In this day and age, the Internet has a close link with most aspects of our lives and identity. Virtually everyone has a Facebook profile, as well as possibly a Twitter account, LinkedIn page, online checking accounts, accounts with online retailers, and probably plenty of old profiles on other sites that just collect virtual dust. Most of us have come to trust the Internet with our information. We feel confident that global, sophisticated companies like PayPal, Facebook, Amazon and all the other big names won’t leave our information open to hacking. But the collective brainpower of hackers around the world is being put towards finding new and innovative ways to breach those companies’ systems.
It’s been said before, but I’ll say it again: security is only as strong as your weakest link. Exactly how weak is the chain that leads to your personal information? There are numerous vulnerabilities to account for in your online presence: some that you may be aware of and others that you’ve never thought of. Protection and prevention is key in your online security process—it’s much easier to prevent a hack than it is to repair the damage after one has occurred.
What is social engineering?
In this context, social engineering is a method used to manipulate people into divulging personal information. A recent article from Wired’s Mat Honan detailed how he was the victim of a social engineering hack that made his digital life come crashing down. Vulnerabilities in Amazon and Apple’s security protocol allowed a hacker to gain access to a series of the writer’s accounts. The hacker was able to break in to his Amazon account, which provided a billing address as well as the last four digits of a credit card number. This information was all that was needed to convince Apple that the hacker was Honan, and therefore allowed him to reset the Apple ID password. From there, the hacker gained access to his Apple email account, which then led to his Gmail account, which was the hub of even more online information. This is social engineering at work. How the hackers knew that Mr. Honan had an Amazon account isn’t entirely clear, but the chain of events that tipped them off to his vulnerability is worth noting:
“After coming across my [Twitter] account, the hackers did some background research. My Twitter account linked to my personal website, where they found my Gmail address. Guessing that this was also the e-mail address I used for Twitter, Phobia [the hacker] went to Google’s account recovery page. He didn’t even have to actually attempt a recovery. This was just a recon mission. Because I didn’t have Google’s two-factor authentication turned on, when Phobia entered my Gmail address, he could view the alternate e-mail I had set up for account recovery. Google partially obscures that information, starring out many characters, but there were enough characters available, m••••[email protected] Jackpot.”
Think twice about linked accounts
The string of your digital life starts and ends somewhere, and if an easy vulnerability is found, it will be exploited. Amazon has since claimed that it has changed its security procedures so that this type of exploit is no longer possible (however, after reading the Wired story, I have since deleted all my information from Amazon and will enter it manually each time from now on. There’s no such thing as being too careful). Apple, on the other hand, hasn’t said that it has changed any security policies—Apple’s only said its security measures weren’t followed completely. There are numerous other companies that are susceptible to social engineering tactics, and your linked accounts tell them where to start. Sometimes the easiest exploit can be your Facebook account.
The digital trail that leads back to your non-digital life
Assuming that your Facebook profile is public, or that you accept friend requests from people you don’t actually know, does your profile include your full birthday? Your personal email address, home address and phone number? Do you have pictures of an old family pet where you name them, or are you friends with your mom, who still uses her maiden name? Are there pictures of you from first grade that display the name of the school, you with your first girlfriend, or your BFF?
Yes, and why am I asking all these personal questions? Well, your birth date and address can give me enough information to begin impersonating you at other companies or online. In some cases I may need the last four digits of your social security number, but that’s not the stopgap you think it is. So, why should your first family pet, your mom’s maiden name, your first elementary school, first girlfriend, or the name of your best friend matter? They’re all answers to security questions for account recovery processes. If—unknown to you—I’ve cracked your email, but my real target is your bank account, I now have the answers to your security questions and I’ll be able to changed the password on your bank account to gain access. For good measure I’ll probably also change the password on your email, or if I’m done with exploiting it, I may delete the account completely. Of course, there are a lot of factors to make this situation ideal, and there are other methods that can be used to take over your identity.
If you have weak passwords like “bucketKid”, as a completely random example, a brute force attack on your account would take about eight days to crack your password (more on how I know that in the Recommendation section). Simply adding a number to make it “bucketKid7” adds six years to the time it would take a hacker to crack it.
