What you should know about CyberSecurity Issues and how it affects Lego buying

I think at this point, we all know about all the scams that exist out there that we must tread carefully around as Lego buyers: drop shippers, shipping scammers on eBay, Craigslist scammers who want you to wire them money, and even companies that are somewhat deceitful in their practices.

But there are more parts to being safe as a Lego Investor/Collector that we must be aware of: CyberSpace issues. It seems silly that this amazing thing called the internet, which has brought us all of this joy, made this site possible, and absolutely changed the way we do everything to do with our money, could also be the thing that ruins us completely. I am a member in this industry as a networking engineer. I have studied CyberSecurity quite a bit and it is something I want to eventually pursue as a higher level of education in my field. It is a fascinating field and we are in the golden age of CyberSpace growth.

However, the unfortunate realization of living through this era in technology is how woefully behind the Cyber criminals we all are. For one, everyone has to react to the new things they do. We won't be able to just guess what they are going to do next: they are calling all the shots. On top of this, our economic systems, our credit systems, and most of our business industry are not built to cope with how fast people are coming up with ways to game the system.

So do we just shut down and not buy on the internet? Of course not, but we can be smart before making certain decisions. And most importantly, we can be vigilant for the inevitable times that this happens and be ready to act to correct any issues we come across. Here are some thoughts in this direction:

Don't use any service unless you know it is secure.

This is a tough one; how will you ever know for sure? Well, you won't. But you can make a pretty good decision with a little bit of research. PayPal and eBay both offer buyer and seller protection. They both have great track records in the field as well. Things like Western Union and other money wiring services have a history of being scam vehicles and the companies themselves have a track record for saying "it's not our problem". Only use things you trust for your transactions.

Do not enter purchasing and credit card information into a website on a public WiFi connection

This is one most people don't think about. You are sitting at Starbucks and you jump on WiFi. You see a great deal on the BP deals page and click the link. You put in all your credit card information and make the purchase.

Unfortunately the guy next to you, with little effort at all, can see every little bit of information you type into your PC or phone with free programs downloaded on the internet. It's unbelievable how easy it is for someone to do this. Yes, you are most likely protected by your credit card company, but is it worth the trouble thinking about it?

In general just avoid it. If you are on your phone, it is worth switching to data for the purchase.

Set up credit card alerts

This is an extremely simple one with how many people have the ability to text on their phones. I don't know an actual statistic, but I would say the majority of people on this site who use credit cards a lot have had a fraudulent charge once or twice. My wife's card was stolen out of her supposed-to-be-locked classroom at school once, and before we knew it they had rattled off a grand in purchases. Most credit card companies now have pretty robust alert systems. Every time I make a purchase, my credit card company texts me and says my card was authorized for this amount of money at this location. I immediately know if something is not right and can actually reply and say "this isn't me!".

I can also keep better track of what my Wife is buying :)

Get a credit monitoring service

These are annoying. The credit monitoring and reporting companies have about turned into insurance companies as far as commercials go - except no one can beat Geico's Hump Day. They do serve a great purpose though. Whenever I do anything that has an impact on my credit (or if someone else does) I immediately get an alert of exactly what the inquiry was about. I pay $10 a month for it and it is very much worth it.

My wife did not have it and someone stole her identity and massacred her credit. It wasn't her, so no big deal right? Heh - I wish. It took more than a year to get her credit fixed back to where it was supposed to be. This being right before we were about to buy a house, we had to drop her from the loan because she was dragging my credit down!

Think about the effect this could have on you if it happened. All of a sudden, your credit cards get frozen, you can't open any new ones, and you can't purchase those lego sets like you used to. Most monitoring services also offer services where they will help you fix credit problems much quicker than you could ever do on your own.

Be smart with your passwords for all those sales sites

So many people carrying legos now means more and more people have your personal information from all those sweet deals you have gotten. Unfortunately, we just have to trust them with it.

However, we can put ourselves into position to keep ourselves as safe as possible. Passwords really come into this. Everyone has heard it - change your passwords every 90 days, make sure they have special characters, blah, blah, blah. I am not preaching that at all.

Actually you should absolutely use a password that is easy to remember. And unfortunately, special characters and numbers really don't mean a lot at all to a password's security. Passwords are normally cracked when attackers steal the payload of a password exchange between a site and a user and run a password cracking program on it. So understanding how this works is important. In most programs, you give the application a list of common possible words or letters and then let it try all its possible combinations. For example, some may feel this is a good password:

p@ssw0rd!

Once special characters are added to the cracking application's character list, a password like the one above could be broken in less than a minute in most cases.

What's the answer? More complicated? Simple, actually: longer. The more letters in a password, the more time (exponentially) it takes to crack it (which means people give up). So I use phrases for passwords - spaces included. Consider:

I love to use brickpicker for lego prices

A password like the above is insanely more secure, even without special characters, and most people don't insert spaces into password cracking applications by default. Plus they are really easy to remember!
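The two checks described above, sketched as an added example (not part of the original post): a rule-based dictionary check that undoes common character substitutions, and a character-by-character keyspace estimate that grows with every extra character. The wordlist, substitution table and function names are constructed for illustration.

```python
import math
import string

# Constructed sample wordlist (assumption); real audits use large lists of
# previously breached passwords.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon"}

# Substitutions that rule-based guessing undoes automatically.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def normalise(pw):
    """Lower-case, drop trailing digits/symbols, then undo leetspeak."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)


def charset_size(pw):
    """Size of the alphabet a character-by-character search must cover."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
        (" ", 1),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def bruteforce_bits(pw):
    """log2 of the keyspace: each extra character adds log2(charset) bits."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def audit(pw):
    return {
        "dictionary_hit": normalise(pw) in COMMON_WORDS,
        "bruteforce_bits": round(bruteforce_bits(pw), 1),
    }


if __name__ == "__main__":
    for candidate in ("p@ssw0rd!", "I love to use brickpicker for lego prices"):
        print(repr(candidate), audit(candidate))
```

The bit figure is an upper bound that only applies to character-by-character guessing; a dictionary hit means the password falls long before that bound matters.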

On top of this, do not use the same password for every site - or at least spread it around pretty well. If you do and one is hacked, they all could be. Now maybe the attacker won't know you are on entertainment earth and toysrus.com - but the first thing someone does when they hack a google password is take the same user and password and pop it into paypal, ebay, major bank sites, etc. Easier to just avoid these problems.

Conclusion

It's an unsafe world in general, and we have to live with it. There are many more ways things can go sour for people like us who spend a lot of money, and most likely have a lot of credit and spending habits that are harder to track. But by being vigilant, we put ourselves in a position to prevent issues from happening, and ultimately be able to react when they do. Though Cyber space has brought all these new worries upon us, we still have the Human intelligence to stay ahead if we consider and study the consequences of not doing so.

Thanks for reading.

Comments (10)

  • MartinP

    Great article. I like the part about the passwords. All my passwords are long like the example above. I check to see if the password is secure enough by typing in a similar password in this website. It should give you an idea of how secure it is. Just do not type your real password into it. Anyways, good job.

    November 3, 2013 at 4:04 pm
  • TabbyBoy

    Nicely written DNIIM.  I only make financial transactions from my work or home secured WiFi connections.  My bank also alerts me literally within a minute if my purchase patterns change.  Regarding passwords, I use a special 2-word phrase unique to each website to prefix my standard special-character password.  This means that I can easily remember the many passwords for every site I visit.

     

    For example (I don’t actually use this!) my Brickpicker password would be:

     

    Lego%Investing£99$88€77

     

    Long passwords are a pain but, we have no other choice right now until websites start using secure tokens registered to each user.

    November 4, 2013 at 6:03 am
  • gregpj

    DNIIM .. It's great of you to share, but I’d like to argue your first point about public WiFi. It is somewhat misleading – and by all means, prove me wrong if you can. :)

     

    - If the web site you are connecting to over WiFi is using the https protocol, it absolutely is secure enough to use over a public WiFi connection.

    - If you are using the “apps” on your phone or tablet such as eBay and PayPal, you need to know whether they are using secure connections under the covers.. which unfortunately is impossible to know.

     

    I would like to add a couple more:

     

    - Avoid using the “please remember my username and password” options for sites such as your bank or credit card online accounts! Just memorize the numbers, they aren’t that long!

    - Have multiple email addresses .. one that you use for secure sites (like eBay, PayPal, banks, etc) and one that you use for general purpose web surfing. When you get that eBay payment reminder email to your general purpose email address, you know something is wrong.

    - Be familiar with the email policies of your financial institutions… eBay, PayPal and most banks NEVER ask you to “click this link to logon” in an email!

     

    Greg

    November 4, 2013 at 2:10 pm
    • TomOOO

      This is probably too much information, but SSL (used for https web sites) secures the data transfer from the server of the wifi provider and the server of the “bank”. It does not provide security to the wifi service. Wifi is only secure if it is encrypted and only you know the key – ie the person sitting next to you has the wifi key (it is public), and the data is transferred to the public wifi server using only the security that the wifi key provides – none in this case.

      April 19, 2014 at 7:27 am
  • TheOrcKing

    Here is one password no one would think of….
    http://www.youtube.com/watch?v=_JNGI1dI-e8

    November 4, 2013 at 3:44 pm
  • DoNotInsertIntoMouth

    DNIIM .. It's great of you to share, but I’d like to argue your first point about public WiFi. It is somewhat misleading – and by all means, prove me wrong if you can. :)

     

    - If the web site you are connecting to over WiFi is using the https protocol, it absolutely is secure enough to use over a public WiFi connection.

    - If you are using the “apps” on your phone or tablet such as eBay and PayPal, you need to know whether they are using secure connections under the covers.. which unfortunately is impossible to know.

     

    I would like to add a couple more:

     

    - Avoid using the “please remember my username and password” options for sites such as your bank or credit card online accounts! Just memorize the numbers, they aren’t that long!

    - Have multiple email addresses .. one that you use for secure sites (like eBay, PayPal, banks, etc) and one that you use for general purpose web surfing. When you get that eBay payment reminder email to your general purpose email address, you know something is wrong.

    - Be familiar with the email policies of your financial institutions… eBay, PayPal and most banks NEVER ask you to “click this link to logon” in an email!

     

    Greg

     

    Your extra points are great – definite must knows as well.

    As far as the point about HTTPS – it's actually sort of a give and take here. So in general, the difference on your computer hard wired at home is the data goes straight through your router onto the internet routers and on to its destination without any intervention (you hope) that could cause someone to get hold of it.

     

    It is called “Secure”, but unfortunately nothing is. Everything can be cracked. It just comes down to how hard it is to do it. So unfortunately, the fact that you are using a “Secure” protocol really doesn’t matter – it's more of a question of how secure, which you really won't know either way. Most of the time, these payloads that are encrypted can be captured and may not be able to be deciphered in a reasonable enough time period because there are tons of others not using the strong encryption for these people to bite on. But in the end, they could all be broken, so the difference between wireless and wired just becomes if someone can capture it or not. Wired, it is very hard while with wireless, it isn’t.

     

    So the short answer is – yes, you are more protected and are probably ok as long as your connection is a site secure type. But how secure is really a big question. Currently attackers are breaking encryption faster than people can think it up and lengthen it, which is a growing concern. That is why I don’t take the chance.

    November 4, 2013 at 4:16 pm
  • sadowsk1

    I’m always surprised to hear people having problems with their credit cards and not knowing why.  Most of the time they got sloppy somewhere, that’s why I avoid the internet.

    November 4, 2013 at 4:53 pm
    • Curtis

      Most of the time maybe, but this is not always the cause. Not that long ago we had a case where local law enforcement were able to expose what turned out to be a large scale credit card fraud ring that ultimately involved the FBI. The intrusion targeted a specific brand of merchant services equipment used at some very popular chain restaurants. So simply eating out at one of these places and using any form of credit put you at risk regardless of your well mannered credit habits. The only way one could have avoided the hit was to use cash.

      I realize your comment was posted back on Nov. 4th so there’s no way you could have known about the Target intrusion, but that would be another example of risk regardless of diligence.

      December 20, 2013 at 12:02 pm
  • gregpj

    I’ll concede that most encryption could be broken and you never really know what you get from a site…. Take Facebook for example. Even if you login using their https login page, you are redirected to their http site. So someone may not be able to get your login credentials, but they can still hijack your requests.

     

    The thing is, sites like PayPal are pretty strict about using https for obvious reasons. As a pseudo financial institution they are liable for any fraud that occurs.

     

    The crappy thing about phones and tablets is they aren’t very good with showing you when you do and don’t have a secure connection so I hear ya on just not taking the chance!

    November 5, 2013 at 11:56 am
  • TomOOO

    I work for an international organization in big (biological) data world, I hope the following is useful; many thanks for the original post – very good starter.

    Security of information is a many component thing not just a password, not just https (SSL). I agree completely with the blog on passwords:
    1) Long – passwords are guessed by programs – they have a scratch list of stupid ones (password and all variants of special characters that have been harvested), then they start scanning. Longer ones add another power of complexity.
    2) Humans need to remember them, or they choose an easy one or write it down. It makes no difference to an algorithm if there are special characters or not, it increases the search time as the number of characters is larger to try, but there might be special characters – in which case the algorithm has to try them anyway. Writing them down is the problem – below.
    3) Password breaking beyond the “stupid” set is not worth it – there are much better ways to get into accounts.

    Encryption: Essentially encrypted data using SSL (private/public key) standard cannot be broken. Even the NSA and GCHQ do not “break” the encryption. Your data is safe if encrypted – but SSL (ie an https web site service) ONLY secures the data between the client computer (ie the wifi server) and the server of the service (ie your bank). Even the latest heartbleed bug is not a problem of SSL data transfer, but a problem that the data can be got from the server running the SSL (please read official discussion on this – too much for here). I know this might sound pedantic – but it is important in security. WEP2 and other wifi security protocols are secure too (just another form of encryption), but if you know the key – you have access to all the data on the wifi. And then there is the thought that most wireless routers have admin account with PW = “admin” (doh… ), there is even a wireless router virus that takes advantage of this.

    4) Psychology problems are the biggest issue with data security, or rather the human factor. That is not the fault of the person, how can the general public ever know the details of data security beyond the basic – don’t open any attachment you don’t expect and run an anti-virus even on a Mac computer. Small form factor devices are a big problem at this time, especially with so many apps discussing details with other phones near by. In general, nearly every loss of data/money for a person is because they made a mistake – went to a clone site, opened an attachment from a friend – and their computer was sending spam emails. In general this mistake is not the problem of the user as they cannot be expected to know all the issues.

    5) There are negligent companies doing bad things with security – best not to mention some recent ones, but most people are not going to have a problem with these companies losing their details; this is rare. Anyway, they are liable! This is a problem of using very old operating systems that are insecure, or just bad design of their systems that will allow data to be accessed easily.

    I need to go do practical stuff – like shopping – now.

    April 19, 2014 at 7:56 am
