Singapore Expats Forum

Your Pay Pal experiences

zzm9980
Governor
Posts: 6841
Joined: Wed, 06 Jul 2011
Location: Once more unto the breach

Re: Your Pay Pal experiences

Postby zzm9980 » Sat, 19 Sep 2015 11:05 am

x9200 wrote:
zzm9980 wrote:
x9200 wrote:- PP is more convenient to use (password based system - no need to key in all the cc info every time)


More convenient, but less secure.

If you're using a password for financial transactions that you can remember easier than your CC information, you've already lost. What you should be doing is strong passwords per-site/service and keeping them in a password manager.


It is only less secure because of the human factor

I'm fairly confident everyone in this discussion is human.

SMS, I would not recommend to use any password manager for this sort of service where you may lose a lot of money and you are protected by a single authentication factor. Just make up one complex enough but with elements easy for you to remember: e.g. SmS#BluJAZZ_e-A-G-L-S_gathering%2015
Until you manage to get it remembered write it somewhere down, inside your shoe for example, or if you use PP only from home, inside the toilet flushing water tank. No, I'm not kidding. After you remember, remove it.


And SMS (or anyone else) is going to have a unique password like this for every site? The risk you're trying to mitigate is a site getting compromised and passwords leaking. Then your accounts at every other site you used that password at are at risk.

Use a password manager, and then your advice for the password to that password manager. Don't destroy it when done. Put it in a safety deposit box or something. The risk is much higher of your password getting leaked through a hacked site than from someone breaking into your house and finding the scrap of paper with your password. And even *if* that happens, the people doing that are less likely to be interested in stealing your login credentials than your jewelry.

zzm9980
Governor
Posts: 6841
Joined: Wed, 06 Jul 2011
Location: Once more unto the breach

Re: Your Pay Pal experiences

Postby zzm9980 » Sat, 19 Sep 2015 11:11 am

Just make up one complex enough but with elements easy for you to remember: e.g. SmS#BluJAZZ_e-A-G-L-S_gathering%2015


And also note that making it "complex but easy to remember" makes it much easier to crack than being truly random. There is a lot of research into this area, and a lot of tools to automate it. Basically, if the human mind can take advantage of some factor in it to make it easier to remember then tools can take advantage of it to significantly simplify cracking.

Some good articles to start out with:
http://arstechnica.com/security/2012/08 ... r-assault/
http://arstechnica.com/security/2013/05 ... passwords/
http://arstechnica.com/security/2013/10 ... -cracking/
http://arstechnica.com/security/2014/08 ... -cracking/

sundaymorningstaple
Moderator
Posts: 35120
Joined: Thu, 11 Nov 2004
Location: Still Fishing!

Re: Your Pay Pal experiences

Postby sundaymorningstaple » Sat, 19 Sep 2015 11:19 am

x9200 wrote:
This is what I normally do: I just make up a complex enough but with elements easy for you to remember: e.g. SmS#BluJAZZ_e-A-G-L-S_gathering%2015. Until I manage to get it remembered I write it somewhere down, inside my shoe for example, or if I use the service only from home, inside the toilet flushing water tank (for example). No, I'm not kidding. After I remember, I remove it.


The problem I find is that creating a different password for every bank, every CC, PP, eBay, Amazon, not counting myriad other passwords like Singpass, and any other place where financial transaction may take place, I'd find it virtually impossible to keep track of all of them especially long complex ones that are likely to be secure. And then to supposedly change all of them quarterly as recommended. It's no wonder why people get hacked. Hell, I can't even remember how I got home after the last eagles gathering! Passwords!?!? :oops:

ZZM, I've read something like that before. But about the only way to do that is let my pet monkey input the passwords or get a password manager that will create the random generated passwords.

zzm9980
Governor
Posts: 6841
Joined: Wed, 06 Jul 2011
Location: Once more unto the breach

Re: Your Pay Pal experiences

Postby zzm9980 » Sat, 19 Sep 2015 11:28 am

sundaymorningstaple wrote:
x9200 wrote:
This is what I normally do: I just make up a complex enough but with elements easy for you to remember: e.g. SmS#BluJAZZ_e-A-G-L-S_gathering%2015. Until I manage to get it remembered I write it somewhere down, inside my shoe for example, or if I use the service only from home, inside the toilet flushing water tank (for example). No, I'm not kidding. After I remember, I remove it.


The problem I find is that creating a different password for every bank, every CC, PP, eBay, Amazon, not counting myriad other passwords like Singpass, and any other place where financial transaction may take place, I'd find it virtually impossible to keep track of all of them especially long complex ones that are likely to be secure. And then to supposedly change all of them quarterly as recommended. It's no wonder why people get hacked. Hell, I can't even remember how I got home after the last eagles gathering! Passwords!?!? :oops:

ZZM, I've read something like that before. But about the only way to do that is let my pet monkey input the passwords or get a password manager that will create the random generated passwords.


Changing them quarterly is much less important if you use different ones for each site and they're complex. And yes, you should use a random system to pick your passwords. Like a password manager. You can come up with long complex ones randomly yourself if you prefer - google for something called "diceware". It's a system with a list of words where you roll dice and make a password. (A bit more complex than that, but essentially that is it)
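
The diceware procedure mentioned in the post above, as an added example that is not part of the original thread: five dice rolls select one word from a 7776-entry list, and the strength comes from the uniform random choice, so it holds even when the list is public. The word list here is a constructed placeholder of pseudo-words and the function names are assumptions of this example; a real diceware list uses the same `11111` to `66666` keys.

```python
import math
import secrets
from itertools import product

DICE_PER_WORD = 5                    # five six-sided dice select one word
LIST_SIZE = 6 ** DICE_PER_WORD       # 7776 entries, as in a diceware list

# Constructed stand-in for a real word list: 7776 unique pseudo-words.
# A real diceware list maps the same keys ("11111".."66666") to real words.
_LETTERS = ("bdfgkl", "aeiouy", "mnprst", "aeiouy", "hjvwxz")
WORDLIST = {
    "".join(map(str, rolls)): "".join(_LETTERS[i][r - 1] for i, r in enumerate(rolls))
    for rolls in product(range(1, 7), repeat=DICE_PER_WORD)
}


def word_for_rolls(rolls):
    """Look up the word for one group of five physical or simulated rolls."""
    rolls = list(rolls)
    if len(rolls) != DICE_PER_WORD or any(r not in range(1, 7) for r in rolls):
        raise ValueError(f"need {DICE_PER_WORD} rolls, each 1-6, got {rolls!r}")
    return WORDLIST["".join(map(str, rolls))]


def generate_passphrase(n_words=6):
    """Simulate the dice with the OS CSPRNG (secrets), not the random module."""
    return [
        word_for_rolls(secrets.randbelow(6) + 1 for _ in range(DICE_PER_WORD))
        for _ in range(n_words)
    ]


def entropy_bits(n_words):
    """Bits of entropy when every word is picked uniformly at random."""
    return n_words * math.log2(LIST_SIZE)


def words_needed(target_bits):
    """Smallest number of words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(LIST_SIZE))


if __name__ == "__main__":
    print(" ".join(generate_passphrase()))
    print(f"6 words: {entropy_bits(6):.1f} bits; "
          f"128 bits needs {words_needed(128)} words")
```

Each word contributes about 12.9 bits, so the entropy figure only applies when the words come from dice or a CSPRNG and are not swapped for ones that feel easier to remember.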

x9200
Moderator
Posts: 9314
Joined: Mon, 07 Sep 2009
Location: Singapore

Re: Your Pay Pal experiences

Postby x9200 » Sat, 19 Sep 2015 11:34 am

zzm9980 wrote:
Just make up one complex enough but with elements easy for you to remember: e.g. SmS#BluJAZZ_e-A-G-L-S_gathering%2015


And also note that making it "complex but easy to remember" makes it much easier to crack than being truly random. There is a lot of research into this area, and a lot of tools to automate it. Basically, if the human mind can take advantage of some factor in it to make it easier to remember then tools can take advantage of it to significantly simplify cracking.

Some good articles to start out with:
http://arstechnica.com/security/2012/08 ... r-assault/
http://arstechnica.com/security/2013/05 ... passwords/
http://arstechnica.com/security/2013/10 ... -cracking/
http://arstechnica.com/security/2014/08 ... -cracking/


Yep, that's true (that's why I don't use it with PP :P ), but is it worse than using a password manager? What if the keyboard, screen and mouse are captured? The system is as strong as its weakest element.

Also for the password cracking, how practical is it to have it cracked for using with PP? What could be the assault scenario where you exploit this specific weakness? I expect PP does not allow unrestricted attempts so it probably would make only practical sense if the PP system is already compromised so the attackers have access to the encrypted (hashed) passwords? But in this case it would not matter at all because this password was unique and not used for any other site.

x9200
Moderator
Posts: 9314
Joined: Mon, 07 Sep 2009
Location: Singapore

Re: Your Pay Pal experiences

Postby x9200 » Sat, 19 Sep 2015 11:48 am

sundaymorningstaple wrote:
x9200 wrote:
This is what I normally do: I just make up a complex enough but with elements easy for you to remember: e.g. SmS#BluJAZZ_e-A-G-L-S_gathering%2015. Until I manage to get it remembered I write it somewhere down, inside my shoe for example, or if I use the service only from home, inside the toilet flushing water tank (for example). No, I'm not kidding. After I remember, I remove it.


The problem I find is that creating a different password for every bank, every CC, PP, eBay, Amazon, not counting myriad other passwords like Singpass, and any other place where financial transaction may take place, I'd find it virtually impossible to keep track of all of them especially long complex ones that are likely to be secure. And then to supposedly change all of them quarterly as recommended. It's no wonder why people get hacked. Hell, I can't even remember how I got home after the last eagles gathering! Passwords!?!? :oops:

ZZM, I've read something like that before. But about the only way to do that is let my pet monkey input the passwords or get a password manager that will create the random generated passwords.


I found it manageable. For the sites requiring high security I try to have it the way I said, complex and unique (nobody is going to look for it inside my flush tank anyway). I have probably 5 like these. For less secure I do what is highly disapproved by any security person: I use a password with a part of it fixed but with some site-dependent component. So for example I may have 7*2gB%3_ss3 for this forum and 7*2gB%3_he2 for hardwarezone.com. The suffix is based on the site name or something regular that may be used for simple on-the-fly "encoding".

Note that having the complex password written somewhere to protect your money is not any worse than having the CC with you. Of course you may want to avoid writing this password on your laptop, postnote placed on your monitor etc. or even better in a file inside the machine. How likely is that somebody will come over, find it and make the right association?

sundaymorningstaple
Moderator
Posts: 35120
Joined: Thu, 11 Nov 2004
Location: Still Fishing!

Re: Your Pay Pal experiences

Postby sundaymorningstaple » Sat, 19 Sep 2015 12:19 pm

After I got hacked last year by some E. European with a mobile phone (fortunately not a critical site and no damage done) I changed up somewhat about a year ago and have been using a similar sort of PP logic as you are using either 13 or 14 digits. But even so, having to change it becomes unwieldy.

zzm9980
Governor
Posts: 6841
Joined: Wed, 06 Jul 2011
Location: Once more unto the breach

Re: Your Pay Pal experiences

Postby zzm9980 » Sat, 19 Sep 2015 2:45 pm

x9200 wrote:
zzm9980 wrote:
Just make up one complex enough but with elements easy for you to remember: e.g. SmS#BluJAZZ_e-A-G-L-S_gathering%2015


And also note that making it "complex but easy to remember" makes it much easier to crack than being truly random. There is a lot of research into this area, and a lot of tools to automate it. Basically, if the human mind can take advantage of some factor in it to make it easier to remember then tools can take advantage of it to significantly simplify cracking.

Some good articles to start out with:
http://arstechnica.com/security/2012/08 ... r-assault/
http://arstechnica.com/security/2013/05 ... passwords/
http://arstechnica.com/security/2013/10 ... -cracking/
http://arstechnica.com/security/2014/08 ... -cracking/


Yep, that's true (that's why I don't use it with PP :P ), but is it worse than using a password manager? What if the keyboard, screen and mouse are captured? The system is as strong as its weakest element.

Also for the password cracking, how practical is it to have it cracked for using with PP? What could be the assault scenario where you exploit this specific weakness? I expect PP does not allow unrestricted attempts so it probably would make only practical sense if the PP system is already compromised so the attackers have access to the encrypted (hashed) passwords? But in this case it would not matter at all because this password was unique and not used for any other site.


You should be worried about re-using passwords, sites getting hacked, and the hashed passwords being brute forced. If you're using a different password everywhere, then you're fine except that one site. But using a strong enough password on every site without a password manager is not feasible for most humans. You must have some super powers which are not common in the 99.9% x9200 :)

Most criminal syndicates looking for financial gains will not target an individual, it doesn't scale. They'll go after the site in a way I described above to get as many user credentials as possible at one time. Those that target an individual (you specifically, your keyboard, mouse and monitor) likely are going after you for something besides the passwords to your PayPal and bank accounts. And even if they were, your password doesn't matter. If they target your keyboard, mouse, and monitor yes they'll own your password manager. But they don't need your password manager. They'll just wait for you to log in and do whatever they want from your system once you're authenticated.

*IF* you absolutely must use a password you memorized, make sure you use two-factor auth (akin to the bank tokens Singapore banks issue everyone). You can get secure apps for your iOS or Android phones (or even Windows for that poster here with the Gorilla avatar). Something like Google Authenticator is OK, but Authy or Duo is better from a feature perspective.

zzm9980
Governor
Posts: 6841
Joined: Wed, 06 Jul 2011
Location: Once more unto the breach

Re: Your Pay Pal experiences

Postby zzm9980 » Sat, 19 Sep 2015 2:47 pm

sundaymorningstaple wrote:After I got hacked last year by some E. European with a mobile phone (fortunately not a critical site and no damage done) I changed up somewhat about a year ago and have been using a similar sort of PP logic as you are using either 13 or 14 digits. But even so, having to change it becomes unwieldy.


The nice thing is some of those password managers (like Dashlane) will change your passwords automatically for popular sites. Let it generate a random 30 character password for you. Three months later, you can just open your password manager, click a button, and it automatically sets a new random password. It shouldn't even matter to you, since you just use the app to auto-fill the password when you log in (or copy and paste if you're like me and hate browser integration)

NorrinRadd
Regular
Posts: 132
Joined: Sun, 29 Apr 2012

Re: Your Pay Pal experiences

Postby NorrinRadd » Sun, 20 Sep 2015 11:35 am

Useful password management posts aside, are there good reasons to top up PP via CC over topping up via bank transfer, and do they outweigh the risks?

x9200
Moderator
Posts: 9314
Joined: Mon, 07 Sep 2009
Location: Singapore

Re: Your Pay Pal experiences

Postby x9200 » Sun, 20 Sep 2015 12:18 pm

zzm9980 wrote:But using a strong enough password on every site without a password manager is not feasible for most humans. You must have some super powers which are not common in the 99.9% x9200 :)

I am afraid for most humans using password managers is a superpower. The majority of humans will use name/DoB/pet name/etc password if only they would be allowed to do it. You certainly must have seen this one following the (in)famous Ashley Madison site hack:
http://arstechnica.com/security/2015/09 ... -the-rest/

zzm9980 wrote:Most criminal syndicates looking for financial gains will not target an individual, it doesn't scale. They'll go after the site in a way I described above to get as many user credentials as possible at one time. Those that target an individual (you specifically, your keyboard, mouse and monitor) likely are going after you for something besides the passwords to your PayPal and bank accounts. And even if they were, your password doesn't matter. If they target your keyboard, mouse, and monitor yes they'll own your password manager. But they don't need your password manager. They'll just wait for you to log in and do whatever they want from your system once you're authenticated.

And that's why I always say it's about risk management rather than doing it the strongest and most secure way. Don't attract attention, stay under the radar, protect your personal data (IP inclusive) and do with the password and any sensitive data what is optimal in your situation rather than the most secure approach.


zzm9980 wrote:*IF* you absolutely must use a password you memorized, make sure you use two-factor auth (akin to the bank tokens Singapore banks issue everyone). You can get secure apps for your iOS or Android phones (or even Windows for that poster here with the Gorilla avatar). Something like Google Authenticator is OK, but Authy or Duo is better from a feature perspective.

I only use Linux and OSX to access these sorts of services. Not sure how safe MS Windows is right now when properly secured but with its rather long history of security related problems I would be very hesitant. Android, no way.

BTW, another tip for having pseudo-random, reasonably complex passwords that may be used and are easy to handle until they are memorised is document numbers. E.g. NRIC No + something in between + Passport No. All that has to be remembered is the middle part and the rest can be safely checked if needed.

zzm9980
Governor
Posts: 6841
Joined: Wed, 06 Jul 2011
Location: Once more unto the breach

Re: Your Pay Pal experiences

Postby zzm9980 » Sun, 20 Sep 2015 2:55 pm

NorrinRadd wrote:Useful password management posts aside, are there good reasons to top up PP via CC over topping up via bank transfer, and do they outweigh the risks?


If you fund PayPal via a CC, you can sometimes dispute the charge with your CC directly if there is a dispute. I was able to do this (with Amex) and it saved my ass.

zzm9980
Governor
Posts: 6841
Joined: Wed, 06 Jul 2011
Location: Once more unto the breach

Re: Your Pay Pal experiences

Postby zzm9980 » Sun, 20 Sep 2015 3:00 pm

All of your other points are taken. While valid, I'll just agree to agree and disagree with each at varying levels.

x9200 wrote: You certainly must have seen this one following the (in)famous Ashley Madison site hack:
http://arstechnica.com/security/2015/09 ... -the-rest/


Articles (and breaches) like this to me are big red herrings of password security. I'm willing to suspect that most of these passwords are "throw aways", and not something taken seriously by the people who created them. Especially AM, as a lot of those accounts were probably created out of curiosity and then never used again.

My guess is if the same population was sampled a significant portion would have much better passwords for sites they cared more about like banks. Not all, but a lot.

kaseyma
Chatter
Posts: 213
Joined: Sat, 05 Apr 2008
Location: in question

Re: Your Pay Pal experiences

Postby kaseyma » Mon, 21 Sep 2015 2:20 am

zzm9980 wrote:
NorrinRadd wrote:Useful password management posts aside, are there good reasons to top up PP via CC over topping up via bank transfer, and do they outweigh the risks?


If you fund PayPal via a CC, you can sometimes dispute the charge with your CC directly if there is a dispute. I was able to do this (with Amex) and it saved my ass.

Also had an issue with strange PP charges showing up on our Amex card recently. Strange thing is the PP account hadn't been used for a few years.
At least Amex is good about reversing the charges.

sundaymorningstaple
Moderator
Posts: 35120
Joined: Thu, 11 Nov 2004
Location: Still Fishing!

Re: Your Pay Pal experiences

Postby sundaymorningstaple » Mon, 21 Sep 2015 6:59 am

Was it from a company in Indonesia? PT Tr* something?

