It seems a new hacking or security-breach story is erupting into the national and international headlines every week, lately. With people increasingly doing business and managing their personal lives online, it's an issue that affects nearly everyone, whether they realize it or not. But should you really be worried about whether your information is safe?
The short answer to that question is yes. But the longer answer is more complicated and a much more qualified yes.
While people hacking into computer systems is far from a new phenomenon, with the increasing numbers of people and businesses using the Internet on a daily basis, it only makes sense that the potential impact of hackers on the average person is increasing. But many people got a wake-up call back in April, when hackers gained access to the customer files of client businesses of the online marketing company Epsilon.
Epsilon, according to tech Web site Switched, sends out about 40 million ads and offers by email each year, typically to users who have registered with a client's Web site or provided their e-mail address to the companies when they shopped online. Their clients included financial companies CitiGroup, Capitol One and J.P. Morgan, and retailers such as Brookstone, Best Buy, TiVo and Walgreens – even the College Board, which administrates the SAT test so many high-school students take during the college application process.
Now, despite the bulk of those businesses being finance-oriented or having access to many customers' credit card information, the April hacking incident wasn't a dramatic threat to the millions of customers whose information may have been compromised by the hack. Why? Because the information the hackers gained access to was primarily the email addresses in the companies' databases, along with some first names, which would have been used to personalize the emails sent to the customers.
Epsilon and its clients told customers that there were no credit card numbers, Social Security numbers or passwords revealed to hackers – information that categorically would be worrisome for consumers should it have been obtained. Still, those who were impacted in most cases received notification from the companies, at least notifying them of the issue, assuring them there was little, if anything, to be concerned about.
Low-level hacks encourage prudent behavior
So, is there really anything to be worried about if you are a customer of one of Epsilon's client companies?
Well, not much. The main issue with this type of information being available to hackers, or on the Internet at large, is that unscrupulous characters may now know what email address you used as a customer of Best Buy.
While that information lets Best Buy send you their latest sale ad, it also gives a thief who would like to steal more of your information an easier way to believably pretend to be Best Buy when they send you an email, since they will now know which address you'd normally receive such email at, that you are or have been a customer of the company and, perhaps, what first name that email would come addressed to – something that's typically used as a key differentiator between a legitimate email from a company you do business with and a fake email looking to steal your information.
Think of an email notice you might get from your credit card company. Does it say “Dear Customer” or “Valued Customer”? It shouldn't. In fact, if you see an email from a company you do business with – especially if you might buy anything from them online – and it doesn't come with your name in it somewhere, that chances are good that it's actually a phishing scam, rather than a legitimate email.
Phishing scams typically try to appear to a consumer as if they are legitimate companies – or even government agencies, such as the FBI or IRS. They ask you to reset your account password, contact them about suspected fraud, confirm a big purchase (one that you didn't make), aid them with an investigation (as if you'd be able to do something for them that they wouldn't be able to do themselves!) or respond to an unbelievable sale.
In fact, all the scammers want you to do is sign in to their fake Web site with your legitimate credentials or provide them with other personal information that will help them – now or later, directly or indirectly – steal your money.
You click on that link in the e-mail, type in your user name and password, as per usual, and, rather than doing what the email implied, they're simply collecting that information so they can then log in to your real account on the real Web site and do anything from taking your stored credit card information, address and other information to apply for credit in your name to making purchases that will be sent directly to them and their accomplices.
So, assuming you were one of those millions whose information was made available through the Epsilon hacking incident, what – if anything – should you be worried about?
If you're already a savvy user of the Internet, not much. As a savvy user, you're already looking for the signs of a phishing scam and being cautious whenever you type in your information – including user names and passwords – online. You're checking to see whether each email from a given company includes the things their legitimate emails typically do, such as your first name and proper spelling and grammar (which are frequently absent in phishing emails sent by non-native English speakers).
Assuming they do, you're also checking where any links included in the messages go where they should – to the company's legitimate Web site – before you click on them. If your email from CitiGroup includes a link to citigroup.genericsite.com, where the generic-site name isn't the real company's Web site, that's a hallmark of a phishing scam. They're assuming you're going to either click without looking or assume that just because the address says CitiGroup in it, that it's really their site. The truth is anyone can create a Web site that has another company's name as part of the Internet address.
And you know, as a savvy Internet user, that hovering your cursor over a link in an email or on a Web site will generally show the address linked, even if it's hidden by HTML coding to make it look pretty (or be deceptive) rather than show the actual address. Even if the address is shown, you're still hovering over it to see if the link is legitimate, because they still could be different from each other.
