
Thread: Paypal and Amex deary me

  1. #51
    Grand Master Saint-Just's Avatar
    Join Date
    Apr 2007
    Location
    Ashford, Kent
    Posts
    28,935
    Quote Originally Posted by Captain Morgan View Post
    You totally agree yet haven’t reinstated your original post or clarified if 2fa was actually originally enabled or not...
    I may be wrong but I believe it is impossible to disable 2FA without the legitimate account owner being informed, even if a hacker has managed to crack the PW.
    Basically you are informed of every change on your account (like PW, email address or indeed 2FA) and given a number to call if it’s not you.
    'Against stupidity, the gods themselves struggle in vain' - Schiller.

  2. #52
    Master
    Join Date
    Jan 2010
    Location
    Coming Straight Outer Trumpton
    Posts
    9,385
    Quote Originally Posted by Saint-Just View Post
    I may be wrong but I believe it is impossible to disable 2FA without the legitimate account owner being informed, even if a hacker has managed to crack the PW.
    Basically you are informed of every change on your account (like PW, email address or indeed 2FA) and given a number to call if it’s not you.
    Completely my understanding too & that an email alert should be sent to the registered email address when changing account details.

    Which is why those undertaking these scams/hacks have also started attacking the associated mobile service where they in essence re-register the service to a different IMEI number so the SMS alerts/2FA get sent to a different mobile. I’m unclear what steps (if any) are taken to address the email aspect.

    These are certainly less frequent & more sophisticated attacks but seem to be on the increase, hence asking the op about the nature of 2fa & advising a quick check on his mobile operation.

  3. #53
    Master Christian's Avatar
    Join Date
    Dec 2008
    Location
    London
    Posts
    9,878
    Quote Originally Posted by Saint-Just View Post
    I may be wrong but I believe it is impossible to disable 2FA without the legitimate account owner being informed, even if a hacker has managed to crack the PW.
    Basically you are informed of every change on your account (like PW, email address or indeed 2FA) and given a number to call if it’s not you.
    Technically it is possible to hack 2FA but it is quite an involved scam. The 'SIM-swap' method would be to convince your mobile operator they were the genuine account holder and get a SIM-swap so that they receive the text messages. The other method is to use a server that sits in between your computer and the site they want to hack. I think their server acts as a relay between you and the site and they can then gain access.

    I think both are pretty unlikely when scammers have easier targets of people who don't use 2FA.

  4. #54
    Quote Originally Posted by Christian View Post
    Technically it is possible to hack 2FA but it is quite an involved scam. The 'SIM-swap' method would be to convince your mobile operator they were the genuine account holder and get a SIM-swap so that they receive the text messages. The other method is to use a server that sits in between your computer and the site they want to hack. I think their server acts as a relay between you and the site and they can then gain access.

    I think both are pretty unlikely when scammers have easier targets of people who don't use 2FA.
    Your comments make total sense to me. I did at one time enable 2FA, so I genuinely do not understand how it was not in force at the time of the unauthorized activity. If what you are saying is true, then I would have had to go into the account and turn it off. So for me to enable it (and I did, because I remember being at work and receiving alerts asking me to verify when I made transactions), I admit I would have had to be stupid to have then turned it off, and for what reason? The truth is I am at a loss how this happened, but this has been a wake-up call to me to ensure every password is changed and to ensure bank accounts are not stored on any platforms, since they can be at risk. I appreciate the input that many have given, and I think it is a worthwhile thread; if nothing else it has alerted a few to 2FA and prompted others to take a look at dormant accounts.

  5. #55
    Master
    Join Date
    Dec 2014
    Location
    Unknown
    Posts
    5,719
    Blog Entries
    1
    Quote Originally Posted by stevecross View Post
    Your comments make total sense to me. I did at one time enable 2FA, so I genuinely do not understand how it was not in force at the time of the unauthorized activity. If what you are saying is true, then I would have had to go into the account and turn it off. So for me to enable it (and I did, because I remember being at work and receiving alerts asking me to verify when I made transactions), I admit I would have had to be stupid to have then turned it off, and for what reason? The truth is I am at a loss how this happened, but this has been a wake-up call to me to ensure every password is changed and to ensure bank accounts are not stored on any platforms, since they can be at risk. I appreciate the input that many have given, and I think it is a worthwhile thread; if nothing else it has alerted a few to 2FA and prompted others to take a look at dormant accounts.
    I think, based on your posts and obvious confusion about the difference between 2FA and transaction notifications, that on balance it’s likely you did not have 2FA enabled and it’s unlikely you are the victim of a sophisticated scam. You simply had an unprotected account and used a compromised duplicate password.

    Seems like lesson learned and hopefully Amex will sort you out.

    My best recommendation is to use a separate email address for all financial matters that you never use elsewhere and have the address secured well. Proton mail is my recommendation. Then use an alternate for day to day stuff.

  6. #56
    SydR
    Guest
    I’ve just bought something using Amex via PayPal.

    I had to go through 2FA to log into PayPal and go through a second 2FA when my Amex was selected.

    Both above resulted in 2 SMS messages and 4 emails to me. The system works if set correctly.

  7. #57
    Master Christian's Avatar
    Join Date
    Dec 2008
    Location
    London
    Posts
    9,878
    Quote Originally Posted by Montello View Post
    My best recommendation is to use a separate email address for all financial matters that you never use elsewhere and have the address secured well. Proton mail is my recommendation. Then use an alternate for day to day stuff.
    I think that's a good idea which I really should be doing. Not difficult to set up aliases on iCloud either.

  8. #58
    Master
    Join Date
    Dec 2014
    Location
    Unknown
    Posts
    5,719
    Blog Entries
    1
    Quote Originally Posted by Christian View Post
    I think that's a good idea which I really should be doing. Not difficult to set up aliases on iCloud either.
    You’d hope that the banks etc would have decent security so the address should remain private. Proton mail is all about privacy so they should be good.

    So if no one knows your email apart from banks etc there is a decent chance it won’t be available for purchase on the dark web.

    I work on the premiss that my everyday email is known by all and sundry.

    The email account is the gateway for resetting passwords so it’s your highest priority for security imho.

    I only use Proton email on the iPhone app and have 2FA enabled.

    I never use the Proton mail for anything but banking or other financial services.

  9. #59
    SydR
    Guest
    I have my own domain and associated email address to which I can add as many aliases as I wish.

    Every sign-up / login uses a unique address. Something I've been doing for over a decade.

  10. #60
    Master
    Join Date
    Dec 2014
    Location
    Unknown
    Posts
    5,719
    Blog Entries
    1
    Quote Originally Posted by SydR View Post
    I have my own domain and associated email address to which I can add as many aliases as I wish.

    Every sign-up / login uses a unique address. Something I've been doing for over a decade.
    Sounds like good practice. Takes a bit of effort but you need to protect your assets.
