FUCK FUCK FUCK, credit card asshole is back.

[SurfD]

I dont know how many of you remember, but a while back, some asshole, going by the hotmail handle Afriend(some bunch of numbers)@hotmail.com managed to grab my credit card information.

Well, it seems this fucker is still not through with me, he has now managed to sease controll of my hotmail account. I found out because i couldnt log in, and when i went to reset my password, my secret question had been changed with the following message:

" afriend; When does New York border on North Carolina"

Anyone have any suggestion as to what i could do to really fuck with this asshole. I am drawing a blank on how to get a lock on where this is coming from.

Also, I am beginning to think I may have a possible link on where this started.  Since my password wouldnt be too obvious, though it is possible this person brute forced it, it would have been linked to the ZONE, from my old Asheron's Call subscription (that is the only thing i have used my credit card for that this fucker could have hacked a connection between it and my hotmail acct.

[SurfD]

I just realised also, this fucker has access to my MSN instant messenger info through this, which gives me an idea:

Is it possible to do an IP trace on an MSN messenger buddy?  If yes, i will ask anyone on my MSN list to keep an eye out for me showing up online, and try to trace the IP.

[Calantus]

You could try sending some official-looking email to him with something nasty attached. Alot of those emails fall down when used on smart people because you pretty-much know what you would and would not be sent. He doesn't. You can send something very specifically targeted to the person with the email address (you), and the person opening it can't just say "I never sent an application for a new credit-card". Half the battle won. Send something that looks officially juicy, and he might just open it without checking it out/thinking it through first.

I haven't used hotmail in ages, so I'm not up with how good their protection against this sort of thing is, nor have I ever sent anything nasty to anyone via email, so I'm not sure what exactly you could possibly do. However, maybe this sparks an idea with someone who does know what you could do.

You could also try the law. No idea on what they would do either (with our credit card the bank just gave the money back and we have no idea what else happened in the case), but you never know. If they think enough of it, just having the law looking closely at what he does could be a pain in the ass for him if he regularly does this sort of thing. Though my guess is they'll just file it (if that) and forget about it.

[daveNYC]

" afriend; When does New York border on North Carolina"

In an alphabetical listing of the states.

[Mesozoic]

I assume that Surf has cancelled all his old credit and debit cards and gotten new ones, right?

[Mr_PeaCH]

I recall that you were never completely sure how your CC info got leaked in the first place... and now the dude has your hotmail acct. password too?

You have fingered your AC subscription as one possible mode but have you fully vetted your PC for trojan'd keylogging things and such?

[daveNYC]

I recall that you were never completely sure how your CC info got leaked in the first place... and now the dude has your hotmail acct. password too?

You have fingered your AC subscription as one possible mode but have you fully vetted your PC for trojan'd keylogging things and such?

By this point I hope he's done a full format and re-install.

[hirebrand]

" afriend; When does New York border on North Carolina"

In an alphabetical listing of the states.

A... dictionary! I bet he found your password with a dictionary attack. (A program that guesses passwords by "going down the list" word by word.)

[HaemishM]

Call your local cyber-crimes division of the Police Department. If they want help, call the goddamn FBI. Identity theft is not worth pratting about with, because if you don't deal with it soon, he'll stay on you until he's suck everything he can out of you.

[Rodent]

So this is what happens when you play AC?

[HaemishM]

This and a lot of buffing apparently.

[Mediocre]

Buffs now cast at level 1 speed next patch.  There are also multi-spell buff spells coming soon, as well as fellowship buff spells to save time.

If you got a trojan, though -- that would be bad, son.

[Faust]

If you call the FBI, they will advise much better than we would.  Seriously, they DO get involved with this sort of stuff.

[Alluvian]

And besides, you asked this same exact question months ago.  You won't get any new answers this time, and frankly you obviously didn't do much of what was suggested last time anyway, so why would it be different this time?

Call the authorities.  Don't go punching back, because the second punch is usually the one that gets caught.

[Mr. Crick]

To quote someone I remotely know...

zbererth> Cracking a hotmail account takes approximately 17 seconds.

[SurfD]

And besides, you asked this same exact question months ago.  You won't get any new answers this time, and frankly you obviously didn't do much of what was suggested last time anyway, so why would it be different this time?

Call the authorities.  Don't go punching back, because the second punch is usually the one that gets caught.

Not to get pissy with you Alluvian, but I did NOT ask the exact same question the first time around, and I am insulted that you think I just sat idly by and did nothing.

The first time, I was hit with an Instane of credit card fraud (an unknown party charged shit to my credit card).  I had no idea how they got my card number, and asked the board for general ideas on a course of action.
Since then, I called my CC company, had the card canceled, an investigation launched, and was nicely settled back into my normal routine.

Sure, I still had no idea how someone got my CC number, but I had narrowed it down to either
A: someone at the place i am living at
B: someone i work with
C: someone pulled it out of an online database.

