Though information security isn’t always convenient, ignoring it is worse

Think hackers won’t get you? Think again—and put best-practice measures to work

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

When you shop online do you type in account passwords you haven’t changed for ages? Are you ignorant of—or simply choose to ignore—security services offered by online merchants, such as email and text alerts?

If so, you’re certainly not alone. Convenience remains king for U.S. consumers.

There were more than 2 billion account credentials reported stolen in 2016—and that doesn’t count the 1 billion Yahoo users whose personal information, including account logons, were stolen as Yahoo only just disclosed last week.

Related podcast: Password vaults can protect your digital life

Earlier Yahoo had admitted that a half-billion Yahoo accounts were compromised in August 2014, in what the company described as a “state-sponsored” hack. This most recent disclosure by Yahoo relates to a breach the company says occurred in August 2013. Personal credit card information was not believed to have been affected. And Yahoo says it is working to reach out to affected users about corrective measures.

For many Yahoo users, it may be too little, too late. Analysts at Shape Security monitor the myriad ways criminals use automated tools to put stolen personal data and account logons to work to rip off consumers.

Hackers’ work began months ago

The preparation begins earlier in the year with a focus on finding and exploiting poorly protected web applications to mine user credentials stored by the website publisher. Some fraudsters take the easier route of simply shopping in the cyber underground to buy lists of stolen credentials.

On or about Black Friday each year, the focus shifts to botnets—networks of thousands of compromised computers at the command of an individual attacker. A botnet can be commanded to continually try endless combinations of ill-gotten usernames and passwords.

Shuman Ghosemajumder, Shape Security chief technology officer
Shuman Ghosemajumder, Shape Security chief technology officer

The end game is to use personal information to open unauthorized accounts. A botnet is very efficient at testing a stolen logon at dozens of different accounts to access as many as possible, says Shuman Ghosemajumder, Shape Security’s chief technology officer.

For example, a Yahoo mail username and password could be used to access a retailer site that has the victim’s gift card balance, he says.

Consumers have learned over the years to periodically change passwords. But many still use a single username for a multitude of their accounts, Ghosemajumder says. As many as 2 percent of all usernames and passwords on any given list are valid at other sites, he says.

Shape Security supplies technology that scrambles the exchange of information taking place between a web server and a website visitor in a way that disrupts botnet activity.

Automation works in fraudsters’ favor

A cyber criminal who has spent months preparing for the holiday season might be in possession of a million logons giving him the capacity to “take over tens of thousands of accounts,” he says.

And a finely tuned botnet can enable a single criminal to log in at thousands of websites instantly. To avoid detection, the attack script will vary login characteristics—such as using different IP addresses, operating systems, browsers, or even keyboard strokes. “It’s automated to an amazing extent,” Ghosemajumder says.

Once logged on, cyber criminals can leave a large swath of damage beyond running up charges on stored credit cards. They can change the victim’s shipping address, cash out rewards points or gift card balances or discover more sensitive personal information—income data, family information, spending habits—that can be peddled online.

Avoid getting got

Ghosemajumder chiefly recommends avoiding reusing the same passwords across online sites. While that’s more difficult to practice in reality, password management tools can help store and auto fill-in multiple sites.

Consumers also should opt in for email and text alerts offered by retailers, banks and other online vendors.

Alerts of failed logins, in particular, should be closely monitored, Ghosemajumder says. Credit card companies typically allow customers to adjust the dollar amount charged before the text alert kicks in, and such tools should be fully exploited.

When a website emails a link to recommend a password change, consumers should ignore it and go to the site directly to proceed with the change.

Ghosemajumder also advises that consumers should monitor accounts that dole out loyalty points or airline miles that can be converted into gifts or cash.

“Let the sites know if you notice an unexpected change,” he says.

More stories related to passwords and botnets:
What you should know about battling botnets
Create safer passwords for all your online accounts
Don’t give hackers a present this holiday season