Forgot your password?
typodupeerror
Security Crime Privacy

Ask Slashdot: Identity Theft Attempt In Progress; How To Respond? 239

Posted by timothy
from the burrs-on-the-heel-of-the-foot-would-be-mercy dept.
An anonymous reader writes "It appears that two weeks ago my email address got into the wrong database. Since that time there have been continuing attempts to access my accounts and create new accounts in my name. I have received emails asking me to click the link below to confirm I want to create an account with Twitter, Facebook, Apple Games Center, Facebook mobile account, and numerous pornographic sites. I have not attempted to create accounts on any of these services. I have also received 16 notices from Apple about how to reset my Apple ID. I am guessing these notices are being automatically generated in response to too many failed login attempts. At this point I have no reason to believe any of my accounts have been compromised but I see no good response."
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Identity Theft Attempt In Progress; How To Respond?

Comments Filter:
  • by Marxist Hacker 42 (638312) * <seebert42@gmail.com> on Tuesday February 26, 2013 @02:40PM (#43016675) Homepage Journal

    Sometimes, it becomes necessary to change your e-mail address.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      First things first:

      Is it a gmail address ?

      Is there another exact address from a different country ?

      It could be as simple as foo.bar@gmail.com being confused with foobar@gmail.au

      Happened to me.

    • by Bearhouse (1034238) on Tuesday February 26, 2013 @02:59PM (#43016935)

      Indeed. Keep the old ones, of course, but change the passwords to something very, very secure and different for each one.
      Backup then delete all information associated in the Cloud with these addresses, (Android, iCloud, Gdrive...)

      Do not reuse any of the old accounts for anything. Use a "one-time" account for verification each of the new accounts, then nuke it and change to a new one.
      Do not be tempted to have one master account for verification of all the child ones.
      If you're using gmail, or similar, do NOT use some variation of your name, home town, company, whatever.

      Finally, pony up for your own domain etc. and get a nice email account you can totally control. Cheap, too.

      • Self hosted email... (Score:3, Informative)

        by guevera (2796207)
        ...is a bitch to administer. Configuration, authentication, making sure you do all the crap so you don't get flagged as spam. I'll admit that the first time I played with Postfix it took me like two solid days to get everything set up right. You got any recommendations for deployment and admin to save me the headache next time? (Cuz the best part is, it's now been long enough that I've forgotten most of it and it'd probably take me another two days to set up...)
    • by danomac (1032160)

      Firstly make sure there's a damn good non-guessable password on his existing email account!

      • by mccrew (62494)
        Second, make sure your "Forgot Password" recovery question is non obvious as well. I recently had a Gmail account stolen out from under me because I had an extremely obvious secret question (e.g. on the order of "What does f-o-o spell? foo") going way back to the Gmail prehistoric times. Seems like this has been an attack vector that has been employed a lot recently.
    • by Aardpig (622459) on Tuesday February 26, 2013 @03:10PM (#43017077)

      One does not simply change one's email address...

      • by Lazere (2809091)
        No, when I feel the need for a new address, I simply add it to my growing pile of addresses. It's as simple as; create new address, make new address the contact for all the important stuff (bank/icloud/whatever) and keep the old one for things/people you may have forgotten.
      • by hAckz0r (989977)
        You can if you always use throw-away addresses (such as sneakemail.com provides for a fee, there are many others as well).

        Whenever I sign up for a new service I use a custom throw-away address, labelled for that particular site, and if it gets hacked/used for spam or other I can go back to change the address (and/or password) with that service to an new throw-away address. All email get forwarded to my real address(s) of my choice, and when I start receiving mail I don't want I automatically know who got

  • I would contact my local police force and talk to the financial crimes desk. They may not be able to do anything at this point, but you should establish a paper trail ASAP, which would certainly work in your favor while explaining things to your bank or whatever if the bad guys do manage to hurt you in some manner.
    • by Anonymous Coward on Tuesday February 26, 2013 @02:47PM (#43016769)

      Um... yes... There's this person, probably in another country, that I suspect is trying to gain access to my facebook account. LOL.

      • Um... yes... There's this person, probably in another country, that I suspect is trying to gain access to my facebook account. LOL.

