“You don’t know me, but I know your password. Let me get right to the point. I have access to your computer. I recorded you through your camera. You can pay me in bitcoin and I will disappear. If you don’t pay me I will send the video to everyone on your distribution list.”
Popular online scam
Have you ever received a threatening email by an unknown assailant who claims they have access to your accounts and have collected damaging information about you? Well sure, the email might be just a scare email with no real “meat” to it, or… it could be a bit more insidious. How can you know for sure whether this hacker really has control of your computer, or really recorded a video of you?
The answer is: You can’t.
By the time you get that threatening email or find out about a potential hack, it is too late to cover your tracks. You need to practice good online identity hygiene all the time, not just after you hear about the hack. In many ways having good online identity hygiene is much like any personal hygiene: Good “personal hygiene” results in better health, and good “online identity hygiene” results in better identity protection.
As with everything in life, having a plan before you need it is a good idea. Equally so, have a plan before being hacked.
Disclaimer
I need to start this article with a few disclaimers. No, I am not a lawyer. No, I do not play a lawyer on Television. And no, my opinions in this article in no way represent a binding solution for your particular situation. If you wish to have a personal and professional recommendation, by all means, consult me. But this article is just that — an article — and only represents the general opinions of the writer.
1. Have I already been hacked?
Let me make this simple. My recommendation here is to consider your information compromised. Whether it be by way of phish or by way of corporate breach, consider your information compromised. To name a few famous breaches:
- Equifax 143 Million, 2017
- Target 40 Million, 2013
- US Government Office of Personnel Management 25 Million in 2 breaches, 2015
- Ashley Madison 37 Million, 2016
You are likely in at least one of these famous breaches.
It also doesn’t matter whether today, at this limited moment in time, you have not been compromised. Chances are that your very personal information has been compromised, or will be compromised soon. Searching whether you have been hacked is an academic approach. You are wasting your time, and it is better to consider that you have been compromised.
Even worse, if you start poking around the dark web, you may wind up getting even more of your systems and your identity compromised.
But I REALLY want to know!
That said, if you really want to know if your information is out on the deep dark web and is available to the bad guys, one site to consider is have i been pwned . This will at least notify you when your email address is compromised. We’ll talk more about using Have I Been Pwned in the alert section later.
Expect you have been owned
Remember, you cannot get the information back, it is real information, you can’t sue the guy who stole your data, you can’t sue the guy who is selling your data, and you can’t call Google nor the NSA and demand that they take all your information off the web. It is there, and it is there for good. Or at least it is likely there, or will be there very soon.
I realize you might think this wasn’t very helpful, but it is important to understand that you cannot effectively research whether your information is out in the wild. It is an impossible pursuit. That said, I’m glad you asked what to do. This is both simple and complicated at the same time. And, there are two very different parts of a solution. First, what can you do, expecting that your data has been compromised. And second, what can you do to maybe help keep your data a little more secure.
2. What to do if you were owned
If you think you have been hacked, the first thing to do is panic a little. Then exercise your plan. Here is an outline for you to follow:
Notify IT!
Notify your IT department as soon as practical if you believe your work email account has been compromised. If a criminal has obtained your work credentials, they might be able to use those credentials to infect other machines and create a persistent presence in your company’s network. Also, your company is likely exposed to significant financial penalties if sensitive data is compromised. In addition, time critical, government mandated reporting may be required.
Change your passwords!
Remember to change your passwords quickly, but DON’T do it from the computer that you believe may have been part of the compromise. Instead, change your passwords from a clean computer (that is, one that is not infected). If you think this was a targeted attack against you, change as many passwords as you find necessary.
Call your bank!
Call your bank or credit card company if you experience financial crimes. Consider contacting the three credit bureaus TransUnion, Equifax, and Experian.
Know when to call law enforcement!
Generally speaking, the FBI or local police aren’t going to be the answer, but it is important to know when to make that call. Alert law enforcement if you feel in personal danger, or if you have been personally defrauded. For more information on when and how to contact law enforcement, check out this site: https://www.usa.gov/stop-scams-frauds
Cover your exposure!
Figure out where you were hacked. Manually change your password if the site hasn’t already forced you to do so. Review account details to confirm that your recovery email address and other personal information hasn’t been changed. Review account activity. Remove or resolve any posts made by “the bad guys”. The hackers are going to try to perpetuate the fraud, and will likely send emails to your contacts trying to get them to open virus files and links. Notify contacts who were sent emails from your compromised account to not open any of those emails.
