Shame on me

I've been lax in my personal security. Until last week, I only had 5 or so passwords. 1 for bank-grade security sites that required a strong password, 1 for physical computers, a few old ones, and the kicker, 1 for everything on the internet. Evidently I either signed up for something not so safe, or authenticated in plain text somewhere unsafe. Or my "everything password" wasn't that secure.

Either way, someone guessed, stole, or cracked their way to my PayPal account, and bought a couple hundred dollars' worth of shareware via SWReg.org. The funds came from a savings account, so my first warning actually came from PayPal, who placed restrictions on my account after the first couple login attempts failed.

I called up to report the fraudulent charges, and while the woman did helpfully explain that I could have done this all without taking my fingers off the keyboard, it was a good thing. Besides being incredibly nice to someone asking questions from the FAQ, she also gave me a little spiel about their new security keys, and offered to send me one. Given my love of 1) free shit 2) security (present idiocy notwithstanding) 3) gadgets, I think you can guess my answer.

VIP token

It's a VIP token, a pretty badass little toy. You push a button and it generates a 6-digit number that's good for 30 seconds or so, which you use when you sign into your PayPal + eBay accounts. Not only that, but since it's made by VeriSign, you can add it to your PIP OpenID as well. Now, in addition to having changed all my internet passwords, I've got ridiculously strong security on anything that I sign into with OpenID. I'm using it for this site with openID+ v2.0 (released Friday), although the previous versions have been glitchy.

Unfortunately, I still haven't finished with PayPal yet. I have a premier account, which at some point required a land line. I no longer have a home phone, so they have to physically mail me something to restore my account. That's just for the restrictions, though. They've already refunded the fraudulent charges.

8 Comments

  1. Posted 12 Nov 2007 at 9:37

    I used one of those for a while. Except I found myself needing to log in away from home. And I couldn’t be bothered to carry it with me. There’s a way to bypass it by providing extra information, so I disabled it after a while.

    And now I’m thinking twice . . .

  2. Posted 12 Nov 2007 at 9:51

    yeah, I’ve got the thing clipped to my bag right now, since I don’t trust my keychain to not destroy the thing (I have a bike repair/bottle opener thing, and often bike to work). Being able to bypass it does seem foolish.

  3. Posted 12 Nov 2007 at 10:01

    I wrote a huge comment and the openID thing got me again. Not a big deal, but I was just sorry to hear this happened to you. I change my passwords relatively often and have to remember 3 or 4 back for the sites I don’t visit often. I wonder if it is worth having a list of sites to change and just do it once a month or so…

  4. Posted 12 Nov 2007 at 10:10

    lame. sorry about that. I’ve disabled openID for comments for the moment, then, until I can sort it out.

  5. Posted 14 Nov 2007 at 9:07

    That’s an amazing experience. Never would I have thought Paypal accounts could be so easily hacked. Or was it just you? :P

    Anyhow, that’s a very enlightening post there… but if I were to take that gadget with me where I go, I’d probably no sooner lose it than I would give out my password for free =.=;

    Nice, nonetheless :)

  6. Posted 15 Nov 2007 at 9:12

    yeah, neither would I. It was probably my own fault, though.

    The token isn’t a replacement for a password; they work in tandem, which is nice. Neither losing the thing, nor giving out your password, will compromise your accounts.

  7. hso
    Posted 19 Nov 2007 at 11:39

    I am glad you got back more than what you lost :-)

  8. Posted 20 Nov 2007 at 11:35

    yeah, paypal took great care of me.
