How to check your identity hasn't been sold to the hackers

Database breaches, in which giant corporates such as Adobe, eBay, or Sony lose track of copies of their user and billing databases, are becoming almost weekly news items in late 2014.
Sometimes this is given a hacker spin, other times it’s just a dull case of not knowing where all those USB keys or backup tapes have gone.
Consumers are meant to respond to the news – which manages to be simultaneously both worrying and vague – by meekly changing their passwords, even if they don’t think they’re included in the database that’s been stolen. eBay’s alleged database theft triggered a mandatory password change for everyone, right across the system.
I have some problems with this approach, because, to be honest, I have a whole lot of different web identities. Once you’ve signed up to enough services for review, this becomes inevitable: I have a slew of login names and emails, and figuring out which one goes with which service becomes a daily trial.
This is partly down to disorganisation on my part, but it’s also a matter of personal security: just because the entire IT service business has declared that a single email address ought to be the arbiter of identity doesn’t mean that this approach is in my best interest. You’d be hard-pressed to deduce my username for my principal online banking account from the one I use to divert the inevitable marketing spam that follows a trial software download these days.
This approach puts me in a very rarefied group. Most people are encouraged by both daily advice from lazy e-commerce operators, and their own memory limitations, to have only one username/email combination and maybe a few different passwords, reused over and over again on various services.
As the number of services per person rises (and industry studies show a straightforward trend – one service 3 years ago, between four and six now, and nine or more in 3 years’ time), so does the insecurity. The nasty black-hat hackers know this very well, and it increases the value of a stolen list of usernames: not because the hackers want to sign in to your Adobe account (to cite the largest recent breach as of the time of writing), but because they want to hit your Mastercard login, on the assumption you’ve reused the same credentials.
So it really does become essential to know whether your name(s) feature on those stolen lists. But how to check?
Enter Troy Hunt – he’s the operator of http://haveibeenpwned.com. Type your email or user ID into his site and it looks through his cached copies of the stolen lists to see if you’re at risk. As is becoming habitual for me with this type of investigation, none of my identities trip the alarm, but I made a wild guess and put in a former client’s email address to produce the screengrab you see here.
[Screengrab: haveibeenpwned.com search result]
I know what you’re thinking: why should you trust a site that a) has no www, and b) uses hacker-speak as part of its domain name? Aren’t all these people in it together? Who is this guy? Mr Hunt, however, has an easily traceable identity on the net and a very useful blog where he discusses the curiosities and vicissitudes of running such a thing as a public service. He is, in the jargon of this field, a “white hat”.
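An added illustration (not code from the original post, and not Troy Hunt's own) of how a breach check can be run without handing the secret itself to the site the author asks whether to trust: the k-anonymity "range" API that haveibeenpwned.com later added for Pwned Passwords takes only the first five hex characters of a SHA-1 hash and returns every stored suffix for that prefix, so the match is completed on your side. The range response below is constructed for offline use and its count is invented.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for a Pwned Passwords range response.  The real service is
# GET https://api.pwnedpasswords.com/range/<5-hex-char prefix>, one "SUFFIX:COUNT"
# line per stored hash; a ":0" line is padding the service may add to hide list size.
# The count below is invented; the suffix is SHA-1("password") minus its first 5 chars.
SAMPLE_RANGE_RESPONSE = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "0000000000000000000000000000000000A:0\r\n"      # padding entry, ignored
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
)
SAMPLE_PREFIX = "5BAA6"


def sha1_prefix_suffix(secret: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of secret into the 5-char prefix sent to the
    service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping blank and padding lines."""
    found: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        if count.isdigit() and int(count) > 0:
            found[suffix.upper()] = int(count)
    return found


def breach_count(secret: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times secret appears in the service's lists (0 = not seen).
    fetch_range(prefix) supplies the range text; only the prefix is disclosed."""
    prefix, suffix = sha1_prefix_suffix(secret)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline substitute for the HTTP call, serving only the constructed range."""
    return SAMPLE_RANGE_RESPONSE if prefix == SAMPLE_PREFIX else ""


if __name__ == "__main__":
    for candidate in ("password", "a-long-passphrase-nobody-reused-2014"):
        print(candidate, "->", breach_count(candidate, offline_fetch))
```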
This is a vital role, given how e-commerce and customer relations have developed – certainly none of the affected businesses have taken steps of this nature to help you figure out whether your personal security plan has actually ended up working against your interests.
In an ideal world, the likes of Adobe and eBay would be paying Troy Hunt’s hosting charges on Azure (which is where haveibeenpwned.com lives), because most breaches appear to be failures of duty of care, and most of the cleanup processes seem to be left to a loose alliance of commentators, rumour-spreaders, paranoids and white-hatted hackers.
In fact, haveibeenpwned.com has been around for a few years already, but Troy has been adding further lists to the resource as the thefts and breaches continue, which makes it a progressively more useful and relevant utility – although I suspect that the way the man in the street reacts to technology and the mixture of risks from hacking won’t change very much, even if you do the public-spirited thing and let them know if their name comes up as being in the at-risk group.
This is one of those classic “you know you’re a nerd if…” moments, where the most you can hope for is that some of the people you put through the checks might go so far as to change their passwords a little bit more often.
