  • BassResource.com Administrator
Posted

Reflecting upon the recent and ongoing thread regarding a data breach and theft of personal information from Tacklewarehouse, it became clear to me that:

  • There are some misunderstandings regarding identity theft
  • Few people secure their accounts with Two Factor Authorization (using two credentials upon login)

 

So begets this post about hackers specific to your risk on BassResource.com.

 

To be clear, there have been no successful security breaches in the 25-year history of BassResource.com, due to our advanced security protocols.  But our security systems can only go so far. The following information is provided to help you secure your own information on BassResource and other websites/apps.

 

Evasive bad bots are on the rise

Bots continue to evolve and are becoming more sophisticated and designed to evade detection of less sophisticated bot protection solutions. In 2021, Evasive Bad Bots accounted for the majority of bad bot traffic (65.6%). This breed of bot is a grouping of both moderate and advanced bad bots that can evade common defenses. They use the latest evasion techniques, including cycling through random IPs, entering through anonymous proxies, changing their identities, mimicking human behavior, delaying requests, and more.

 

Many of these bots use the same VPN IPs and anonymous proxies you may use to hide your browsing behavior. BassResource blocks these IPs and proxies.  This means sometimes you may be blocked as well.

 

I strongly urge you to whitelist BassResource.com if you use these systems to avoid using blocked IPs or proxies when visiting BassResource.

 

Account Takeover attacks across the Internet are more prevalent than ever

Imperva, a web security firm, recorded an increase in the prevalence and sophistication of Account Takeover (ATO) attacks in 2021. Known as the identity theft of the digital age, ATOs involve bad actors attempting to gain illegal access to user accounts belonging to someone else. This is usually achieved using brute force login techniques such as credential stuffing, credential cracking, or dictionary attacks. These attacks use bots to run a list of stolen credentials against a login page (credential stuffing) or perform mass guessing of weak passwords (e.g. credential cracking, dictionary). If successful, the implications of an account takeover are extensive. For customers, a successful ATO can lock them out of their account, while fraudsters gain access to their sensitive information such as email address, password, and more.  To date, this has never happened on BassResource.

 

During the second half of 2021, Imperva Threat Research monitored an increase in ATO attacks. It started with a massive spike in attacks on Financial Services in June, which generated a 3,000%+ increase in malicious login traffic compared to the previous month. In October, attacks on Healthcare websites spiked (77%), coinciding with the general availability of the COVID-19 vaccine booster. At the end of the year, attacks on Gaming websites peaked (207% increase), coinciding with the holiday shopping season.

 

Over the past year, as investigated throughout this report, bot attacks became more prevalent than ever before, using advanced tools and techniques to break records for attack intensity. For example, in January 2022, Imperva Advanced Bot Protection detected and mitigated the largest bot attack in Imperva history. Over the course of four days, a web scraping attack targeted a global job listing website, pummeling it with no less than 400 million requests, originating from almost 400,000 unique IP addresses. The attacker used a large volume of IP addresses in an attempt to evade detection. With nearly 400,000 unique IP addresses at their disposal, each IP was making just 10 requests per hour, on average, with the intent of remaining below the rate-limit threshold of the site’s bot defenses. For context, the traffic spike during the attack was 30x compared to regular traffic on this site.

 

The Account Takeover (ATO) threat is bigger than ever

Of the many bot fraud use cases, ATO remains the most prevalent and perhaps most impactful. In the UK, ATO was the most common online fraud in 2021. In the US, 22% of adults have been victims of Account Takeovers, which amounts to over 24 million households. Social media and banking accounts were the most common accounts taken over. Imperva Threat Research recorded an increase of 148% in ATO attacks throughout 2021. 64.1% of these attacks made use of advanced bad bots, armed with the latest, most sophisticated evasion techniques. The US was targeted by 55% of attacks.

 

How To Secure Your Account On BassResource

BassResource has offered optional two-factor authorization (2FA) for several years. 2FA requires an additional login credential – beyond just the username and password – to gain account access. 2-Step Verification provides stronger security for your BassResource Account by requiring a second step of verification when you sign in. With 2FA, a potential compromise of just one of these factors won’t unlock the account. So, even if your password is stolen or your phone is lost, someone else having your second-factor information is highly unlikely.

 

Enabling 2FA For Your Account

To enable 2FA, click your name on the upper right, then click "Account Settings", then click "Security and Privacy". You will be prompted for your password.

 

Next, choose which 2FA method you prefer.  In addition to your password, you can use one of two options to enable 2FA:

  • You can answer a question you created and only you will know the answer, or
  • Enter a code generated by the Google Authenticator app on your phone.

Click "Enable" and follow the prompts to set up 2FA.

 

Both of these options were presented to you if you created your account after 2015, or you were notified when we initially enabled these protocols if your account is older than that. However, after that occurred, you were not reminded that 2FA was available.  Today, that changes.

 

Upon initial login of a new session, you will be reminded to use 2FA if you do not currently use it.  2FA is optional and you are not required to use it, but note the reminder will appear each time you log in.  We believe this notification will help you keep your account secure, and give you peace of mind that BassResource is keeping your best interests in mind - as we always have throughout the decades.

 

Hope that helps!

 

Glenn May

Founder/Owner

BassResource.com

  • Like 4
  • Thanks 4
  • Super User
Posted

2FA for my Account "Enabled"

Thank You @Glenn

:smiley:

A-Jay

  • Global Moderator
Posted

Yes indeed, Thanks

Mike

  • Super User
Posted

Something must be wrong with my settings. The popup that asks for a code isn't fully visible on my screen, only the bottom half and it won't let me scroll up or down. I had no choice but to opt out. I don't even know what the top information said. 

  • Like 1
  • Super User
Posted

This is good. It must have been activated today as I got a pop up to set it up. Glad it was a real thing because I stupidly trusted the site and set it up. Glad I was ok in letting my guard down this once. Shows how even super anal people about security get caught and trust a known:)

  • Like 1
  • Global Moderator
Posted
1 hour ago, Cgolf said:

This is good. It must have been activated today as I got a pop up to set it up. Glad it was a real thing because I stupidly trusted the site and set it up. Glad I was ok in letting my guard down this once. Shows how even super anal people about security get caught and trust a known:)


I felt the same way. 
I read it and thought about it twice.

Mike

  • Like 1
Posted

Suggestion - I think there should be a better security question than "what is your favorite lure company?" Is this the only question available?

 

Then again you can always make your answer something like "blfgdpl1@#t^" instead of Strike King.

 

I worked for a motorcycle shop and needed to get into the USPS account. It asked for a password but I didn't know it. It then asked me a security question.

 

"What is your favorite sport?"

 

I typed "racing" and got in with one try.

 

 

3 hours ago, Cgolf said:

This is good. It must have been activated today as I got a pop up to set it up. Glad it was a real thing because I stupidly trusted the site and set it up. Glad I was ok in letting my guard down this once. Shows how even super anal people about security get caught and trust a known:)

 

True but nobody is going to steal your credit info from most message forums. 

  • Like 1
Posted

Don't put your credit card in for Tacklewarehouse... I trust my credit card more with Chinese yaliyabas at this point over them, PayPal works too.

  • Super User
Posted
1 hour ago, schplurg said:

Suggestion - I think there should be a better security question than "what is your favorite lure company?" Is this the only question available?

 

Then again you can always make your answer something like "blfgdpl1@#t^" instead of Strike King.

 

I worked for a motorcycle shop and needed to get into the USPS account. It asked for a password but I didn't know it. It then asked me a security question.

 

"What is your favorite sport?"

 

I typed "racing" and got in with one try.

 

 

 

True but nobody is going to steal your credit info from most message forums. 


This is a one off password and Glenn doesn’t have me CC info, at least I hope he doesn’t. 

  • BassResource.com Administrator
Posted
2 hours ago, schplurg said:

Suggestion - I think there should be a better security question than "what is your favorite lure company?" Is this the only question available?

Good point.  I added a few more.  Try now.

 

1 hour ago, Cgolf said:

This is a one off password and Glenn doesn’t have me CC info, at least I hope he doesn’t. 

Nope, I don't have your CC number, but the Bait Monkey and I are really good friends, and he has your card info.  :)

 

btw - I can't even see your password.  It's encrypted.

  • Haha 1
  • Global Moderator
Posted

I failed many times with the QR code and time-sensitive Google Authenticator
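The Google Authenticator codes discussed in this thread are time-based one-time passwords (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits), so a code is rejected when the phone's clock and the server's clock disagree by more than the server tolerates. The sketch below is an added example, not code from BassResource or its forum software; the key is the published RFC 6238 test secret, and `verify`, `window` and `last_used_step` are names assumed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (RFC 6238 default)
DIGITS = 6   # code length shown by authenticator apps

def hotp(key: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(key: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // STEP)

def verify(key: bytes, code: str, server_time: int,
           window: int = 1, last_used_step: int = -1):
    """Return the time step the code matches, or None if it is rejected.

    window         -- steps of clock drift tolerated on either side
    last_used_step -- newest step already accepted; blocks replay of a code
    """
    now = server_time // STEP
    for step in range(max(0, now - window), now + window + 1):
        if step <= last_used_step:
            continue  # this code (or an older one) was already used
        if hmac.compare_digest(hotp(key, step).encode(), code.encode()):
            return step
    return None

KEY = b"12345678901234567890"  # RFC 6238 test secret, not a real account key

if __name__ == "__main__":
    code = totp(KEY, 59)                       # phone clock reads t=59
    print("code on phone:", code)
    print("server at t=65:", verify(KEY, code, 65))    # 6 s apart: accepted
    print("server at t=95:", verify(KEY, code, 95))    # 36 s apart: rejected
    print("replayed at t=65:", verify(KEY, code, 65, last_used_step=1))
```

With the default `window=1` the verifier accepts the previous, current and next 30-second code, so setting the phone's time to automatic is usually enough to stop repeated failures.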