        Laugh, but the GP is correct. File the paperwork. It's a CYA move, just like you'd do if something fishy was going on at work. Not only does this cover YOU, but it also provides a jumping off point, should some computer crimes force actually stumble on the perp. They can't do a thing against them in many cases unless someone has reported it first. Having a report on file unties all sorts of red tape for their investigations.

        That said, reporting it to a local county office isn't going to do much; you need to find the closest computer crimes division that will actually file your report and also add it to the federal/international databases so it can be cross-referenced by other investigators.

      • by Anonymous Coward

        404 in progress, all units respond!

    • by ShanghaiBill (739463) * on Tuesday February 26, 2013 @03:08PM (#43017037)

      I would contact my local police force and talk to the financial crimes desk.

      You would go to the local police because someone (probably on the other side of the world) knows your email address? If you are lucky, the police will just laugh and hang up. If you are unlucky, they may get pissed at you for wasting their time on something so frivolous. What are expecting the police to do?

      Just make sure you have good passwords on all your accounts, install a spam filter, and get on with your life.

      • As a few others have pointed out, the point the original poster was making was NOT that the police would do anything about the problem. The OP's point was that by contacting the local police and filling out a police report, you have a paper trail that something is going on, so that down the road, if this person is successful you can document that you were aware of it and took steps to address the problem. Of course it is important that when you contact the police you make it clear that you do not expect tha
    • by Anonymous Coward on Tuesday February 26, 2013 @03:09PM (#43017055)

      I've been down this road.. The local police are likely to tell you unless you are under threat of imminent bodily harm, you should contact the FBI. When you contact the FBI, they will tell you computers get viruses all the time and you should ignore the problem or contact your local police if you feel your life is in danger.

      I'm not trolling or being sarcastic. This was what actually happened when I contact LEOs to try and help solve the problem. Like others said, change your email address and get on with your life. Unless you want to spend a bunch of time chasing ghosts on your own time.

    • by Dahamma (304068)

      As I'm sure about a million other people who have tried this before could tell you, this is a complete waste of time.

      Most police departments couldn't care less if you report your car being burgled or your cell phone stolen (two cases I have tried to report and they basically acted like they couldn't be bothered), let alone someone just trying to use your email address on a web site. At least in the former case it is useful if you want to make an insurance claim.

      As for any Internet fraud claims, etc - as an

      • IANAL, but if you have their identity couldn't you sue them in small claims court? I'm assuming that they would be unlikely to show up, and you would get a default judgement. Then I think you could get a court order to have the sheriff (?) go and ransack their property to retrieve $XXX worth of stuff. Probably much more satisfying than just getting your $500 back.

    • by crazyjj (2598719) *

      Lol, you think my local cops have a "financial crimes desk"??? hahahahahahahahah Shit, I doubt my state police even have that.

      • by Fjandr (66656)

        My city doesn't even have a property crimes division, let alone a financial crimes division. Unless it's a traffic infraction or a violent crime, they do not investigate anything.

    • by Technician (215283) on Tuesday February 26, 2013 @05:20PM (#43018445)

      For part of your paper trail, look at the lower right corner of Gmail. I bad guys were in your account recently, you may find some evidence on the "Last account activity: 13 hours ago
      Details".. Click on the Details link and it will open your most recent login times and IP addresses. If you were not on a trip and you were logged in from Florida or somewhere else, it is time to save the info and change your password. Knowing the IP adderess of someone using your account is good evidence. Contact their ISP with time, date, timezone, with the info. It may be against his ISP's terms of service to hack from his account. For those without Gmail, this is what it looks like. Note IP addresses altered to protect my privacy. I checked my mail from work, home, and on a recent trip.
      Browser * United States (WA) (192.25.69.00) 1:11 pm (4 minutes ago)
      Browser United States (OR) (10.134.137.00) Feb 25 (13 hours ago)
      Browser United States (WA) (192.25.69.00) Feb 25 (20 hours ago)
      Browser United States (WA) (192.25.69.00) Feb 25 (20 hours ago)
      Browser United States (WA) (192.25.69.00) Feb 23 (3 days ago)
      Browser United States (OR) (127.34.103.00) Feb 22 (4 days ago)
      Browser United States (OR) (127.34.103.00) Feb 21 (5 days ago)
      Browser United States (OR) (127.34.103.00) Feb 20 (6 days ago)

  • Your options are (Score:5, Insightful)

    by Press2ToContinue (2424598) * on Tuesday February 26, 2013 @02:43PM (#43016707)

    1) Wait and see if they succeed, then create new online and financial accounts and deal with the personal and financial fallout
    2) Create new online accounts, transfer all information to new accounts and delete the old ones before they succeed

    Up to you.

