
Google Wallet/Checkout security breach

  • 14-06-2012 2:29pm
    #1
    Registered Users, Registered Users 2 Posts: 371 ✭✭


    An attempt was made last night to access my Gmail from Indonesia - Gmail claims to have intercepted and denied this and I changed all my passwords immediately they informed me. An hour later, a series of rapid emails arrived telling me that I'd just purchased a number of gambling chips from a company called Zynga via Google Wallet. I rarely use Google wallet - maybe twice in the last year - and have never bought anything from Zynga. These were purchased and applied via an Android phone, which had been registered to 'my' account.

    I am very security conscious - all my anti-virus, firewall, and malware software is up to date. I never use a laptop or a mobile phone for financial transactions - just my desktop PC at home. I contacted my bank and was told to cancel all my credit cards, with the usual delay and angst this will cause. I went through all of my other internet accounts and changed those passwords too.

    Google are being very cagey about this breach, telling me to review all my activities and more or less implying that the problem is mine. They have suspended my wallet account, which is no big loss to me. A Google search tells me that Zynga have a dodgy reputation for this kind of thing. I am very concerned as to how much information has been sourced on me - did Google really block access to my email, for example? My name, address and phone number are on the Zynga email receipts :mad: How could this breach have happened, does anyone know? How worried should I be?


Comments

  • Closed Accounts Posts: 8,015 ✭✭✭CreepingDeath


    Teagwee wrote: »
    How could this breach have happened, does anyone know? How worried should I be?

    Do you have a LinkedIn account and use your GMail e-mail address for it?
    "Linked In" got hacked and lost 6.5 million checksums of people's passwords last week.
    The hackers would've been processing all those details and cracking the easy passwords first.

    I had been using the same password for a number of sites and immediately changed them all.
    I now use "LastPass" to generate random passwords and I log into all sites via that.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    All the LastFM passwords were also leaked last week and these are just the sites who went public, thousands of sites get hacked and say nothing to the public. It's very unwise to use the same password on any two sites, it must be unique to each and every site. Take time out and teach yourself a method, I use Lastpass myself for most sites, but I also have a system I use for those few I need to remember.


  • Registered Users, Registered Users 2 Posts: 371 ✭✭Teagwee


    Do you have a LinkedIn account and use your GMail e-mail address for it?
    "Linked In" got hacked and lost 6.5 million checksums of people's passwords last week.
    The hackers would've been processing all those details and cracking the easy passwords first.

    I had been using the same password for a number of sites and immediately changed them all.
    I now use "LastPass" to generate random passwords and I log into all sites via that.

    I had a Linked In account but terminated it more than a year ago - I don't think it was linked to my Gmail account. I've tweaked all my passwords so that none are the same, but maybe that LastPass is worth looking at. There's no doubt in my mind that this security breach is an issue caused by some failure in the system that was exploited, possibly by Zynga.


  • Registered Users, Registered Users 2 Posts: 371 ✭✭Teagwee


    PogMoThoin wrote: »
    All the LastFM passwords were also leaked last week and these are just the sites who went public, thousands of sites get hacked and say nothing to the public. It's very unwise to use the same password on any two sites, it must be unique to each and every site. Take time out and teach yourself a method, I use Lastpass myself for most sites, but I also have a system I use for those few I need to remember.

    I agree - not only do I have different passwords for different sites, most are linked to different emails to be sure to be sure. This isn't a fault that can be laid at my door - this is definitely a system failure and it's worrying.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Teagwee wrote: »
    I agree - not only do I have different passwords for different sites, most are linked to different emails to be sure to be sure. This isn't a fault that can be laid at my door - this is definitely a system failure and it's worrying.

    Not necessarily, it's as simple as logging on to Google in an internet cafe or using your phone on public wifi.


  • Registered Users, Registered Users 2 Posts: 371 ✭✭Teagwee


    PogMoThoin wrote: »
    Not necessarily, it's as simple as logging on to Google in an internet cafe or using your phone on public wifi.

    Never use an internet cafe or my mobile to log on to any internet site. Only use my PC or laptop on my own wifi connection - only use desktop PC for anything financial.


  • Moderators, Technology & Internet Moderators Posts: 11,017 Mod ✭✭✭✭yoyo


    If you use Google services I would highly recommend activating Two-Step Verification. This will make it more difficult/if not impossible for a hacker to access your Gmail account, even knowing the email and password. Also use unique passwords for your email services/paypal/online banking etc and even try with other sites (although the issue with this can be you get forgetful of hundreds of different passwords, something that annoys me massively having to password reset). Lastpass will help if you use multiple passwords, but it's not always feasible and convenient if logging in on someone else's computer, devices etc.

