While it used to be two, we can now say three things are certain: death, taxes, and websites getting hacked. When you sign up for various websites, including banks, Uber, email, shopping, and so much more, you're trusting that your information will be safe. The problem we all face is that in a world where websites need to provide online access in order to function, they also have to allow bad people some level of access.
Usernames and passwords are the primary means of keeping unauthorized users from accessing your information, and they have a significant weakness. The weakness is that most people re-use passwords, and almost everyone re-uses usernames on the various sites and apps they use. Sites that may not hold much confidential information may hold enough for a hacker to gain access to another, more information-rich website or app. By "springboarding" from one to another, gaining ever-increasing amounts of information, a hacker can build a profile to take over your email account. Once someone has access to your email, it's very easy to gain access to EVERYTHING.
And by everything, I mean including your credit cards and banking info. A hacker with your email address can change addresses, request credit, and make purchases, all while deleting the notices that will alert you to such illegal activity. One of the best ways to mitigate your risk from hackers exploiting multiple websites into providing an accurate profile of you and/or your business is to use unique passwords on every site.
I know that sounds much easier than it is, although there are many tools that will allow you to do so seamlessly. For example, Chrome can store passwords, and many anti-virus programs offer "password lockers" to store various passwords. You can also download paid and free software called "password managers" (if you want to do a Google search), and Chrome extensions (I'm sure other browsers offer similar features).
Recently, as reported by Graham Cluley, Imgur, an image hosting website, was hacked, and it appears the details of about 1.7 million accounts were stolen. Imgur announced the security breach in a blog post that can be summarized as follows.
Imgur realized on November 23, 2017 that a security breach had occurred in 2014 that included the email addresses and passwords for about 1.7 million accounts.
Sometimes, websites choose to go another route and not inform their clients. In their estimation, it's better to hide the details and hope the whole thing goes away. There's an old saying that tends to prove this theory wrong, though, and it goes something like this: "The only way three people can keep a secret is if two of them are dead."
Uber, the car riding service, reportedly paid $100,000 to hackers to keep a security breach from becoming public knowledge. It appears that hackers took the personal data for about 50 million riders, and over 6 million drivers. The chief security officer lost his job (along with a deputy) over the October 2016 attack, which appears to include names, email addresses and phone numbers of 50 million Uber riders around the world. The drivers appear to have had their driver's license numbers accessed, although Uber stated Social Security numbers were not part of the hack.
If you're an Uber driver with your name, email address, address, and driver's license number in the hands of someone hell-bent on taking over your identity, it doesn't take much more for them to have everything they need. If you also re-use the same username and password on various websites and apps, it's only a matter of time before a hacker can track everything you do and learn what's needed to possibly begin buying items using credit in your name and also make wire and/or EFT payments from your banking accounts. For the right targets and a hacker who is smart, the theft could go on for a long time at small amounts until the hacker decides to go for the "big score." In fact, it's highly plausible that they may remain unnoticed for months or longer, waiting for some large event in your account that makes a large amount of money available (like a home closing or an auto loan), and then, seemingly "out of the blue," hit your account and really ruin your day.
The best things to do, along with only signing up for sites that you really want to belong to, include the following.
1. Have multiple email accounts. For example, use one email account for basic stuff, like signing up for Uber, etc., and use another email account for banking. Or even better, use a unique email address for each class of banking. This may include email@example.com for your credit cards, firstname.lastname@example.org for checking and savings, and email@example.com for all other things.
2. Use a two-factor sign-in when available. Two-factor means that you sign in using a username and password, and also have a text message sent to your cell phone with a code that you then enter. This is admittedly often a pain when you're just trying to get some basic information or the site isn't "that important," but again, it's the combination of websites that gives the hacker the most information. Using two-factor can help limit the number of your sites a hacker can access even if they have your username and password (at least in theory).
3. As discussed, have a unique password for each site. When available, use unique usernames too. It may appear that passwords are the only thing to worry about, but if that's all a hacker needs to guess, you're making their job so much easier than if they have to try to figure out each username and password. In fact, it's not hard to subscribe to the low-hanging fruit theory when it comes to usernames. Think of it this way: if a hacker sees one person with all the same usernames and many repeating passwords, and another potential victim with unique usernames, unique passwords, and two-factor sign-ins enabled, the hacker is likely to focus on the lower-hanging fruit and leave your account alone. This is especially true when so many others aren't doing all they can do to protect their passwords and identity. As long as there are so many relatively "easy" targets, why waste time going after a hardened target that isn't necessarily going to have a greater worth if exploited?
It's important to keep in mind that nothing you do online is going to completely protect you. However, that doesn't mean you want to make the odds for yourself any worse than absolutely needed while still benefiting from the convenience of being online. For your business, you may want to consider cyber liability insurance coverage. If you would like a proposal or to discuss what options are available, feel free to give us a call or have us call you by filling out a request for an insurance quote.