Results 1 to 15 of 23
Thread: Amazon Sign In Password Hacked
-
25th April 2022, 09:29 AM #1GOLD MEMBER
- Join Date
- Jun 2005
- Location
- Helensburgh
- Posts
- 7,695
Amazon Sign In Password Hacked
I had my password hacked today even though it requires a one-time code to do so. I received the OTP on my phone sometime during the night, when they knew customers in Australia were asleep and would not react to receiving it, so be warned: OTPs do not afford the protection we think they do. I used "forgot password" to rectify the problem, but I guess it is only a matter of time before it happens again. I don't know why it was done, as no transactions took place. This has happened to me several times before I used an OTP, and I was under the illusion that using an OTP was the answer to stopping this sort of activity.
CHRIS
-
25th April 2022, 09:37 AM #2SENIOR MEMBER
- Join Date
- Sep 2009
- Location
- Newcastle
- Posts
- 546
If no transactions happened, how do you know the OTP failed?
OTPs are not perfect, though the common way of defeating them is forced porting of your mobile number so they receive the text.
Fraudulent mobile number porting and identity theft
-
25th April 2022, 09:43 AM #3SENIOR MEMBER
- Join Date
- Sep 2009
- Location
- Newcastle
- Posts
- 546
Some general security tips:
- Use a different password for every site.
- Use a password manager to store all these different passwords.
- NEVER NEVER NEVER use the same password for your email and anything else. Your email is your master key to everything.
- Separate things that actually matter from things that don't. E.g. internet banking is very important, and a security breach results in major harm. Someone accessing an account on a random forum or store is not going to cause major harm.
- Use separate emails: one limited to high priority, one or more others for everything else. If someone gains access to the low-priority email, they can't intercept your forgotten-password emails from important things.
-
25th April 2022, 10:02 AM #4SENIOR MEMBER
- Join Date
- Sep 2010
- Location
- Port Sorell, Tasmania
- Posts
- 595
How safe is google password manager, I assume not very?
You can't use up creativity. The more you use, the more you have. ~Oscar Wilde
-
25th April 2022, 10:51 AM #5GOLD MEMBER
- Join Date
- Jun 2005
- Location
- Helensburgh
- Posts
- 7,695
My phone received an OTP without me requesting it. As I said in my post, I have had this happen before, and no transactions took place then; this is what I don't understand. What is the point of hacking a PW and then not doing anything, when the PW is unique to the site, as all my PWs are? I don't use my phone for internet access at all, so the link is not relevant in my case, but it is relevant for those that do. It seems that there is a bit of interest in cracking Amazon's OTP system: amazon otp cracked - Google Search
CHRIS
-
25th April 2022, 02:06 PM #7GOLD MEMBER
- Join Date
- Nov 2018
- Location
- Newcastle
- Posts
- 1,018
So the OTP/2FA has worked to protect you: they tried to log in, Amazon sent an OTP request, it went to your phone, the hackers did not get it, so they could not continue and get into your account to buy baubles. That's how 2FA works.
2FA doesn't necessarily stop a hacker getting your password (either by guessing it, harvesting it in a security breach, or a brute-force hack). But the hacker still can't get into your account because, although they now have 'something you know' (your password), they don't have 'something you have' (your phone with the authenticator app or SMS).
Pat yourself on the back. You've saved yourself some $ and trouble.
Now you need to work out how they're getting your password. Is it easy to guess? Has it been used somewhere else? Has there been a known security breach that contained it? Do they have access to your email account (and is that critical password super-secure)?
If your password doesn't look something like this: 7Lh8xyoMrqi?po then you're vulnerable. Another, slightly easier way of generating difficult passwords is by using a set of three or more random words that you'll be able to remember, e.g. possumbouncyleaflet; they're actually very difficult to hack.
-
25th April 2022, 02:31 PM #8GOLD MEMBER
- Join Date
- Jun 2005
- Location
- Helensburgh
- Posts
- 7,695
They changed the password, so I guess they did get in, via them receiving the OTP as well as me; how does that work? I had to change the password today so I could get back in and check what had happened. The password is about 20 characters, auto-generated, so it is not a simple guess.
CHRIS
-
25th April 2022, 04:12 PM #9
2c from a paranoid dude
Amazon customer service likely reset it. Internal jobs are rife in all businesses.
If I might offer my 2 cents?
This seems like a lot, but it isn't.
- Bernmc is dead right. FluffyPinkBunny is far harder to crack than 7Lh8xyoMrqi?po (see comic below).
- Authy | Two-factor Authentication (2FA) App & Guides for 2FA. Put it on your PC and phone. Trust Google? Hahahahaha (ahem. Ahahahahahaha)
- Use the Brave browser for automatic password generation and management. It's all encrypted into a personal blockchain (blob). OK... and use Brave Browser.
- Never store your credit card on a facility. Enter it every time, even if you copy/paste the number/expiry/code from a text note on your desktop.
- Cloudflare WARP for a free, fast pseudo-VPN. It's a VPN to protect your privacy, not to evade the authorities. It's very good.
- Change your DNS to 1.1.1.1 and 1.0.0.1 on your router and elsewhere (such as your TV).
- Use DuckDuckGo's Privacy addon and get your free relay email. One chooses a base [email protected] and it sends all email to your real email. It also allows one to generate one-off [email protected] emails that relay to your own real address. This way your real address is never exposed by scumbags selling your data (ahem, CMC Markets stockbrokers!)
- Get a second SIM from Amaysim for your phone for $10 a year (if your phone can handle two SIMs). Use the new one ONLY for auths and website signups. NEVER use your personal phone number.
Also, check to see if your info is public: Have I Been Pwned... if you have, rectify it.
There is a lot more one can do, but this is the very minimum. The internet has become a LETHAL place. Everyone's data is always for sale, from everyone. It's become toxic.
(attached image: password_strength.png)
-
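The posts above compare a random-character password such as 7Lh8xyoMrqi?po with random-word passphrases such as possumbouncyleaflet and FluffyPinkBunny. The Python below is an added example, not code from the thread or from any poster: it generates both kinds of secret with the standard-library `secrets` module and computes the entropy each generation method yields, which is what sets the cost of guessing. The embedded word list is a constructed twelve-word stand-in; the 7,776-entry size used in the comparison table is that of a Diceware-style list such as the EFF long wordlist (assumed here; no list is loaded), and the guess rate is an assumed figure, not one from the thread.

```python
import math
import secrets

# Constructed demo word list. A real generator would load a published list
# such as the 7,776-word EFF long wordlist; that size is assumed below.
DEMO_WORDS = ["possum", "bouncy", "leaflet", "fluffy", "pink", "bunny",
              "kettle", "granite", "harbour", "lantern", "mallet", "quince"]
DICEWARE_SIZE = 7776
# The 94 printable ASCII characters excluding space.
PRINTABLE = "".join(chr(c) for c in range(33, 127))


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a secret made of `length` independent, uniform picks from
    `choices` possibilities: log2(choices ** length). It depends only on the
    generation process, never on how the result looks."""
    return length * math.log2(choices)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Random-character password; every position is a uniform pick from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist=DEMO_WORDS, sep: str = "") -> str:
    """Passphrase of `words` uniformly chosen list entries (with replacement)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare() -> dict:
    """Entropy in bits for the generation methods discussed in the thread."""
    return {
        "14 random printable chars": entropy_bits(len(PRINTABLE), 14),
        "3 random words, 7776-word list": entropy_bits(DICEWARE_SIZE, 3),
        "4 random words, 7776-word list": entropy_bits(DICEWARE_SIZE, 4),
        "6 random words, 7776-word list": entropy_bits(DICEWARE_SIZE, 6),
        "3 words, 12-word demo list": entropy_bits(len(DEMO_WORDS), 3),
    }


if __name__ == "__main__":
    # Assumed offline guess rate against a fast hash; adjust for the target.
    RATE = 1e11
    for method, bits in compare().items():
        print(f"{method:32s} {bits:6.1f} bits  "
              f"{years_to_exhaust(bits, RATE):.3g} years at {RATE:g}/s")
    print("sample password  :", random_password(14))
    print("sample passphrase:", random_passphrase(3, sep="-"))
```

The figure that matters is how many uniformly random choices produced the secret: three words drawn from a 7,776-word list is about 39 bits whatever the words are, six words is about 78, and 14 characters drawn from the 94 printable ASCII characters is about 92. A phrase a person picked by hand has no such number attached to it, because the attacker's dictionary, not the alphabet, sets the search space.
-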
25th April 2022, 04:40 PM #12GOLD MEMBER
- Join Date
- Jun 2005
- Location
- Helensburgh
- Posts
- 7,695
All good advice, WP & Bernard. I have taken a few of those steps: my phone is not connected to the internet, and the password cracked was a phrase, though not random words, and not one that would be familiar to any other person except me. I think auto log-in found on browsers is another problem, and I log in manually each time. I doubt any measures will keep them out if they want to get in.
CHRIS
-
26th April 2022, 02:02 PM #13
Sure, if you are talking about a state actor (FSB, NSA etc.). However, you would have to be of interest to them for them to go to that trouble.
However, having really strong and unique passwords and enabling 2FA (two-factor authentication; note that Amazon does offer genuine 2FA) that is not based on text messages makes it pretty damn hard. Even better are things like YubiKey (Yubico | YubiKey Strong Two Factor Authentication).
I use LastPass as my password manager, and they also offer a 2FA app that can use local biometric authentication on your device as an additional layer of security.
The biggest threat we all face is cryptoware. There is only one protection against that, and that is backups. Having a cloud-service file system (Google Drive, iCloud etc.) is not a sufficient backup to protect against cryptoware. In addition to local backups, I use Backblaze and have the unlimited-versions backup service.
I know of a medium-sized company in QLD that got ALL of their data encrypted by cryptoware last month. Even their backups were encrypted by it. I have no idea how they are going to survive as a business.
-
26th April 2022, 02:09 PM #14
In addition to what I said; phone numbers can be hijacked by porting the SIM. You can read a brief synopsis of how this is done here: SIM Hijacking Explained - Panda Security
Another attack vector is SIM card cloning. Have you had your phone serviced or looked at by anyone recently?
-