When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs, and often for some fairly sensitive services online.
About 16 years ago — back when you actually had to be invited by an existing Google Mail user in order to open a new Gmail account — I was able to get hold of a very short email address on the service that hadn’t yet been reserved. Naming the address here would only invite more spam and account hijack attempts, but let’s just say the account name has something to do with computer hacking.
Because it’s a relatively short username, it is what’s known as an “OG” or “original gangster” account. These account names tend to be highly prized among certain communities, who busy themselves with trying to hack them for personal use or resale. Hence, the constant account takeover requests.
What is endlessly fascinating is how many people think it’s a good idea to sign up for important accounts online using my email address. Naturally, my account has been signed up involuntarily for nearly every dating and porn website there is. That is to be expected, I suppose.
But what still blows me away is the number of financial and other sensitive accounts I could access if I were of a devious mind. This particular email address has accounts that I never asked for at H&R Block, Turbotax, TaxAct, iTunes, LastPass, Dashlane, MyPCBackup, and Credit Karma, to name just a few. I’ve lost count of the number of active bank, ISP and web hosting accounts I can tap into.
I’m perpetually amazed by how many other Gmail users and people on similarly-sized webmail providers have opted to pick my account as a backup address if they should ever lose access to their inbox. Almost certainly, these users just lazily picked my account name at random when asked for a backup email — apparently without fully realizing the potential ramifications of doing so. At last check, my account is listed as the backup for more than three dozen Yahoo, Microsoft and other Gmail accounts and their associated file-sharing services.
If for some reason I ever needed to order pet food or medications online, my phantom accounts at Chewy, Coupaw and Petco have me covered. If any of my Weber grill parts ever fail, I’m set for life on that front. The Weber emails I periodically receive remind me of a piece I wrote many years ago for The Washington Post, about companies sending email from [companynamehere]@donotreply.com, without considering that someone might own that domain. Someone did, and the results were often hilarious.
It’s probably a good thing I’m not massively into computer games, because the online gaming (and gambling) profiles tied to my old Gmail account are innumerable.
For several years until recently, I was receiving the monthly statements intended for an older gentleman in India who had the bright idea of using my Gmail account to manage his substantial retirement holdings. Thankfully, after reaching out to him he finally removed my address from his profile, although he never responded to questions about how this might have happened.
On balance, I’ve learned it’s better just not to ask. On multiple occasions, I’d spend a few minutes trying to figure out if the email addresses using my Gmail as a backup were created by real people or just spam bots of some sort. And then I’d send a polite note to those that fell into the former camp, explaining why this was a bad idea and ask what motivated them to do so.
Perhaps because my Gmail account name includes a hacking term, the few responses I’ve received have been less than cheerful. Despite my including detailed instructions on how to undo what she’d done, one woman in Florida screamed in an ALL CAPS reply that I was trying to phish her and that her husband was a police officer who would soon hunt me down. Alas, I still get notifications anytime she logs into her Yahoo account.
Probably for the same reason the Florida lady assumed I was a malicious hacker, my account constantly gets requests from random people who wish to hire me to hack into someone else’s account. I never respond to those either, although I’ll admit that sometimes when I’m procrastinating over something the temptation arises.
Losing access to your inbox can open you up to a cascading nightmare of other problems. Having a backup email address tied to your inbox is a good idea, but obviously only if you also control that backup address.
More importantly, make sure you’re availing yourself of the most secure form of multi-factor authentication offered by the provider. These may range from authentication options like one-time codes sent via email, phone calls, SMS or mobile app, to more robust, true “2-factor authentication” or 2FA options (something you have and something you know), such as security keys or push-based 2FA such as Duo Security (an advertiser on this site and a service I have used for years).
Email, SMS and app-based one-time codes are considered less robust from a security perspective because they can be undermined by a variety of well-established attack scenarios, from SIM-swapping to mobile-based malware. So it makes sense to secure your accounts with the strongest form of MFA available. But please bear in mind that if the only added authentication options offered by a site you frequent are SMS and/or phone calls, this is still better than simply relying on a password to secure your account.
Maybe you’ve put off enabling multi-factor authentication for your important accounts, and if that describes you, please take a moment to visit twofactorauth.org and see whether you can harden your various accounts.
As I noted in June’s story, Turn on MFA Before Crooks Do It For You, people who don’t take advantage of these added safeguards may find it far more difficult to regain access when their account gets hacked, because increasingly thieves will enable multi-factor options and tie the account to a device they control.
Are you in possession of an OG email account? Feel free to sound off in the comments below about some of the more gonzo stuff that winds up in your inbox.
Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight, an online banking platform used by hundreds of financial institutions. That ban, which came in response to a series of bank account takeovers in which cybercriminals used aggregation sites to surveil and drain consumer accounts, has since been rescinded. But the incident raises fresh questions about the proper role of digital banking platforms in fighting password abuse.
On Oct. 29, KrebsOnSecurity heard from a chief security officer at a U.S.-based credit union and Digital Insight customer who said his institution just had several dozen customer accounts hacked over the previous week.
My banking source said the attackers appeared to automate the unauthorized logins, which took place over a week in several distinct 12-hour periods in which a new account was accessed every five to ten minutes.
Most concerning, the source said, was that in many cases the aggregator service did not pass through prompts sent by the credit union’s site for multi-factor authentication, meaning the attackers could access customer accounts with nothing more than a username and password.
“The weird part is sometimes the attackers are getting the multi-factor challenge, and sometimes they aren’t,” said the source, who added that he suspected a breach at Mint and/or QuickBooks because NCR had just blocked the two companies from accessing bank Web sites on its platform.
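The pattern the source describes (aggregator logins reaching a new account every five to ten minutes, only some of them meeting a multi-factor challenge) is something a defender can look for in login logs. The sketch below is an added example, not code from the credit union, NCR or this article; the log format, the field names and the three-account minimum are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): time, account, channel, MFA challenged?
SAMPLE_LOG = """\
2019-10-22T01:00:00 acct-1001 aggregator mfa=no
2019-10-22T01:06:00 acct-1002 aggregator mfa=no
2019-10-22T01:13:00 acct-1003 aggregator mfa=yes
2019-10-22T01:21:00 acct-1004 aggregator mfa=no
2019-10-22T01:25:00 acct-2001 web mfa=yes
2019-10-22T06:40:00 acct-3001 aggregator mfa=yes
2019-10-22T09:40:00 acct-3001 aggregator mfa=yes
"""

def parse(log):
    """Turn each log line into (timestamp, account, channel, mfa_challenged)."""
    events = []
    for line in log.splitlines():
        ts, account, channel, mfa = line.split()
        events.append((datetime.fromisoformat(ts), account, channel, mfa == "mfa=yes"))
    return sorted(events)

def summarize(run):
    return {"start": run[0][0], "end": run[-1][0],
            "accounts": [e[1] for e in run],
            "no_mfa": [e[1] for e in run if not e[3]]}

def find_paced_runs(events, min_gap=timedelta(minutes=5),
                    max_gap=timedelta(minutes=10), min_accounts=3):
    """Find aggregator login runs where each login reaches a new account
    5 to 10 minutes after the previous one (the cadence the source reported).
    min_accounts is an assumed threshold, not a figure from the article."""
    runs, current = [], []
    for ev in (e for e in events if e[2] == "aggregator"):
        if current:
            gap = ev[0] - current[-1][0]
            fresh = ev[1] not in {e[1] for e in current}
            if not (min_gap <= gap <= max_gap and fresh):
                if len(current) >= min_accounts:
                    runs.append(summarize(current))
                current = []
        current.append(ev)
    if len(current) >= min_accounts:
        runs.append(summarize(current))
    return runs

if __name__ == "__main__":
    for run in find_paced_runs(parse(SAMPLE_LOG)):
        print(run["start"], "to", run["end"], "accounts:", len(run["accounts"]),
              "without MFA challenge:", run["no_mfa"])
```

The accounts listed under `no_mfa` are the ones to review first, since those sessions were opened with a username and password alone.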
In a statement provided to KrebsOnSecurity, NCR said that on Friday, Oct. 25, the company notified Digital Insight customers “that the aggregation capabilities of certain third-party products were being temporarily suspended.”
“The notification was sent while we investigated a report involving a single user and a third-party product that aggregates bank data,” reads their statement, which was sent to customers on Oct. 29. After confirming that the incident was contained, NCR restored connectivity that is used for account aggregation. “As we noted, the criminals are getting aggressive and creative in accessing tools to access online information, NCR continues to evaluate and proactively defend against these activities.”
What were these sophisticated methods? NCR wouldn’t say, but it seems clear the hacked accounts are tied to customers re-using their online banking passwords at other sites that got hacked.
As I noted earlier this year in The Risk of Weak Online Banking Passwords, if you bank online and choose weak or re-used passwords, there’s a decent chance your account could be pilfered by cyberthieves — even if your bank offers multi-factor authentication as part of its login process.
Crooks are constantly probing bank Web sites for customer accounts protected by weak or recycled passwords. Most often, the attacker will use lists of email addresses and passwords stolen en masse from hacked sites and then try those same credentials to see if they permit online access to accounts at a range of banks.
From there, thieves can take the list of successful logins and feed them into apps that rely on application programming interfaces (APIs) from one of several personal financial data aggregators, including Mint, Plaid, QuickBooks, Yodlee, and YNAB.
A number of banks that do offer customers multi-factor authentication — such as a one-time code sent via text message or an app — have chosen to allow these aggregators the ability to view balances and recent transactions without requiring that the aggregator service supply that second factor.
If the thieves are able to access a bank account via an aggregator service or API, they can view the customer’s balance(s) and decide which customers are worthy of further targeting.
But beyond targeting customers for outright account takeovers, the data available via financial aggregators enables a far more insidious type of fraud: The ability to link the target’s bank account(s) to other accounts that the attackers control.
That’s because PayPal, Zelle, and a number of other pure-play online financial institutions allow customers to link accounts by verifying the value of microdeposits. For example, if you wish to be able to transfer funds between PayPal and a bank account, the company will first send a couple of tiny deposits — a few cents, usually — to the account you wish to link. Only after verifying those exact amounts will the account-linking request be granted.
The temporary blocking of data aggregators by NCR brings up a point worthy of discussion by regulators: Namely, in the absence of additional security measures put in place by the aggregators, do the digital banking platform providers like NCR, Fiserv, Jack Henry, and FIS have an obligation to help block or mitigate these large-scale credential exploitation attacks?
KrebsOnSecurity would argue they do, and that the crooks who attacked the customers of my source’s credit union have probably already moved on to using the same attack against one of several thousand other dinky banks across the country.
Intuit Inc., which owns both Mint and QuickBooks, said there is no indication of a breach of Intuit systems.
“As you heard from NCR, we continue to work closely with NCR Digital Banking to enable a secure, reliable customer experience as well as continued ongoing analysis,” Intuit spokesperson Kali Fry said.
NCR declined to discuss specifics about how it plans to respond to similar attacks going forward.