Help! Attempted hacks of my Vanguard, Fidelity, PayPal and Amazon

[Dee18]

Four days ago I received an email that my Chase credit card was declined at Amazon.Fr.  I called Chase saying that was not me and they immediately cancelled my card and are sending a new one. I called Amazon.com and asked them to close my Amazon.fr (which I attempted to use in Dec. to buy gifts for my sister who lives in France, but abandoned because my French was not adequate to navigate that) and Amazon said they could not do anything with the France account including giving it a different password. The next day I received an email alert that my PayPal account was used to buy bitcoin.  I replied and explained it was fraudulent and the Chase credit card associated with my PayPal account had been cancelled.  I still thought the problem might just be the credit card.  Yesterday morning I received emails that my password was blocked at Vanguard and Fidelity because of multiple attempts to get into my accounts between midnight and 1 a.m.  While I have often re-used passwords, the one on my Amazon account was a random computer generated password.  This made me think that somehow the hacker had access to my computer. (How else would they have my unique user names for Fidelity and Vanguard?)  I took my MacBook and iPhone to Apple and they said there was no security issue with them.  I of course called Vanguard, who seemed unconcerned, and Fidelity, who seemed much more concerned and advised me to change passwords and user names and not store them on my computer. I have followed that advice with respect to all financial logins. I also locked withdrawals on Vanguard (they said it's for 10 days only) and Fidelity (where it lasts until I unlock it) since I am not taking any money out this year.  I have an alert on my primary credit card (Capital One) that texts me for any purchase over $50.   

My adult daughter (who lives on her own) had a fraud attempted purchase on amazon.fr the same day, but no other suspicious activity.

I am turning to the expertise of MMM to advise me what other steps to take at this time.  Among my questions:  should I put a lock or freeze on my credit reports?  (if so, are there still just 3 of those to deal with?) Is the Apple genius guy correct that there is nothing wrong with my MacBook or iPhone?  Do I need to change login information for every site I have ever signed up with?  (many more sites than I previously realized TBH). Do I need to not have a credit card linked to my Amazon account? or other accounts? 

I welcome any explanation of what is going on (a friend suggested info might have been obtained when I used a hotel wifi for 5 days while visiting my mother in December) and advice of what steps to take.  Thanks!

[Dee18]

Someone also suggested I use a VPN.  Can someone explain what that is and how to use it?  Thanks

[yachi]

I welcome any explanation of what is going on (a friend suggested info might have been obtained when I used a hotel wifi for 5 days while visiting my mother in December) and advice of what steps to take.  Thanks!

That seems likely to me.  A hacker can establish what looks like a hotel's wifi, but connects to his own computer before connecting to the internet.  Then, he can just watch what you connect to, or serve up custom webpages that ask you to sign in.  I think changing usernames on anything you might have signed into on the visit is a good step.  For future trips, use only your cell phone's data plan for anything banking or amazon related.  I don't know enough to use my own VPN, but that's a way to get around these types of attacks while still using wifi connections.  It connects you computer to a server instead of directly to the websites, so the connection is more secure.

https://www.jamf.com/blog/what-is-a-man-in-the-middle-attack/

[Blackeagle]

Four days ago I received an email that my Chase credit card was declined at Amazon.Fr.

While I have often re-used passwords, the one on my Amazon account was a random computer generated password.

Was the attempted charge on your Amazon.Fr account, or was someone using your credit card on some other account?

[Dee18]

Thanks Yachi!
Blackeagle, Good question.  I had not thought about that.  Since the transaction was declined, I would not have received an email from Amazon.  Could Chase tell me?  I only received an email Chase with subject:  Action needed: Please confirm you made this purchase,  and the following content:

"D....,
Please tell us if you, or someone you authorized, used your Chase card for:
 
Declined Transaction(s)
 
 Amazon Prime FR   $55.68   01/10
        
 
 Do you recognize this charge?
 
 
yes,I recognize it
 
-   Your card remains active.
-   If a purchase was declined, you will not be charged unless you try again.
    
