18 Sep There She Breaches! Watch Out For Your Identity Data!
September 18, 2019
ks, and a thriving digital Dark Web marketplace in which to sell stolen data to fraudsters and other cyber-criminals. Many do not even need technical skills to get started, they simply rent hacking kits as a service, point and click.
This is what businesses are up against. As long as there’s money to be made, there’ll be a steady stream of cyber-criminals knocking at their door, testing their systems and trying to get in. The latest two to suffer major breaches of customer data are the popular online merchandise store CafePress and the e-commerce firm StockX.
We know by now that even the most secure business in the world can be hacked, as long as the attacker is determined enough. Instead, it’s how the business responds to an attack that matters. Unfortunately, these two firms have been heavily criticized for various deficiencies including:
- Failing to quickly spot and contain the breach. For CafePress, the intrusion is said to have occurred in February, but the breach only came to light in August. In the case of StockX, it happened in May but went unreported until August.
- Failing to come to clean straight away about the breach. In the case of CafePress, its 23 million affected users don’t appear to have been formally notified at all. Instead, they were urged to change their log-ins as part of an ‘updated’ password policy. StockX also sent out a general password reset for its customers, although a week later it did finally reveal what had happened.
- Failing to properly secure passwords. Half of those compromised in the CafePress breach are said to have been protected by a weak algorithm (SHA-1), meaning hackers could effectively still use them. Just days after the StockX breach was revealed, it emerged that decrypted passwords were already being sold on the Dark Web.
What could hackers do with my password?
Stolen identity data can be used to impersonate victims online in identity fraud attempts, or in phishing attacks designed to grab even more sensitive data from the victim.
However, a lot of the time it is the email-address-and-password combos that the hackers are after. Why? Because these are the virtual keys to our digital world – offering access to everything from online banking to our emails, cloud storage and even video streaming services.
We all own so many online accounts today that password reuse across these sites and apps is commonplace. Remembering hundreds of complex, secure log-ins is simply unfeasible, so we go for one or two simple ones, and use them for everything.
The problem is the bad guys know this, and use so-called “credential stuffing” techniques to try the log-ins they’ve stolen from CafePress, StockX, or the latest breached company, across multiple sites. They can run these at great speed, and use huge volumes of breached log-ins to try and crack open user accounts on other sites/apps. They only have to be lucky a tiny fraction of the time to make it worth their while.
This technique was behind an estimated 30 billion unauthorized log-in attempts in 2018.
With working log-ins, hackers could:
- Steal the personal identity information in your account to sell it to fraudsters
- Sell access to the account itself. The Dark Web is awash with stolen accounts for sale, offering free taxi rides (Uber), video streaming (Netflix) discounted travel (Air Miles) and much more. You might not notice until you next log-in that something is wrong.
What you can do
It’s important than ever for consumers to get proactive about their own data security, by utilizing an identity monitoring service, which notifies you when your credentials have been compromised or are being sold on the Dark Web; and by beefing up how you manage your online credentials—your IDs and passwords—using a password manager tool to create longer and stronger passwords. Trend Micro has solutions for both (see below).
You should also consider adding a second layer of security by switching on two-factor authentication for any accounts that offer it. This will request another “factor” such as a fingerprint, facial scan, or one-time SMS passcode[i] in addition to your passwords. You can achieve the same end-result by downloading a handy 2FA app, such as Google Authenticator or Authy.
Here’s a checklist of other data security tips:
- Change your password immediately if a provider tells you your data may have been breached and make sure that all of your passwords across all of your online accounts are unique. Hackers will try to use stolen credentials to log in to other sites.
- Keep an eye on your bank account/credit card activity
- Only visit/enter payment details into HTTPS sites
- Don’t click on links or open attachments in unsolicited emails
- Only download apps from official app stores
- Invest in AV for all your desktop and mobile devices
- Ensure all operating systems and applications are on the latest version
How Trend Micro can help
Data breaches at firms like CafePress and StockX may be happening on an almost regular basis today, but Trend Micro offers two services to reduce your risk exposure:
- Trend Micro ID Safe, available for iOS and Android, ID Safe monitors underground cybercrime sites on the Dark Web to securely check if your personal information is being traded by hackers. If an alert comes back, you can take immediate action, such as canceling a credit card or changing an account password. All personal data is hashed and sent through an encrypted connection.
- Trend Micro Password Manager provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign in to. This means if one site is breached, hackers will not be able to use that password to open your other accounts. If ID Safe alerts you of a compromise, simply open up Trend Micro Password Manager and update the relevant password. Simple and secure.
Staying vigilant about the integrity your online accounts, beefing up your access with 2FA, and using a password manager will contribute significantly to maintaining the safety of your identity in an unsafe world.
 Note that one-time passcodes texted to your phone will not keep you safe if the hacker has access to your mobile phone number/account. This has happened multiple times in the past.