October 2017 Letter
Last month, data security breaches again made headlines with the news that consumer credit reporting agency Equifax had been compromised. The breach allowed cybercriminals access to the personal information of over 140 million U.S. consumers. Stolen data included full names, addresses, Social Security numbers (SSN), birthdates, credit card information, and in some cases driver’s license numbers. Equifax is one of just three U.S. credit reporting agencies, and the news wiped away over one-third of the company’s market value, about $6 billion. Previous headline-grabbing breaches have included well-known retailers, social media companies, health insurers, and even Hollywood studios. Many of these breaches involved credit and debit card information, passwords, logins, and proprietary intellectual property. The Equifax breach, however, is thought to be one of the largest and most damaging from a personal identity standpoint, and it’s fair to assume that at least some of your information was compromised in this or earlier attacks.
What to Do: Play Defense
If you haven’t done so already, the Federal Trade Commission (FTC) recommends going to the website Equifax set up for this incident, www.equifaxsecurity2017.com, and checking whether your information has been compromised. The FTC further recommends that you obtain a free credit report by visiting www.annualcreditreport.com. Another step to consider, if you don’t anticipate any borrowing or credit needs, is placing a credit freeze on your credit report. This denies lenders and creditors access to your credit report, effectively making it more difficult for new accounts to be opened in your name. You’ll have to contact all three credit reporting agencies: Equifax, Experian and TransUnion. Also, a credit freeze applies only to the SSN given; spouses and other household members will need their own credit freeze.
If a credit freeze is too restrictive, the FTC recommends you consider placing a fraud alert on your credit files. This notifies lenders that you may be a victim of identity theft and that credit applications should be verified directly with you. Additionally, the FTC recommends close monitoring of all your credit and bank accounts for unusual activity. The FTC also operates a website, https://www.identitytheft.gov/, where you can report identity theft and develop a comprehensive recovery plan. Make sure to always use a secure network connection when accessing sensitive information online, not public or unknown wi-fi networks. Lastly, consider identity theft protection services such as LifeLock, Credit Sesame, IdentityForce, or Identity Guard, to name a few.
What to Watch For: Unfamiliar Items
Unfortunately, the Equifax breach is unlikely to be the last major compromise of personal information that we’ll have to live through. Identity theft is the fastest-growing crime in America. Someone’s identity is stolen every 2-3 seconds, resulting in an average loss of nearly $5,000 per incident. Time, however, is an even bigger loss, with an average recovery effort of 600 hours. With those numbers in mind, let’s look at the most common ways cybercriminals steal identities, with an emphasis on email vulnerabilities.
- Email Account Takeover. This occurs when a cybercriminal hacks an email account and reads emails to learn about the victim and their habits so they can pose as the victim to steal money. For example, a cybercriminal could email your bank, stock broker, credit union, or any other financial institution, pretending to be you, and request a funds transfer. Ways to defend yourself include password-protected email, phone call voice verifications, and video chats.
- Malware. Malicious software is created to damage/disable computers and computer systems, steal data, or gain unauthorized access to networks. Examples of malware include viruses, worms, trojan horses, ransomware, and spyware. Malware most often occurs when a user clicks an unsafe link or opens an infected file. Malware allows cybercriminals to delete files and directories and/or covertly gather personal data, including usernames and passwords. The best defense is to install the most up-to-date antivirus software on all devices that connect to the internet and to run regular scans to update software when available. Additionally, only open links and files from trusted sources.
- Phishing. Phishing refers to cybercriminals pretending to be a trustworthy source in order to acquire sensitive personal information such as usernames, passwords, Social Security numbers, and credit card information. Approximately 70% of all cyberattacks use a combination of phishing and hacking. The example below looks like a customer service inquiry from amazon.com, but it’s not. When receiving something like this, especially unsolicited, look for misspellings and hover your mouse over website addresses to reveal their true location.
- Password Theft. Most people reuse passwords and usernames. Cybercriminals obtain these login credentials and test them in large numbers against financial institutions’ websites looking for a match. Unfortunately, large numbers of stolen login credentials are readily available for sale. The best way to protect yourself is to use a unique password for each account to prevent quick access to all of your accounts. Additionally, make each password unique, long and strong. Use 8-12 characters, upper and lowercase letters and symbols. As a general rule of thumb, change your passwords every 90 days, and never use your Social Security number as a username or password. You may also consider a password manager such as Dashlane.
- Social Networks. It’s important to remain diligent on social networks as cybercriminals are able to manipulate data and impersonate others. Be selective about who you allow to join your social networks and be cautious about personal information you share on all social media.
Tips for Surfing the Web
- Use wireless networks you trust and know are password protected.
- Be cautious when using public computers.
- Ensure you are downloading apps from trusted publishers.
- Be aware that secure websites start with https, not http.
- Be sure to log out completely (which terminates access) when exiting all websites to prevent cybercriminals from obtaining your personal information.
- Consider purchasing a personal wi-fi hot spot.
- Hover over questionable links to reveal their true destination.
This is by no means a complete list of the risks we face online or the ways we can mitigate our exposure. But it is a good starting point to assess our vulnerabilities and try to stay one step ahead of the cybercriminals. Our challenge will only grow exponentially in the future, particularly as we add connected cars and expand the internet of things (IoT). Cars in the not-too-distant future will all have embedded internet modems, wi-fi routers, Bluetooth, near-field communication, hi-definition radio, and USB ports. Many of these same points of connectivity will extend throughout our homes and into our appliances and climate control systems. By the end of this year, over 5.2 billion consumer devices will connect to the web, a number that is expected to grow to nearly 13 billion by 2020. Stay diligent!
Identity Theft Protection Services:
- LifeLock: www.lifelock.com
- Credit Sesame: www.creditsesame.com
- IdentityForce: www.identityforce.com
- Identity Guard: www.identityguard.com
- Dashlane: www.dashlane.com
To report a cybercrime: