PayPal fraud!

E65Ross

Original Poster:

34,946 posts

211 months

Wednesday 23rd November 2016
CoolHands said:
No help but out of interest how good was the password? Since I've started using lastpass I've made some high-risk websites like ebay and paypal extremely secure with long random character passwords.
A definite help.... I've just downloaded that, have changed my PayPal password yet again to something even more secure. My original password was 10 characters long, 1 number, 1 symbol, 7 lower case and 1 upper case letter....

Over the next few days I'll use lastpass to generate some lengthy secure passwords and have a different password for each account, and 1 secure password for my lastpass account.

Ultimately you want that password to be very secure, do you just choose one, or do you have a totally random password for that? I could always generate a secure one, and keep that in a spreadsheet file/document on my pc which could be encrypted, but not sure if that's a bit far? Many thanks for that!

Oh, and do you regularly change passwords for various accounts?

CoolHands

18,496 posts

194 months

Wednesday 23rd November 2016
I wouldn't use another password programme to remember the lastpass master password. I just trust lastpass to do their job properly (which they do). So you just need one decent master password for lastpass, and don't forget it!

I use different passwords for all websites / forums etc. For forums I just use 8 or 10 random letter passwords as I'm not worried about them getting cracked, and if you ever need to type them in (on your phone for example) you don't want it too difficult to type.

But as I say, with high risk ones like paypal I use 12 or 14 random character including symbols (you can choose whether or not to include symbols when generating the password) passwords that you copy & paste when required. I change those ones periodically approx every 6 months.

E65Ross

Original Poster:

34,946 posts

211 months

Wednesday 23rd November 2016
CoolHands said:
I wouldn't use another password programme to remember the lastpass master password. I just trust lastpass to do their job properly (which they do). So you just need one decent master password for lastpass, and don't forget it!

I use different passwords for all websites / forums etc. For forums I just use 8 or 10 random letter passwords as I'm not worried about them getting cracked, and if you ever need to type them in (on your phone for example) you don't want it too difficult to type.

But as I say, with high risk ones like paypal I use 12 or 14 random character including symbols (you can choose whether or not to include symbols when generating the password) passwords that you copy & paste when required. I change those ones periodically approx every 6 months.
That's great. I've just changed my PayPal password for something that's as secure as they'll let me (20 characters max, includes numbers, symbols etc) as well as my amazon and American Express passwords. When I get the chance I'll use it for all various accounts.

Good to be able to choose password length etc and it's good being able to copy/paste the password from either the web browser plugin on the computer or their app which I've now got on my phone.

Great recommendation which I really appreciate. Feel a bit more confident now! Time will tell. I'll keep you posted as to what happens with that £500 transaction and whether any other suspicious activity takes place over the next week or so.

Otherwise, is there anything else worth doing? Cheers.

Edited by E65Ross on Wednesday 23 November 22:05

Fore Left

1,411 posts

181 months

Wednesday 23rd November 2016
The Lastpass Android app works pretty well once you've added the websites you need to log into to the Internet app entry the first time you need to log in (Lastpass only sees the app not the individual websites). It works flawlessly with other apps (like Paypal, eBay and Amazon) as it knows what id/password to associate them with.

E65Ross

Original Poster:

34,946 posts

211 months

Thursday 24th November 2016
the only issue is you can't generate a password from within the "vault"/website. You need to use either the phone app or the browser plugin. No real biggy but it'd be nice to be able to do it from within the vault.

I've used it to change various passwords today and tomorrow when I get more time I'll do lots more. I've changed my bank account login password (and security questions), paypal, amazon, my American Express and facebook....need to change email, ebay and a few others which also store my card details.

Thanks so much for the recommendation....great programme!

CoolHands

18,496 posts

194 months

Thursday 24th November 2016
It's sometimes a bit awkward to use, in various ways. But overall it's worthwhile. But you can generate inside the vault - click on the three small dots on the bottom left of the screen, below where the gear cog symbol is. Then click Advance, and nearly at the bottom of the next screen is Generate Secure Password.

E65Ross

Original Poster:

34,946 posts

211 months

Thursday 24th November 2016
CoolHands said:
It's sometimes a bit awkward to use, in various ways. But overall it's worthwhile. But you can generate inside the vault - click on the three small dots on the bottom left of the screen, below where the gear cog symbol is. Then click Advance, and nearly at the bottom of the next screen is Generate Secure Password.
I don't seem to have that option, oddly!

I've just upgraded to premium....not because I need to, but I figure they're offering a decent service so only fair to pay for it, it's very cheap too. No ideas on the benefits between premium and free versions, though!

E65Ross

Original Poster:

34,946 posts

211 months

Thursday 24th November 2016
Hmmm, I wonder about sending some prank mail to Mr Dwayne Wood, in Birmingham? Since he'll likely pick the mail up, whoever it is? hehe

E65Ross

Original Poster:

34,946 posts

211 months

Thursday 1st December 2016
Well, just to cap this thread off....

The money cleared into my PayPal account yesterday and I immediately transferred it back to my bank....so no money lost in the end.

I have been religiously using Lastpass with every single account I have, and every account has a totally different password. For the sites that utilise it (Gmail, Amazon, PayPal, Lastpass, Facebook...) I am now using 2-way verification using the authenticator app on my phone. My only concern with this is if I happen to lose my phone....or what happens when I upgrade my phone? I'll have to go into each website and change that somehow I'm guessing? It'd be worse if I lose the phone, I'm guessing when you change phones you can still access it using the old phone, then change the settings from within the site to allow a new device, but getting in without the old device (if it's been lost) would be harder. I've also changed all my security questions etc and, in some instances, the answers are somewhat different to the questions, but in the notes section in the site on lastpass I have the answers there.

Thanks for the help chaps, certainly an eye opener and I now feel MUCH more secure. I haven't really checked yet, but I'm guessing you can log into lastpass on a machine that doesn't have the lastpass browser plugin via their website?

Finally....how often does one change their master password? At the moment mine is pretty secure, and what with requiring 2-way verification I'm not sure how anyone with my password could access my vault anyway....?

Cheers

CoolHands

18,496 posts

194 months

Thursday 1st December 2016
Yes you can log onto the website from any computer to access your vault. You can change your master password by clicking on the cog symbol bottom left of screen (when logged on the website); or bottom right of screen when on the phone app, and click on 'Your Lastpass Account'.


PositronicRay

26,958 posts

182 months

Thursday 1st December 2016
What happens if lastpass gets hacked?

E65Ross

Original Poster:

34,946 posts

211 months

Thursday 1st December 2016
PositronicRay said:
What happens if lastpass gets hacked?
All of your passwords are encrypted locally, not on their end, so even if they got hacked, they wouldn't get your passwords anyway. Is that what you were asking? Or do you mean if someone got my lastpass password? If so....then they still need to pass 2-way verification.

PositronicRay

26,958 posts

182 months

Thursday 1st December 2016
E65Ross said:
PositronicRay said:
What happens if lastpass gets hacked?
All of your passwords are encrypted locally, not on their end, so even if they got hacked, they wouldn't get your passwords anyway. Is that what you were asking? Or do you mean if someone got my lastpass password? If so....then they still need to pass 2-way verification.
Thanks, I understand.

Sorry for the numpty questions, what happens if I need to log on from another device?

E65Ross

Original Poster:

34,946 posts

211 months

Thursday 1st December 2016
PositronicRay said:
E65Ross said:
PositronicRay said:
What happens if lastpass gets hacked?
All of your passwords are encrypted locally, not on their end, so even if they got hacked, they wouldn't get your passwords anyway. Is that what you were asking? Or do you mean if someone got my lastpass password? If so....then they still need to pass 2-way verification.
Thanks, I understand.

Sorry for the numpty questions, what happens if I need to log on from another device?
You can log into it from anywhere with your master password. If, like me, you set up 2-way verification, you will still need your phone to generate a code to enter to get into the vault. You can "trust devices" for 30 days though...where it checks your IP and if you've saved that device as a trusted device you won't need to keep entering a code, but if someone else gets your password and tries logging in elsewhere, then they will need the 2-way verification code.
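
The authenticator-app codes described in the posts above are typically time-based one-time passwords (TOTP, RFC 6238). The following is an added example, not part of the thread: it shows that the code is derived from a secret stored on the phone, which is why a replacement phone has to be given that secret or re-enrolled on each site. The secret is the constructed RFC test key and the one-slot drift window is an assumption.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226/6238 test key "12345678901234567890" in base32.
# A real secret is random and is shown once, as the QR code scanned at enrolment.
ENROLLED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code an authenticator app displays for this secret at this time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // step)      # 30-second time slot
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check; accepts +/- `window` slots of clock drift (assumed)."""
    for drift in range(-window, window + 1):
        t = unix_time + drift * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step), submitted):
            return True
    return False


if __name__ == "__main__":
    now = 59
    old_phone = totp(ENROLLED_SECRET, now)
    print("old phone:", old_phone, verify(ENROLLED_SECRET, old_phone, now))
    # A replacement phone only works once it holds a secret the site knows:
    # either the same secret is transferred, or 2FA is re-enrolled per site.
    fresh_install_secret = base64.b32encode(b"constructed-new-key!").decode()
    new_phone = totp(fresh_install_secret, now)
    print("new phone:", new_phone, verify(ENROLLED_SECRET, new_phone, now))
```

Sites that offer backup or recovery codes at enrolment provide the fallback for a lost phone; those codes belong somewhere other than the phone itself.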

Perik Omo

1,883 posts

147 months

Monday 5th December 2016
Late to this thread but my PayPal account was "hacked" last week too. Had about €1800 spent at a French online retailer. They made a small credit to the account of €1,79 and then later the same day made three large purchases. I only found out when I started to get purchase confirmations in my email, the address used looks to be a restaurant below some apartments in 75019 Paris. The Paypal account had been set up by me in February to purchase some luggage labels from the USA and Paypal was the only way to pay and hadn't been used since. Had good service from my bank who stopped any payments going to Paypal and cancelled/re-issued my debit card. I notice that PayPal have done something to my account as I can no longer access it to see what's happened to the transactions, I did report the frauds to Paypal but never heard anything from them.

E65Ross

Original Poster:

34,946 posts

211 months

Monday 5th December 2016
Perik Omo said:
Late to this thread but my PayPal account was "hacked" last week too. Had about €1800 spent at a French online retailer. They made a small credit to the account of €1,79 and then later the same day made three large purchases. I only found out when I started to get purchase confirmations in my email, the address used looks to be a restaurant below some apartments in 75019 Paris. The Paypal account had been set up by me in February to purchase some luggage labels from the USA and Paypal was the only way to pay and hadn't been used since. Had good service from my bank who stopped any payments going to Paypal and cancelled/re-issued my debit card. I notice that PayPal have done something to my account as I can no longer access it to see what's happened to the transactions, I did report the frauds to Paypal but never heard anything from them.
If you can't access it, it's possible the hackers have changed your password. I'd definitely be back on the phone to PayPal.

In other news related to this thread, I have downloaded a programme called VeraCrypt....it's basically an encryption programme where you can create a file of any given size, and using VeraCrypt you can open it as if it's like a portable hard drive. You just have to set a password for it and use that to open it. Once you close it, the effective "portable hard drive" disappears and any files stored within it are hidden. I've created a spreadsheet which is effectively a copy of everything in my LastPass account. I've done this if, just in case, LastPass goes down or for some reason I can't access it or for any other reason.

I used to use TrueCrypt years ago but that's now defunct, but this seems almost identical, and it's a very good piece of kit.

Must say I'm loving LastPass....little more hassle but definitely feeling a lot safer with it. I have also made it so my browser doesn't store my passwords, cookies or any history at all....which can't hurt. Just means a bit more typing.

E65Ross

Original Poster:

34,946 posts

211 months

Sunday 16th April 2017
Since this hacking business I've become a bit of a stickler for security now.... Perhaps a bit obsessive but better that than the other way.

I have obviously set up lastpass for every single one of my accounts with totally different passwords for every account (where possible every password has totally different characters and 30 characters long), I run a VPN software on both my computer and my phone, I also have changed my WiFi password for my router at home to a code generated by lastpass.....

Probably a bit over the top but after what happened with PayPal I'm quite concerned with security. Even my secret recovery answers for when you forget a password (eg "name of your first school") is just a random code using lastpass for every different account. I also use 2-way authentication for my email, PayPal, Amazon etc.

Question though..... What would you do if you're away and lose your phone or something and can't access lastpass? I suppose you're stuck?

Also.... When changing my phone..... What will happen with the 2way authentication?

anonymous-user

53 months

Sunday 16th April 2017
One thing to remember is that VPNs can leak data. Always use the best one and research. I personally wouldn't use one, 2FA is better I think.

E65Ross

Original Poster:

34,946 posts

211 months

Sunday 16th April 2017
I use Private Internet Access as my VPN. I know they can leak data but using various browser plugins (like safescript, https everywhere) can help make things more secure.

I use 2fa wherever possible, but not all websites feature that (such as pistonheads.com, for example!).

Cheers

Perik Omo

1,883 posts

147 months

Monday 17th April 2017
I'm still suffering the fallout from my Paypal hacking, I found out last week that a loan has been taken out with Sainsburys Finance in my name but at my daughter's old address (the only link for me to that address is that I was joint mortgage holder with her for a short time). I've notified them and have been asked to "urgently" speak to Sainsburys Finance fraud department tomorrow as they don't work over Bank Holiday. There was also a loan application with Capital One at the end of last year which I haven't yet managed to get removed from my credit record after 'phoning and writing to them telling them that it's nothing to do with me.

After the hacking last year I started to use 1Password for everything and it's now second nature and very easy to use.