    • by X0563511 (793323)

      3) change all your passwords and such securely and watch as they flail against your login

      • by pentalive (449155)
        Use a password locker like LastPass, let it geneate the longest, most complex passwords the apps/websites will allow and a different one for each website or app.
        • by X0563511 (793323)

          I am a fan of KeePass, personally. Same idea, different tool.

          • by achbed (97139)

            Can't say enough about mSecure - it's one of the few that do NOT require an online sync of any kind. It'll sync across a local LAN/WLAN without sending traffic to the Internet. Of course, it has integration with a few services for that too if you want. One downside for some folks - it's an application, not a Web Service. Another downside - it does cost money ($10 on iOS and/or Android, and $20 for the mac or Win version, no linux one). But it's been reliable as hell for me and my business.

            • by X0563511 (793323)

              Well, KeePass just stores into a file. How you move that file around is up to you :)

              It has some kind of internet thing, but I've never touched it.

              Open source as well, if you care about that (I do)

      • 3) change all your passwords and such securely and watch as they effortlessly use the forgot password feature on the site.

        FTFY. You don't brute-force an account, you maybe try a few common passwords then attack the weak link.

        • by X0563511 (793323)

          How is that link supposed to be used without first getting into the now-secured email account?

          • How is that link supposed to be used without first getting into the now-secured email account?

            Perhaps because not all "forgot password" links work that way [schneier.com]? Now, of course, that particular method no longer works and it did require some "personal" info and a physical call. However, it's not an isolated story, it's just the first that came up in my admittedly haphazard search. Online password cracking is too easy to detect and stop unless you have a large botnet at your disposal. Crackers are going after alternate channels. While you and I can pick our complex passwords to protect the front door, we c

  • by alen (225700) on Tuesday February 26, 2013 @02:44PM (#43016735)

    to something not in the dictionary?

    after that i would just ignore the failed attempts. after a while the perp will stop and move on to easier prey

    • by Anonymous Coward on Tuesday February 26, 2013 @03:12PM (#43017091)

      No, but he did change them all to "honest equine capacitor fastener"

      • by pentalive (449155)
        XKCD password regimen!
        • Stupid instant moderation applying shit.
          My bad. I didn't mean to mod you troll. Maybe /. could actually require a confirmation for moderating rather than just a stupid drop down and automatically applying bullshit.

      • by Muros (1167213)

        No, but he did change them all to "honest equine capacitor fastener"

        I know XKCD made a good point, but that's still nowere near as good as passwords could be. It is extremely easy to memorise a fairly long gibberish sentence and use it as a password, eg. "The moon that afternoon was violently passive." Thats a 47 character password and I didn't even bother mangling any words, it could be made much better. I don't understand why accounts on some computer systems that have disk quotas measured in gigabytes have such arbitrarily small limits on the password. Is 1KB too much to

        • by cdrudge (68377)

          Is 1KB too much to ask for?

          Probably. Because no one in their right mind is going to have a password that's 1KB long. Average word length in English is about 5 letters per word. Add in a space and you're at ~166 words for a 1KB password. An excellent typist types at 80WPM so that's 2 minutes to type in your password if you're really fast, you remember it, and you type it correctly.

        • by Fjandr (66656)

          Yeah, in addition to other reasons to hate Comcast (depending on where you live), they have an arbitrary 11-character password limit. At least a couple years ago, anyway.

      • by Hentes (2461350)

        If somebody was attacking me with this persistence, I would consider using randomgenerated passwords that are written down in an encrypted file on my machine.

    • by Cigarra (652458)
      I'm not sure "ignore the failed attempts" is the right thing to do here. It SHOULD BE, in an ideal world, but there's more than one case where persistent hackers get to reset an account [wired.com], not by guessing the password, but by social engineering the support people from Apple, Amazon or whatnot.

