PayPal Account Hacked Lessons Learned

I did link a bank debit card
I suggest that you check with your Bank or Credit Union on the details of the Debit Card. Some Debit cards do not have the same fraud protection that a credit card does.
 
Thanks!

The password was considered fairly strong...upper case, lower case, special characters, fairly long, etc. I can't recall exactly, but I think it was one I forgot to change after an auction website I use got hacked and I happened to have the same user account and password. Again, two-factor authentication should have prevented that, so I have to take blame twice there.
While a bit of a bad practice, don't victim-blame yourself. The criminal is the one to blame.

I have used a random character generator I created in Excel to generate my passwords for the past twenty years. I also don't use the same password twice. Unfortunately, this creates passwords that are impossible to memorize so I have a master password list in Excel, password protected, of course.
It's been a long time since I've worked with Excel at a programming level, but at that time it was trivial code to crack Excel's sheet-level password protection. But otherwise this is pretty much what everyone should be doing.



If anyone is shopping for a password manager, include KeePass in your search. It runs locally (PC software), very good encryption, open-source with an active community to provide checks & balances. I have no affiliation, just a long-time user. They do not feature a native mobile app, but there are a few unofficial ports based on the same code. And if you want: you can use a cloud storage of your choice (Google Drive, Dropbox, OneDrive, etc...) for the primary or a backup copy of the encrypted DB file.

If you want to get really serious (regardless of which PM manager you choose): use a second-level cypher that only you would know. For instance: use a musical artist's song names for passwords. But instead of storing the literal song name in your password manager, use a cypher like album number and song number. So your password manager password entry would look like "2.3", which stands for Album #2, Song #3. And of course: the actual password (song name) should be made strong using various methods like character replacement (A->4, I->1, etc...), backwards, appending/prepending a particular char/s, etc...to ensure the actual password is complex. I'd suggest using a consistent method for this part.

Yes, it's a bit of work but about the best you can do (in addition to 2FA).
 
Good encryption is fine but remember that almost no bad actors attack an individual's system to hack passwords. Just not labor efficient. It is much more productive to find a weakly protected commercial system and get the passwords and usernames from there. Then test those usernames and passwords against other more desirable targets like banks and PayPal. Plenty of people re-use passwords and usernames and so this technique can work very well. I believe there is an entire economy built around stealing and selling username/password combinations. The two most important and easy ways to protect yourself are 1. Don't reuse passwords or use simple passwords (most systems don't allow that anymore) 2. Use Two-Factor Authentication whenever possible. This is when the site you are logging into sends you a one time code to your phone.

Of course this is not enough if you are a unique and valuable target like a bank manager or entrusted with government secrets etc. But for us average people, this will most often be enough.

BTW, I also do not have a bank account tied to my PayPal or Venmo and I have one account that I don't keep more than I am willing to lose in for automatic bill payments etc. Unique passwords are impossible to manage without some way to store them, like RJ. I personally use a commercial PW tool, 1Password in my case. Frankly that is more for the convenience of auto-entry of username and password than anything else.

It is sorta like how to survive a bear attack. You don't have to be faster than the bear, just faster than the others around you.
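As an added defender-side illustration of the credential-stuffing pattern described in this post (example code written for this page, not something posted in the thread): a small Python check over constructed login-log lines that flags a source IP spraying many different usernames with mostly failed attempts, and lists the accounts that did log in from it and therefore need a password reset. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2024-03-01T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2024-03-01T10:00:03Z ip=203.0.113.7 user=dave result=SUCCESS
2024-03-01T10:00:04Z ip=203.0.113.7 user=erin result=FAIL
2024-03-01T10:00:05Z ip=203.0.113.7 user=frank result=FAIL
2024-03-01T10:01:00Z ip=198.51.100.4 user=alice result=FAIL
2024-03-01T10:01:30Z ip=198.51.100.4 user=alice result=FAIL
2024-03-01T10:02:00Z ip=198.51.100.4 user=alice result=SUCCESS
"""

# Assumed log layout: "ip=<addr> user=<name> result=<FAIL|SUCCESS>".
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(\S+)")

def parse_events(text):
    """Turn log lines into (ip, user, succeeded) tuples; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m.group(1), m.group(2), m.group(3) == "SUCCESS"))
    return events

def suspicious_sources(events, min_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many distinct usernames with mostly failures.
    A user mistyping their own password hits one username from one IP,
    so it stays below min_users and is not flagged."""
    users, attempts, successes = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in events:
        users[ip].add(user)
        attempts[ip] += 1
        successes[ip] += int(ok)
    flagged = {}
    for ip, n in attempts.items():
        if len(users[ip]) >= min_users and successes[ip] / n <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(users[ip]), "successes": successes[ip]}
    return flagged

def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: their reused
    password likely matched a leaked one, so they need a reset and review."""
    return sorted({user for ip, user, ok in events if ok and ip in flagged})
```

In the constructed sample, 203.0.113.7 is flagged (six usernames, one success) while the user on 198.51.100.4 who retried their own login is not, and dave's account is the one to reset.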
 
I suggest that you check with your Bank or Credit Union on the details of the Debit Card. Some Debit cards do not have the same fraud protection that a credit card does.
I have most options blocked and transfers are limited to $25 (I can change if needed and switch back).
 
So I had a bank account linked, and unlinked it so long, long ago. I use my Discover card linked. I get $$$ back that way, and it works perfectly.
Also it is a secondary way to stop the flow of money if ever needed. The big question is ... how were you hacked??? Have you tried to figure that out?
 
Thanks!

The password was considered fairly strong...upper case, lower case, special characters, fairly long, etc. I can't recall exactly, but I think it was one I forgot to change after an auction website I use got hacked and I happened to have the same user account and password. Again, two-factor authentication should have prevented that, so I have to take blame twice there.
I never use the same user/password.
I use a program, KeePass, been using it for years. It hasn't let me down yet. It will provide passwords, you can configure it .. it allows auto-typing your password in apps. It prevents copy-paste from a memory hack. https://keepass.info/
I do not have the phone version .. I am not comfortable with phone security.


EDIT: BTW, do not use online password storage .. that is a danger in that if the system is hacked, so are your passwords. And trust me... I have seen so many systems even in major banks that there is always some idiot who doesn't understand that they are creating a hole...
 
I have used a random character generator I created in Excel to generate my passwords for the past twenty years. I also don't use the same password twice. Unfortunately, this creates passwords that are impossible to memorize so I have a master password list in Excel, password protected, of course.
You really want to use something that has excellent encryption, and also eliminates memory hacking/peeking.
 
Good encryption is fine but remember that almost no bad actors attack an individual's system to hack passwords. Just not labor efficient. It is much more productive to find a weakly protected commercial system and get the passwords and usernames from there.
100%. This is why I use a 2nd personal cypher: even if someone was able to get your password manager's master password or hack a cloud PM service: the saved password in the PM is only an indirect reference to the actual password.

Thieves suck.
 
I have most options blocked and transfers are limited to $25 (I can change if needed and switch back).
Forgot that I had the Debit Card blocked & limited to $25: it worked - I had to go into my banking app and unblock it so I could get a money order at the Post Office (thanks again @twhite). I then put everything back the way it was before leaving the Post Office; added a total of maybe a minute to my transaction (other than getting back in line).
 