My phone hacked

steve_sordy
steve_sordy Posts: 2,443
edited June 2018 in The hub
I was out on my bike and I kept getting silent calls on my mobile. Eventually I got a text from my provider saying that my password had been changed and to call them if it wasn't me. So I did.

It seems that someone knew my account password and had changed it. It was only when they then tried to cancel the account and other security questions were asked that my provider smelled a rat and refused to co-operate. No financial harm was done and I changed my password to something else and added a second one as well just for good measure.

But I wondered how the hell the hacker knew my password as it wasn't anything simple. I wondered if my laptop had been compromised when I took it in for some work to be done on it. (I keep all my passwords on it under a very tricky password itself). So I went through all my financial accounts and other stuff where I knew they had my bank account or credit card details and changed the passwords on them all.

It is not until I had to do this that I realised just how many I had. There were 81 of them! It took me pigging ages! :(

Not just obvious stuff like banks, mortgage accounts, and cards, but what about Amazon, premium bonds, Stores of all kinds, insurances of all kinds, comparison websites..........?

In future I will keep the list of passwords on a flash drive, backed up by another flash drive somewhere else in the house.

Comments

  • meursault
    meursault Posts: 1,433
    https://en.wikipedia.org/wiki/Brute-force_attack

    Financial transaction remain secure because the coding is based onmultiplying two very large prime numbers to generate the keys. Because there is no apparent order to prime numbers (known to date) you cannot reverse engineer the algorithm. That situation could change if an order is discovered.
    Superstition sets the whole world in flames; philosophy quenches them.

    Voltaire
  • steve_sordy
    steve_sordy Posts: 2,443
    Fascinating, but I'd be astonished if an ordinary guy like me was worth the effort!
  • sniper68
    sniper68 Posts: 2,910
    In future I will keep the list of passwords on a flash drive, backed up by another flash drive somewhere else in the house.
    I keep all my passwords on my Mobile Flash drive Steve(ie in my head) :wink: I change them around frequently and thankfully have never been hacked.It's surprising just how many passwords I/we/anyone has until you stop and think..... :o
    I'm sure many peoples passwords follow a pattern that your average hacking scumbag can quite easily work out!
    A bloke at work has the year 1960 written on a little bit of paper taped to the back of his phone....it's his Bank Card Pin....and his year of Birth!
  • perfectmark
    perfectmark Posts: 117
    I would normally say that they probably just got a few bits of info about you (like name, address, etc) and called up the company to try and get access to your account, pretending that they have forgotten the password.

    But seeing as you said you sent in your laptop somewhere to repair, it is relatively easy to extract them.

    Edit: May I ask how you store your passwords exactly? As if you are storing in something like an Excel document, they are very easy to crack (will probably take less than a min). You are probably better off using an online password storage service like lastpass. Then you use a strong password, plus 2 factor authentication (so they send you text which you have to type in) to access.
  • blokie13
    blokie13 Posts: 93
    LastPass with 2FA for the win!

    I only exclude my primary email account password, my bank account password (which both have 2fa enabled anyway) and my PayPal password from LastPass and "store" them in my head only.
    Boardman Pro FS 650b | Boardman Team 29er HT | Specialized Tricross Sport
  • JGTR
    JGTR Posts: 1,404
    Had this with O2 few years ago. Password was changed and a new phone and other bits ordered on my account. Told O2 but they didn’t do anything and it happened again a week later. 99.9% sure it was an inside job (O2 employee) as I didn’t actually know my password to change it in the first place!
  • steve_sordy
    steve_sordy Posts: 2,443
    JGTR wrote:
    Had this with O2 few years ago. Password was changed and a new phone and other bits ordered on my account. Told O2 but they didn’t do anything and it happened again a week later. 99.9% sure it was an inside job (O2 employee) as I didn’t actually know my password to change it in the first place!

    I'd rather it be an inside job with my phone provider than the laptop repair place, for two reasons:
    1) The phone people don't have access to the rest of my stuff.
    2) I wouldn't feel so stupid in not removing the password file before I sent my laptop for repair, (like I have done every time before, except the last time). :oops:

    Anyway, while I was changing all my passwords, I never came across a single one that had been changed, so it was probably someone from the phone people.
  • bompington
    bompington Posts: 7,674
    if you are storing in something like an Excel document, they are very easy to crack (will probably take less than a min)
    Not true for more recent Excel files that are encrypted and need a password to open. 2007 introduced 128-bit encryption - basically impossible to crack - and it's got harder since then.
    Worksheet protection is another story - basically trivial to crack.
  • steve_sordy
    steve_sordy Posts: 2,443
    bompington wrote:
    if you are storing in something like an Excel document, they are very easy to crack (will probably take less than a min)
    ..................
    Worksheet protection is another story - basically trivial to crack.

    Oh dear! I'm using a 2003 version.

    So it's an open book then? :shock:
  • billycool
    billycool Posts: 833
    bompington wrote:
    if you are storing in something like an Excel document, they are very easy to crack (will probably take less than a min)
    ..................
    Worksheet protection is another story - basically trivial to crack.

    Oh dear! I'm using a 2003 version.

    So it's an open book then? :shock:

    Steve - I'd say it's not the most secure.

    Might be worth looking at something like Office 365. I'm sure there might be other options as well.

    FWIW - I'm using Excel '97 on my desktop PC :?
    "Ride, crash, replace"
  • steve_sordy
    steve_sordy Posts: 2,443
    BillyCool wrote:
    .................

    FWIW - I'm using Excel '97 on my desktop PC :?

    Don't accept any Microsoft updates then as they will make it difficult to use. The last Microsoft update I received stopped cut & paste working on Office 2003 products. I was in Australia at the time, trying to save some good stuff on the MBR Forum and my laptop basically went on strike. When I got home, I had to pay the computer shop to remove the update and then load in just the stuff I needed.
  • simono5
    simono5 Posts: 42
    Steve, don't look over the guys suggesting LastPass (or similar).

    In the past I had the sameish password for 100's of sites. Massive risk to mine and my familys data.

    Now I'm using LastPass which remembers all my passwords for me, I've changed 100's of passwords to random alpha numeric ones e.g. aPw3pT4awXxk and I have absolutely no idea what any of these passwords are anymore. But that's the beauty, I don't need to, LastPass looks after everything including signing into websites that it recognises.

    With LastPass and enabling 2FA on it and as many other sites as possible you can't go wrong.
  • blokie13
    blokie13 Posts: 93
    Just to add with LastPass it automatically fills in your username and password for all of your sites too, so you don't have some cumbersome process of looking it up every time either.

    ..oh, and it's free (there is a premium version, but it's not required for the basic password features)
    Boardman Pro FS 650b | Boardman Team 29er HT | Specialized Tricross Sport
  • steve_sordy
    steve_sordy Posts: 2,443
    Last Pass sounds like the Holy Grail. I'll take a look.

    Many thanks to all that responded. :)
  • blokie13
    blokie13 Posts: 93
    Just make sure that your master LastPass password is a really good one, and make sure you use 2fa on it too.
    Boardman Pro FS 650b | Boardman Team 29er HT | Specialized Tricross Sport