There She Leaks! Watch Out For Your Identity Data!

    Data breaches keep on coming. Here’s what you can do to stay ahead of the hackers.

    Money makes the world go around. It’s the glue that holds our society together and the engine that drives our economy. But it’s also coveted by a growing global population of highly resourceful and determined cyber-criminals. They’re out to get what they can and their route to riches usually begins with the theft of data—your data. While sometimes it’s stolen direct from individuals, there’s a far bigger potential pay-off from hitting a company that may be storing personal data on millions of customers.

    These data breaches have become depressingly common in the 21st century. And over the past month or so another two firms have been found wanting – exposing a further 30 million customers. To keep ourselves insulated as much as possible from incidents like this we need to be alert, to track when breaches happen and if we’re affected, and we need to plan ahead to protect the gateways to our digital lives: our digital IDs and passwords.

    Breaches are here to stay

    So, what’s the scope of the problem? Well, if cybercrime were a country it would have the 13th highest GDP in the world, generating as much as $1.5 trillion each year, according to some estimates. And according to a new report, there have been nearly 4,000 data breaches already in the first six months of 2019, a 54% increase on the same period last year — exposing 4.1bn records.

    A sophisticated underground economy offers hackers all the tools and expertise they need to launch attacks, and a thriving digital Dark Web marketplace in which to sell stolen data to fraudsters and other cyber-criminals. Many do not even need technical skills to get started; they simply rent hacking kits as a service, point and click.

    This is what businesses are up against. As long as there’s money to be made, there’ll be a steady stream of cyber-criminals knocking at their door, testing their systems and trying to get in. The latest two to suffer major leaks of customer data are the popular online merchandise store CafePress and the e-commerce firm StockX.

    We know by now that even the most secure business in the world can be hacked, as long as the attacker is determined enough. Instead, it’s how the business responds to an attack that matters. Unfortunately, these two firms have been heavily criticized for various deficiencies including:

    • Failing to quickly spot and contain the leak. For CafePress, the intrusion is said to have occurred in February, but the leak only came to light in August. In the case of StockX, it happened in May but went unreported until August.
    • Failing to come clean straight away about the leak. In the case of CafePress, its 23 million affected users don’t appear to have been formally notified at all. Instead, they were urged to change their log-ins as part of an ‘updated’ password policy. StockX also sent out a general password reset for its customers, although a week later it did finally reveal what had happened.
    • Failing to properly secure passwords. Half of those compromised in the CafePress leak are said to have been protected by a weak algorithm (SHA-1), meaning hackers could effectively still use them. Just days after the StockX leak was revealed, it emerged that decrypted passwords were already being sold on the Dark Web.
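
Why a fast hash such as SHA-1 gives so little protection once a password database leaks, shown next to a salted, slow alternative. This is an added example, not code from either company or from Trend Micro; the plain unsalted SHA-1 form, the PBKDF2 parameters, the record format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware
PREFIX = "pbkdf2_sha256$"

def sha1_record(password):
    """Weak: one fast, unsalted SHA-1 pass (assumed form of the legacy storage)."""
    return hashlib.sha1(password.encode()).hexdigest()

def strong_record(password):
    """Stronger: per-user random salt plus a deliberately slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{PREFIX}{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify(record, password):
    """Check a password against either record type, comparing in constant time."""
    if record.startswith(PREFIX):
        _, iters, salt_hex, digest_hex = record.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(sha1_record(password), record)

def login_and_upgrade(db, user, password):
    """After a correct login on a legacy record, re-store it with the strong scheme."""
    if user not in db or not verify(db[user], password):
        return False
    if not db[user].startswith(PREFIX):
        db[user] = strong_record(password)
    return True

if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    print(sha1_record("Summer2019!") == sha1_record("Summer2019!"))      # True
    print(strong_record("Summer2019!") == strong_record("Summer2019!"))  # False
```

With unsalted SHA-1, every user who chose the same password has the same stored value, so one recovered password exposes all of them; the salted, slow records share nothing and cost far more per guess.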

    What could hackers do with my password?

    Stolen identity data can be used to impersonate victims online in identity fraud attempts, or in phishing attacks designed to grab even more sensitive data from the victim.

    However, a lot of the time it is the email-address-and-password combos that the hackers are after. Why? Because these are the virtual keys to our digital world – offering access to everything from online banking to our emails, cloud storage and even video streaming services.

    We all own so many online accounts today that password reuse across these sites and apps is commonplace. Remembering hundreds of complex, secure log-ins is simply unfeasible, so we go for one or two simple ones, and use them for everything.

    The problem is the bad guys know this, and use so-called “credential stuffing” techniques to try the log-ins they’ve stolen from CafePress, StockX, or the latest leaked company, across multiple sites. They can run these at great speed, and use huge volumes of leaked log-ins to try and crack open user accounts on other sites/apps. They only have to be lucky a tiny fraction of the time to make it worth their while.

    This technique was behind an estimated 30 billion unauthorized log-in attempts in 2018.
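
How a site on the receiving end can spot the pattern described above: one source trying many different accounts in a short time and failing on most of them. This is an added example, not part of the original article; the log format, the thresholds and the sample log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2019-08-20T10:00:01 203.0.113.7 alice@example.com FAIL
2019-08-20T10:00:02 203.0.113.7 bob@example.com FAIL
2019-08-20T10:00:03 203.0.113.7 carol@example.com OK
2019-08-20T10:00:04 203.0.113.7 dave@example.com FAIL
2019-08-20T10:00:05 203.0.113.7 erin@example.com FAIL
2019-08-20T10:01:20 198.51.100.20 bob@example.com FAIL
2019-08-20T10:01:45 198.51.100.20 bob@example.com OK
2019-08-20T10:02:00 192.0.2.44 gina@example.com OK
2019-08-20T10:02:30 192.0.2.44 hal@example.com OK
2019-08-20T10:03:00 192.0.2.44 ivy@example.com OK
2019-08-20T10:03:30 192.0.2.44 jon@example.com FAIL
2019-08-20T10:04:00 192.0.2.44 kim@example.com OK
"""

def parse(log_text):
    """Group (time, user, ok) events by source IP, skipping malformed lines."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        by_ip[parts[1]].append((ts, parts[2], parts[3] == "OK"))
    return by_ip

def flag_stuffing(log_text, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.25):
    """Flag IPs that try many accounts in one window and mostly fail; list accounts opened."""
    flagged = {}
    for ip, events in parse(log_text).items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            users = {user for _, user, _ in in_win}
            ok_ratio = sum(ok for _, _, ok in in_win) / len(in_win)
            if len(users) >= min_users and ok_ratio <= max_ok_ratio:
                opened = sorted({u for _, u, ok in in_win if ok})
                flagged[ip] = {"accounts_tried": len(users), "opened": opened}
                break
    return flagged

print(flag_stuffing(SAMPLE_LOG))
```

The forgetful user (198.51.100.20) and the shared office address where most log-ins succeed (192.0.2.44) are not flagged; the accounts listed under `opened` are the ones that need a forced password reset.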

    With working log-ins, hackers could:

    • Steal the personal identity information in your account to sell it to fraudsters
    • Sell access to the account itself. The Dark Web is awash with stolen accounts for sale, offering free taxi rides (Uber), video streaming (Netflix), discounted travel (Air Miles) and much more. You might not notice until you next log in that something is wrong.

    What you can do

    It’s more important than ever for consumers to get proactive about their own data security, by utilizing an identity monitoring service, which notifies you when your credentials have been compromised or are being sold on the Dark Web; and by beefing up how you manage your online credentials—your IDs and passwords—using a password manager tool to create longer and stronger passwords. Trend Micro has solutions for both (see below).

    You should also consider adding a second layer of security by switching on two-factor authentication for any accounts that offer it. This will request another “factor” such as a fingerprint, facial scan, or one-time SMS passcode* in addition to your passwords. You can achieve the same end-result by downloading a handy 2FA app, such as Google Authenticator or Authy.

    Here’s a checklist of other data security tips:

    • Change your password immediately if a provider tells you your data may have been leaked and make sure that all of your passwords across all of your online accounts are unique. Hackers will try to use stolen credentials to log in to other sites.
    • Keep an eye on your bank account/credit card activity
    • Only visit/enter payment details into HTTPS sites
    • Don’t click on links or open attachments in unsolicited emails
    • Only download apps from official app stores
    • Invest in AV for all your desktop and mobile devices
    • Ensure all operating systems and applications are on the latest version

    *Note that one-time passcodes texted to your phone will not keep you safe if the hacker has access to your mobile phone number/account. This has happened multiple times in the past.

    How Trend Micro can help

    Data leaks at firms like CafePress and StockX may be happening on an almost regular basis today, but Trend Micro offers two services to reduce your risk exposure:

    • Trend Micro ID Security, available for iOS and Android, monitors underground cybercrime sites on the Dark Web to securely check if your personal information is being traded by hackers. If an alert comes back, you can take immediate action, such as canceling a credit card or changing an account password. All personal data is hashed and sent through an encrypted connection.
    • Trend Micro Password Manager provides a secure place to store, manage and update your passwords. It remembers your log-ins, enabling you to create long, secure and unique credentials for each site/app you need to sign in to. This means if one site is leaked, hackers will not be able to use that password to open your other accounts. If ID Safe alerts you of a compromise, simply open up Trend Micro Password Manager and update the relevant password. Simple and secure.

    Staying vigilant about the integrity of your online accounts, beefing up your access with 2FA, and using a password manager will contribute significantly to maintaining the safety of your identity in an unsafe world.