You would also know not to download any files that you're not already expecting. If “your bank” is asking you to fill out a form through an attached file – especially if that file is an executable format, such as .exe – err in favor of not downloading or opening it. Call the bank through a number you already have – not one provided in the suspect email or on a linked Web site – and confirm the email and attachment are legitimate. You might ask if you can come by and fill it out in person, if you were really concerned.
And you would also be monitoring your email for emails confirming you've changed your password, user name or email address on a Web site, or your billing or mailing address or phone number on that site, when you haven't done so, as that could indicate that someone has obtained not just your email address and/or user name for a site but has also managed to hack your password – which is a topic we'll address later. You'll even be checking in your “junk” or “spam” folder for these emails, as they might easily end up there.
If you're following these rules consistently, you've got little or nothing to fear about Epsilon's breach or any other one that only reveals an email address and your name. Beware of a likelihood of increased numbers of phishing emails (as well as regular-old spam emails), follow your usual precautions consistently, and you should be just as safe as you were if you weren't impacted by a breach.
Sony hack attack exposes sensitive information
The Sony hacking incident at the end of April is a different matter. While it impacts fewer people – primarily customers of Sony's online gaming networks – the amount and types of information that was accessed was much more comprehensive and sensitive.
According to the Wall Street Journal, the cumulative total of a series of attacks on Sony Online Entertainment's systems revealed the names, addresses, telephone numbers, email addresses, gender, birth dates, user IDs and passwords from some 24.6 million accounts. Reports also said that nearly 13,000 credit card numbers had been obtained by the hackers, though a substantial number of those numbers were reportedly those of Japanese consumers, rather than Americans.
To heap misery on top of misery, the attacks took down Sony's servers, meaning that along with not being able to play the games they'd paid to play, customers system-wide were unable to move immediately to change their passwords on Sony's systems, which might at least have made them feel better about Sony continuing to have their information, or to delete their accounts entirely. (The attack also took down a substantial number of sites hosted on the same servers as SOE's systems, impacting a wide segment of Internet for a day or two.)
Now, obviously, with these kinds of information available to the unscrupulous, the potential for identity theft and outright theft are tremendous, especially for those who had their credit card numbers accessed. Anyone exposed should be monitoring their credit carefully, and those who had a credit card number exposed should have already moved not only to have the affected card canceled but to change or remove that information from any other accounts where they might have used or stored it.
I do want to point out that, while this kind of incident could scare timid Internet users right offline, not making purchases online won't prevent you from becoming a victim. Even if you don't have an account you use online with a bank, service or retailer, it's likely your information is being stored on a computer that is hooked up to a network that, at some point, is also connected to the Internet.
If someone manages to hack into these systems, it doesn't matter if you've never bought anything online or used a Web site to check your credit card balance, you're still vulnerable. That is the reality of the computer age.
Prevention comes in many forms
So, what can we do to help prevent these kinds of incidents in the future? Well, certainly the bulk of the responsibility for that falls upon the companies and organizations. They must not only secure the information they have but ensure that they communicate with their customers in such a way as to clearly establish their identity and help prevent phishing scams from being successful.
How can they do that?
Well, Delmarva Power is a good example here. The company's Web site allows customers to check and pay their bills online. It stores their bank information if they do want to pay online. But when customers put in their user names to sign in to their accounts, they're asked to check an image displayed on the sign-in page before they even enter their password. If the image doesn't match one that they've picked when signing up for the account, they know the site is not the legitimate Delmarva Power site (or, at least that they themselves didn't input the correct user name, since that will also get you a different image).
That kind of security system is one that allows customers to proactively protect their information from potential phishing scams.
Companies should also be storing sensitive information in encrypted formats on their internal systems, to help decrease the potential for hackers accessing it. Ask if you're concerned, but be prepared for limited information to be offered, as details of a system's security can be used to help hackers access it.
Recently, the cloud-storage and syncing company Dropbox has been embroiled in controversy about whether it was storing customers' files as securely as promised.
On top of that, it came to light that the company had left a hole in its sign-in process for about four hours, during which time anyone could have signed in to any user's account, with or without the proper password. They found the problem and fixed it quickly, but what if you'd stored your credit card number in a file in your Dropbox, for safekeeping?