3. Preventing another hack attack
It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.
Warren Buffett
Most of us have a vast number of online identities, ranging from social media at Facebook and Instagram, to online shopping at Amazon and Walmart, food delivery with Uber Eats, banking, Fitbit and healthcare sites, work credentials and LinkedIn, not to mention Gmail and Outlook and Yahoo Mail. All of these identities are potential “account hacks”. By compromising any of your accounts, an adversary can literally “take over your identity”.
In the world of high profile data breaches such as Target, Marriott, Anthem, and Equifax, you might wonder what you can do to help prevent you from being the target of the next hack. While there is no foolproof immunization, there are many ways to harden your defenses against identity theft. Here are some of the best practices:
Account names
DON’T use Work email address for personal business
Certainly there are times when it is reasonable to use your work email address for personal business, but in general… just say no. In general, keep your personal life separated from your business life. Understand that your work emails are tracked by your company “to protect the company”. Sensitive personal business is best kept personal by avoiding your company’s mail exchange.
DO use different login names when possible
Basic authentication is accomplished by way of a username and a password. Figuring out your username is half the battle! Just like with passwords, it is convenient to reuse login names. On the other hand, using different usernames on each site makes it more difficult for a hacker to capture your online identity.
DO enable multi factor wherever possible
Multi factor authentication (MFA) makes it more difficult for an attacker to successfully get into your accounts. MFA requires a combination of something you know (e.g., a password, a PIN), something you have (e.g., a phone, a card), and something you are (e.g., biometrics) to permit access to a site. Many companies such as Banks, LinkedIn, and Facebook now provide MFA options. Engage multi factor account protection wherever possible.
DO enable login alerts
If possible, turn on text or email alerts when login is detected, especially when logging in from unrecognized devices. This way you will be notified if someone has hacked into your account as soon as it happens. Most banks and many other sites offer this type of protection.
Password authentication
DO use strong passwords and long passphrases
“All your base are belong to us”
1992 Mega Drive port of arcade video game Zero Wing
Long passwords are harder to crack than short passwords.
DON’T reuse passwords
Once a password is compromised, the “bad guy” will try other sites using that same password. While sites normally “salt” passwords to prevent this type of replay attack, not all sites “salt” adequatly.
How to protect yourself from this type of attack? Use a different password on each site. t is always better to use different passwords on each of the sites you log into.
DON’T use common passwords
This might not be obvious at first, but it is true that human beings are really not all that creative when it comes to passwords. Consider, who would use “Fall2018” or “abc123” for a password? Turns out, a lot of folks. Don’t be one of them!
DO use a password manager
Using a password manager is better than writing your passwords on a sticky note under your mousepad! Google Chrome has a built in password manager.
Financial protection
DO file your taxes early
Come next year, file as early as possible. What is going to happen is that any personal data that is lingering out there will be used to file false tax returns. Do whatever you can to file them as early as practical. Get the information you’ll need together even this year, so you can quickly fill out the forms as soon as you can next year.
DO enble alerts for your bank and payment card accounts
Add SMS Text and Email alerts on all your accounts. If anyone tries to use your cards or lift money from your bank accounts, you’ll know quickly. If you get an alert for a transaction that you did not complete, then call the associated credit card company or bank as soon as you can — immediately if at all possible.
DO consider emplacing fraud alerts and credit freezes
A fraud alert makes it more difficult for a bad guy to open credit in your name. Initial fraud alerts are enforced for 90 days. You can call any of the three credit reporting companies to implement an initial fraud alert, and that first company you call will alert the other two. Click here for FTC guidance on fraud alerts.
A credit freeze makes it even more difficult for a bad guy to open credit in your name. Note though, that it also makes it more difficult for you, yourself, to open credit in your own name. Credit freezes are in place for 7 years. If during that seven years you wish to open a line of credit, buy a home on credit, buy a car on credit, lease a car, or perform any number of other credit related activities, you’ll have to temporarily lift the freeze. It is often the case (and it varies state to state) that in-placing a credit freeze and performing the temporary lift costs money.
Account protection
DO be aware of where you’ve left your online identity
There are websites whose only purpose is to harvest identity information. Let’s say you happen by a site. Win a free cruise or a free phone if you enter your credentials. But not so fast. It is likely that there really isn’t a raffle. The site is part of the scam to collect personal information. If you don’t know the pedigree of a website, it is best to just avoid it and not enter your personal information.