With the TOTALLY NEW event of the Passport Acount hack, i can safely rule out item A, and B (no one i live with is even remotely intelligent enough to dictionary attack my hotmail password, let alone randomly guess the password, and neither is anyone i work with)

Im not really ruling out an actual concentrated atempt at ID theft, but this is looking more like someone managed to get my account info out of something like the ZONE.
I finger the ZONE simply because it is the only thing i can think of that would have had a direct link between my credit card (Through Asherons Call subscription) and my hotmail account (since they both use microsoft's Passport)

So fuck you very much Alluvian, but this is not the same thing.

As to protecting myself, even before the credit card theft, I had a firewall, virus scanner, and spybot seach and destroy, and used them religiously.  I can say with fair certenty, that i have not been trojan hacked.

[SurfD]

oh, and on another note, "Alphabetically" actually worked, so now i have my hotmail account back!?

(a few of my friends on icq actually knew the answer as well).

heh.

[TripleDES]

Do the same as I do. Just write the answer of your (new) secret question backwards next time. Or some other jokes of that style. Easy for you to remember, but gives you some nice halfassed protection against people guessing the answer.

And for the password? Try to remember some longass random letter and number combo, and use it as password for everywhere. While it might pose a risk that someone could hijack all your accounts if he snatches the password, it's pretty much impossible that someone can guess or get it, unless you write it down somewhere or have a keylogger installed (multiple passwords wont help then either).

[Alluvian]

Not to get pissy with you Alluvian, but I did NOT ask the exact same question the first time around, and I am insulted that you think I just sat idly by and did nothing.

Whoa, touchy touchy.  We really need to re-evaluate our priorities when some random stranger on an internet board can make a mild statement that throws our panties in this much of a bind.  Lay off the coffee.

The question was essentially the same both times.  This has a new event that has occurred, but your second and third threads on the topic have both been "Man this person is really pissing me off, how can I fuck with them?".  Which is IMO (as I explained) the wrong direction to go.

He actually seems to be intentionally yanking your chain.  I don't see why else he would have put the "Afriend: ..." part in the password question identifying himself.

Credit card theft is a big deal.  Moreso if they cross state lines.  Identity threat is a big deal.  Report it to the authorities.

Friend of mine had a card number stolen when he was on vacation and the perps crossed state lines on a charging spree while he was flying back.  FBI hunted them down rather nicely and busted their ass.  I this case they had charged a lot of money though.  He had a 10k limit on the card and they got it up to about 7k before the credit card company shut it off.

A co-worker had someone physically steal his wifes card and use it at a few gas stations.  This floored us because it was one of those picture credit cards with her photo on it.  The guys were caught and they did NOT look like his wife, heh.  Credit card company sued the gas stations for basic incompetence and won the punitive suits.

[HaemishM]

Just as a tangent, whenever I get a new credit card/checkcard, I never sign the back of it. If you don't sign it, the clerk at whatever place you buy stuff is supposed to check your ID just as if it was a check. They are required to do that.

Of course, the number of places (and I mean big nationwide retail chains) that actually do that is miniscule. And the companies wonder why credit card fraud is so big.

[Mr_PeaCH]

Moving tangentaly with Haem... how does not signing your card help you though if you ever lose your card?  (Answer: it doesn't, it can only hurt.)  I mean, as you point out, when you use your card they hardly check anyway... and if they do check, no biggie, you, after all, are you.  But if you lose that card and I find it and I want to engage in a bit of social engineering I bet I'd find it easier to prove I was you by demonstrating that my signature matches the one I just put down on the back of your card, hmm?

[HaemishM]

Solution: Don't lose your card. :)

Other solution: Credit card companies start spot-checking ID confirmations in retailers with secret shoppers and start strong-arming some of these bastards into making an effort to cut down on credit card fraud. The less cash we use in our economy, the more your ID will matter.

[Merusk]

Moving tangentaly with Haem... how does not signing your card help you though if you ever lose your card?  (Answer: it doesn't, it can only hurt.)  I mean, as you point out, when you use your card they hardly check anyway... and if they do check, no biggie, you, after all, are you.  But if you lose that card and I find it and I want to engage in a bit of social engineering I bet I'd find it easier to prove I was you by demonstrating that my signature matches the one I just put down on the back of your card, hmm?

Haemish has it half right.  You're supposed to write "Check ID" across the back of the card instead of just leaving it unsigned.

[cevik]

Haemish has it half right.  You're supposed to write "Check ID" across the back of the card instead of just leaving it unsigned.

When I worked at a gas station back in college a lady came in and she had written "Check ID" on the back of her card with a sharpie, so of course I say "Uhm, can I see your ID?"

She looked at me all confused, stared blankly for about 30 seconds, then reached in her purse, grabbed her ID and handed it me.  I was suspicious at this point (after all, theoretically it was her that asked me to check the ID!) so I carefully examine the ID, but to the best of my ability to tell it was definitely her on the picture and the signature on the ID matched her sig, so I hand her the reciept and the card and her ID and get ready to help the next person.

Then she asks "Why did you check my ID?"  So of course I responded "You wrote 'Check ID' on the back of your card."  Then she gets this sheepish look and says something like "Wow, I wrote that on there 2 years ago and you're the first person who's ever asked for my ID, I totally forgot about it."