Now, Dropbox is a leader in this type of service and was already trusted well above some other providers, so many people are sticking by the company through this, but others are deleting their accounts, or at least removing any sensitive information from their files. It's an example of a company that needed to pay more attention to its security systems.
Any company subject to revenge or “statement” hacks should also be on high alert. Hacking groups Anonymous and LulzSec have been linked to the SOE hacking incidents, as well as to a hack of an FBI Web site and several other high-profile hacking incidents in recent weeks. Meanwhile, Fox News had its Twitter account hacked this week, whereupon the hacker falsely reported that President Barack Obama had been assassinated.
It has been suggested that the SOE hacking incidents were in revenge for Sony's lawsuit against youthful iPhone and PS3 game console hacker George Hotz, who was known for “jailbreaking” both devices so that they could perform functions not authorized by their developers. Hotz eventually settled the lawsuit with Sony, shortly before the attack on the SOE systems (and, just for trivia purposes, is now reported to be working for Facebook).
The FBI, as a government intelligence agency, is rife for hacking attempts either as a political statement or as a high-profile prank. LulzSec has also been connected to hacking of police, Fox.com, the U.S. Senate and PBS (an equal-opportunity organization, it seems) Web sites. Anonymous has been linked to attacks on Visa and Mastercard systems, in apparent revenge for the company's refusal to continue to process donations made to the WikiLeaks organization.
All these companies and agencies know they are prime targets for hackers, or should have. They should also have been prepared to fight off such attempts, though low security on a publicly accessible Web site can be shrugged off as generally a minor issue. But it really is up to the companies we entrust with our information to take all possible precautions to ensure it is kept safe on their end.
The issue has gotten attention from legislators. U.S. Sen. Tom Carper (D-Del.) responded to the SOE hack by suggesting that legislation designed to improve federal agencies' security, as well as that of private companies that hold onto consumer's information, be enacted.
“It's no secret that criminals and terrorists are constantly targeting both government and private sector information networks to steal information and inflict damage on our critical infrastructure,” he said. “I've long been a proponent of taking a series of steps to improve the way federal agencies protect the networks and sensitive information they control and to work with the private sector to better secure their sensitive networks, as well.
“I've introduced legislation with Sens. Lieberman and Collins to achieve these goals. I've also introduced legislation in the past to set nationwide standards for the actions that entities – such as Sony in this instance – that hold sensitive information must take when their networks have been breached. It is my hope that this issue can be addressed in the context of a comprehensive cyber security bill as soon as possible this year.”
Weak passwords pose a security threat
Customers and companies both share responsibility when it comes to secure user names and passwords.
Companies can offer a user-name sign-in, as opposed to an email, account number or phone-number sign-in. Emails are vulnerable to discovery through hacks like the Epsilon one or simply culling the Internet. Account numbers are printed on bills that can be stolen from a mailbox. Phone numbers are printed on business cards, read aloud and even made available on the Internet and in phone books.
Using a user-name sign-in allows customers to use a multitude of character combinations – the more options the better – and to create different user names for every site and company they use. It avoids tying them to an easily-discovered static identifier, such as a phone number. Short of high-tech identifiers, such as fingerprint or retinal scans or facial or voice recognition, giving users the ability to take their user IDs into their own hands is a big step for companies to help keep their customers safe.
Passwords might seem like something that is solely the responsibility of the consumer. You sign up for a service, you pick a user name (since the company is smart and doesn't force you to use an account number) and you select a password. Maybe you have to change it a little from what you first picked because the company requires more than six characters or that it include a number. But other than that, it's solely up to you to pick that password and make sure it's not one that's easily discovered, right?
Well, not so fast. Gone are the days when a four-digit PIN gave you access to your bank account online, even if it still works at the ATM machine. But does your bank limit your password to eight characters? Does it even limit you to a password specifically between six and eight characters?
If so, they just made hackers' jobs a lot easier, because you've limited the number of combinations a hacker – or rather their automated hacking software – will have to try before they've discovered your password by process of elimination. (Time limits, attempt limits and CAPTCHA image tests are among the methods companies use to fend off these kinds of hack attacks, but they're not perfect.)
With passwords, the more characters the better. The more types of characters the better. According to the National Institutes of Standards and Technology (NIST), a user-selected eight-character password with numbers, mixed-case letters and symbols has only one billion permutations and would currently take an average of just 16 minutes to crack on a desktop computer. So, if I want access to your account and its information, and I have your user name and your password is eight characters or less, with the right program, I could have it in 16 minutes. Think about that.