      It's a little unnerving, but I have no idea what exactly a user can do to prevent such things from happening to one.
    • by bitt3n (941736) on Tuesday February 26, 2013 @04:01PM (#43017629)

      to something not in the dictionary?

      I don't know about this advice. I once fell for one of those nigerian scammers who duped me into giving him my email password. then I changed my password to 'gullible', since I've heard that's not in the dictionary. somehow it was the first thing he guessed. what's worse is I used it for all my accounts, and now he posts idiotic comments as me on slashdot.

  • by jerdenn (86993) <jerdenn@dennany.org> on Tuesday February 26, 2013 @02:48PM (#43016775)

    I believe that Jason Bateman was in a recent documentary on this topic - seemed very factual, and you should probably consider his plan of action:

    http://www.imdb.com/title/tt2024432/?ref_=sr_1 [imdb.com]

    -jd

  • Taken? (Score:5, Funny)

    by eldavojohn (898314) * <eldavojohn.gmail@com> on Tuesday February 26, 2013 @02:52PM (#43016809) Journal
    Okay you need to listen to me carefully and to be focused. Do you have access to a bathtub? Good, take your laptop into the bathroom and fill the bathtub full of water. I need you to log into your Facebook and open your Farmville tab. You need to do this quickly before they gain access. Take each of your animals from your farm and love them and nuzzle them and say goodbye to them. Then hold them under water in the bathtub until they stop struggling.

    Are you done? Good, leave them in the tub, they're in a better place now.

    Go back into your room and crawl under your bed so the satellites they have control of cannot see you. Open up your Apple account and start forwarding your e-mails to your Gmail account. Yes, I know it will take forever, no there is not an easier way to do this. Okay, once you have all of those out delete your Apple account -- you'll get a new one later. You never really owned that stuff you bought on iTunes so just forget about it now, it's gone. Now log into iCloud on your laptop and start the laptop on fire. It's better to destroy all of those photos, tax returns and documents then to let them have them.

    Now listen carefully because this part is important. These men are going to access your accounts. They're going to send your friends messages and make you seem like a jerk -- just for fun. There's nothing you can do about that. Just make sure to leave the Slashdot chat box open when they take you ...

    Hello?

    Hello? Anonymous Reader?

    I don't know who you are. I don't know what you want. If you are looking for ransom, I can tell you I don't have money. But what I do have are a very large amount of Slashdot karma; karma I have acquired over a very long career. Karma that make me feel like I can stand up to people like you. If you let the anonymous reader's accounts go now, that'll be the end of it. I will not look for you, I will not pursue you. But if you don't, I will look for you, I will find you, and I will ask you politely to stop messing with people.
    • by black3d (1648913)
      :O Awesome...
    • by realsilly (186931)

      I see what you did there....

    • I don't know if it is sad or not, but I did this a very long time ago.

      I have a throw away email address that I forward (and delete) everything from to one I actually use. When I use my online identity I only use the throw away account (Slashdot included). If it ever becomes compromised (or even just too much spam, which I think was my orginal intent before filters became very good), you can just drop and delete it (if possible), then if you like start a new one and continue the same process. Sure you may h

    • by lurker412 (706164)
      Funniest post I've seen here in years. Bravo!
  • by koan (80826)

    "but I see no good response."
    You can stop using that email, monitor your credit cards and other accounts, you can also freeze your credit cards and who can check your credit, change all your passwords, there are entire web pages dedicated to helping with this issue.

  • More Likely (Score:5, Insightful)

    by g0bshiTe (596213) on Tuesday February 26, 2013 @02:54PM (#43016851)

    An anonymous reader writes "It appears that two weeks ago my email address got into the wrong database"

    Or two weeks ago you pissed someone off and they are just plugging your email address into everything.

    • by DarthVain (724186)

      It does sound a bit like ordering pizza's and magizine subscriptions to an address of someone you loath.

