Though information security isn’t always convenient, ignoring it is worse

Think hackers won’t get you? Think again—and put best-practice measures to work


When you shop online, do you type in account passwords you haven’t changed for ages? Are you ignorant of—or simply choose to ignore—security services offered by online merchants, such as email and text alerts?

If so, you’re certainly not alone. Convenience remains king for U.S. consumers.

More than 2 billion account credentials were reported stolen in 2016—and that doesn’t count the 1 billion Yahoo users whose personal information, including account logons, was stolen, as Yahoo only just disclosed last week.


Earlier, Yahoo had admitted that a half-billion Yahoo accounts were compromised in August 2014, in what the company described as a “state-sponsored” hack. This most recent disclosure by Yahoo relates to a breach the company says occurred in August 2013. Personal credit card information was not believed to have been affected, and Yahoo says it is working to reach out to affected users about corrective measures.

For many Yahoo users, it may be too little, too late. Analysts at Shape Security monitor the myriad ways criminals use automated tools to put stolen personal data and account logons to work to rip off consumers.

Hackers’ work began months ago

The preparation begins earlier in the year with a focus on finding and exploiting poorly protected web applications to mine the user credentials stored by the website publisher. Some fraudsters take the easier route of simply shopping in the cyber underground to buy lists of stolen credentials.

On or about Black Friday each year, the focus shifts to botnets—networks of thousands of compromised computers at the command of an individual attacker. A botnet can be commanded to replay the stolen username and password pairs, one after another, against site after site, a technique known as credential stuffing.

Shuman Ghosemajumder, Shape Security chief technology officer

The end game is to use personal information to open unauthorized accounts. A botnet is very efficient at testing a stolen logon against dozens of different sites to get into as many accounts as possible, says Shuman Ghosemajumder, Shape Security’s chief technology officer.

For example, a Yahoo mail username and password could be used to access a retailer site that holds the victim’s gift card balance, he says.

Consumers have learned over the years to periodically change passwords. But many still reuse a single username and password across a multitude of their accounts, Ghosemajumder says. As many as 2 percent of the usernames and passwords on any given stolen list are valid at other sites, he says.

Shape Security supplies technology that scrambles the exchange of information taking place between a web server and a website visitor in a way that disrupts botnet activity.

Automation works in fraudsters’ favor

A cyber criminal who has spent months preparing for the holiday season might be in possession of a million logons, giving him the capacity to “take over tens of thousands of accounts,” he says.

And a finely tuned botnet can enable a single criminal to log in at thousands of websites instantly. To avoid detection, the attack script will vary login characteristics—such as using different IP addresses, operating systems, browsers, or even keyboard strokes. “It’s automated to an amazing extent,” Ghosemajumder says.
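As an added illustration of the pattern the last few paragraphs describe (one stolen username and password per attempt, replayed against many accounts, with the bot rotating IP addresses and browser fingerprints to stay under per-source limits), here is a small credential-stuffing detector run over constructed login logs. It is not code from the article or from Shape Security; the log format, the thresholds, the sample addresses and the rule names are all assumptions chosen for illustration.

```python
"""Credential-stuffing detection over constructed login logs.

Added example, not code from the article or from Shape Security: the log
format, thresholds and sample traffic are assumptions chosen to illustrate
the pattern the article describes.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<ip>\S+) user=(?P<user>\S+) '
    r'result=(?P<result>OK|FAIL) ua="(?P<ua>[^"]*)"$'
)

# Assumed thresholds for one analysis window (say, five minutes).
BRUTE_MIN_FAILS = 10         # one account hammered from one source
STUFF_MIN_USERS_PER_IP = 5   # naive per-source stuffing rule
STUFF_MIN_SINGLE_SHOT = 20   # aggregate rule: many accounts, one try each
STUFF_MIN_FAIL_RATIO = 0.8   # stolen lists mostly miss (article: ~2% valid)

UAS = ["Mozilla/5.0 (Windows NT 10.0) Chrome/54.0", "Mozilla/5.0 (Macintosh) Safari/602.1",
       "Mozilla/5.0 (X11; Linux x86_64) Firefox/50.0", "Mozilla/5.0 (iPhone) Mobile/14B100",
       "Mozilla/5.0 (Android 7.0) Chrome/54.0"]


def stamp(sec):
    """Timestamp sec seconds after a fixed start (constructed data only)."""
    return f"2016-11-25T09:{sec // 60:02d}:{sec % 60:02d}Z"


def build_sample_log():
    """Constructed traffic, not real data: normal logins, one brute-force
    source, and a stuffing run that rotates IPs and browsers so that every
    source stays below the per-IP thresholds."""
    lines = [
        f'{stamp(1)} 203.0.113.10 user=alice result=OK ua="{UAS[0]}"',
        f'{stamp(5)} 203.0.113.10 user=alice result=OK ua="{UAS[0]}"',
        f'{stamp(9)} 203.0.113.11 user=bob result=FAIL ua="{UAS[1]}"',
        f'{stamp(12)} 203.0.113.11 user=bob result=OK ua="{UAS[1]}"',
        "this line is malformed and must be skipped by parse()",
    ]
    # Brute force: one account, one IP, twelve failures.
    lines += [f'{stamp(20 + i)} 198.51.100.5 user=carol result=FAIL ua="curl/7.50"'
              for i in range(12)]
    # Stuffing: 60 list entries, 20 rotated IPs (3 tries each), 5 browsers, 2 hits.
    for i in range(60):
        result = "OK" if i in (17, 41) else "FAIL"
        lines.append(f'{stamp(40 + i)} 192.0.2.{i % 20 + 1} user=victim{i:02d} '
                     f'result={result} ua="{UAS[i % 5]}"')
    return lines


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def analyse(events):
    """Return a list of findings for one batch (window) of login events."""
    findings = []
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e)
    per_user = Counter(e["user"] for e in events)

    # Per-source rules: fine for brute force and for a lazy bot on one IP.
    for ip, evs in per_ip.items():
        users = {e["user"] for e in evs}
        fails = sum(e["result"] == "FAIL" for e in evs)
        if len(users) == 1 and fails >= BRUTE_MIN_FAILS:
            findings.append({"rule": "brute_force", "ip": ip,
                             "user": next(iter(users)), "fails": fails})
        elif (len(users) >= STUFF_MIN_USERS_PER_IP
              and fails / len(evs) >= STUFF_MIN_FAIL_RATIO):
            findings.append({"rule": "stuffing_single_source", "ip": ip,
                             "users": len(users)})

    # Aggregate rule: a bot that rotates IPs and browsers keeps every per-source
    # counter small, so look across the whole window instead: many accounts
    # tried exactly once, mostly failing, from many sources and browsers.
    single = [e for e in events if per_user[e["user"]] == 1]
    if len(single) >= STUFF_MIN_SINGLE_SHOT:
        fails = sum(e["result"] == "FAIL" for e in single)
        ratio = fails / len(single)
        if ratio >= STUFF_MIN_FAIL_RATIO:
            findings.append({
                "rule": "credential_stuffing",
                "attempts": len(single),
                "fail_ratio": round(ratio, 3),
                "source_ips": len({e["ip"] for e in single}),
                "user_agents": len({e["ua"] for e in single}),
                # The few successes are the takeovers to alert on.
                "suspected_takeovers": sorted(e["user"] for e in single
                                              if e["result"] == "OK"),
            })
    return findings


def run():
    """Run the detector over the constructed log and return its findings."""
    return analyse(parse(build_sample_log()))
```

Running `run()` flags the brute-force source through its per-IP counter, while the rotated stuffing run never trips the per-source rule (three attempts per address, each for a different account) and is caught only by the aggregate single-shot rule, which also lists the two successful logins as the accounts to alert on. In real traffic the failure ratio is diluted by legitimate one-off logins and by password resets, so the thresholds would be tuned against a site's own baseline rather than taken from this example.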

Once logged on, cyber criminals can leave a large swath of damage beyond running up charges on stored credit cards. They can change the victim’s shipping address, cash out rewards points or gift card balances, or discover more sensitive personal information—income data, family information, spending habits—that can be peddled online.

Avoid getting got

Ghosemajumder chiefly recommends not reusing the same password across online sites. While that is harder to practice in reality, password management tools can generate and store a distinct password for each site and fill it in automatically.

Consumers also should opt in to email and text alerts offered by retailers, banks and other online vendors.

Alerts of failed logins, in particular, should be closely monitored, Ghosemajumder says. Credit card companies typically allow customers to set the dollar amount above which a charge triggers a text alert, and such tools should be fully exploited.

When an email arrives with a link recommending a password change, consumers should not follow the link; instead, go to the site directly to make the change.

Ghosemajumder also advises that consumers monitor accounts that dole out loyalty points or airline miles that can be converted into gifts or cash.

“Let the sites know if you notice an unexpected change,” he says.