 
No, Something's Wrong
 
-   We will close your current card and send you a new one.
-   If you need to speak with us, please call the number on the back of your card.

[reeshau]

1)  Was the notice actually send from Amazon in France?  Check the sender from the email header.  If it's some bizzare garbage account, then it's the notice that started the fraud.

I get garbage "fraud" notices from Amazon.in and paypal all the time.  The Amazon.in is easy to spot--never shopped that.  The others get a quick check of the sending email, and out they go.

2)  You checked your computer.  What about your phone?  Have you installed any new apps recently?  Do you have apps for these accounts on your phone?  What kind of antivirus does your phone have?

[Dee18]

Thanks Reeshau,

I did not receive any notice from Amazon, just Chase.

Thinking about my hotel use, I am sure I did not go to PayPal or Amazon.FR while at the hotel. 

Re: antivirus protection.  The Apple guy said that iPhones have built in antivirus protection. True?

Re: new apps: Garmin connect and Spectrum TV.

[reeshau]

Re: antivirus protection.  The Apple guy said that iPhones have built in antivirus protection. True?

Well, yeah, every OS has countermeasures against viruses.  In IT, the saying is the best antivirus is any two.  (you can't run two on a machine, they will interfere with each other.  But you can run one on servers and the other on your PC's)

I see both Norton and McAfee have iOS versions.  And plenty more.  Seems to be a market for it.  Download either of those, or something like Lookout, and scan during their free trial period.

[FLBiker]

The hotel theory seems reasonable.

Re: the VPN, I don't think that would help.  To me, that's just adding a layer where someone could snoop (I'm not an expert, though).  I'm a big believer in a password manager and different passwords for every site.

[SailingOnASmallSailboat]

The hotel theory seems reasonable.

Re: the VPN, I don't think that would help.  To me, that's just adding a layer where someone could snoop (I'm not an expert, though).  I'm a big believer in a password manager and different passwords for every site.

Same here. As well as making sure 2FA (or even 3FA) is set up everywhere.

[Dee18]

Thanks Reeshau, FLbiker and SOASS!

I will run the virus scans.

Can you recommend a password manager?

[SailingOnASmallSailboat]

We use LastPass - 1Password is another one I've heard good things about.

[neo von retorch]

I recommend BitWarden. Excellent free open source with no profit motive, just excellent software.

[AccidentialMustache]

+1 bitwarden. -1 lastpass.

Lastpass likes to hork up its on-disk database and then eat 100% of a cpu core failing to load. Bitwarden has never given me this issue. Oh, and I can use bitwarden on both my PC and phone without paying them. I'm probably going to pay them for a family account (for the timed account takeover feature) and because I'm good with supporting folks doing open-source.

It is possible you have malware, or got MITM'd, but this looks a lot more likely to me as someone skimmed your credit card (which could have been months ago) and maybe got a username on a user/pass list that happens to match yours at vanguard/fidelity. It doesn't mean they got you, it could just mean your username isn't that unusual.

For MITM, you don't need a VPN. You need to pay attention to your browser telling you if the site is safe or not. The little lock icon being absent, or popups warning you about untrusted certificates are a bad sign. Otherwise, the bad guys just need to successfully MITM the VPN and then you're back to square one. The VPN is likely to throw similar warnings, but if you ignore them, well, its your personal info.

2-factor and random passwords would be my advice. Ideally, 2-factor not with a text message (or email) because that isn't as secure. Bad guys who target you specifically will con some low paid phone support lackey to reset or transfer your phone number and then they win. It requires a dude with a wrench to persuade me to give up my yubikey -- no amount of calling a low paid phone support lackey gets that.

[neo von retorch]

My concern with multiple accounts would be a shared email address, and compromised email. If you can ensure that's not the case, that should give you some peace of mind.

Also research how you can use unique email to log in different places. That works well with a password manager. Though if you do what I do, your unique email is all one account, so there's still a weak spot. But actual multiple email accounts would be a pain, so at least unique addresses/aliases may make it harder to crack.