by Jeff Mertz, Senior Network Engineer
With the increase in targeted online security attacks, I thought an article explaining what is going on and how best to protect yourself might be timely. Recently, there have been major hacks involving Personally Identifiable Information (PII) and Personal Financial Information (PFI). Most of you know of the attacks at Target last year. Since then, a similar attack at Home Depot was executed, though they are still sorting out the details.
While all these big companies are being targeted, the individual is not being ignored. The recent celebrity photo hack shows that linked accounts and shared passwords and usernames can let a cracker (a hacker who performs illegal activity) gain access to our most personal information online. Just this year a good friend of mine, who is very careful with their personal data, had their IRS refund stolen! The attackers filed a tax return in my friend's name with information stolen online and had the refund sent to themselves. They still have not gotten it straightened out.
Knowing HOW a cracker performs an attack against an online account is the first step in preventing it. It will normally start with reconnaissance: a search for any information about a person they can find online, through Google, Facebook, LinkedIn, or any other public website. They then use what they found to get into an online email account through the “Reset My Password” option on the site, because crackers hope the information on those sites answers your security questions. Lastly, they connect to sites that use that email address and reset those passwords too.
As an example, if someone were to try to get into John Doe’s online banking account, they would first look him up on Facebook, browse any personal information he is sharing and maybe even send a friend request from a fake account to be able to see any hidden information. They might get job history from LinkedIn or Google and a current address or phone number from an online white pages. Once they have that, they will try to change the password of any email account associated with Facebook or LinkedIn. Let’s say in this case it is email@example.com. They will go to gmail.com, enter email@example.com, and click reset password. Gmail may ask for information such as first pet, mother’s maiden name, or current phone number as security questions. If they were able to find this information online, they can now reset his password.
Now that the attacker has access to the email, they see which banks or websites John is using, go to those web pages and use the reset password links to send the password reset request to the now compromised email. In the case of a banking website, they now have access to John’s account. A cracker can send John’s money wherever they want, open new credit cards in his name, or use his information to start stealing other people’s info, all while pretending to be John!
The issue now is how to protect yourself. The attackers are smart, motivated and have time, but a few simple steps will greatly reduce your risk of becoming a victim. Most attackers will give up if they can’t get access quickly, especially if you aren’t a target of great worth like a celebrity or company CEO. I will provide some tips to help protect yourself and still have the online presence modern life seems to demand.
Protect your Facebook
- Don’t share publicly – Only allow friends to see your posts. If you want to have a public page for a personal business, use a business page and don’t share personal information on it.
- Do not overshare – All those posts about the 20 things you may not know about me (that seem innocent) are phishing posts to get people to post their security question answers. Think about what they are asking: the street you grew up on, first pet, favorite book/movie, etc. If you post that online, almost anyone can use that information to reset a password as if they were you. Also, don’t announce a vacation ahead of time; robbers will know when your house is empty. If you want to show off photos of your adventures, email them directly to friends, or wait until you get back to post them to Facebook. A vacation may also be a clue that you have a lot of cash in your checking account for travel. No one carries cash anymore; we all keep it in an account accessed by a debit card, and this can make you an inviting target.
- Do not put personal information on Facebook – Your friends should all have your address or phone number, so there’s no need to share it with the world. Never post your phone number, pictures showing your house address, your social security number, etc. Even if your page is set to “friends only,” Facebook is always changing its rules. Just remember to be careful; anything you put online is there forever. You should assume that if you post something online, it will end up on a billboard in the middle of town. There is no difference.
Create more secure passwords
Use strong passwords that change regularly. Check out last month’s staff blog for more information on password security.
Separate emails used for social media from banking
Use different email accounts for banking and social media. Yahoo, Gmail and outlook.com email accounts are free. You can even link them. It’s far harder to guess which email an account uses if it isn’t up on Facebook. For example, email@example.com is what John Doe uses to communicate with all his friends and as his login on Facebook, but he uses firstname.lastname@example.org for banking.
Keep track of your online banking
Make sure to regularly balance and monitor your online finances. Follow up on odd transactions you don’t recognize. Read the informational emails sent from your bank. Get regular credit reports and know how to read them. It’s a pain, but if you don’t know that your personal info has been stolen, you can’t repair the damage.
It’s important to always stay vigilant when online. These simple recommendations can go a long way toward protecting you from potential cyber threats.