  • There has been not account compromise that you know of right? So there isn't much you can do. You should get your free credit report https://www.annualcreditreport.com/cra/index.jsp [annualcreditreport.com] This is the truly free ones. You can get one free one each year from each agency, there are 3 agencies so you can get one every 4 months. Just keep track of your financial info. You might disassociate the address they are trying to get into from any financial accounts. Change all your passwords to something good and use a passwo
    • by zerosomething (1353609) on Tuesday February 26, 2013 @03:05PM (#43016995) Homepage

      Found some old recommendations I sent out to friends that weren't too tek savvy. It's fairly basic info that most should know.

      I was looking into Life Lock and started reading what they actually do, which is in the fine print of their terms of service here.

      http://www.dmachoice.org/ [dmachoice.org] it's the primary service Life Lock uses to get you off of mailing lists and it's free. They also have some good info on how to keep secure online. There are several items you can go through to have your self removed form email and mail lists.

      Then go to https://www.donotcall.gov/ [donotcall.gov] and register your phone numbers for the do not call list.

      Then go to https://www.optoutprescreen.com/ [optoutprescreen.com] to remove your self from the credit card pre-approval lists.

      If you want free credit reports use this site. https://www.annualcreditreport.com/cra/index.jsp [annualcreditreport.com] You can get 1 free report every year from each of the 3 reporting agencies. If you break it up you could get 1 every 2 month. I could get one from Equifax this month. Then in 2 months my wife could get one for them. Then in 2 months I could get one from TransUnion. etc... The reason to get them is mostly to see who has been looking at your credit. Then make sure all the loans are yours.

      Now for your online stuff. Get an email account at google or some place else that you can use for those online registration things that you need to do from time to time. Use that account only for things that you are unsure about. Keep another account for the more important stuff like the banks. You could even have a 3rd account for your general email.

      Most web browsers have an option too clear the cache and cookies. Look for it. In Safari on Mac look under the Safari menu then select Reset Safari... On Windows it's under the File Menu. In Firefox you need to look in the Preferences and the Security tab. Resetting and clearing out the cookies will also clear saved passwords. The reason to do this is because many web sites set tokens on your web browser called cookies that allow them to track you and what you do online. They can see where you are going and what you do online. For Windows this is a big problem because there are ways to install applications on the system without you knowing. Then your computer can be used to send email spam to others or even be used remotely to take over other computers. This is really only a problem on Windows but for Macs they can still track your online usage and figure things out about you that might make it easier to get you to click on something that would install an application that could take over your computer.

      For email. Set your email program to not automatically read your mail and try to use the built-in spam filters. Also set the options to not download in-line pictures and such. The pictures in spam can be used to also track you and verify your email address. If you and I get the same piece of spam the picture will actually not be in the email it's actually a picture on a web server someplace. The name of the picture is unique to each spam email so when your mail program tries to access the picture from the internet the spammers computer ticks off the unique name your computer used to get the picture. That unique name is associated with your email address.

  • by twotacocombo (1529393) on Tuesday February 26, 2013 @03:00PM (#43016949)
    It looks like you've pissed somebody off and now they're just screwing with you. What would motivate a stranger to randomly open free online accounts under your email address, which they presumably don't yet control, when they can get one of their own just as easily? The days of breaking into and squatting somebody's paid AOL account are long gone. If this was true identity theft, things would start showing up on your credit report, you'd be getting nastygrams in the mail, and the collectors would start calling. Go change your passwords and move on with life.
  • by g0bshiTe (596213)
    I'd be willing to bet AC poster used thisname@gmail.com and thisname@apple.com and thisname@whatever.com
    Are all your usernames the same between all these sites?
    Have you responded to any of the 16 notices from Apple about resetting your password? Are the emails actually coming from Apple and not some type of phish.
  • by AK Marc (707885) on Tuesday February 26, 2013 @03:03PM (#43016975)
    You can change your passwords on every site to different random strings of unbreakable length and store them in a password manager, to guarantee that breaking one wouldn't affect the others.

    Or you can attempt to close any accounts tied to that email.

    Other than closing the accounts, there's nothing you can do. I've called the FBI in a similar circumstance. "Yes, we are tasked with enforcement of that nature. No, we will not act unless you've suffered actual monetary loss."

    If you want to prevent this, use different email accounts for each service (you can forward them all to the same "main" account to make checking them easier), so if one email gets abused, you only risk one service. But that's too late for the submitter.
  • by Rhys (96510) on Tuesday February 26, 2013 @03:03PM (#43016977) Homepage

    Having a fairly common name and a early gmail where I snagged first initial + last name I get a lot of junk there. Password reset attempts aplenty, people's airline tickets, house listings, closing documents...

