Moneybookers Fraud thread

[Andy]

Ouch, very worrying but I think a "one off". I obviously have no idea how they did it, but the account it was sent to (the incomprehensible one) would not be able to get the money out of moneybookers directly (not for a few days for the chq to be sent or whatever) so they would have to pass it on again (still in the moneybookers system though) OR more likely they will deposit it into a Poker room and "lose" it to themselves and get it out that way.

None of that is much help to you though, it is a worry, please keep us posted with what happens/what happened to cause it.

[Andy]

it would be relatively easy to hack your account.

It still wouldnt be that easy, you need to put the "touring number" in each time, and five tries at the same E-mail address incorrectly and its automatically locked, so you cant really force your way in.

[ChrisS]

It still wouldnt be that easy, you need to put the "touring number" in each time, and five tries at the same E-mail address incorrectly and its automatically locked, so you cant really force your way in.

Yes, the touring number was the safeguard I thought would make it as watertight as you would get at this level, but obviously not!

No, my password had no relation to area, family etc. so once again should have been hard to crack, certainly in 5 attempts as Andy reaffirmed.

It's going to be all the hastle now of re-registering a new mail account at 50+ bookies to accept the new e-mail address that Moneybookers now want - unless you can have a different MB funding address to the address registered with the bookies, anyone know?

Cheers guys for the support, after 20 years in IT this a first for me , fortunately!

[hazard]

Ouch, very worrying but I think a "one off". I obviously have no idea how they did it, but the account it was sent to (the incomprehensible one) would not be able to get the money out of moneybookers directly (not for a few days for the chq to be sent or whatever) so they would have to pass it on again (still in the moneybookers system though) OR more likely they will deposit it into a Poker room and "lose" it to themselves and get it out that way.

None of that is much help to you though, it is a worry, please keep us posted with what happens/what happened to cause it.

The money will be lost many times on poker rooms... the money right now is probably sleeping somewhere... and it will be moved a few times before it reaches it's final destination.

[munk]

To be honest the turing number is pretty much useless as a deterrent if someone's going to hack into your account using brute force, especially when big money is involved and they can afford to employ dedicated software engineers to create character recognition software to circumvent the captchas. No idea why MB bother with something as easy to crack as that!

However if you only get 5 attempts to login then that should be THE factor in stopping people getting in and if you've had money go missing and you're sure your machine isn't infected, have you used your MB account in public at all or does anyone else know your details etc?

My advice for securing online accounts:

Only use email addresses (especially on money based services like Moneybookers) that are NOT in use in public
If you can find your email address on google then so can the crackers. If they can find your email address they'll feed it into various online sites that are known to allow email addresses as usernames (like Moneybookers) and then look to see which 'light up' when they do so. They'll get an error message perhaps that's slightly different from the one you get when you use an incorrect username full stop, so that indicates it's a 'hot' account ID. After that it's just a matter of using brute force to fire lots of passwords with that account ID until one of them works.

Whilst this may sound far fetched, it does happen that this method is used to crack online accounts very regularly.

Use unique email addresses for each online account
Ideally, create a unique email address for every different single online account that you have. If you own your own domain this is fairly easy to do and just requires that you create a new email alias for each new account.

For example, create semi-random looking email addresses like 'qef901foobar@example.com' for a company that you use called 'foobar'. Since this is hard to remember, really you need to be using this method in combination with a password database like Keepass to 'remember' all of the different email addresses.

This method has several advantages:

• Security - using a unique email address for every online account means that if one email address gets 'discovered' by crackers, they can't access more than one account with that email address.
• Spam trapping - if you start receiving spam and it's directed to one of these unique email addresses, immediately you know who's responsible for selling on your email address.
• Email filtering - because each email address you use is unique, you can setup email filters on your email client to automatically filter email received from each address into it's own 'folder'.

If you don't have your own domain, Gmail does have a useful feature that allows you to create multiple email aliases from a single gmail address.

If your gmail account is example@gmail.com, Gmail allows you to create aliases using '+' as a separator - so for example all of the following:

• example+bank1do1kd@gmail.com
• example+cooking@gmail.com
• example+toast@gmail.com

will be delivered to the same gmail inbox for 'example@gmail.com'. Using this you can create unique email addresses for all the different accounts you have. The only drawback with this method is that quite often online sites don't allow '+' in the email field - they should do since it is an allowed character in an email address, but some sites don't.


Use unique usernames and passwords for each online account that you have
With similar reasoning to above, if one of your online accounts gets compromised by crackers then only that one online account will be compromised because all the other accounts have a different username/password attached to them. The 'rot' is stopped at that first online account that was broken into.

Again this is very hard to maintain unless you use something like Keepass, but is very worthwhile doing and investing the time into setting up.


Change passwords every 3 months (one month for specifically money based accounts like paypal/moneybookers/banks etc)
Yet again quite hard to keep track of unless you use a password database application like Keepass, but with keepass you get reminders when your passwords are 3 months old so whilst it's a chore updating them (especially when you have hundreds), I think it's worth doing.


Use an encrypted password database
Above all this is the most important aspect in maintaining a solid online security regime. A password database like Keepass allows you to maintain all your online accounts in one single file which is encrypted - as long as you secure the password database with a very strong master password (and preferably only allow it to be opened if a usb stick is present), the database cannot be read even if it slips into the wrong hands.

