“You don’t know me, but I know your password. Let me get right to the point. I have access to your computer. I recorded you through your camera. You can pay me in bitcoin and I will disappear. If you don’t pay me I will send the video to everyone on your distribution list.”
(A popular online scam)
Have you ever received a threatening email by an unknown assailant who claims they have access to your accounts and have collected damaging information about you? Well sure, the email might be just a scare email with no real “meat” to it, or… it could be a bit more insidious. How can you know for sure whether this hacker really has control of your computer, or really recorded a video of you?
The answer is: You can’t.
By the time you get that threatening email or find out about a potential hack, it is too late to cover your tracks. You need to practice good online identity hygiene all the time, not just after you hear about the hack. In many ways having good online identity hygiene is much like any personal hygiene: Good “personal hygiene” results in better health, and good “online identity hygiene” results in better identity protection.
As with everything in life, having a plan before you need it is a good idea. The same goes for being hacked: It is a good idea to have a plan before you are hacked.
What to do if you’ve been hacked
If you think you have been hacked, the first thing to do is panic a little. Then exercise your plan. Here is an outline for you to follow:
- Notify IT! Notify your IT department as soon as practical if you believe your work account has been compromised. If a criminal has obtained your work credentials, they might be able to use those credentials to infect other machines and create a persistent presence in your company’s network. Also, your company may be exposed to significant financial penalties if sensitive data is compromised, and time-critical, government-mandated reporting may be required.
- Change your passwords! Change your passwords quickly, but DON’T do it from the computer that you believe may have been part of the compromise. Find a clean computer, one that you know is not infected. If you think this was a targeted attack against you, change as many passwords as you find necessary.
- Call your bank! Call your bank or credit card company if your financial credentials were stolen. Consider contacting the three credit bureaus TransUnion, Equifax, and Experian.
- Know when to call law enforcement! Generally speaking, the FBI or local police aren’t going to be the answer, but it is important to know when to make that call. Alert law enforcement if you feel in personal danger, or if you have been personally defrauded. For more information on when and how to contact law enforcement, check out this site: https://www.usa.gov/stop-scams-frauds
- Cover your exposure! Figure out where you were hacked and, if that site hasn’t already been protected, seal up that hole. Review account details to confirm that your recovery email address and other personal information haven’t been changed. Review account activity and make sure to remove or resolve any posts that were made by “the bad guys”. The hackers are going to try to perpetuate the fraud, and will likely send emails to your contacts trying to get them to open virus files and links. Notify contacts who were sent emails from your compromised account not to open any of those emails.
Online Identity best practices
Most of us have a vast number of online identities, ranging from social media at Facebook and Instagram, to online shopping at Amazon and Walmart, food delivery with Uber Eats, banking, Fitbit and healthcare sites, work credentials and LinkedIn, not to mention Gmail and Outlook and Yahoo Mail. All of these identities are potential “account hacks”. By compromising any of your accounts, an adversary can literally “take over your identity”.
In the world of high-profile data breaches such as Target, Marriott, Anthem, and Equifax, you might wonder what you can do to keep from becoming the target of the next hack. While there is no foolproof immunization, there are many ways to harden your defenses against identity theft. Here are some of the best practices:
Accounts and credentials
- Don’t use your work email address for personal business: Certainly there are times when it is reasonable to use your work email address for personal business, but in general… just say no. Keep your personal life separated from your business life. Remember, your work emails are tracked by your company “to protect the company”. Sensitive personal business is best kept personal and not in your company’s mail exchange.
- Use different login names when possible. Just like with passwords, it is convenient to reuse login names. On the other hand, using different usernames on each site makes it more difficult for a hacker to capture your online identity.
- Multi-factor wherever possible: Multi-factor authentication (MFA) makes it more difficult for an attacker to successfully get into your accounts. MFA requires two or more of: something you know (e.g., a password, a PIN), something you have (e.g., a phone, a card), and something you are (e.g., biometrics) before permitting access to a site. Many companies such as banks, LinkedIn, and Facebook now provide MFA options. Engage multi-factor account protection wherever possible.
- Alerts when logging in: If possible, turn on text or email alerts when login is detected, especially when logging in from unrecognized devices. This way you will be notified that someone has hacked into your account as soon as it happens. Most banks and many other sites offer this type of protection.
- Use strong passwords and long passphrases: Long passwords are harder to crack than short passwords, because every added character multiplies the number of guesses an attacker has to make.
- Don’t reuse passwords. This might sound obvious, but if your password is compromised, the “bad guy” will likely try other sites using that same password. It is always better to use different passwords on each of the sites you log into.
- Avoid common passwords. This might not be obvious at first, but it is true that human beings are really not all that creative when it comes to passwords. Consider, who would use “Fall2018” or “abc123” for a password? Turns out, a lot of folks. Don’t be one of them!
- Use a password manager: Using a password manager is better than writing your passwords on a sticky note under your mousepad! Google Chrome has a built in password manager.
- Be aware of where you’ve left your online identity. There are websites whose only purpose is to harvest identity information. You happen by the site, it says if you enter your information you’ll be submitted for a raffle for a free phone or free cruise, but there really isn’t a raffle. The site is set up to collect personal information. If you don’t know the pedigree of a website, it is best to just avoid it and not enter your personal information.
- Monitor for suspicious activity: The “Have I Been Pwned” site is a great place to check whether your accounts have turned up in a known breach. In fact, you can register your email address with the site, and if that address shows up in a future breach you’ll get an alert. See https://haveibeenpwned.com/
- Keep aware of the news. When you hear that Target or Home Depot has been compromised, consider whether your credentials are likely in that batch. If so, it is time to change your passwords.
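The password advice above (length, avoiding common choices, checking against known breaches) can be turned into a small self-check. The following is an added example written for this article, not code from the original post or from Have I Been Pwned: it estimates how many guesses a brute-force attacker needs for a given password, and it simulates the k-anonymity lookup that the Have I Been Pwned “Pwned Passwords” service uses (SHA-1 hash, only the first five hex characters leave the client). The breach list here is a constructed sample embedded in the script, so nothing is sent over the network, and the 12-character and 60-bit thresholds are assumptions chosen for illustration.

```python
import hashlib
import math
import string

# Constructed stand-in for a breach corpus (sample data for this example only;
# the real Pwned Passwords corpus holds hundreds of millions of entries).
CONSTRUCTED_BREACHED = ["Fall2018", "abc123", "password", "123456", "qwerty", "letmein"]


def build_range_index(breached):
    """Index breached passwords by the first 5 hex chars of their SHA-1 hash.

    This mirrors how a range endpoint serves the data: a client asks for a
    5-character prefix and gets back every hash suffix under that prefix.
    """
    index = {}
    for pw in breached:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def is_breached(password, index=RANGE_INDEX):
    """k-anonymity check: only the 5-char prefix is 'sent'; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = index.get(prefix, [])  # everything the 'server' would see and return
    return suffix in candidates


def charset_size(password):
    """Size of the smallest obvious alphabet an attacker would have to brute-force."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    if " " in password:
        size += 1
    return size


def entropy_bits(password):
    """Upper-bound strength estimate: log2(charset ** length).

    Dictionary and pattern attacks make 'Fall2018' far weaker than this number
    suggests, which is why the breach check below matters as much as the length.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_brute_force(password, guesses_per_second=1e10):
    """Expected years to search half the keyspace (assumed rate: 10^10 guesses/s,
    a plausible offline rate against a fast, unsalted hash)."""
    expected_guesses = 2 ** entropy_bits(password) / 2
    return expected_guesses / guesses_per_second / (3600 * 24 * 365)


def assess(password):
    """Collect the hygiene problems this article warns about, for one password."""
    findings = []
    if is_breached(password):
        findings.append("appears in a known breach list")
    if len(password) < 12:  # assumed minimum length for this example
        findings.append("shorter than 12 characters")
    if entropy_bits(password) < 60:  # assumed strength floor for this example
        findings.append("estimated strength below 60 bits")
    return findings


if __name__ == "__main__":
    for pw in ["Fall2018", "abc123", "correct horse battery staple"]:
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"~{years_to_brute_force(pw):.3g} years offline, findings={assess(pw)}")
```

Running it shows the contrast the article draws: the seasonal “Fall2018” pattern is both in the breach list and exhaustible in hours at an offline guess rate, while a four-word passphrase is neither. The prefix-only lookup is the part worth copying into any real check, since it lets you consult a breach corpus without ever handing the password itself to a third party.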
While you can’t make yourself immune to identity theft, you can limit the damage when it happens. Doing so requires vigilance and reasonable precautionary planning. The “bad actors” will continue to look for opportunities. There is no reason to make those opportunities “easy” for them.
When it comes to cyber security and identity protection, we can all take a little advice from Sergeant Esterhaus (Robert Conrad) on Hill Street Blues: “Remember, let’s be careful out there.”