2-Factor versus Common Sense?

So, a funny thing happened as I was on my way out to Sunday lunch with a friend: I checked my e-mail. It’s actually not something I do all that often in the evenings or on weekends, but there were a few notable messages that took me by surprise. One was a message from Starbucks that an auto-reload transaction for $100 was completed, and an additional one was denied. And the other was from PayPal that my transaction was completed successfully.

Cue a camera pan to my face saying “HWAT?”

A near exact reenactment…

A friend recently said on his Twitch stream, “Get Two-Factor Authentication on everything. Do it now.” and I should have taken heed.

I didn’t really have time to manage everything, but I reported it to both PayPal and Starbucks, then headed out to continue my Sunday. Eventually PayPal restricted transactions on my account pending security review, password change, etc. and Starbucks started an investigation.

All normal stuff, I’m not super put out by it, but what’s most annoying is it just doesn’t pass a common sense test. Thinking about all the account breaches, security incidents, stolen passwords, nearly nothing that’s been allowed to happen and discovered by me after the fact made any sense.

For instance, I have a Starbucks card. I maybe put $20 on it every few months and go to the same two or three locations in DC. Because Starbucks logs everything, the activity went as follows:

  • changed the first and last name (and nothing else) on my Starbucks account
  • loaded up a card that’s not even on my account with $100
  • immediately spent the entire $100 at a location in Texas
  • tried to load it up with another $100

Based on my account activity, does that even make sense? I’d like to think that some part of security and noticing outliers has to be seeing patterns of behavior. And none of the above is how I act, at all.

Similar are all the gaming networks I belong to, that again I only log in from two or three places (IP addresses) in DC. Does it seem normal that I would try to suddenly log in from China, Japan, Ireland, Russia, Africa? Really? Thankfully, most of those game accounts I’ve had on authenticator apps or two-factor authentication for a while ever since my World of Warcraft account was hacked and I logged in to find myself naked in the middle of the ocean with all of my character’s belongings cleaned out.

Same with Spotify: a few years back someone logged into the account from South America, changed the e-mail address (but not the payment details), deleted my favorites and my playlists, and started up new ones, with listening patterns completely different. The only way this could have made sense is if I were trying to fake my death and create a new identity in Zihuatanejo or Cartagena.

[Image: the back of a laptop on a table, covered in stickers; one prominently says "hacker"]
You know how hard it is to find a “hacker” stock image that isn’t a hoodie or balaclava?
Image by Génesis Gabriella from Pixabay

In most cases, there’s never an answer because you’re usually dealing with a customer service representative, not a security one. I know that a bunch of my old passwords are probably out there for sale in databases, and of course I haven’t updated passwords everywhere. I probably can’t even remember how many sites I’m signed up for with my main e-mail addresses.

I do know that one scam e-mail that keeps saying they have broken into my machine and have video of me masturbating really needs to get a new pitch. It’s 2020, do you know how many people have their own websites filled with nothing but videos like that? COME ON.

So I’ll continue to try to desperately keep up with “strongly generated passwords” and will probably have to deal with things like this from time to time anyway, though I am strongly tempted to review my PayPal subscription agreements just in case.

Other than that, it was a lovely long weekend and being back at work is a struggle. I hope everyone is well!

Featured image by MasterTux from Pixabay
