking URL, so I went no further, other than log in via a google search for PayPal. Then change my password
  • rolf_f
    rolf_f Posts: 16,015
    Yes - I logged into Amazon separately, via Google. I just don't touch, or even open the phishing emails. And I can't see how they could have got hold of a file with email and password - I can't see how such a file would exist.

    Looking on Amazon, the card used isn't one of mine so I daresay my card info should be safe.

    I don't get it anyway - the order was for a gift certificate to be emailed so what's the point?
    Faster than a tent.......
  • itboffin
    itboffin Posts: 20,052
    Windows computer?

    What av, anti spam software are you using?
    Rule #5 // Harden The Feck Up.
    Rule #9 // If you are out riding in bad weather, it means you are a badass. Period.
    Rule #12 // The correct number of bikes to own is n+1.
    Rule #42 // A bike race shall never be preceded with a swim and/or followed by a run.
  • rolf_f
    rolf_f Posts: 16,015
    itboffin wrote:
    Windows computer?

    What av, anti spam software are you using?

    AV = Avast, Anti Spam = Outlook Spam filter. Computer is Win7.
    Faster than a tent.......
  • itboffin
    itboffin Posts: 20,052
    I recommend you try avg free and run a cleaner tool like ccleaner just in case.
    Rule #5 // Harden The Feck Up.
    Rule #9 // If you are out riding in bad weather, it means you are a badass. Period.
    Rule #12 // The correct number of bikes to own is n+1.
    Rule #42 // A bike race shall never be preceded with a swim and/or followed by a run.
  • Rolf F wrote:
    And I can't see how they could have got hold of a file with email and password - I can't see how such a file would exist.

    If a site - such as this one - is hacked, then large amounts of personal information can be released, including encrypted passwords. Once the encryption is broken, then the hackers are able to use the passwords to break into other sites - if you use the same password across lots of sites (which most people do).
  • As someone else mentioned, is it a password you use for other stuff?

    Frequent occurrence is for someone to get your password from elsewhere then use e-mail + that password to try it on with other sites. Remembering loads of passwords is a PITA so I run a 3 password system: sites I don't care much about (e.g. Bikeradar) all use the "level 1" password. Sites I care about quite a lot (e.g. gmail) use the "level 2" password. Sites which involve access to sensitive stuff/money all use a level 3 password. Under no circumstances use your e-mail password for things like banking.
  • davis
    davis Posts: 2,506
    ooermissus wrote:
    Rolf F wrote:
    And I can't see how they could have got hold of a file with email and password - I can't see how such a file would exist.

    If a site - such as this one - is hacked, then large amounts of personal information can be released, including encrypted passwords. Once the encryption is broken, then the hackers are able to use the passwords to break into other sites - if you use the same password across lots of sites (which most people do).

    Erm. No.

    Assuming that Amazon store passwords even vaguely properly (admittedly this might be a big assumption, but from what I remember reading about Amazon's infrastructure years and years and years ago, I suspect it's true. The fact that they themselves can't tell you what your password is [only whether you've supplied the correct one] also suggests they do things properly) there's no such watershed event as "once the encryption's broken". You will be able to establish "weak" passwords if you had a dump of their hashed password, but not everyone's all at once in a massive "breakthrough" moment.

    Hashing != Encryption. Life != Movies.
    Sometimes parts break. Sometimes you crash. Sometimes it’s your fault.
  • Wrath Rob
    Wrath Rob Posts: 2,918
    davis wrote:
    ooermissus wrote:
    Rolf F wrote:
    And I can't see how they could have got hold of a file with email and password - I can't see how such a file would exist.

    If a site - such as this one - is hacked, then large amounts of personal information can be released, including encrypted passwords. Once the encryption is broken, then the hackers are able to use the passwords to break into other sites - if you use the same password across lots of sites (which most people do).

    Erm. No.

    Assuming that Amazon store passwords even vaguely properly (admittedly this might be a big assumption, but from what I remember reading about Amazon's infrastructure years and years and years ago, I suspect it's true. The fact that they themselves can't tell you what your password is [only whether you've supplied the correct one] also suggests they do things properly) there's no such watershed event as "once the encryption's broken". You will be able to establish "weak" passwords if you had a dump of their hashed password, but not everyone's all at once in a massive "breakthrough" moment.

    Hashing != Encryption. Life != Movies.
    That all depends on how Amazon have implemented their password security.

    As Davis states, the best way is for any site to store a 1 way "hash" of your password. This can't be "de-crypted" as its a 1 way algorithm so its pretty secure. Any website that is able to re-send you your password rather than resetting it isn't using this mechanism, they're using a 2 way algorithm that can be de-crypted to access the original passwords and therefore is inherently at risk of being hacked.
    FCN3: Titanium Qoroz.
  • davis wrote:
    ooermissus wrote:
    If a site - such as this one - is hacked, then large amounts of personal information can be released, including encrypted passwords. Once the encryption is broken, then the hackers are able to use the passwords to break into other sites - if you use the same password across lots of sites (which most people do).

    Erm. No.

    Assuming that Amazon store passwords even vaguely properly (admittedly this might be a big assumption, but from what I remember reading about Amazon's infrastructure years and years and years ago, I suspect it's true. The fact that they themselves can't tell you what your password is [only whether you've supplied the correct one] also suggests they do things properly) there's no such watershed event as "once the encryption's broken". You will be able to establish "weak" passwords if you had a dump of their hashed password, but not everyone's all at once in a massive "breakthrough" moment.

    Hashing != Encryption. Life != Movies.

    I think you misunderstand. LinkedIn, Gawker and Yahoo are just two companies that have been hacked, allowing the release of large numbers of log-in credentials. This site claims to have 50m or so compromised email addresses. https://shouldichangemypassword.com/

    These leaks have varying levels of encryption (some have none at all) and the passwords range from ridiculously weak to strong. Those that are broken can then be used to login to sites with better security such as Amazon.
  • davis
    davis Posts: 2,506
    ooermissus wrote:
    davis wrote:
    ooermissus wrote:
    If a site - such as this one - is hacked, then large amounts of personal information can be released, including encrypted passwords. Once the encryption is broken, then the hackers are able to use the passwords to break into other sites - if you use the same password across lots of sites (which most people do).

    Erm. No.

    Assuming that Amazon store passwords even vaguely properly (admittedly this might be a big assumption, but from what I remember reading about Amazon's infrastructure years and years and years ago, I suspect it's true. The fact that they themselves can't tell you what your password is [only whether you've supplied the correct one] also suggests they do things properly) there's no such watershed event as "once the encryption's broken". You will be able to establish "weak" passwords if you had a dump of their hashed password, but not everyone's all at once in a massive "breakthrough" moment.

    Hashing != Encryption. Life != Movies.

    I think you misunderstand. LinkedIn, Gawker and Yahoo are just two companies that have been hacked, allowing the release of large numbers of log-in credentials. This site claims to have 50m or so compromised email addresses. https://shouldichangemypassword.com/

    These leaks have varying levels of encryption (some have none at all) and the passwords range from ridiculously weak to strong. Those that are broken can then be used to login to sites with better security such as Amazon.

    Yup. I misunderstood that you might have been talking about other sites.

    However, my point still stands that there is almost no defensible reason to choose to encrypt a password rather than hashing it. Annoyingly, that still doesn't stop some people choosing encryption, or, worse not even bothering to do that.
    Sometimes parts break. Sometimes you crash. Sometimes it’s your fault.