Of course that was almost 10 years ago, and I notice that people seem to have gotten much more diligent about checking my card in the last couple of years..

[HaemishM]

Another tangent post:

Back in the early 90's (around 92 I think it was), I was working at EB back before they were EB Games. For some reason, a directive came down that no matter what, we HAD to check driver's licenses on anyone who tried to buy anything with an AMEX card. We didn't have to note anything, just check the ID before we could accept it. The half-assed reason we were given is that it was "something AMEX had started doing." We didn't do it on any other credit cards, just AMEX. I actually had customers pissed off at me because I wouldn't sell them a $300 CD-ROM drive (back in the day, remember) unless they showed me their license.

It makes sense, it was just so "out there" an idea at the time, people were taken aback. And of course, they rarely ever thought beyond their own noise to understand why it was a good idea.

[SurfD]

Not to get pissy with you Alluvian, but I did NOT ask the exact same question the first time around, and I am insulted that you think I just sat idly by and did nothing.

Whoa, touchy touchy.  We really need to re-evaluate our priorities when some random stranger on an internet board can make a mild statement that throws our panties in this much of a bind.  Lay off the coffee.

hehe, yeah, sorry about that.  I was still sort of in a near frothing rage state about the whole affair.  While i admit that it is just a hotmail account, it is still something I consider personally mine, and almost a part of my internet identity, and as such, I was rightiously pissed when someone fucked with it.

I was asking for ways to fuck with the person, but really, all I wanted to know was if i could IP trace him through MSN messenger.  Since I now have possesion of the account back, thats a moot point, but it would have been nice to know if i could find out where this person is from.

Knowing if he was a local or not would go a long way in verifying my suspicions as to who was doing this/where it all started.

[daveNYC]

Have you checked what passes for a sent mail folder in Hotmail?

[hirebrand]

Cashier Advice Time!

Just as a tangent, whenever I get a new credit card/checkcard, I never sign the back of it. If you don't sign it, the clerk at whatever place you buy stuff is supposed to check your ID just as if it was a check. They are required to do that.

This is actually less secure than you signing the card. You should never leave it blank because anyone who picks up your card can then sign the cardholder's name in their style of handwriting and go on to use it without any trouble. Also, technically, the card is void and unusable unless signed.

Practices, ordered Worst to Best:
- not signing at all
- signing
- writing 'CHECK ID' in large letters
- getting a card with the picture ID and printed signature on the front, plus signing the back AND writing 'CHECK ID'
- saying "screw credit", being smart and using debit with a secret P.I.N.

[Alkiera]

Cashier Advice Time!
...
- saying "screw credit", being smart and using debit with a secret P.I.N.

Except, at the grocery store, you put in your 'secret' P.I.N. in front of several gawking customers.  Sure, you can tell them to back off, but I'm just not a bitchy person.

--
Alkiera

[HeartBurn]

- saying "screw credit", being smart and using debit with a secret P.I.N.

So instead of racking up credit card bills that can be ignored your bank account actually gets drined? Great idea.

[Roac]

- saying "screw credit", being smart and using debit with a secret P.I.N.

Or go old fashioned and use cash, or write checks.

[cevik]

Or go old fashioned and use cash, or write checks.

I use my debit card for basically every purchase, I never ever use cash unless I'm going someplace that just doesn't take cards and I avoid those types of places 90% of the time.  I might use cash once a month at most (yes the gov't can easily track my every purchase, I hope their database of booze, porn, and video game purchases pleases them greatly, you hear that Ashcroft?).  I've never had my credit card stolen or tampered with in any way.

I use checks for the two or three bills I have to pay a month that don't take electronic payments.  I had two checks stolen, chemically erased, and re-written for 10x's the amount that they were originally written for.  I had to cancel my checking account, open a new one, and wait for over a month to get my money back (due to a fuckup with the bank).

I'm sticking with the debit card over checks.. :)

[Arcadian Del Sol]

The trick to never having your password hacked is to memorize a random string of letters and numbers and use it.

For example - I took my driver's liscence number and randomly jumbled the letters and numbers and I use that as my password when I have to be uber secure. Its hella long, and entirely random - it would take the CIA 4 weeks to crack it, and thats if they worked full time.

Of course they could read this post and do it in 3 minutes.


At work, we had a civilian contractor who used the value of Pi to the 18th decimal as his password.

[Snowspinner]

I'm fond of taking sensible passwords and displacing them some number of keys. So, for instance, isntead of Snowspinner (Which is not a password I use on anything, as I am not dumb) I would use dmped[ommrt or f,[rf]p,,ty

Neither of which are particularly guessable.

[Roac]

The trick to never having your password hacked is to memorize a random string of letters and numbers and use it.

That would be ideal - a 10 char random alphanumeric + symbol string.  Generally not going to happen though.  Almost as secure, and far easier to remember, is to pick a handful of letters/numbbers/symbols (at least one of each, and 3-4 total) plus 2-3 words.  String them all together.  It's complex enough to not be guessable, dodges dictionary attacks, and cripples brute force attacks (due to the symbol and length).