
Tesla security issue

Discussion in 'The UK and Ireland' started by PaulMac, Feb 7, 2015.

  1. PaulMac

    PaulMac Member

    Joined:
    Nov 13, 2014
    Messages:
    37
    Location:
    Surrey, UK
    As a warning to everyone...


    I am not sure if the following is legitimate, but it feels wrong and worth sharing.


    I received an email from someone this morning claiming that I wanted to join a Facebook Tesla group, and should follow a link and enter my Tesla password as login. (paste from email below).


    This feels like a really really bad idea. Surely as soon as you release the username and password anyone can install the app, and then track your car, unlock it, start it, and take it!!


    Apple get a lot of bad press for hacking, which is actually people cracking or guessing passwords and accessing photo streams, so there is extra authentication added to the process. I would hate for Tesla to get the bad publicity, and there is no device authentication used.


    Sorry if this is a legitimate email and Facebook group, but it feels like we should be really careful with the username and password!!!!!!!! So that is worth repeating :)




    {You have requested to join the Tesla Owners Group on Facebook. Only Bona Fide owners and reservation holders can become members of the group so please visit http://l.facebook.com/l/jAQFNm4d0AQGKnfMnXjh4a1D2a5fwGiUtAiGkXqhwk4PWCg/my.teslamotors.com/en_GB/forum/forums/joining-facebook-owners-group and follow the instructions to get your request to join approved.


    The login for the forum is also the login for your Tesla Reservation page on My Tesla, simply use the same login email and password to be able to comment on the thread.}
     
  2. LuckyLuke

    LuckyLuke Model S P85DL

    Joined:
    Dec 14, 2011
    Messages:
    2,092
    Location:
    Eindhoven, The Netherlands
    Never enter your Tesla user/pass on any sites except teslamotors.com or the official iOS/Android app, ever! (Only exception perhaps verified safe apps like visibletesla)
     
  3. jerry33

    jerry33 S85 - VIN:P05130 - 3/2/13

    Joined:
    Mar 8, 2012
    Messages:
    12,766
    Location:
    Texas
    Luke is correct. You've received a phishing e-mail. Facebook never sends out requests like that. Best practice is to always go to the official Facebook/Bank/Tesla/etc. site and log in. Many phishing emails look legitimate (displaying the full headers can show you where the email comes from, but you have to know how to read them). Never trust the From: address because those are easily forged.
     
  4. Shawn Snider

    Shawn Snider Member

    Joined:
    Jul 30, 2014
    Messages:
    205
    Location:
    BC, Canada
    ... wow.

    Either this thread isn't real, or the OP is 60+ with absolutely no experience whatsoever with the internet / email. Who buys a $100,000 car and then gives some random person in your email your account number and password?? I'm sorry but you deserve to lose everything.
     
  5. bollar

    bollar Disgruntled Member

    Joined:
    May 1, 2013
    Messages:
    2,243
    Location:
    Southlake, TX
    Perhaps a re-read of the OP's message would be helpful.
     
  6. cgiGuy

    cgiGuy Member

    Joined:
    Jul 9, 2013
    Messages:
    985
    Location:
    Sacramento, CA
    What if he is 60+ and/or isn't all that up to date on phishing scams? Does he still "deserve to lose everything"? I work with a LOT of very smart and successful people (under 60) who don't know much about computers at all. It actually amazes me. But I don't think they deserve to be scammed...
     
  7. TexasEV

    TexasEV Active Member

    Joined:
    Jun 5, 2013
    Messages:
    3,796
    Location:
    Austin, TX
    Don't blame the victim. Phishing happens because it works.
    Mod note- perhaps change the title to something like "Beware Tesla phishing emails"
     
  8. bonnie

    bonnie Oil is for sissies.

    Joined:
    Feb 6, 2011
    Messages:
    14,241
    Location:
    Columbia River Gorge
    #8 bonnie, Feb 7, 2015
    Last edited: Feb 7, 2015
    And who says there isn't humor on the internet?

    :)
     
  9. ecarfan

    ecarfan Well-Known Member

    Joined:
    Sep 21, 2013
    Messages:
    10,402
    Location:
    San Mateo, CA
    To the OP: never give your Tesla Motors account login information to anyone. You are the only person who needs to know it. Tesla of course also knows it so there is never a need to give it to Tesla. All other requests for that information should be ignored.

    And yes, if you have a spouse who also drives your Tesla they can have it if you wish to provide it, but they don't need to know it to drive the car.
     
  10. PaulMac

    PaulMac Member

    Joined:
    Nov 13, 2014
    Messages:
    37
    Location:
    Surrey, UK
    #10 PaulMac, Feb 7, 2015
    Last edited: Feb 7, 2015
    Yes, that is why I posted it....there are people out there...not me...who will give out all sorts of personal info if an email, call or visitor sounds legitimate. So it felt like the right thing to do to lift the profile of this risk.

    As it turns out the email appears legitimate although badly written, and was not actually trying to get my info, but to prove I had a Tesla by asking for communication with them via the tesla owners forum.

    So...my message still stands: never give out your username and password!!!! Oh and Tesla, perhaps this system needs to be more robust, a simple username and password is not much to protect a £100k car.
     
  11. jerry33

    jerry33 S85 - VIN:P05130 - 3/2/13

    Joined:
    Mar 8, 2012
    Messages:
    12,766
    Location:
    Texas
    True. You should use a complex password and store it encrypted. The fly in the ointment is that Tesla expires the password and logs you out without warning. Not so bad if you are at home, but if you are on a trip or really need the App to start your car it's not good (no one, including me, memorizes complex passwords). However, hope is on the horizon:

    "Thank You for contacting Tesla Motors Technical Support. We can appreciate your input on the mobile applications limits. The two week notification for the password change seems like a great idea. I will go ahead and create a feature request for this immediately."
     
  12. mgboyes

    mgboyes Member

    Joined:
    Apr 16, 2014
    Messages:
    811
    Location:
    United Kingdom
    This is not a malicious or phishing email, though I can see how it looks a little bit suspect.

    The link you have been sent is a link to a conversation on the teslamotors.com forum. For some reason it's wrapped inside a Facebook link redirector but ultimately it takes you to Joining the Facebook Owners Group | Forums | Tesla Motors

    The instruction to "log in with the same username and password you use for your My Tesla account" is telling you how to log in and add a comment to that thread on the TM forums (for which you do indeed need to use the same password you use with your app).

    The way you get approved to join the UK Tesla Motors FB group is by commenting on that thread on the teslamotors.com site (so the only place you type this password in is on a TM webpage).

    So while it sounds suspicious, it is in fact most likely a completely genuine request to you to verify that you are a reservation holder/owner.

    I will let the guy who runs the UK FB group know that this email is being misconstrued!
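
Added example (not part of any post in this thread): a way to see where a link wrapped in the Facebook redirector actually leads before typing a password, using the link from the quoted e-mail. The trusted-domain list, the `http://` scheme put on the unwrapped path form, the `l.php?u=` query form and the lookalike sample are assumptions or constructed values for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the only domain this thread treats as safe for the Tesla login.
TRUSTED_SUFFIXES = ("teslamotors.com",)
REDIRECTOR_HOSTS = {"l.facebook.com"}

# Link exactly as quoted in the first post.
EMAIL_LINK = ("http://l.facebook.com/l/jAQFNm4d0AQGKnfMnXjh4a1D2a5fwGiUtAiGkXqhwk4PWCg/"
              "my.teslamotors.com/en_GB/forum/forums/joining-facebook-owners-group")
# Constructed lookalike: trusted name used as a prefix of a different domain.
LOOKALIKE = "http://l.facebook.com/l/TOKEN/my.teslamotors.com.example.net/login"


def unwrap_redirector(url):
    """Return the destination behind a Facebook redirector link, else the URL unchanged."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in REDIRECTOR_HOSTS:
        return url
    # Query form: /l.php?u=<percent-encoded destination> (parse_qs decodes it)
    target = parse_qs(parts.query).get("u", [None])[0]
    if target:
        return target
    # Path form used in the e-mail: /l/<token>/<host>/<path>
    segments = parts.path.split("/", 3)  # ['', 'l', token, 'host/path']
    if len(segments) == 4 and segments[1] == "l" and segments[3]:
        return "http://" + segments[3]   # scheme is assumed; only the host matters here
    return url


def is_trusted(url):
    """True only if the final host is a trusted domain or a subdomain of one."""
    host = (urlsplit(unwrap_redirector(url)).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


if __name__ == "__main__":
    for link in (EMAIL_LINK, LOOKALIKE, "http://teslamotors.com@example.net/"):
        print(is_trusted(link), unwrap_redirector(link))
```

The comparison is made on the parsed hostname with a dot-anchored suffix match, so a trusted name appearing as a prefix or in the userinfo part of a URL does not pass.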
     
  13. deonb

    deonb Active Member

    Joined:
    Mar 4, 2013
    Messages:
    3,020
    Location:
    Redmond, WA
    Did anybody even read the OP's post?

    The post simply asks you to enter your Tesla username and password at teslamotors.com in order to make a post on the Forum hosted by ... wait for it... teslamotors.com.

    A lot of people don't know about that forum and don't know how to log into it.


    So take precautions and don't click on links - rather type in teslamotors.com directly in the browser. But if you don't trust teslamotors.com with your teslamotors.com username/password, then how did you buy the car in the first place...?
     
  14. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,793
    Location:
    Connecticut
    But it doesn't even do that! All that does is prove you created an account on Teslamotors.com. There's no validation or proof that anyone who logs into the forums is an owner or reservation holder. I had a TM account long before I bought my car.
     
  15. cgiGuy

    cgiGuy Member

    Joined:
    Jul 9, 2013
    Messages:
    985
    Location:
    Sacramento, CA
    If it's a thread that's marked private, only reservation holders and owners can post. Was typically used to try to weed out "trolls" complaining about cars they didn't actually own.

     
  16. HankLloydRight

    HankLloydRight Fluxing

    Joined:
    Jan 18, 2014
    Messages:
    5,793
    Location:
    Connecticut
    Ok, learn something new every day. When was that feature enabled?
     
  17. jerry33

    jerry33 S85 - VIN:P05130 - 3/2/13

    Joined:
    Mar 8, 2012
    Messages:
    12,766
    Location:
    Texas
    At least two years ago.
     
  18. gdavison

    gdavison Member

    Joined:
    Sep 28, 2014
    Messages:
    84
    Location:
    Hampshire / Berkshire Border
    Jerry - have a look at LastPass from lastpass.com. Create and store different random very complex passwords for any web page (and some apps). The free version is for PC only and has ads, however the licensed version at 12 USD a year includes all mobile devices and is ad-free. Free version however is good enough to play with for a bit and then when you see the value it's easily worth the 12 USD a year. I can confirm it works with the Tesla App on Android.

    I am not associated with LastPass in any way, just a happy user.
     
  19. dsm363

    dsm363 Roadster + Sig Model S

    Joined:
    May 17, 2009
    Messages:
    18,235
    Location:
    Las Vegas, NV
    I'd throw in a vote for 1Password as well. Amazing program and for Mac and PC. Syncs to your phone so you always have your passwords with you. iOS version uses TouchID if you have a newer iPhone.
     
