20 September 2009

No such thing as "Secure"

I logged onto FB this morning to a note from a friend asking me if I had received the email from myself asking for money to be wired to London. Apparently I had been attacked and mugged by "street orchids". Those damned British flowers are pretty aggressive from what I understand. So with a deep sigh I attempt to get my gmail account back. First problem I run into is that in order to get your account back they send an email to your backup email address. Well that's funny because I didn't set one up at hotmail which is where they sent it. Which means whoever got my account was savvy enough to change that. Makes sense. The next step? Wait over 24 hours and try to reset using the account security question. Yeah, 'cause I'm sure they didn't change THAT. So then I fill out a form to try to get my account back. Shit, they want some esoteric information. Like 5 email addresses I frequently email. Problem is I only use that for _receiving_ things like bank statements, credit card statements, TEP bills, etc. I don't actually email anyone from it. So that question is tough. Then they want to know the month and year I created the account. It was 5 years ago. I could tell you with certainty if I could log the fuck in. Then they want four labels. I am pretty sure I only have two, so I list them. I also gave them my most recent password. Which they may not have BECAUSE SOMEONE FUCKING CHANGED IT!!!! Oh, and most recent successful login. Well MY last successful login was Friday, but I'm pretty sure whoever has my account has successfully logged in more recently since they are sending emails to people asking for money.

Realizing all the financial data that I have attached to this account, I go to change my info on my bank. I change the username. What do they do? "Confirmation of your username change has been sent to your primary email address." Well fuck. So now the douchebag that has my account has my NEW username for my bank. Super. I then go to change my primary email account but I realized that given their response when I changed my username that they would probably send ANOTHER email to my compromised account informing them of my NEW email address. Bah. And double fuck.

I got an email back from Gmail; apparently I don't know enough to get my own account back. As a consolation prize they suggest I can make a new account. No thanks. I have four other ones. NONE OF WHICH HAVE MY FINANCIAL DATA!! I need THIS account back, god dammit. How many times can I fill out the form to get my own fucking account back?


***UPDATE***
Finally got my account back. I tracked down the email that had originally invited me to Gmail (thank you Corianin). With that information in hand I was able to successfully convince Google Account Services that it was, in fact, MY email address and they returned it to me. I logged in and saw the email that the douche had sent out as me. I also saw that he/she/it had read the email Wells Fargo sent informing me that I had changed my username. Fortunately all it said was that I had changed it and needed to use the new one to log in next time. No details about what it had been changed to. UNfortunately there was an email from the bank a few days prior that had copies of a deposit that I made, so it's possible that the crackers have my checking account and routing numbers. And since I am in the middle of buying a home I can't just freeze my accounts and start over. Too much shit is linked to that account. So I will have to be extra vigilant for the next few weeks. Still not sure how all this happened. My password was of a decent strength and length and my Mac has no spyware on it. ::Sigh::

On a not unrelated note, I discovered something about Wells Fargo's alleged "security". The password to log in to your account can only be between 6 and 14 characters, making it well within the limits to be easily brute forced. Oh, and case sensitivity is irrelevant. That shit is scary. Even AOL's antiquated shit was case-sensitive. It didn't read anything past the 8th character, but it at least respected case.
