Wednesday, February 18, 2015

I've Been Hacked! - Part 1

It seems as though we are constantly hearing about new data breaches at various companies.  Usually, by the time the media has exhausted its coverage of one breach, there is a new breach revealed for the media to cover.  While the media has done an excellent job at keeping everyone up-to-date on where these breaches have occurred (and who has been affected), we hear very little about what to do if your information is stolen.  Most of the time, companies respond by offering identity protection--certainly a benefit you should accept--but identity protection will only help you clean up after your information has been used.  There are many more concrete steps you can take to protect yourself after you learn of a breach but before your information is used.

I have personal experience as a victim of several recent data breaches.  I shopped at Home Depot during the period where their systems were compromised, but I only shop there occasionally and generally pay in cash, so I cannot say with certainty that I was a victim of the Home Depot hack.  However, my information was compromised by the Chase hack revealed last year, and again in the Anthem breach earlier this year.  (Ironically, the insurance program for state employees in Kentucky switched to Anthem at the beginning of the year, and just over a month later, they had to inform us of this breach.)

The first step is to learn exactly what was stolen.  The proper response to these breaches will vary based on what data was compromised.  For example, in the Chase hack, no account data or passwords were compromised; the only information taken was contact data for customers.  The steps you take in this case are radically different from the ones you would want to take if your credit card or bank account numbers were exposed.

In order to keep these tips to a manageable length, I will be splitting up my suggested responses based on what information was compromised.  In part one, I will discuss what to do if your username, password, or other contact data is breached; part two will contain what to do if your credit card or bank account number is stolen; and part three will list actions to take if your social security number is compromised.

Part One:  Username, Password, or Contact Information Stolen:

Obviously, no data breach is ever good, but if some information is going to be stolen, this is the type of breach you want.  Most of these suggestions only deal with compromised user names and passwords.  If only your contact information (name, address, phone number, email, etc.) is stolen, your account online is probably still secure, but you could see an increase in phishing attempts and other scams.  If your password or other information has been stolen, here are some steps to take:

1) Change Your Password - This should be a no-brainer.  If your password has been stolen from a site, change it as soon as possible!  In many cases, it may be best to change it twice:  once upon the first reports of the breach, and then again once the company has strengthened its security.  The first password change will not lock attackers out of your account if they are still exploiting the breach and grabbing more data.

2) Check Your Information - If someone else has your username and password, they might be able to log in and change personal information, such as your address.  If you are not careful, you could quickly place an order using your account and find that it was set to ship somewhere else during the time your account was compromised.  (Obviously, sites clearly show you the shipping address to prevent this, but if you click through without checking, it could be a possibility.)

You will also want to know what other information might be available to someone who snooped inside your account.  Sure, your banking site may have only had its user names and passwords compromised, but someone can use that information to log in and see your account numbers.  If you can access any of this information from the user interface, assume that it has also been compromised.

3) Use Extra Caution with Email - Have you ever thought about how much access our email accounts grant us?  If your email account has been compromised, review what information you might have stored in your inbox.  Also, check accounts that use that email address for signs of tampering.  If someone has access to your email, they can use the "Forgot my password" link to change your password to many other sites.  (Some sites are becoming smarter about this and requiring more information before sending a link to your email, but many are slow to follow this increased security.)

4) Enable Two-Factor Authentication - Two-factor authentication requires more than just a user name and password to log in.  In most cases, this will be a code you will receive via email or text message.  My bank requires two-factor authentication the first time you log in to an account from a particular device, and then it places a cookie in your browser identifying your device as a trusted device and permitting you to log in with just your user name and password.  If an account offers two-factor authentication, it is a good idea to turn it on, even if your account details haven't been compromised.
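The trusted-device scheme described above, as an added illustration and not the bank's own code: after the second factor succeeds, the server issues a cookie that is bound to the user, carries an expiry, and is HMAC-signed with a server-side key, so a later login from that device can skip the code only if the cookie is intact and unexpired.  The key, the 30-day trust window, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional, Tuple

SERVER_SECRET = secrets.token_bytes(32)  # constructed: server-side key, never sent to the browser
TRUST_TTL = 30 * 24 * 3600               # assumed policy: trust a device for 30 days


def issue_trusted_device_cookie(user_id: str, now: float, secret: bytes = SERVER_SECRET) -> str:
    """Call only after a successful second factor. Returns the cookie value to set."""
    device_id = secrets.token_hex(16)     # random per-device identifier (could be stored for revocation)
    expires = int(now) + TRUST_TTL
    msg = f"{user_id}|{device_id}|{expires}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{device_id}|{expires}|{tag}"


def device_is_trusted(user_id: str, cookie: Optional[str], now: float,
                      secret: bytes = SERVER_SECRET) -> bool:
    """True only if the cookie is well-formed, untampered, unexpired and bound to this user."""
    if not cookie:
        return False
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    device_id, expires_s, tag = parts
    if not expires_s.isdigit() or int(expires_s) < now:
        return False                       # expired, or expiry field is not a number
    msg = f"{user_id}|{device_id}|{expires_s}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison of the signature


def login(user_id: str, password_ok: bool, second_factor_ok: Callable[[], bool],
          cookie: Optional[str], now: float) -> Tuple[bool, Optional[str]]:
    """Returns (allowed, cookie_to_set). second_factor_ok prompts for the emailed/texted code."""
    if not password_ok:
        return False, None
    if device_is_trusted(user_id, cookie, now):
        return True, cookie               # trusted device: password alone is enough
    if second_factor_ok():
        return True, issue_trusted_device_cookie(user_id, now)
    return False, None
```

A copied cookie still works from any browser until it expires, which is why sites pair this with a "forget this device" option; the device_id issued here can be stored server-side to support that revocation.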

5) Watch Your Accounts - If your account has payment information stored with it, it is possible that someone could have placed an order with your account and charged it to your stored payment method.  Review your bank statements and your order history with the site to see if there is any suspicious activity.

6) Review Your Personal Password Policy - We all know we shouldn't use the same password for multiple sites, and we have all probably broken this rule.  A smart attacker will make checking for reused passwords one of the first activities after obtaining your password.  Additional accounts could be compromised using this technique, and you might not realize it until after damage has been done.  (As a follow-up note, someone recently shared an excellent tip with me about how to manage and remember your passwords, and I will share this with you next week.)

7) Beware of Scams - Less than 24 hours after the Anthem hack was announced, emails came out asking people to click the link and verify their Anthem account information.  The scam could come through a variety of methods:  email, phone, postal mail, or even text message.  In many cases, attackers will simply send out batches of emails mentioning that your information has been compromised on a particular site.  (I received one for Skype last year, even though I have never used or had an account with Skype.)  However, attackers are starting to launch more personal attacks with the data they have obtained.

Imagine that your password was compromised at some company.  An attacker could use that to log into your email (which used the same password as the hacked company's site), and see that you placed an order with Amazon for a new vacuum on January 27th.  Now that they have your name and address from the receipt, they can do a simple search to get your phone number (if it wasn't also listed on the receipt) and call you with a "customer satisfaction survey."  Since they ask you specific questions about "your order from January 27th" and "your new Hoover WindTunnel vacuum", you have no doubt that they are actually from Amazon, and you give them your password when they say they need you to "confirm your identity".  You never suspect anything until you see charges on your credit card from Amazon, where you had saved your card number for convenience.  It might sound complex, but an experienced attacker with some software help could probably have the orders placed in less than 10 minutes.