    Those I want off of I send a nice mail to support at the company and claim fraudulent use of my email address to register with them. You'd be amazed how fast your email will be off their account (sometimes the account survives that, sometimes... the id10t gets to get a new account -- have fun with that!).

    • Having a fairly common name and a early gmail where I snagged first initial + last name I get a lot of junk there. Password reset attempts aplenty, people's airline tickets, house listings, closing documents...

      Those I want off of I send a nice mail to support at the company and claim fraudulent use of my email address to register with them. You'd be amazed how fast your email will be off their account (sometimes the account survives that, sometimes... the id10t gets to get a new account -- have fun with that!).

      Same here. Once got onto a string of lawyers emails. Most people are nice and thank you when you reach out, as I do when it is an obvious mistake. Only once did an id10t insist it was the right address. I said fine, but I have no responsibility to protect all that private information you are sending me. Eventually it stopped, I assume when the intended receipient asked about it and was told 'but I've been sending it for months...'

  • Chill out... (Score:5, Informative)

    by bazmail (764941) on Tuesday February 26, 2013 @03:04PM (#43016981)
    It is just someone who doesn't like you trying to fuck with you. That's not how identity thieves operate. Hopefully one of those automated emails sent you you includes an IP address of whomever is submitting the forms, and that may lead to something. I would say relax, it will pass.
  • When this has happened to me before, also with the apple ID resets, etc, I've simply hardened the passwords on all my accounts and happily kept on going. As long as you're not following any phishing links, you should be fine.
  • Most everyone is saying similar things, one thing I missed if anyone said it.... put a fraud alert on your credit. Lifelock does this, in fact, its really their main product. Basically, if you write a letter to the credit reporting agencies to tell them that you have reason to believe that someone is trying to steal your identity, they will post an alert on your records, which makes them actually do things like ask for ID when someone claiming to be you asks for a credit report.

    The main nice thing about lif

  • I started getting multiple "you have reached the maximum number of login attempts" from my bank. I changed the account name, and it ended.

    Create a new email address, and switch iTunes over to that account. Keep in mind that when hackers got into Mat Honan's life, they did it by exploiting weaknesses in Apple and Google's authentication schemes. Neither weakness was enough on its own, but when combined hackers were able to get full access.

    http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

  • Order a free copy of your credit report [annualcreditreport.com] pronto and check for suspicious activity. Call the credit reporting agencies and put a fraud alert on your account - by providing a phone number only you have access to, any financial institution attempting to open a credit line or loan from someone using you stolen identity will see the fraud alert and call the phone number listed before approving. The fraud alert stays on your record for five years.

    My soon-to-be-ex-wife attempted to open a $13,000 credit card in
  • You're fucked :D

  • by pitchpipe (708843) on Tuesday February 26, 2013 @03:48PM (#43017501)
    They done goofed this time. You need to set up a backtrace. I can help you. Send me all of your log-in information and I will get the backtrace set up. Then I will forward your case on to the Cyber Police. These hackers aren't going to know what hit them.
  • Not hard.

    How do I change my Apple ID [apple.com]

    You can also change the e-mail address on your Apple account. No loss of your previous purchases.

    I think I would do this on anything where they had my CC info on file. Then pick a strong password for both your old and new e-mail address and wait for them to go away.

  • by boskone (234014) on Tuesday February 26, 2013 @04:11PM (#43017735)

    So, were you wifi leaching, using an evil twin and got MTM'd?

    Honestly, sorry my friend, this kind of stuff is a PITA.

    I would do the following
    1. make sure your pc and router are not pwned
    2. change the email address that all of your services use NOW
    3. for good measure, change all of your passwords.

  • Did you recently piss-off a female? Break up with your girl? Pack up your toothbrush? Suggest you be just friends?

    Thought so.
  • Twitter.
    Apple.
    Facebook.

    Those three have something [slashdot.org] in [slashdot.org] common [slashdot.org].

It is impossible to enjoy idling thoroughly unless one has plenty of work to do. -- Jerome Klapka Jerome

Working...