    Nick


  • Registered Users, Registered Users 2 Posts: 371 ✭✭Teagwee


    yoyo wrote: »
    If you use Google services I would highly recommend activating Two-Step Verification. This will make it more difficult/if not impossible for a hacker to access your Gmail account, even knowing the email and password. Also use unique passwords for your email services/paypal/online banking etc and even try with other sites (although the issue with this can be you get forgetful of hundreds of different passwords, something that annoys me massively having to password reset). Lastpass will help if you use multiple passwords, but it's not always feasible and convenient if logging in on someone else's computer, devices etc.

    Nick

    Yes, I will have to reactivate that 2 step process again - I had it until a few months ago and then got fed up with the process of waiting for a code on the infrequent occasions that I used my laptop in bed to access email. I had it linked to an old bog standard mobile phone, which I kept forgetting to charge :D
    Ah well, don't suppose there are going to be any definitive answers as to why this happened, though I feel I've been doing more than most to avoid it. Just goes to show that there is no such thing as perfect security and there's no substitution for vigilance for damage limitation.


  • Closed Accounts Posts: 8,492 ✭✭✭Sir Oxman


    You can print off ten backup emergency codes for that Google 2-step verification in case you don't have your mobile handy.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    PogMoThoin wrote: »
    Not necessarily, it's as simple as logging on to Google in an internet cafe or using your phone on public wifi.

    How so? All their password exchanges are done over https, or am I missing something?

    This lastpass business sounds interesting. Had never heard of it before but it sounds like just the ticket. For google I use the 2 step login myself. Turned it on only a few days ago but I'm glad I did.


  • Closed Accounts Posts: 8,015 ✭✭✭CreepingDeath


    Khannie wrote: »
    How so? All their password exchanges are done over https, or am I missing something?

    I believe there's ways of spoofing clients on the LAN, that you're the router/gateway. So someone malicious could impersonate that PC, and all traffic would go through their machine first.
    They could then perform various attempts at a man in the middle attack, which might fool someone who didn't understand HTTP versus HTTPS in their browser.
    Khannie wrote: »
    This lastpass business sounds interesting. Had never heard of it before but it sounds like just the ticket.

    Steve Gibson on the excellent "Security Now" podcast completely evaluated it in episode 256 and recommends it constantly.

    Note: while the PC version is free, I paid about €10 for the premium account (for the year), allowing me to use the Firefox plugin on my Android phone.
    Although you could just print out and enter the randomly generated password and type it in manually too and avoid paying anything.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Khannie wrote: »
    How so? All their password exchanges are done over https, or am I missing something?

    Internet cafes - risk of keyloggers
    Public wifi - risk of phishing with fake login sites not using https
    When I said phones I meant web login on any smartphone, not Android which would be secure.
    I'd love to try something as an experiment in a college or somewhere like that. Set up an access point for a few hours, call it "free public wifi" just to see how many people you catch with redirects to fake facebook or google login sites. I'm always wary on free wifi. I use a vpn or ssh tunnel to my own home router for this reason.
    Khannie wrote: »
    This lastpass business sounds interesting. Had never heard of it before but it sounds like just the ticket. For google I use the 2 step login myself. Turned it on only a few days ago but I'm glad I did.

    I've been using both Lastpass and Xmarks for years as they work across all platforms, Windows, Linux and Android, on any browser, IE, Chrome, Firefox and Dolphin HD. I've no problem with $10 per year for the use I get from it. Lastpass also supports 2 step authentication with the Google Authenticator app: http://blog.lastpass.com/2011/11/introducing-support-for-google.html


  • Registered Users, Registered Users 2 Posts: 371 ✭✭Teagwee


    PogMoThoin wrote: »
    I'd love to try something as an experiment in a college or somewhere like that. Set up an access point for a few hours, call it "free public wifi" just to see how many people you catch with redirects to fake facebook or google login sites.

    One of those real hustle TV programmes did something like that about a year ago - amazing the number of people who were caught out. It made me totally leery of using any public access point to the extent that I wait until I get home or just text. It didn't save me though, which is why I'm absolutely convinced it's a system failure with Google Wallet. They will never admit that though ...


  • Closed Accounts Posts: 1,455 ✭✭✭RUCKING FETARD




  • Registered Users, Registered Users 2 Posts: 3,191 ✭✭✭uncle_sam_ie


    I totally recommend LastPass. I had a hard drive fail on me last year and all my passwords were safe because I was using it.