Dictionary words are generally the first and easiest passwords to get cracked. If your password is your hobby or your favorite flower, you're low-hanging fruit to a hacker. But easy-to-guess passwords don't stop there. Is your bank account password your grandchild's or pet's name? Someone knows that information – probably a lot of someones. An easy-to-guess user name gives anyone with enough time, ingenuity and knowledge of you the ability to do some serious damage, no matter their hacking credentials.
And are you using your user name as your password, too? That's easy to remember – and even easier to crack.
Did you password-protect your wireless network with 123456789 as the password? Bad idea. How about “network” or “yourlastname”? A no-no. Is your password on your work computer, with its sensitive documents, your company name? How about “password”? Really – people have really used “password” as their password, and, astonishingly, not infrequently. It's actually one of the most common passwords out there, according to studies and some of the information revealed by the recent hack attacks.
The key in developing a secure password is to avoid dictionary words, predictable series of numbers and information that people around you might know or guess (such as your favorite food), and to come as close as you can to a seemingly random combination of characters (uppercase and lowercase letters, numbers and symbols, wherever possible) that is at least 10 characters long – preferably 12 to 14 characters, which starts to push brute-force cracking times to weeks and months.
Already, a desktop computer with a high-end graphic processor can use commercial products to hack a 10-digit single-case password in a single day. Adding just a few characters increases that cracking time exponentially.
Users can start protecting themselves with strong passwords
So, how do you come up with a password that is practical for you to use but secure enough to stand up to a hacker? The easiest way to do it is to generate a truly random password. There are a multitude of programs and Web sites that will do that for you.
Probably the most practical way for the average consumer (someone without a truly photographic memory) to do that is to use a password “wallet” program that will generate and store all your passwords for you and even fill them in on the appropriate Web sites – provided you've signed in to the program itself with proper credentials. That's just a single password you actually have to remember, though it should itself be a well-designed one.
These programs can go mobile with smartphone apps that can sync passwords across from your desktop computer to your phone and back again. E-Wallet, SafeWallet and 1Password are just a few of the providers for these services. And on many notebook computers, you can now include an option for a fingerprint scanner that will let you store your Internet passwords and recall them with a swipe of your – and only your – finger.
If you want to generate your own passwords – ones that you can remember – keep in mind that you want to use that combination of uppercase and lowercase letters, numbers and symbols. Each one adds security. Can't remember a random combination of 12 characters? Use mnemonics to create and --
Here's a password: MNIMPTaIWaCPa111AA. It's not one I actually use, of course. But I could remember it, because it translates as My Name Is M Patricia Titus and I Work at Coastal Point at 111 Atlantic Avenue. If I change it up a little and go with @ symbols, to get MNIMPTaIW@CP@111AA, that's even better. How about I change the I's to 1s and the “and” to an ampersand? MN1MPT&1W@CP@111AA – that's even better. And so on. That's a password you could remember. Create one of those, and you can use software to randomly generate the rest. Or make more using that method.
(The folks at 1Password offer a great tutorial on how to make a secure password that you can remember, at http://blog.agilebits.com/2011/06/toward-better-master-passwords/. Check that out for more tips. Also try out Microsoft's password strength checker at https://www.microsoft.com/security/pc-security/password-checker.aspx to see how well you did and tweak as needed.)
As a reminder, you should also avoid ever using the same password for any two Web sites or accounts. Remember our hackers? If they happen to get your password and email address for, say, your Facebook account, they'll try it at any bank Web site they can find. If you're using the same password and email address at your bank's Web site, you could find your account emptied.
Also be careful with your email passwords. If your email is easy to break into, a hacker could use your email to reroute your emails from your bank to their own account, whereupon you wouldn't be notified when they also change your password, mailing address and phone number to ones they use and hijack your bank account and any other sensitive account they don't already have access to.
If you need to use similar passwords so that you can remember the bevy of passwords we all have these days, think about associating part of your password with the site or account. For your iTunes account, perhaps use the word “fruit” as part of your mnemonic, referencing Apple. For your Mediacom account, maybe include “rabbit,” referencing the lack of rabbit ears on your TV.
Creating strong passwords is easy, and creating strong passwords you can remember is easier than it seems. It's also the first line of defense for your finances and identity in our computer-driven age. Back that up with wary, savvy use of email and Web sites, and you'll be as safe as you can get these days from hack attacks, phishers and anyone else who might try to get at your information.