This is a staging forum for AgileBits, not an official support forum. Visit http://discussions.agilebits.com instead.
Security Issue
Just informed by Amazon.com that my account may have been accessed by bad people. Changed password, removed credit info, etc. I have 1Password installed on my iMac, MacBook, iPhones and iPads synced via Dropbox. I use Witopia's personalVPN pro for WiFi security on handhelds and computers when traveling worldwide. My Amazon account used a 1Password generated password. This password was used to get into my account.
I cannot figure this out. Is it possible for someone to hack into my 1Password stuff?
Or is this more likely a security breach at Amazon?
Comments
I'm sorry to hear that this happened, sthurner.
I very much understand your concern. I certainly don't wish to dismiss the possibility that your 1Password data has somehow been compromised, but in one sense 1Password is the strongest part of the system as a whole, and so we also need to look at the possibility that the compromise happened elsewhere.
If you could answer a few questions, this will help narrow down what may have happened.
(1) How do you know that particular logins were compromised?
(2) Did the compromised site have a unique password or was it used elsewhere (website, computer login, etc.)?
(3) Do the sites use secure (HTTPS, SSL) connections or unencrypted connections (HTTP)? (Amazon does this well, but this could come into play depending on your answer to (2) above.)
(4) What was the password strength?
(5) Do you ever connect to your email using an unencrypted process (webmail over HTTP)?
The single most common way for passwords to be compromised is through password reuse. If you use the same password on multiple sites and one of those sites gets compromised, then the attacker can guess your password for other sites.
The second most common way is through things like unencrypted login sessions in public Wi-Fi locations. This is why I asked about HTTP vs HTTPS, though you did mention a VPN solution above. If this is not used with 100% reliability, it only takes one time for an attack to occur.
Another thing is that if someone gets access to your email they can do "password resets" on many sites. Unfortunately many webmail providers allow unencrypted authentication so that passwords can be sniffed in the process.
Finally some intrusions don't actually involve actually stealing the password, but instead stealing browser cookies.
Again, I don't wish to dismiss the possibility that someone got at your 1Password data, but breaking 1Password (which is unprecedented) is far less likely than the kinds of things that we know happen all the time. So if you let us know more about the situation we can try to help you figure out what happened.
1. Amazon sent me a security alert email saying they thought my account may have been compromised and that as a precaution they had assigned me a new temporary password and removed any credit cards from the account. I telephoned Amazon. They said that someone had used my account name (an email address) and my password to log into my account. They made a purchase and specified delivery to someplace in Texas. For some reason Amazon thought this odd, cancelled the purchase and sent me the email.
2/4. This site had a 7-digit password of numbers and small/capital letters generated by 1Password. This password was only used on this site.
3. I thought always HTTPS at Amazon when I was signed in, but I just switched pages to Amazon and noticed I was logged in and it was HTTP.??????
5. If you are asking me do I ever go to an HTTP site by clicking an email link, then yes, often.
Thank you for trying to help.
If you need more info please advise...
Thank you for the information sthurner. For #5, Khad was asking about how you access your email itself. Do you use webmail? Is that protected by HTTPS? Or do you use a mail client, such as Apple Mail or Thunderbird? If the latter, do they download your email over an encrypted connection?
Hi sthurner,
Thanks for your answers to Khad's questions. Before you read any further, please change the password on your email account. Do that now.
OK, now that you have changed the password on your email read on.
[quote name='sthurner' timestamp='1315050401' post='44144']
3. I thought always HTTPS at Amazon when I was signed in, but I just switched pages to Amazon and noticed I was logged in and it was HTTP.??????
[/quote]
Although this may look suspicious, Amazon is pretty good about only taking user username and password over HTTPS. However, they don't necessarily do the same with cookies (more on that later).
[quote]
5. If you are asking me do I ever go to an HTTP site by clicking an email link, then yes , often.
[/quote]
One (small) option is that you were the victim of a phishing attack. That is, you were tricked into logging into a site that pretended to be Amazon but was actually run by the bad guys.
One reason why I think this is unlikely is that 1Password will not fill in your password on a site that doesn't match properly. So in order to have succumbed to this trick you would have needed to manually copy and paste your Amazon password out of 1Password.
But Khad's question was actually about looking at whether your email account may have been compromised. A "typical" pattern is that someone gets to your email account and then initiates an "I forgot my password" procedure on a site like Amazon. They do this to reset your Amazon password. Meanwhile, they delete the messages from Amazon about this in your email.
I really hate to say this, but this really is typical. It happens far more often than you'd imagine. The process is also semi-automated. The Amazon password will get reset and the order processed within minutes of the capture of your email password. Connecting to your webmail without using HTTPS over a public WiFi is one common way these things get stolen. Another is if you used a computer that was already compromised (like something in a library or Internet cafe) to access your mail.
There is also the possibility that your Amazon password was never captured or reset, but that someone got in using "cookie jacking". Basically someone captured your web browser's cookies in transit and used them to get Amazon to talk to them as if they were you. This is less likely because Amazon (usually? always?) requires a username and password before you can change a shipping address, even if a user has authenticated using browser cookies. Although that isn't the most likely avenue of attack, it's worth noting.
If your email account was compromised (by any of the means above, including cookie jacking) then other sites that have password reset mechanisms may be vulnerable. This is why I insisted that you change your email password immediately.
The security of 1Password really is the strongest part of the system. It's not where attacks happen. We know in the security business to never say that something is impossible, but the kinds of attacks that I listed above are things that we know happen and are all vastly more likely than a breach of 1Password. Also, consider what data you have in your 1Password data. If it really were breached, would someone go after your Amazon account? (1Password may put all your eggs in one basket, but that basket is defended extremely well.)
Because 1Password is something that you have explicitly purchased and used to prevent this kind of thing, it is natural that that is where your attention goes when an on-line account gets compromised. But again, it is important to remember that 1Password is the [i]strongest[/i] part of a very complicated system.
I like illustrating this point with a couple of pictures that I took at the Grizzly and Wolf Discovery Center just outside of Yellowstone National Park. They test various designs for bear proof trash bins by putting something that grizzlies really like to eat inside and let the bears go at it for 90 minutes. They have a display of bins that have been tested. Here's one.
[img]http://i.agilebits.com/blog/bear-proof-front-393x360.png[/img]
As you can see, there is some minor damage to the lid, but the mechanism appears to have held up well.
Of course, even bears know not to bother too much with the strongest part of a system:
[img]http://i.agilebits.com/blog/bear-proof-back-330x528.png[/img]
Please do keep us all informed about what happens. Certainly post back as soon as you've changed your email password to let me know that you've done that.
Let me also add my voice saying that I'm really sorry to hear that this happened to you. But also know that we are here to help and advise.
Best of luck with this,
Cheers,
-j
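The "cookie jacking" scenario above, and the earlier point about a site still talking to a logged-in browser over plain HTTP, both come down to one question: are the session cookies marked so the browser only ever sends them over HTTPS? The script below is an added example, not code from AgileBits or from this thread. It parses Set-Cookie header lines and flags session-looking cookies that lack the Secure, HttpOnly or SameSite attributes; the header lines and the hostname example.com are constructed for the demonstration, and the name-based heuristic for "looks like a session cookie" is an assumption of the example.

```python
"""Audit Set-Cookie headers for attributes that stop a cookie being captured in transit.

Added example. Sample headers are constructed, not captured from any real site.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Set-Cookie header values, as a server might emit them.
SAMPLE_HEADERS = [
    # Weak: a session cookie with no Secure flag rides along on any plain-HTTP request.
    "session-id=abc123; Path=/; Domain=.example.com",
    # Hardened: only sent over HTTPS, hidden from page scripts, not sent cross-site.
    "session-token=def456; Path=/; Secure; HttpOnly; SameSite=Lax",
    # A non-session preference cookie; Secure is nice to have but not a finding here.
    "prefs=dark; Path=/",
]

# Assumption of this example: names containing these fragments carry authentication state.
SESSION_COOKIE_HINTS = ("session", "token", "auth", "sid")


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    looks_like_session: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie value and record which transport-safety attributes are present."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = value.strip() if value else True

    secure = attrs.get("secure") is True
    httponly = attrs.get("httponly") is True
    samesite_raw = attrs.get("samesite")
    samesite = samesite_raw if isinstance(samesite_raw, str) else None
    looks_like_session = any(h in name.lower() for h in SESSION_COOKIE_HINTS)

    report = CookieReport(name, secure, httponly, samesite, looks_like_session)
    if looks_like_session:
        if not secure:
            report.findings.append(
                "missing Secure: the browser will send this cookie over plain HTTP, "
                "where it can be read on an untrusted network"
            )
        if not httponly:
            report.findings.append("missing HttpOnly: readable by scripts running in the page")
        if samesite is None:
            report.findings.append("missing SameSite: sent on cross-site requests")
    return report


def audit(headers: List[str]) -> List[CookieReport]:
    """Run the check over a list of Set-Cookie header values."""
    return [parse_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for report in audit(SAMPLE_HEADERS):
        status = "OK" if not report.findings else "REVIEW"
        print(f"{status:6} {report.name}")
        for finding in report.findings:
            print(f"       - {finding}")
```

The check is deliberately one-sided: it never reports a cookie as safe, only as lacking a specific attribute, because a cookie without Secure is exactly what makes the plain-HTTP page the poster noticed worth caring about.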
Any time! The best thing you can do is only use a trusted system to log into your accounts and make sure you check for a secure connection to the correct website before entering your login credentials. And, as always, if you have any other questions, please do not hesitate to ask.
This is the reply from Amazon. I'm closing my account.
Greetings from Amazon.com.
Thank you for keeping in touch with us regarding this matter.
Although we are not permitted to provide you with any additional
details regarding this unauthorized activity, we will provide this
information to any law enforcement agency investigating the matter, as
well as to any applicable financial institution.
I went through something similar with Bank of America many years ago. Although nobody ever got the password, someone was trying to log in so often (with an incorrect password) that I was regularly locked out. (After a certain number of failed login attempts, the system prevents additional attempts.)
I begged them to let me know the IP addresses of the failed attempts, but they didn't release any information. Eventually they recommended we change my username.
Cheers,
-j