DO monitor for suspicious activity
The “Have I been pwned” site is a great site to check whether your accounts have been compromised. Register your email account in the site and you will get an alert f your email is compromised. See https://haveibeenpwned.com/
DO keep aware of the news
When you hear that Target or Home Depot has been compromised, consider whether your credentials are likely in that batch. If so, it is time to change your passwords.
Others
DON’T believe anyone who calls telling you they are from a company who got hacked
These calls are likely social engineering, looking for ways to get more information from you!
DO be VERY careful with entering your information on any web sites
Especially web sites that say they are going to research whether you are breached, or whether your information is on “the dark web”, just avoid them. These are often “social engineering web sites”. My honest recommendation is that this is a pursuit in unhappiness. Many, many, many of these are trumped up companies that are in fact just bad sites themselves! There are many scams out there, don’t be a double victim. If that isn’t enough, consider this one. These companies are going to ask you for personal information to check against sites in the dark web. What happens when they, themselves, get breached? Just not worth it. My recommendation is to just say no.
Identity theft protection companies
Many people are asking me about LifeLock, and other identity theft protection companies. This is neither legal advice nor financial advice; however, my recommendation is the same as for providing personal information to any web site or company: In general, just say no. For frame of reference, the FTC reports, “LifeLock will pay $100 million to settle Federal Trade Commission contempt charges that it violated the terms of a 2010 federal court order that requires the company to secure consumers’ personal information and prohibits the company from deceptive advertising. This is the largest monetary award obtained by the Commission in an order enforcement action.”
A few famous last words on sharing personal information
Remember. When you enter your personal information on a web site – any web site – you are opening yourself up to being compromised.
Do you have a shopping account at Wal-Mart, or Amazon, or Target? Probably. Did you provide your social security number to Comcast, or AT&T, or T-Mobile, or Dish Networks? Probably. Is your personal information retained at your favorite hospital, or clinic? Probably. Have you signed up for an “Rewards” accounts with an airline, or train, or local bus service? Probably.
All these places are sources of leaks. Every time you provide your personal information to anyone, anywhere, you are opening yourself up to potential leaks.
When faced with a request for your personal information, consider alternatives. Instead of signing up for postpaid cell service, opt for prepaid where your identity is not provided to that company. When signing up for services, ask about alternatives. Discuss what the company has in place to accommodate foreign nationals, who do not have a social security number and are still here in the United States legally. There are usually options, but most companies are going to try to hard nose the request for your personal information.
If in doubt about providing your personal information, Just Say No. You might just be saving yourself from a load of problems.
4. Concluding remarks
Remember… Only YOU can prevent identity theft… or at least try to!
Mark Satterfield, channeling Smokey the Bear
There are no guarantees when it comes to protecting yourself from identity theft. However, while you can’t protect yourself from identity theft, you can sure go a long way in reducing your exposure, and you can plan your defense in the event of identity theft.
Planning in the event of identity theft requires vigilance and reasonable precautionary planning. The “bad actors” will continue to look for opportunities. There is no reason to make those opportunities “easy” for them.
When it comes to Cyber Security and Identity Protection, we can all take a little advice from Sargent Esterhaus (Robert Conrad) on Hill Street Blues: “Remember, let’s be careful out there.”
5. References
- Your identity is for sale, https://www.nbcnews.com/tech/security/your-identity-sale-dark-web-less-1-200-n855366
- “What to do when you’ve been hacked”,
https://www.pcmag.com/article/321338/what-to-do-when-youve-been-hacked - “8 Things to Do Right Now if You’ve Been Hacked”, https://www.intego.com/mac-security-blog/8-things-to-do-right-now-if-youve-been-hacked/
- “The Equifax Data Breach: What to Do”, https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
- “When Information Is Lost or Exposed”, https://www.identitytheft.gov/Info-Lost-or-Stolen
- “Target Pays Millions to Settle State Data Breach Lawsuits”, http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/
- OPM data breach, https://www.opm.gov/cybersecurity/cybersecurity-incidents/
- “World’s Biggest Data Breaches & Hacks”, http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
- “Credit freeze”, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
- “Fraud alert”, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#difference
- “Security Freeze”, https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/security-freeze/
- “LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it Violated 2010 Order”, https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated
- “FTC, how to place a fraud alert”, https://www.consumer.ftc.gov/articles/0275-place-fraud-alert
Leave a Reply
You must be logged in to post a comment.