'I fought the Dark Web and the Dark Web won' Author documents dive into internet basement after ID theft

realclearinvestigations.com ^ | 2/3/2021 | John Wasick

[rktman]

A lot of people would be disgusted and 🤢 by some of the things that go on out there. Libs, probably not. Even participants.

[rktman]

Thanks.

[sergeantdave]

For what it’s worth, I finally set up a yubikey to access certain sites.

Yubikey seems to be a “no-brainer” security device to create another level of security. Once yubikey recognizes your computer and the site you’ve registered with, there’s no way anyone can hack into your account without the yubikey. Or at least, that’s what I’m told.

To access a site, you must physically plug the yubikey into your computer and then tap it when prompted.

I’ll now go cross my fingers and rub my lucky rabbit’s foot, just in case.

[Sequoyah101]

Can you recommend a place I can read more about this security? I have the padlock and it is clickable.

[fr_freak]

I use the same password on all chat boards, and hackers probably know it.

I'm convinced that there are a fair number of FR accounts, especially unused old ones from 1999 or so, that have been taken over by trolls, and my guess is that it wasn't difficult for them to guess the password. The concept of strong passwords isn't as well embedded in certain age demographics, especially back in 1999, and I'm guessing that many passwords for the first accounts were something along the lines of "mypassword".

[Vaduz]

Thieves kept getting my information.
Every agency or company has a long list of names and information more often tan not it’s sold not stolen.
Ever winder how so many lap top of business people get lost?.
It even happens with the FBI.

[Organic Panic]

The benefits of having an Eastern European name that was mispelled on immigration papers has its benefits. Hard to steal your identity.

[palmer]

Meant to say emais, not passwords. Password generators are useless if a site is hacked because the hackers have everything they want from the site, whether or not they want the passwords. If they want those they would capture them clear as they arrive.

Having a different random password for every site is nice, but it is equivalent in security to using gibberish1, gibberish2, etc. Your adversary only gets a few tries in a properly designed site and won't guess. If the site is not properly designed and insecure then nothing will save you from having all your personal info stolen.

[BiglyCommentary]

That web site has a lot of good info. Click around the top links.

What,who, when, where. Here's an example. Notice the info about passwords.

Adobe


In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.

Breach date: 4 October 2013
Date added to HIBP: 4 December 2013
Compromised accounts: 152,445,165
Compromised data: Email addresses, Password hints,
Passwords, Usernames

[palmer]

The padlock tells you about the server you are connecting to. https://www.globalsign.com/en/blog/how-to-view-ssl-certificate-details But the issuer is also important.

My cert on ny throwaway website says "Issued by: Sectigo RSA Domain Validation Secure Server CA" That means I used one of the cheaper cert issuers and they validated my domain meaning I have control over the contents of the website (it could be malware, and they don't care).

OTOH when I click on the padlock for bbt.com it says "Issued by: DigiCert TLS RSA SHA256 2020 CA1" which a more expensive cert issuer and they check more about the company (BB&T) before they issue it. They won't give one to someone claiming to represent BB&T, the applicant would have to prove they are authorized by BB&T, a manual process which takes days. It's called business validation and it costs more often $100 or more per year versus $10 or less per year for domain validation.

[palmer]

Sorry, I meant to say email addresses. I looked up my old emai addreses. I didn't look up any passwords.

[palmer]

Yubikey seems to be a “no-brainer” security device to create another level of security. Once yubikey recognizes your computer and the site you’ve registered with, there’s no way anyone can hack into your account without the yubikey. Or at least, that’s what I’m told.

Yubikey is recognized by the server you are connecting to. Your computer is just he go-between. You can use the same yubikey on any computer (that's one of the advantages).

[Notthereyet]

“I’ve often wondered if Lifelock was reliable for protection.”
_______________________________________________

When I applied for a new account, before I even got out of the store, Lifelock had left both a text message, a voice message, and sent me an e-mail.

Before I finished applying for a car loan, the same thing happened. Before I even signed the paperwork.

Years ago, we used a card we use for our vet bill at a Lowe’s which was going out of business. AT THE REGISTER, we were advised our credit card wanted us to call them from the Lowe’s Customer Service.

The particular card company picked up it was NOT a vet purchase and wanted to make sure it was us making the purchase at Lowe’s.

My beloved did have one account compromised because he failed to have security measures in place; got it all taken care of and he’s better at it, now.

While I dearly hope we never have to use the ‘after ID theft’ part of Lifelock, I would imagine it’s good.

[GOPJ]

Very thoughtful thread... thanks for posting.

[Chode]

it's been done...