Every time you create a new online account, create a new entry in the password database:

• Create a unique username - Keepass has a useful random password generator which is useful for creating random strings that can be used as usernames (just copy/paste the random string from Keepass's password generator into the username field). Having a random username is a pain if you have to ring up a call centre, but it stops crackers from guessing your username easily.
• Create a unique password - as above, use the password generator functionality in Keepass to create a random password. The longer the better, although a lot of sites do limit the password length. I find it useful to keep a note of how long the password can be in the 'notes' field for each entry in Keepass.
• Create a unique email address - reasoning for this is as above. Once you've created the unique email address, keep a note of it in the 'notes' section for each entry in the Keepass database.
• Set the password to expire every 3 months - Keepass can be configured to automatically set passwords for new entries to expire by default after 3 months. When passwords are about to expire, Keepass can be configured to remind you so that you can go and change the password on the site in question which makes it a little harder for passwords to be compromised.
• Add any extra notes about the account - Keepass is a great place to keep site specific notes and memos to remind you what you did when you signed up or how to change the password etc etc.
• Above all, change the passwords regularly - as above, Keepass can expire passwords every 3 months so that you have to go in and change each password. This is quite a task to get on top of especially if you have hundreds of online accounts, but it's a small price to pay for peace of mind and isn't that hard once you get used to doing it (I generally spend an hour at the start of each month updating all the passwords that are due to expire in the first month).

Keepass can be found here:

Keepass


Since I've been doing the above I've not had any problems (I had fraud on a couple of cards prior to doing the above and I'm pretty sure it's through brute forcing because I definitely never had any malware/spyware on my machines, nor did anyone else know details, didn't use them in public etc etc ... BUT I did use a publicly visible email address each time and coincidentally on each time I got defrauded it was on a site that that public email address was the username for).

It IS a massive PITA doing the above, I admit totally... and sometimes I really can't be arsed with it and end up putting off changing passwords for another 3 months etc... but touch wood it's adding some extra hassle in there for the mafia crackers to get around.

[munk]

I've just been thinking about this... I just made a deposit online and remembered that Moneybookers send you an email to let you know that you've made a deposit, didn't you see these emails or was it just too late? That would be another addition to the above, make sure the Moneybookers primary email address is one that you check very regularly.

I have to admit in a rather kneejerk reactionary stylee I've withdrawn a fair chunk out of Moneybookers now even though I do take a fair few precautions as above. As Kahne said in the chatbox, it's really not a big deal if you have VIP status because you get your withdrawal fees repaid anyway, so it makes sense to keep your Moneybookers float in your bank current account and whenever you want to make a payment, just make the payment via visa debit card via Moneybookers. Plus my bank (Lloyds) seems to have just implemented a new Vantage account upgrade that means you get 4% on balances between £5-7k, so makes sense to keep most of the float in there anyway.

[MITK]

One can never be positively sure his details are safe from hackers... Do you employ phishing-detecting software such as ZoneAlarm ForceField e.g. when you use your browser? Since you say you scanned for viruses, malware and spyware, this seems to me the only option left for the hacker to obtain your pass?

I got stung by a hacker a year ago and got few hundreds transfered out of my MB account. I called MB and they, to my surprise frankly, acted very swift and blocked the account my money went in and after some security checks and id verification, sent the money back to me from his account minus some administrative fee for investigation of 20-25 euros. So its a good idea to give MB a push to block the account the money had gone to, if the money are still there of course.

[MITK]

To add to munk`s very useful tips, never store your login data such as usernames and passwords on a PC or in any online form, since they are vulnarable to hackers, just use a pen and a piece of paper

I always put my data on two separate notebooks, kept in different places, so my wife is the only likely hacker of it

And never leave big money in your MB account just in case you get hacked, always try to have them on the move and to have less than 100 sitting in

[chriso]

Unfortunately, if the hacker has managed to install a keylogger, which can record every character you enter, keeping your login data separate will not protect you. Personally, I keep mine on an encrypted memory stick and cut & paste user names and passwords where possible. Obviously, the encryption pass phrase also has to be cut & pasted too otherwise it rather defeats the object. If the hacker is breaking the password by brute force, increasing the number of characters in your passwords, if possible, makes it more difficult. We have password cracking software at work (perfectly legitimate - I work for a Government fraud investigation agency and we sometimes have to access computers that we have seized, for which we do not have the password) and it doesn't really work for anything over 15 characters. However, as Munk says, since most sites give you a limited number of login attempts, that doesn't seem a particularly likely scenario here. Of course, an "inside job" is another possibility - that is how most thefts from bank accounts come about.

[munk]

To add to munk`s very useful tips, never store your login data such as usernames and passwords on a PC or in any online form, since they are vulnarable to hackers, just use a pen and a piece of paper

I always put my data on two separate notebooks, kept in different places, so my wife is the only likely hacker of it

And never leave big money in your MB account just in case you get hacked, always try to have them on the move and to have less than 100 sitting in

Yes using a password database is a tricky one in terms of security - a lot of banks say that you should never record your login details on a computer for example. However Keepass does use an encryption protocol to keep the data secure so if your machine was accessed without your permission and the file was stolen, as long as you've password protected the actual database then it will be safe (the encryption used is very secure).

Keypass does have a variety of tricks to circumvent key logging I believe HOWEVER having said that if you do get a keylogger installed by malware then it's entirely possible for the hacker to record the password for the actual password database itself I suppose and then steal the database/use the master password... but then again if it's got to that point then anything you do online is vulnerable anyway since the keylogger will be picking everything up eventually anyway.

One other thing you can do with Keypass is to have your password database ONLY open if a specific portable device is present - ie the database will only open if you enter the correct master password AND have a specific USB stick plugged into the PC. I don't actually do this since I only really use the database at home, but if I used the password database say in an office I would definitely use the USB stick option.