PLEASE BE AWARE HACKER(S) ACTIVE

I must admit to having been really sloppy in this case. My PCF password is one that I used to use frequently and in fact from checking

https://haveibeenpwned.com/Passwords

I can see that it has previously been exposed. I've now (using Bitwarden, handy feature) generated a unique password for PCF and enabled 2FA.

Wait, so the idea is you should enter a password you use into this box and see if it's been exposed in a data breach.

To me, entering the password in this box seems like a bad idea on the surface.
 
https://en.wikipedia.org/wiki/Have_I_Been_Pwned?#Pwned_passwords
In February 2018, British computer scientist Junade Ali created a communication protocol (using k-anonymity and cryptographic hashing) to anonymously verify if a password was leaked without fully disclosing the searched password.[10][11] This protocol was implemented as a public API in Hunt's service and is now consumed by multiple websites and services including password managers[12][13] and browser extensions.[14][15] This approach was later replicated by Google's Password Checkup feature.[16][17][18] Ali worked with academics at Cornell University to formally analyse the protocol to identify limitations and develop two new versions of this protocol known as Frequency Size Bucketization and Identifier Based Bucketization.[19] In March 2020, cryptographic padding was added to this protocol.[20]
Of course, it's good to be cautious, but in this case it's a well-known and secure site.
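
The k-anonymity lookup described in the Wikipedia excerpt above, as an added example that is not part of the original thread or the service's own code. It is an offline model: `RangeServer`, `breach_count` and the sample data are hypothetical, and the five-character SHA-1 prefix follows the public Pwned Passwords range API.

```python
import hashlib

PREFIX_LEN = 5  # hex chars of the SHA-1 digest that leave the client

def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()

class RangeServer:
    """Hypothetical stand-in for the breach service (offline model)."""

    def __init__(self, breached):
        self.seen = []      # every value a client has ever sent us
        self.buckets = {}   # prefix -> {suffix: times seen in breaches}
        for password, count in breached.items():
            digest = sha1_hex(password)
            bucket = self.buckets.setdefault(digest[:PREFIX_LEN], {})
            bucket[digest[PREFIX_LEN:]] = count

    def range_query(self, prefix, pad_to=0):
        self.seen.append(prefix)
        lines = [f"{s}:{c}" for s, c in self.buckets.get(prefix, {}).items()]
        # Padding: dummy suffixes with count 0 hide how full the bucket is.
        filler = 0
        while len(lines) < pad_to:
            dummy = sha1_hex(f"pad-{prefix}-{filler}")[PREFIX_LEN:]
            lines.append(dummy + ":0")
            filler += 1
        return "\n".join(sorted(lines))

def breach_count(password, server, pad_to=0):
    """Client side: hash locally, send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in server.range_query(prefix, pad_to).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)  # padded entries carry a count of 0
    return 0

# Constructed sample data: passwords and counts are made up for the demo.
SAMPLE_BREACHES = {"password": 100, "hunter2": 7}
SERVER = RangeServer(SAMPLE_BREACHES)

if __name__ == "__main__":
    for pw in ("hunter2", "gV7#qLw2!zRt94x"):
        print(pw, "->", breach_count(pw, SERVER, pad_to=8))
    print("server saw only:", SERVER.seen)
```

The server's `seen` list holds only five-character prefixes, so it can narrow a query down to a bucket of hashes but never learns which one, if any, the client was checking.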
 
You should always check the name of the person you're sending money to on PayPal. It shows the name of the recipient before you click send or confirm. If you're buying chips from Mel, and the recipient is listed as Mfiondu Okangwe, and they responded to your request for payment info with, "please for make send $500 to m4t67k@yahoo.com", then you should realize that something isn't right.
Shit! I just bought a haul of mint Pick Hobsons from a Mfiondu Okangwe. Phoencall below — I'm definitely getting those chips, right? Right?!

 
Absolutely applaud the idea, but counter-point. This took me maybe 45 seconds. I'm sure someone who spent more time could do much better and at the end of the day I think the strongest preventative measures are vigilant password and account security precautions, which should be everyday best practices.

Adding a piece of paper with username and current date is old school, but it’s better than nothing. Crumpling the paper before handwriting the note or adding a barely visible watermark is better, but I’m sure there are some more modern verification techniques.
 
Oh good news, this means passwords are uncrackable since there are no GPUs on the shelf.

I'm pretty sure this site has precautions set up for login attempts. There's no way you can brute force a 12 character PW. 475,920,314,814,253,376,475,136, that's how many possible entries there are. With my 6 3070s I get 370 mh/s; that would still take 357297533 hours.
Check your assumptions - 1x 3090 can do 669M/sec

https://www.extremetech.com/extreme/316266-the-nvidia-rtx-3090-gpu-can-probably-crack-your-passwords

and don't forget purpose built machines

https://securityledger.com/2012/12/new-25-gpu-monster-devours-passwords-in-seconds/
 
Why don’t all sites use this kind of security encryption for logins?
Because either they're using old technologies (that might have been considered safe enough 15 years ago, but have since been cracked, and nobody wants to spend time and money on upgrading since it works) or because they gave the job to their son or cousin who knows computers, or a variation of the above.
 
hmm I imagine a company would only have to go through a breach once to want to upgrade to whatever is the latest.
 
The system is only as secure as its weakest component, which are usually users who, let's say reuse their username+password combination on different sites. Then, unless 2FA/MFA is active for everyone, it doesn't help if your company has the latest bestest securest solution, if another one (with much worse security) got a data breach, and you have users in common who didn't bother using a different password.

And don't get me wrong, I am not attacking users here - it's not easy for non-experts to understand the importance of such a small (yet significant) detail, and having to remember many passwords is a royal PITA. Here I also assume that many users don't even know about the existence or usefulness of password managers.

LastPass, with its last corporate-greed-move, removing possibility to share between different types of devices in their free plan, definitely didn't help to make us all safer.
 
Yep, however this particular site is generally trusted. YMMV.
Always check the link is for the right site though. People set up sites with similar names to the correct sites to catch info or money. Remember there was a big thing in the UK when someone set up a website for the dart tunnel. When you use it you are meant to log on to the site and pay or you get a fine. People had set up similar sites with similar names and people kept logging in and sending them money for use of the tunnel.
 
Not if you send friends and family with your PayPal balance you don’t.
Yes, this is the only thing I do not like about using PayPal FF. I purchased the other day and I was glad to take the fee to get peace of mind.
 
Wow, odd they went big or went home. I’ve heard of a lot of ones that buy a lot of mid-range stuff they launder and resell but $3.4K is going for the gold! Glad it got caught though.
I am in Canada. The last time my credit card was run up it was over $17,000 (not a typo), mostly PayPal and some eBay charges from about $3 to a few hundred, multiple times on all sorts of stuff. This was about 3 years ago. I still had my credit card in my possession, like had happened at least two other times in the last 10-12 years. The MO each time was a small charge then shortly after another charge, once at local businesses and the other times online purchases of some kind.

Sadly in an age where they can scan your face, digitally recognize your voice and seemingly track every purchase you make......why is fraud so prevalent? It would seem the technology is targeted in the wrong place.
 
And don't get me wrong, I am not attacking users here - it's not easy for non-experts to understand the importance of such a small (yet significant) detail, and having to remember many passwords is a royal PITA. Here I also assume that many users don't even know about the existence or usefulness of password managers.

LastPass, with its last corporate-greed-move, removing possibility to share between different types of devices in their free plan, definitely didn't help to make us all safer.
Well in fairness, they got me to switch to BitWarden and I think it's much better :).
 
I would agree 100% - however if you use your credit card and pay F&F doesn’t it charge as a cash advance..?
Given the risk of hacks - I would gladly add the service fee for G&S onto the price paid.
The downside - Starting in 2022, if you receive PayPal Goods and Services totaling $600 or more for the year you must also pay taxes on it.

You may pay the fees, but are you covering the seller's loss of 10-37% (with the vast majority here in the 22-24% tax bracket)?

Technically, this isn't a new rule - US citizens have always been required to report every dollar of income from whatever source. The new rule is that PayPal must now report it if you exceed $600 (the old rule was $20,000+).
 
So far 3 of 6 have confirmed that they used that same pw on the CPC chip tool site. Could just be a coincidence ATM.
Tommy, does your ISP for the PCF site have a security log for how many unsuccessful login attempts there were for accounts since yesterday or the day before, to see which accounts they were trying to log in with?
 
I may be missing something, but I never saw a reason to sign up for an account on the chip design tool. Without an account, I'm able to save and go back to and edit and save my changes on my projects. Only difference is that the projects don't carry over from browser to browser.
 
Makes sense too if they were active users of it or have used it recently?
 
OK, 1st of all, OP said years ago, so 3090s were not out years ago. And as for cracking passwords, I don't do that, but using ETHhash the 3090 hashes out around 120 MH/s, 3080 100, 3070 60. I was just proving a point: it's not gonna happen in a few days, even at 1 gh/s.
 
One more data point:

I had a forced password reset this morning. My guess is that someone was trying to get in and failed too many times. Thankfully, I use a password manager and very secure passwords. (Shoutout 1Password!) Thanks for the 2FA suggestion -- I didn't know that this site supported it. Enabled now.
All users' passwords were reset by the admin as a security measure in case someone dumped their DB.
 
The downside - Starting in 2022, if you receive PayPal Goods and Services totaling $600 or more for the year you must also pay taxes on it.

You may pay the fees, but are you covering the seller's loss of 10-37% (with the vast majority here in the 22-24% tax bracket)?

Technically, this isn't a new rule - US citizens have always been required to report every dollar of income from whatever source. The new rule is that PayPal must now report it if you exceed $600 (the old rule was $20,000+). there are lots of “rules
Yes - I get the rule change. As we are still 8 months away from the new rule taking effect, I would gladly pay the additional fee for G&S until then - seems a practical thing to do given the circumstances - no?
 
Agree - just keep in mind, hackers and scammers aren't going anywhere in 8 months, and I suspect very few people know that that change is happening. It will be a bitter pill to swallow for people that buy and sell a lot of sets if G&S becomes the norm.
 