It’s also possible that your information may be exposed as collateral damage in the hack of another company. If you use the same password on multiple sites, one of which includes your email, then it’s time for you to change all your passwords and investigate how far the damage might trickle out. Now, that you have the worst-case scenarios in your mind, let’s move on to how you can actually protect yourself.
Never use the same password twice! I know you’ve heard that a million times before, and you might think it’s not practical to have dozens of unique passwords over numerous sites. Well, there are two things you can do to make it practical:
The first is you can use a program to help you create and store unique passwords for all your sites. 1Password is a one such program—when logging in to one of your online profiles, you can simply select the login you need and 1Password will supply the password and grant you access. However, maybe you don’t want all your passwords stored in one database—that’s a valid concern.
The next option is to create a series of related passwords. One password can be “Treez4Eva” the next “Trees4eVer” and so on. Remembering which site uses which version can be a little tricky, but it’s doable and definitely worth trying. Remember that you can always recover passwords that you forget. That may be time-consuming, but don’t let forgetting passwords stop you from creating unique, secure ones.
Now on to the password itself: you can use How Secure Is My Password as a handy reference to gauge how secure you really are. Always use alphanumeric combinations along with upper case letters and special characters. If the site allows it, use spaces as well. “bucketKid” is a lot more secure when it’s “bu(k3t K!4 15 r3a!” That password would take 3 quintillion years to crack, according to How Secure Is My Password, which is so many years it sounds fake. You may think it would take you as many years to remember a password like that—but think about how you can use memory tricks to make the process easier. The example above reads: “bucket kid is real”, all you have to remember is which letters you’ve capitalized and how you replaced letters with numbers or special characters. If you still wish to use the same password over numerous sites, use your strongest one, like the example above, for sites you use frequently such as email. Then create throwaway passwords like “umbrella boy 15 fake” for other sites that you don’t use often or feel aren’t as secure.
Always use two-step verification for any site that supports it. Remember the Wired writer’s account of how he got hacked because he didn’t use two-step verification? Don’t make the same mistake. Google supports it, as does Yahoo and Facebook. Two-step verification means that when you log into your account from an unrecognized computer or IP address, you will be prompted to put in a code that was sent to your phone. What’s great about this too is that it also works as an alarm system for your accounts. If someone tries to access your email, and you suddenly get a text supplying you with a login code, you know it’s time to batten down the hatches.
Lastly, if you have any concerns at all about your online safety, check Should I Change My Password. This site lets you enter your email address and see if it’s shown up on any lists that hackers have compiled after cracking a site. They’ve just added a new feature where you can store your email address with them and they’ll cross reference it with any future attacks.
This all may seem like going off the deep end and being too paranoid to you, but being paranoid on the Internet can sometimes keep you safe. There are numerous other measures you should take to protect yourself, such as: encrypting your hard drive, creating disposable email addresses and names for sites you don’t trust or feel are lacking in security and changing passwords every few months. This guide should be taken as a jumping off point to making you more secure, and if all you do is create one strong password and register your email with the Should I Change My Password database then that is at least a good first step to protecting yourself from identity theft on the Internet.
Ryan Disraeli, VP of Fraud Services at TeleSign:
“The average person is shockingly very hackable, but the reality is that hackers will look to attack the easiest target. This isn’t dissimilar to offline. Will a thief rob a home with 24/7 security guards or a home that always leaves the front door unlocked? The reality is that a good thief can still rob a home with superb security but will prefer to go after an easier victim. Just like you would take precautions to safeguard your personal property, individuals should look to add a few layers of prevention to secure their online identity.”
Dodi Glenn, GFI Software’s VIPRE Antivirus product manager:
“Treat your smart phone like a computer. If you perform any sort of financial transactions on your phone, the same security “best practices” will apply as with a computer.”
Shuman Ghosemajumder, VP of Strategy at Shape Security:
“Pay attention to how you access web sites. Part of making sure you trust a site is verifying that the organization behind the web site is reputable. Another part is making sure you trust your connection to that web site. You should ensure that the URL is correct, that you navigated to it directly, and did not click on a link from an unsolicited email, IM, or pop-up. If you can, only use your own devices and connections. You should avoid public WiFi connections and shared public computers if you can, since it is easy for attackers to sniff network traffic or install keyloggers to capture passwords. If you must use a public WiFi connection, make sure that you don’t submit any login or personal information to a site that doesn’t use an HTTPS connection.”