The Entrepreneur Forum | Startups | Entrepreneurship | Starting a Business | Motivation | Success

GOLD! Take Your Computer Security Seriously! YOU Are At Risk!


The-J

Legendary Contributor
EPIC CONTRIBUTOR
FASTLANE INSIDER
Read Millionaire Fastlane
I've Read UNSCRIPTED
Summit Attendee
Speedway Pass
Aug 28, 2011
3,593
8,506
1,966
Ontario
I didn't think it would happen to me.

A few days ago, I woke up with about ~$1200 USD (in different currencies) taken from various bank accounts via Paypal transactions I didn't make.

Upon calling Paypal to rectify the solution, they told me that those transactions were properly authorized by me, from my computer (!), from my IP address.

That's impossible, I said. I wouldn't do that. I would know!

"Sorry, you're out of luck. Call your bank and have them stop the transactions. That's all you can do."

I kept saying "F*ck Paypal" over and over, until I realized what had happened.

My computer was hacked.

I'm not quite sure how they did it. It could have been a banking trojan. Or a remote access backdoor into my computer. Or they had my password and simply spoofed both my MAC and IP addresses. Could have been a botnet, too. I don't know.

All I know, is that I was vulnerable... and they got me.

It's not Paypal's fault, and Paypal isn't responsible. It's my fault, and I'm responsible.

After several virus scans with different software, I found out that I was, indeed, infected.

I could still be infected right now. I don't know. Many viruses and backdoors remain undetected, and they could be on your computer right now.

Yes, YOU are at risk.

I was lucky that all they took was $1200. They could have cleaned me out. And, after calling my bank, I might only stand to lose $300. Time will tell.

You, however, might not be so lucky.

I took several hours to watch Youtube videos, read articles, and scour interviews with security professionals and experts to figure out 2 things: (1) Why did this happen to me, and (2) How can I make sure it doesn't happen again?

Well, the answer to the first question was clear. It happened to me because I was an easy target. My computer was on overnight. I hadn't run a virus scan in months. And, worst of all, I did not have the proper security on my Paypal account.

The second question weighed heavily on my mind, though, and after some searches I found a lot of 'duh, common sense' kind of answers. I quickly figured out that even though I thought it was common sense, I was not following those rules.

My passwords sucked, and were shared among many sites (remind me to change my FLF password too). I didn't have 2 factor authentication on anything (even my Paypal! I thought I did, but I did not.) I wasn't paying attention to what I was downloading.

So, if you think you're not an idiot, let me run you through a checklist of things you must have.

1) An active antivirus. Yes, that includes you, Mac users. (Linux users, you're pretty much fine.) That should be on your phone, too.

2) 2 factor authentication, on everything that supports it. If you have a spare phone that you can use for it (that you don't give to anyone and, preferably, is not connected to your name), then that should be your 2FA phone. (Two factor authentication would have been my saving grace in the Paypal situation, but it won't always be.) Google Authenticator is also an awesome tool.

3) Different, and strong, passwords for every single site you use. 16 characters minimum. Seriously. Brute forcing is no joke, especially on sites where they allow unlimited login tries. Not only that, they must be different so you're not caught with your pants down if a website's database gets leaked.

4) A way so you don't have to TYPE those passwords. Keyloggers are a bitch, and will steal your passwords, your credit card info, and more, right as you're typing them. You can use an encrypted Notepad file stored on the cloud (not the safest thing in the world, because your clipboard could be at risk too), or you can use a password manager like Lastpass or KeePass. Password managers are excellent, because (1) you don't have to type passwords for every site you use, and (2) they're encrypted with a master password as your key. There are also programs like KeyScrambler which are reported to be pretty good.

5) An active firewall on both your computer and your router. Yes, firewalls for routers are different than firewalls for computers, and you should have both.

6) A secure autofill program for when you need to enter your credit card or Paypal info. Lastpass does this pretty well. Preferably, this autofill should be protected by a password (again, Lastpass does this pretty well).

7) A strong password on your computer, and, preferably, a 2nd factor (like a biometric scan or a phone/USB unlock) for your computer. (Also, keep your computer OFF when not using it, and preferably, disconnect it from power so it can't turn on without your control!)

8) As many backdoors closed as possible. Some backdoors on Windows computers include Universal Plug n Play, TeamViewer, and allowing remote access protocols. I understand TeamViewer is an important tool; however, it should not ever be running when you're not using it.

After speaking with some people, I also found out that it's very, very likely to get hacked while travelling. Hotel Wifi, Starbucks Wifi, plane Wifi, all of these networks are often more vulnerable than you think! For your safety, use a VPN while travelling. HideMyAss is a popular one. There are several others. You could even make your own, if you wanted.

However, keep in mind: even while following these tips, you could still be vulnerable. People can spoof your phone so they can get into your 2 factor sites. People can take advantage of database breaches and steal your login info. Hackers are always coming up with new ways to steal info and money. (There are also more tips that might help, so please, feel free to add anything! I'm not a computer expert!)

Your job, though, is to lower the likelihood of something ever happening to you. There is no magic armor, but you could at least be wearing a bulletproof vest.

Protect your a$$.
 


InformationH

Bronze Contributor
Speedway Pass
Jun 20, 2016
76
182
147
*Next week*
Wantrepreneur: "Well, before I start my business I better buy a new laptop, new phone, and a new backup hard drive. Might as well throw in a new router to be safe."
 


The-J

Recently, my parents got hit with a ransomware-like virus. Basically, it encrypted most files on their computer, including photos, videos, Office documents, etc. Their backup was a local USB hard drive. Unfortunately, the virus also went out to that and locked up their backups.

They never got the prompt to pay the ransom and receive an unlock key, which meant they lost their entire digital life.
Ransomware is the most dangerous virus threat out there today. If you get hit with ransomware at the wrong time, like while writing a thesis or while building a software program, you could be F*cked.

The key with ransomware is backups. As you said: local (on your hard drive), peripheral (on an external hard drive), and cloud (on the Internet) backups, as well as a consistent backup schedule. Keep whatever you're working on separate from your disk image backups. Google Drive, Dropbox, these things are excellent for backing up files.

---

Computer security, in general, is made up of 'common sense' rules that should be followed. Protect your a$$ with tools and security measures, of course, but nothing beats good habits.

Some everyday habits to keep your computer security strong:
  1. Be careful what you download. You might want to steer clear of strange torrents, or strange files delivered by a client or customer. If you're suspicious of a file, don't open it. And, before you open anything, hit it with a virus scan like Malwarebytes.
  2. Be careful of what sites you visit. Keep your visited sites to a minimum. Even sites linked to on Reddit could be unsafe.
  3. Don't click on ads. Use an Adblocker (uBlock Origin is excellent). I know a lot of us, including myself, are in the ad business. But it's better to be safe than sorry.
  4. Clean your computer regularly. CCleaner is excellent for this.
  5. Back up your computer regularly.
 
The-J

Small update:

I got a little less than half of the money back after a stop payment. Paypal told me that I should be able to get some more of the money back, as well, as I cancelled the payment pretty quickly and it still shows up as cancelled.

I went ahead and formatted my drive, did a clean install, updated even more of my passwords.

I even went and bought a Chromebook that I plan to use SOLELY for money transfers and online transactions.

Why Chromebook:
  • It uses a non-Windows OS with practically zero market share
  • It's heavily limited in its use
  • Most storage lies on the Cloud
  • I'll never, EVER use it for browsing or downloading!
  • It's cheap (paid $180 CAD for it lmao)
I also plan to make a separate Lastpass account for the Chromebook, same deal: 2 step with a password reprompt every session.

My new rule: new passwords every 3 months, at least.

Another thing I'm considering is USB keys, at least for some of my logins.

By the way, keep in mind that many of your banks are NOT SECURE, don't have 2-factor, and allow instantaneous transfers without so much as a password prompt or a notification. You could get robbed blind and never know until your statement comes.

Also, if you have a Windows computer, turn ON the PIN function. (What, are you nuts?) No, I'm not nuts. It allows easier access to your machine, but not so easy access to your Microsoft account. Best of all, the PIN doesn't allow brute forcing, you only get 5 tries before it prompts for a password. (You'll also probably not be well suited to remember a really long password string that you use to get into your machine)

Next time I travel, I'll be getting a VPN service and probably just gonna pay it month by month. Might even want to use it for my next payment, although HTTPS does a pretty good job.
 
The-J

I am a little worried that Lastpass authorities can one day use all passwords they have and become trillionaires lol
Lastpass encrypts your password database and stores it on their cloud servers. It's impossible to recover if you forget your master password; even Lastpass can't do it for you. Your master password encrypts your database on your local computer, and is not stored on LastPass's database.

Change your master passwords often.
 
The-J

All my passwords are unique for each site, and they're all diceware phrases. You roll dice and the numbers correspond to random words, symbols and numbers, forming a sentence. For example, "Timid @ cement 1776 gag you're beaches" is easier to memorize than a random string of characters. No password left on your clipboard and it's a strong one, good luck brute forcing that.
I've got a Win10 drive with nothing valuable on it; I don't care what happens to it. I've got a separate Manjaro drive for important stuff. I like Manjaro because you get a lot of tools with the installation, and if you need more you get them from a secure source (AUR), and the benefit of not being susceptible to Windows malware, although it's by no means a tight ship.

People who think their systems are impenetrable are the ones who are victimized the most. Maybe they do have decent software, but the peace of mind that comes with it makes them prime targets for social engineering.
There's a guy named Derren Brown who made a video where he'd simply ask strangers to count from 0 to 10 and then guessed their phone passcode based on the ways those people pronounced the numbers. They didn't realize they'd given away their passcode. I can't find the video, but here's one where he pays for stuff with blank paper.
He maintains that this is done on the unsuspecting and skeptical. Prime targets.
If you don't use a password manager, passphrases are the way to go (with added special characters). There are good and bad passphrases, though.

Good:
  • Phrases of seemingly random words
  • A list of important things in your life
  • The last names of 5 celebrity crushes spelled backwards
Bad:
  • Song lyrics (X.gonna.give.it.to.ya)
  • Movie or TV casts (Mchale.Jacobs.Brie.Glover.Brown)
  • A list of important people in your life (Mum.Dad.Rover.Sister.Brother)
It's good to keep in mind that you're very, very unlikely to be brute forced.

What's more likely to happen is you having some sort of trojan on your computer. (Actually, what's most common is losing your phone or your computer, and if that happens, someone should NOT be able to have access to your bank accounts, your business correspondence, or your personal information!)

Some important additional notes on 2-factor authentication:
  • People who know your 2 factor authentication number are able to get access to your phone. It's not easy, but it's possible.
  • People who know your recovery e-mail can turn off your 2-factor authentication and leave you blind.
The solution: A burner phone and a safety e-mail. Neither of these should EVER be used for any correspondence of any kind, nor should they EVER be given out to anyone. They should also not be in your name. (The e-mail one is easy enough: the burner phone is a little harder. But get your grandma to open up a phone for you, and you pay the bill with a Walmart money card that you transfer money into every month.)

I went a little overboard with my security. I now have a computer logon password that is a random string and more than 20 characters. But F*ck it!

The key is having no SINGLE point of failure. Someone has access to your computer? They can't get access to shit without your phone. Someone remotes into your phone? Oh, they don't know any of your passwords and can't log into anything. Someone gets both? They need to know your master passwords. Someone gets all of it? Well, you're somewhat F*cked, but since you have a safety e-mail, you can stop a lot from happening and you're not going at it blind. Someone steals your safety e-mail and burner phone, too? Can't get access to anything? Well, they just did the Internet equivalent of coming into your house in full SWAT gear, guns drawn, and tied you up. That takes quite a bit of work. The chances of that happening to you are slim, but you still need to be prepared.

Make it as difficult as possible to get access to your phone and computer, even if they have it in front of them.

Nobody in the world is unhackable. Not even the President of the United States. Think like a hacker and plan your security around that.
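The dice-to-word lookup behind the diceware phrases quoted above, and how their strength compares with the 16-character random passwords from the checklist, as an added example (not code from any poster in this thread). The 36-word list is constructed for the demo, and the 10 billion guesses per second figure is an assumed attacker speed.

```python
import math
import secrets

# Constructed 36-word list for the demo (2 dice per word). A real diceware
# list has 6**5 = 7776 words, so each word is selected with 5 dice.
DEMO_WORDS = (
    "acid apex bolt brim cane clay dawn dusk echo fern flax gate "
    "glow hawk iris jade kelp lamp mint moss nest opal pike quay "
    "reed rust sage silk tide urn vest wasp yarn yolk zest zinc"
).split()

# Assumption: offline guessing speed of a well-equipped attacker.
ASSUMED_GUESSES_PER_SECOND = 1e10


def dice_per_word(list_size):
    """Dice needed so that every roll sequence maps to exactly one word."""
    dice, size = 0, 1
    while size < list_size:
        size *= 6
        dice += 1
    if dice == 0 or size != list_size:
        raise ValueError("word list size must be a power of 6 (36, 216, ... 7776)")
    return dice


def roll_to_index(rolls):
    """Map dice faces (each 1-6) to a list index: [1, 1] -> 0, [6, 6] -> 35."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("a die face must be between 1 and 6")
        index = index * 6 + (face - 1)
    return index


def roll_die():
    """One fair roll from the OS CSPRNG; the `random` module is predictable."""
    return secrets.randbelow(6) + 1


def diceware(wordlist, n_words, roll=roll_die):
    """Build a passphrase by rolling dice for each word."""
    dice = dice_per_word(len(wordlist))
    words = []
    for _ in range(n_words):
        rolls = [roll() for _ in range(dice)]
        words.append(wordlist[roll_to_index(rolls)])
    return " ".join(words)


def entropy_bits(choices, length):
    """Entropy when each of `length` symbols is drawn uniformly from `choices`.

    Only valid for random picks. Song lyrics or family names are chosen by a
    person, so this formula overstates their strength badly.
    """
    return length * math.log2(choices)


def words_needed(target_bits, list_size=7776):
    """Smallest number of diceware words reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years to try every candidate; the average hit comes at half this."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("demo phrase (toy list, do not use):", diceware(DEMO_WORDS, 6))
    random16 = entropy_bits(94, 16)  # 94 printable ASCII characters
    print(f"16 random characters: {random16:.1f} bits")
    for n in (4, 6, 7, 9):
        bits = entropy_bits(7776, n)
        print(f"{n} diceware words: {bits:.1f} bits, "
              f"{years_to_exhaust(bits):.2e} years to exhaust")
    print("words to match 16 random characters:", words_needed(random16))
```

The strength comes from the dice, not from the words looking unusual: swapping in words you like, or reordering them into a sentence you prefer, throws away entropy the formula assumes is there.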
 

amp0193

Legendary Contributor
EPIC CONTRIBUTOR
FASTLANE INSIDER
Read Millionaire Fastlane
I've Read UNSCRIPTED
Summit Attendee
Speedway Pass
May 27, 2013
2,977
13,035
2,804
United States
Done Today:

1) Got an annual subscription to Webroot. 3 devices for $29.99 first year. My wife goes all over the internet and downloads torrents, so this is going on both computers.

2) 2fa enabled on paypal/google.

3-4) Changed to 20char passwords on every site using Lastpass

5) Firewall through Windows and Webroot. Firewall turned to Maximum Security on Router (it was on "moderate" before). Ran the firewall through the 5 tests at ShieldsUp!!! and got rid of a vulnerability it found.

6) Will add CC into Lastpass as I come across forms going forwards.

7) Enabled PIN mode on computer. I couldn't find a 2nd factor solution for PC to iPhone. None appear to exist. Only phone to Mac, and some complicated Android to PC solutions. Opportunity for someone here to make one...

8) No backdoors that I could find.

9) Installed HTTPS Everywhere Plug-in that someone mentioned


* I will get a Chromebook Later and set up as others have suggested.

Thanks @The-J
 

eliquid

( Jason Brown )
EPIC CONTRIBUTOR
Read Millionaire Fastlane
I've Read UNSCRIPTED
Summit Attendee
Speedway Pass
May 29, 2013
1,495
7,296
1,716
Louisville - Kentucky
I took this to heart after reading this thread this week.

I'm a power user when it comes to my desktops and laptops so I always thought it would never be me.

However, after reading this thread I did some digging and noticed my email was released in a breach of other sites along with my password, over at "Have I been pwned? Check if your email has been compromised in a data breach".

I advise you to look to see if your email and password are listed. I had been reusing my password on a few other sites, so this got me worried and thinking. Since then I have been using Lastpass with more unique passwords on all services and sites. Sometimes I'll reuse a password for sites that I am not too worried about, like I might use the same password to sign up for trial accounts of SaaS software or the same password for all forums (reading material, nothing where I make a transaction).

This week I switched from Chrome to Firefox and backed it up with several privacy plugins as well as:
  • Changed my router DNS and TeamViewer settings on all my computers
  • Enabled 2FA on several services
  • Encrypted my Macbook, also increased security and privacy on it all the way around
  • Changed my desktops and PC based laptops to more secure settings
  • Using LastPass more than simple/complex passwords (meaning, I use phrases now instead of 1 string of characters)
Part of what made me get more involved is that hacking and data breaches are happening more and more compared to 10 years ago. The scale at which it happens is also greater. I can't rely on just a password and my own desktop security, I have to worry about Yahoo getting breached or Myspace and my details leaking out.

And what about my kids' laptops and iPads? Someone gets into one of those and then sees my networked computers and gets into those.

I'm still making changes, but the most important stuff is locked down in some way now. If someone were to steal my username and password for 1 site, they can't get into another 2nd site with it. If someone stole my laptop or cellphone, they can't log into it or take the drive out and try to read it from another device because it's encrypted.

If someone wants to read my deleted files, the free space and recycle bin have been wiped with 32 passes to make them almost unrecoverable.

Sure, if someone really wants my data I am sure they can get it. However, I feel that I have protected myself against most hackers and other people looking for an easy find.

Thanks for the thread and bringing it to my attention a bit more.
 
The-J

I can't rely on just a password and my own desktop security, I have to worry about Yahoo getting breached or Myspace and my details leaking out.
Exactly. The US government has been hacked multiple times. Banks have been hacked. Yahoo had a breach a few years back. Lastpass itself had a breach.

The services we all use every day are NOT secure enough. The best protection is to make sure that there is no 'key to the castle', but rather a labyrinth.

Also keeping oneself on as much of a down low as possible, don't be a dick on the Internet so that people wanna hack and doxx (release sensitive info to the public) you, and remembering that social engineering (not necessarily technological breaches) is how a lot of hacks take place.

No single point of failure. No key to the castle.
 

Omega

Absolute dominationem vitae
Read Millionaire Fastlane
Speedway Pass
Sep 28, 2015
667
1,339
425
Brute forcing is extremely easy, to combat it you just need a solid password.

http://random-ize.com/how-long-to-hack-pass/

Type in a similar password or your own and see how long it will take to brute force it.

Make sure your numbers are in a random sequence and your letters are also uppercase and lowercase.

As long as your password is decent brute forcing shouldn't be a problem.
 
The-J

Tape over mics and camera.
Do that, too. Trouble is, anyone can record you when you're on a Skype call (or any kind of call). So accept that responsibility, and be careful with whom you share your screen. I don't quite understand much of it myself, but apparently, there's metadata that can be used to help identify your machine and your IP address.

The big key, though, is no single point of failure.

Lastpass offers 2 factor authentication, and idle time-outs. You need both. If someone gets access to your device, and somehow knows your master password, they should still be unable to get into your password vault.

Not only that, if someone is able to get your phone's SIM and load your phone onto theirs, they should not be able to know your passwords.

For most people, if someone is able to get access to both your phone AND your computer (not too difficult if they're on the same network!), you're right F*cked. The chances of that happening are very, very low.

2 factor protects you from most executables (trojans, etc.) as well as from password leaks. Strong, unique passwords protect you from password leaks and brute force attacks.

Here's something to remember, though: a truly motivated hacker CAN get your shit. The most motivated hackers use social engineering to find the weakest link in the chain: stupid humans with access to your accounts.
 

devine

Bronze Contributor
Read Millionaire Fastlane
Apr 16, 2015
761
137
0
Russia
Jay, one small piece of advice that helped me personally:
Get yourself a brand new phone and brand new laptop exclusively for all activities where money is involved.
Trust me, it's worth it.

I know people who got their accounts, with 2-step authentication (!!!), hacked with the help of GSM operators, so take care.
 

JasonR

Maverick
EPIC CONTRIBUTOR
Read Millionaire Fastlane
I've Read UNSCRIPTED
Summit Attendee
Speedway Pass
May 29, 2012
2,037
10,545
2,556
Traveling
@The-J - this is a well timed post. Thank you. I take computer security very seriously, especially since I am constantly traveling, but I probably don't do enough.

I use 1Password for all of my passwords, and have strong passwords on all of my financial and business accounts.

I use a VPN (Cloak for Mac) when I'm not on a "safe" network. All of my traffic in and out is encrypted.

I don't carry my "main" wallet with my business debit card. I carry my personal checking account card, and smaller limit credit card, which I keep small balances in.

Perhaps I need to open a secondary paypal account solely for Paypal (I hate Paypal but there are some situations where I have to use it).

The biggest thing that scares me is someone managing to get into my business accounts, as that's where the damage could be done. I think I'll start paying for anything on Credit Cards, and keep the business debit cards locked up safely.

Thanks for the wake up call, and I hope your situation gets cleared up quickly.
 

Brandon Parker

All or nothing
Speedway Pass
Apr 16, 2015
34
67
118
23
Anchorage, AK
One very very simple thing you left out is.... keep your shit updated. Especially browsers. Many exploits come from things like Firefox, Chrome plugins, Flash player, etc. Whether you are running sudo apt-get upgrade or on Windows, figure out how to keep your system up to date consistently.

Also, HTTPS Everywhere. It's a Chrome plugin that automatically makes every connection to a website secure. It's super easy to install.

Thanks for this post, I've been slipping on the security aspect. I seem to think Linux will protect me forever, but it won't. Getting a VPN right now. Also, the Lastpass thing is brilliant. I use the same password for everything and now that I think about it, if somebody got that password, I'd be pretty F*cked.
 

ddzc

Gold Contributor
Speedway Pass
May 22, 2012
579
1,216
388
Toronto
Hey everyone,

I want to share a little story. I'm in the domain investing space, as a side hobby and just found out about a story where a hacker stole a domain from someone. All of the information was revealed and how it happened.

1. Domain was hosted with Godaddy. Whois information was wide open for inquiry reasoning from interested buyers and prospects who may want the domain
2. Domain was linked to an aol email account
3. Hacker got into his email address, immediately changed all of his personal information including his backup email to ensure the original owner couldn't recover it in a short time span
4. Hacker went to godaddy, reset the password with the email account he now had access to
5. Hacker transferred a domain out of the account and into his own
6. Hacker had the opportunity to steal up to 1000 names. This could have gotten really ugly! But he only took one
7. Hacker updated the whois with different information and a valid email
8. Original owner reached out to a lawyer for advice and was advised that it would cost him 15K to file a lawsuit. Domain was worth around 4K. Not worth it
9. Original owner decided to send an email to the hacker to try and buy it back from him or get it back by some other means
10. Hacker replied via mobile (he had the original owner's number). Probably used a voip or fake number, which is easily obtainable with third party apps
11. Hacker requested $1500 in bitcoin to be received the same day or the domain was getting sold off on the darkweb
12. After several days, the original owner got the domain back for a very small fee

The hacker also provided information to him upon request on how he got in. We can all learn from this, which is why I'm sharing this.

The hacker obtained his credentials from the LinkedIn hack which occurred back in 2012. The domain owner was using the same password for his email address which was linked to his LinkedIn account. Back in 2012, 6.5 million passwords were leaked onto the dark web. They were sold to guys like this hacker for a couple grand. This hack happened just two weeks ago.

Pay attention to the news in the cyber world and always stay informed. Act immediately when these data breaches occur. Linkedin, Yahoo, Ashley Madison, all of these big sites were hacked and your email/passwords are available on the darkweb for purchase, RIGHT NOW. It takes me 5 mins to use tor and gain access to the darkweb and purchase these myself. If you have any accounts from any of these sites which were compromised, and your passwords are the same for your banking, paypal, shopify, email, cpanel, domain accounts, etc etc, you need to act now. Change them to something different immediately, today!
 

Justin Gesso

Bronze Contributor
Read Millionaire Fastlane
Speedway Pass
Jun 4, 2014
122
157
156
Colorado
Great thread. Sorry this happened to you.

Recently, my parents got hit with a ransomware-like virus. Basically, it encrypted most files on their computer, including photos, videos, Office documents, etc. Their backup was a local USB hard drive. Unfortunately, the virus also went out to that and locked up their backups.

They never got the prompt to pay the ransom and receive an unlock key, which meant they lost their entire digital life.

About 10 years of photos...gone.

All of the files they put together over that time...gone.

My mom was working on a book for the last 3 years and was almost done. That got wiped out, but we found a few older versions she had sent in email.

Basically, this was absolutely devastating and they felt robbed. They would have paid a huge amount to get these personal files back.

We had numerous people (including some of my A-class software engineer buddies in India) try to recover their files with no luck.

My Security Recommendations as a Result:

  1. Follow the things already mentioned here in this thread, namely LastPass, password best practices, Google 2FA.
  2. Test your backup and recovery solution.
  3. Use multiple backup solutions, including cloud.
  4. In the postmortem of this event, it was determined the virus came in through a shared Microsoft Word doc. Since my parents were using Office 2007, they were vulnerable. So...don't use end-of-support software. They've since upgraded to Office 365. Use cloud apps where possible.
A simple solution is to go Chromebook + cloud apps with solid password practices.
 

devine

Bronze Contributor
Read Millionaire Fastlane
Apr 16, 2015
761
137
0
Russia
Thanks for the heads-up, men.

I didn't click "like/thanks" on some of the posts because although valuable, they made me feel uneasy. Especially that con man paying with sheets of blank paper in New York (thank heavens for the fat guy getting out of a BMW i8 thread in the funnies section, did wonders to clear my mind).

It appears that the best course of action for securing online business activities is to get a cheap netbook with a LAN port (for wired connections only), then install Linux and the other apps and safety precautions that posters in this thread recommended. Get all the games, CAD software and everyday use stuff on your proper computer with less hardcore security to protect your sanity. As a matter of course, your business and private bank accounts should also be separate.

A burner phone is a great idea, but it might be a total PITA to pull off in today's world of ubiquitous "anti-terrorist" government spying.

How about TOR for browsing? I'm not much of an expert in computer security, but it makes your device almost untraceable, right? Does that help in terms of not getting your money stolen? I've never used it because it's supposed to make your connection slower.
TOR is quite traceable, it's just harder to trace your steps.

For any money transfers I use a clean KIS-protected laptop with DNS encryption > direct cable connection with IPv6 disabled > VPN > bank software 2-step authentication from a clean cellphone with a single-purpose SIM card > virtual keyboard.
I have a previous history of losing quite significant amounts of money (much more than J) due to not complying with more advanced security measures. I do quick shopping from an account with a ~500$ transaction limit from my regular devices so I don't lose too much.
For any communications I need to be completely safe in, I use the Telegram messenger with a SIM card that is registered to a non-existing person.

Those are very basic measures to stay safe; if you deal with really serious stuff, it's worth hiring a specialist to set up a more protected environment for you.
 

devine

Bronze Contributor
Read Millionaire Fastlane
Apr 16, 2015
761
137
0
Russia
Is this a story you want to tell? How did that happen?

A Linux machine for online banking sounds like it's the way to go. There's so many routes someone can take into your computer, it's quite frightening.
I got hacked two times; the first one was via IPv6 exploits. The second one (I won't tell all the steps and all the details due to the harm it can cause) involved quite a decent amount of personal research, social engineering a 3rd person, hacking his *won't mention software name* account and just completely clearing me out.

Always use whois privacy on all your domain names. Avoid using your real name as long as you possibly can. Don't ever mention anywhere how much money you make or give any hint on it, until you're 200% positive you can handle that.
You will be found. You will get hacked. And this is not the worst that can happen.
 

TheNextTrump

Bronze Contributor
Read Millionaire Fastlane
Jun 7, 2012
102
152
144
Omaha, NE.
Crazy timing, I spent a few hours yesterday updating all of my accounts tied to finances.

It's truly scary how easy it is for people to hack your accounts and take you to the cleaner. Sorry to hear about your experience OP, and thank you for sharing some knowledge on the subject.

I updated all user names and accounts, all different long and unique.

I also transferred all accounts to a new email that I dedicated strictly for finances, which will only be used for those accounts.

Do you guys think it's dumb to have ONE solo email connected to all finance accounts? Or should I have individual emails for each separate account?

-My thought was, as long as I don't use it for anything else it should be fine....

Also used any second and third step authentications that were available. Pin codes, phone verifications etc.

_______________________________

Lastly, I've dedicated 2 smaller credit cards that will be used for any scenario where I feel at risk. Both have a credit limit that CAN'T BE BREACHED lol.


---Here I thought I was a paranoid nut, but this tech safety shiz is the real deal. Never worried about it until I had some coin, now it's a super big deal.

Stay safe out there my friends, and be stupid cautious when using cards ANYWHERE, skimmers are literally popping up around every corner.
 
The-J

Legendary Contributor
EPIC CONTRIBUTOR
FASTLANE INSIDER
Read Millionaire Fastlane
I've Read UNSCRIPTED
Summit Attendee
Speedway Pass
Aug 28, 2011
3,593
8,506
1,966
Ontario
Solid thread. No one takes security seriously until they're the victim of a crime such as this. Great advice in here bud.
That's the sad thing. MJ talks a lot in his book about due diligence. Pretty much all the examples in the book actually happened... to HIM.

I think everyone has some sort of twinge of "It'll never happen to me", no matter what it is. Thank god it was only $1200, and I got a fair bit of that back. What if I had gotten completely cleaned? What if they got access to my Stripe account and changed the payment recipient?

It's funny how we experience these kinds of things and it isn't until it's too late that we decide to do something about it.
 
The-J

Legendary Contributor
EPIC CONTRIBUTOR
FASTLANE INSIDER
Read Millionaire Fastlane
I've Read UNSCRIPTED
Summit Attendee
Speedway Pass
Aug 28, 2011
3,593
8,506
1,966
Ontario
This news is a little late.

EQUIFAX, one of the Big 3 credit bureaus, just got hit with a data breach.

If you have ever checked your credit score with Equifax, your data may be compromised. If you have used Equifax's online systems, your data may be compromised.

Massive Equifax data breach hits 143 million - BBC News

WHAT GOT STOLEN?

It's unclear at the moment, but it includes credit card numbers and personally identifying information. There isn't any evidence that commercial credit reporting has been compromised, but if it has: your business might be at risk.

WHAT DO YOU DO?

If you think your data has been compromised, you may benefit from putting a credit freeze on your account. Call up one of the credit bureaus and request a credit freeze. What this will do is prevent anyone (including yourself) from taking out additional debt in your name.

You may remove this freeze at any time.

https://www.equifaxsecurity2017.com/

Use this site (which is run by Equifax themselves) to check whether or not you have been affected. If you have, you will be provided free credit monitoring by Equifax, with the ability to request a credit freeze.

If your credit card info has been compromised, don't fear. Figure out which credit card you used by giving them a call (just ask for the last 4 digits) and report the card as lost or stolen. You'll get a new one in the mail in about a week or so. If you think you might be in trouble, don't F*cking wait!

If you try to call Equifax today, I guarantee you'll be put on hold and left there for several hours. You're not going to get a hold of a real person very easily just because of the size of this hit. Do it anyway.

NOTE: There is a chance that this hack is bigger than Equifax is willing to say. If that's the case, then we could be talking about an incident of cataclysmic proportions. We could be talking about a hit to the credit reporting system as a whole.

---

I guess I'll use this opportunity to talk about identity theft and how F*cking damaging it could be.

Identity theft is simply the use of someone else's identity in order to get something. Credit, loans, or even using one's name to commit a crime. Typically, identity theft is committed by the friends and family of the victim. However, data breaches are different.

Data breaches are like gold mines for identity fraudsters. Oftentimes, the people who get hit are caught unaware because they don't know that their info has been caught in the breach!

Equifax announces that 209,000 customers were affected, however BBC estimated it could be up to 143 million people. That's more than a third of the population of the US. Is a 1 in 3 coinflip a chance you're willing to take?

If someone knows your legal name, DOB, and your social, they could take out loans in your name ranging from credit cards to mortgages. If they go delinquent, this affects your credit score and it could take years for it to recover (even after you get it all sorted out).

Identity theft insurance might help you, and Equifax is offering this to people affected. However it's not a foolproof solution.

---

Please don't WORRY. ACT. If you think you might be in trouble, go to https://www.equifaxsecurity2017.com/ and check to see if your information has been breached.

Other data breaches have happened recently. Check out Have I Been Pwned ("Check if your email has been compromised in a data breach") to see if your email has been compromised.
 

The-J

Legendary Contributor
EPIC CONTRIBUTOR
FASTLANE INSIDER
Read Millionaire Fastlane
I've Read UNSCRIPTED
Summit Attendee
Speedway Pass
Aug 28, 2011
3,593
8,506
1,966
Ontario
I think the whole have a strong password thing is kind of a joke.

Most of these hackers attack larger databases and get 1000's or millions of passwords and info at one time. So it doesn't matter if you have the most difficult password in the world, it's reduced to 1's and 0's somewhere, and that's the easiest place to get the password.

Just like seeing people worried and covering their PIN code at ATMs and gas stations. Meanwhile the actual threat is that the ATM or card reader itself has been compromised.

Yes, it's good to have good passwords. It is better to limit exposure to an attack, so not having your PayPal account linked to a larger account, etc. Or using credit cards, since they offer better protection when your account is compromised. I know lots of people don't realize the huge inconvenience and possible loss between getting money stolen from a debit card vs. a credit card. Debit card theft will require the bank to investigate, and if they see that the money was stolen using your PIN number you are most likely out of luck if you get anything back at all. This is all after they investigate, checking cameras etc., which can take time. As opposed to credit card theft: one call, they will go over the fraudulent charges, issue you a new card, and off you go.
Strong passwordS. As in, different passwords for each site.

The real threat is not just getting one account hacked, it's a hacker getting access to your password, running your email address through a tool that searches websites that have an account with that address, then trying that one password in every site (and successfully breaking in).

You can't prevent data breaches, and you can't fix another business's security, but you can minimize the damage done.
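To see how far one leaked password reaches, here is an added example (not from the thread) that audits a password-manager CSV export for reuse and lists which other accounts fall if a given site is breached. The column names and all sample rows are constructed; adjust them to whatever your manager exports.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample in the shape of a password-manager CSV export.
SAMPLE_EXPORT = """site,username,password
linkedin.com,me@example.com,Summer2012!
mail.example.com,me@example.com,Summer2012!
registrar.example,me@example.com,Summer2012!
paypal.com,me@example.com,kV9#tq2LmZ0p
forum.example,me2@example.com,hunter2
shop.example,me2@example.com,hunter2
"""


def find_reuse(export_text):
    """Return clusters of sites that share one password, largest first.

    Passwords are compared through a keyed fingerprint (HMAC with a random
    per-run key), so the report never contains the passwords themselves.
    """
    key = secrets.token_bytes(32)
    clusters = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        tag = hmac.new(key, row["password"].encode(), hashlib.sha256).hexdigest()
        clusters[tag].append(row["site"])
    reused = [sorted(sites) for sites in clusters.values() if len(sites) > 1]
    return sorted(reused, key=lambda sites: (-len(sites), sites))


def blast_radius(export_text, breached_site):
    """Sites that share a password with `breached_site` (empty if unique)."""
    for sites in find_reuse(export_text):
        if breached_site in sites:
            return [s for s in sites if s != breached_site]
    return []


if __name__ == "__main__":
    for group in find_reuse(SAMPLE_EXPORT):
        print("same password:", ", ".join(group))
    print("if linkedin.com leaks:", blast_radius(SAMPLE_EXPORT, "linkedin.com"))
```

Every site in a cluster needs its own new password; an empty result from `blast_radius` means a breach at that site stays contained to that site.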
 

eliquid

( Jason Brown )
EPIC CONTRIBUTOR
Read Millionaire Fastlane
I've Read UNSCRIPTED
Summit Attendee
Speedway Pass
May 29, 2013
1,495
7,296
1,716
Louisville - Kentucky
I have been going through a recent update of all my laptops/desktops too recently.

And yes, it's more about different passwords on each site/service than character length because of breaches on other sites, stolen data, hacked/leaked databases, etc. About once a month I have a few different services alert me my data was found on the dark web or some hack site.

When I go look, it's always breaches at forums, stolen info from big companies, etc. So what's the point of me doing all I can on my end, when hackers are stealing it on the other end....

While you want your password to be long and complex to keep the weak sites from having hackers guess your passwords on the front end ( strong sites ban multiple attempts and have other safeguards ), you also need different passwords for when someone breaches the backend of these sites too.

Some things I have also recently done that not many talk about are:
  • Put a freeze on all my credit reports.
    • Let's assume someone does hack into a few sites and gets a lot of my info. What's the worst they can do? Steal my identity for one. And with that the biggest issue is financial fraud. Locking my credit pulls/reports/use at all 3 bureaus should block all of that possibility.
    • This freeze stays frozen until I decide to undo it. Which will prob only be the next time I look into buying another home or another car which will be a long time from now.

  • Change out my emails ( and usernames if I can ) every year.
    • As a marketer, I have maybe 30+ emails. If you are a marketer ( especially one that freelances ) you know what I am talking about here. Generally most lists of hacked data contain your password, but what else? YES YOUR EMAIL ( or username ). While the data separately can be used, let's face it... these people are using both to try to hack in and steal more data and collect info on you.
    • So why not change your email too? If they try to log into your Amazon account it won't work because the email is wrong. If they try to email you malware you won't get it since you might be on your new email now.
    • I'm looking to change my email once a year. I will still keep my personal email since it may be hard for family or connections to remember to email me at my new email, but any and all websites/apps/SaaS/etc will get the new email.

  • Mass deleting software, apps, files, zip archives, etc that I haven't touched in X months/years.
    • Bad things can live in these apps and zips. Hidden malware, trojans, etc.
    • Having a ton of software can potentially open up areas prone to attack on your computers and phones. The less you have, the better off you will more than likely be.
 

tspzo

New Contributor
Read Millionaire Fastlane
Jul 31, 2016
9
14
19
New York
All my passwords are unique for each site, and they're all diceware phrases. You roll dice and the numbers correspond to random words, symbols and numbers, forming a sentence. For example, "Timid @ cement 1776 gag you're beaches" is easier to memorize than a random string of characters. No password left on your clipboard and it's a strong one, good luck brute forcing that.
I've got a Windows 10 drive with nothing valuable on it; I don't care what happens to it. I've got a separate Manjaro drive for important stuff. I like Manjaro because you get a lot of tools with the installation and if you need more you get them from a secure source (AUR), and there's the benefit of not being susceptible to Windows malware, although it's by no means a tight ship.
Here's something to remember, though: a truly motivated hacker CAN get your shit. The most motivated hackers use social engineering to find the weakest link in the chain: stupid humans with access to your accounts.
People who think their systems are impenetrable are the ones who are victimized the most. Maybe they do have decent software, but the peace of mind that comes with it makes them prime targets for social engineering.
There's a guy named Derren Brown who made a video where he'd simply ask strangers to count from 0 to 10 and then guessed their phone passcode based on the ways those people pronounced the numbers. They didn't realize they'd given away their passcode. I can't find the video, but here's one where he pays for stuff with blank paper.
He maintains that this is done on the unsuspecting and skeptical. Prime targets.
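The dice-to-word mapping described in the post above, as an added example that is not the poster's own code: each group of dice is read as a base-6 number that indexes a word list, and the strength comes from the list size and word count. The 36-word list here is constructed so the block fits on the page and shows the mechanics only; a standard diceware list has 7776 words (five dice per word).

```python
import math
import secrets

# Constructed 36-word demo list (6**2 entries, so two dice pick one word).
DEMO_WORDS = """timid cement gag beach anchor violin
pepper lantern crater mosaic walnut drizzle
copper saddle thimble orbit glacier puddle
hammock radish tunnel velvet quarry bison
magnet cobweb fiddle harbor juniper kettle
lizard nutmeg oyster pigeon ribbon sandal""".split()


def dice_per_word(wordlist):
    """Number of dice needed to index the list; it must hold 6**n words."""
    n = round(math.log(len(wordlist), 6))
    if n < 1 or 6 ** n != len(wordlist):
        raise ValueError("word list length must be a power of 6")
    return n


def word_for_rolls(rolls, wordlist=DEMO_WORDS):
    """Map die faces (1-6) to one word by reading the rolls as base 6."""
    if len(rolls) != dice_per_word(wordlist):
        raise ValueError("wrong number of dice for this list")
    index = 0
    for face in rolls:
        if face not in range(1, 7):
            raise ValueError("die faces are 1..6")
        index = index * 6 + (face - 1)
    return wordlist[index]


def roll_passphrase(n_words, wordlist=DEMO_WORDS):
    """Roll software dice with the OS CSPRNG and return the chosen words."""
    n = dice_per_word(wordlist)
    return [word_for_rolls([secrets.randbelow(6) + 1 for _ in range(n)], wordlist)
            for _ in range(n_words)]


def entropy_bits(n_words, list_size=7776):
    """Bits of entropy for n independently rolled words from the list."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(" ".join(roll_passphrase(6)))
    print("6 words, 7776-word list: %.1f bits" % entropy_bits(6))
    print("6 words, this demo list: %.1f bits" % entropy_bits(6, len(DEMO_WORDS)))
```

The entropy figure only holds when the words are actually chosen by dice or a CSPRNG; picking words you like, or rerolling until the phrase "sounds good", lowers it.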
 
