Friday, April 3, 2020

Unique Passwords

After reading this post, it is my hope that you consider using unique passwords for websites. The following is a true story.

I look forward to Saturday mornings. We get to sleep in and don't need an alarm clock to wake us up. We have a good breakfast and then begin cleaning the house. This particular Saturday morning, my wife wakes me up at 8am and says, "We've been hacked. Our Netflix is in Spanish!" Around 2am on Saturday morning, someone in New Jersey logged into our Netflix account. Moments later, they changed the password. When we pulled up Netflix on our TV, someone had changed all of the profile names and changed the language from US English to Spanish. My limited Spanish skills were enough that I was able to change the language back to English. This did not change the fact that we did not have control of the account and worse, they had access to our credit card we use for Netflix billing.

To make matters worse, this coincided with many stay-at-home orders where leaders were telling us to "chill at home and watch Netflix." Perhaps they should have been more clear and included instructions to NOT use someone else's account! We could not use the help.netflix.com website because we did not know the new password on the account. Also, chat was disabled on the site. When we called Netflix, there was a recording that "due to overwhelming call volumes, we cannot take any more calls. Please go to help.netflix.com for assistance."

Since we did not know if they had accessed the billing information on the account, my wife called the credit card company for assistance. She was on hold for over an hour and got disconnected. She waited on hold for almost another hour before someone finally answered. To be on the safe side, we cancelled the card and asked them to send us a new one.

Around 5pm on Saturday, my wife tried to see if chat was working on the Netflix site again. To her surprise, chat was enabled and she was in the queue. Finally, she reached a customer service representative. She explained everything that had happened to them. They were able to see that someone had changed the email address and password. We thought they could just change it back. Not so easy! She had to prove who she was. They wanted the entire credit card number.

We were leery of doing this because our neighbor gave his credit card info to Amazon...or so he thought. He actually gave his credit card info to hackers who put up a fake Amazon support page and pretended to be assisting him. What they had done was install malware on his computer that looked for passwords and banking information. His wife ran into the room because she was getting texts that someone was using their credit card for purchases and wanted to know if he was on the phone buying stuff. He asked the guy on the phone to confirm his identity and asked if he was using the credit card info. The man started cursing at him. At this point, my neighbor hung up the phone. He ended up taking his laptop to Best Buy and spent $250 to have the malware removed and his data restored.

By this time, my wife had been on chat for almost an hour and it didn't seem like we were getting anywhere. Then we remembered that we had cancelled the card, so what could it hurt to give the card info to him? So, my wife entered the cancelled credit card info into a "secure chat screen". A few minutes later, my wife got a call from the credit card company. Netflix was trying to bill the card for $15. When my wife asked in chat what was going on, he explained that he had canceled the service, issued a refund and then charged back for a month of service. We were able to confirm with the bank that there was a refund of $15 and then a charge of $15. He was able to change the email address back to ours and he set a temporary password that we then changed to a very strong password. Finally, we had our account back! Or so we thought.

He then explained to us that they could restart the service. There is a button on the screen that you can click to restart the service. To keep this from happening, I went into the settings in Netflix and logged out all devices. When I restarted Netflix, the restart service button was gone and the login screen appeared. Now we had our account back! When we confirmed through chat that everything was working, she asked him to cancel our service. By this time, she had been on chat for 2 hours.

You are probably asking yourself why she would go to all of that trouble and then cancel the service. Listed below are our reasons.

1. It was too easy for someone to change the email address and password on the account. My wife set up the Netflix account years ago, before two-factor authentication. It should be enabled by default, but it wasn't.

2. Their support was severely lacking at a time when everyone is at home. They could have provided better support.

3. We don't watch Netflix that much anyway. Our neighbor (the same one that got hacked) mentioned "The Crown" to us, so we started watching it. We were halfway through season 2 when this happened.

To be clear, Netflix was not hacked. The password we had been using was not strong, because we wanted to share it with our family and entering passwords with a TV remote is cumbersome and time-consuming. My wife used that password on multiple accounts where high security wasn't really needed. One of those sites was hacked, so her email address and that password were out on the dark web. Hackers then take that info and try it on other sites to see if it will work. Because a lot of people reuse passwords, it works more often than not.

My wife spent 2 days changing passwords on every site she uses. She keeps a spreadsheet with the site info and hints for the password, not the actual password. She backs up the spreadsheet to a flash drive and I have a copy as well. Now she has done what I have been telling her to do for a few years now: you need to have strong, unique passwords for every website. It took her a while, but she can check that task off her list.

Then I wanted to see if I had been practicing what I had been preaching. I have been using a password manager for years, so I opened it up and ran a security test. To my dismay, I had been reusing passwords too. Some passwords were not strong, and more frightening was that a few of them were compromised passwords. Even though I had secure passwords on most sites, most of them had not been changed in quite some time. I hate to admit it, but I will tell you now so it may help you. My Google password had not been changed since 2011. That's right, that password was over 9 years old. It took me 3 days, but I have changed every password, made them unique, and all passwords are more than 12 characters and use upper and lower case, numbers, punctuation and special characters. A lot of the passwords I do not know. I let the password manager generate the password and fill it in for me. The only password I need to remember is the master password.
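The "security test" the password manager ran, and the credential-stuffing problem described earlier, come down to three checks: is a password reused across sites, is it weak, and does it appear in a known breach. The script below is an added example (not code from this post or from any password manager) that runs those checks against a small vault and generates a replacement password that meets the length and character-class rule above. The vault entries, site names and the "leaked" list are constructed for illustration; the breach check compares SHA-1 hashes against a local set as an offline stand-in for querying a breach service.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault: site -> password. None of these are real credentials.
SAMPLE_VAULT = {
    "streaming.example": "Summer2011",
    "forum.example": "Summer2011",        # same password reused
    "shop.example": "Summer2011",         # reused again
    "bank.example": "x9#Qm!2pLw7zR$vK",   # long, unique, mixed classes
    "mail.example": "letmein",            # short and in the "leaked" set
}

# Constructed stand-in for a breach corpus: SHA-1 of a few well-known leaked
# passwords. A real audit would query a breach service by hash prefix instead.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("letmein", "password", "123456")
}

CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password (the form breach services use)."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def find_reused(vault):
    """Map each password used on more than one site to the sorted list of sites."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def is_strong(password, min_len=12):
    """At least min_len characters and at least one character from every class."""
    if len(password) < min_len:
        return False
    return all(any(c in cls for c in password) for cls in CHAR_CLASSES)


def is_leaked(password, leaked=LEAKED_SHA1):
    """True if the password's hash is in the known-leaked set."""
    return sha1_hex(password) in leaked


def audit(vault, leaked=LEAKED_SHA1):
    """Return site -> list of issues, each of 'reused', 'weak', 'leaked'."""
    reused = find_reused(vault)
    report = {}
    for site, pw in vault.items():
        issues = []
        if pw in reused:
            issues.append("reused")
        if not is_strong(pw):
            issues.append("weak")
        if is_leaked(pw, leaked):
            issues.append("leaked")
        report[site] = issues
    return report


def generate_password(length=16):
    """Random password with every character class present, using the CSPRNG."""
    if length < len(CHAR_CLASSES):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(CHAR_CLASSES)
    chars = [secrets.choice(cls) for cls in CHAR_CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for site, issues in audit(SAMPLE_VAULT).items():
        status = ", ".join(issues) if issues else "ok"
        print(f"{site:20s} {status}")
    print("replacement candidate:", generate_password())
```

Sites with no issues are the ones to leave alone; everything flagged "reused" or "leaked" is exactly what a credential-stuffing attempt will try first, so those get a generated replacement, stored in the manager rather than memorised.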

So, while you seem to have some time on your hands, please consider doing something about your passwords. Do you have unique passwords? Are they strong? Do you remember them? If you answered no to any of these, please do something about it!
