Part of the Infospectives Diary Of An InfoSec Kid series.
Originally written about the Kiddicare hack, but now 117 million LinkedIn usernames and passwords have been found for sale on the darknet.
The KoreLogic blog post lists everything compromised…and already the phishing attempts have started.
Advice posted about the Kiddicare hack is just as relevant to this dumped user data, so rather than repeat myself, I’ve repurposed this post:
News broke on the 9th May, of Kiddicare customer data turning up where it shouldn’t. Kiddicare weren’t aware of a breach. A third party told them about it. Then they tracked it back to a test server using customer data. Full details are still coming out.
The most immediate concern is that folk will use that information to try and scam you, or pretend to be you to run up debt and dupe other people. However it’s not yet clear how much data was stolen.
Kiddicare hack: UK retailer warns 800,000 users about data breach on test server – International Business Times, 10th May 2016
In this particular case it’s parents’ data at risk, but recently there have been lots of stories about kids’ data getting stolen. The combination of both things prompted me to write this post.
If your child’s data is shared too freely online, picked up via a hacked account of yours (how much important information is filed in your email inbox?), or directly hacked, it could be used to socially engineer them, or damage their financial credibility before they’re even old enough to have a bank account.
Here’s TribLive talking about child ID theft earlier this month and below are articles about a couple of the more recent breaches:
- Toy firm VTech hack exposes private data of parents and children in The Guardian
- VTech Breach – Data Data Everywhere – by Cheryl Biswas, here on Infospectives
- Database leak exposes 3.3 million Hello Kitty fans
I’m not trying to scare you. This is simply the justification to make a little more effort with your family’s online security. In the context of this particular breach:
1. Change your Kiddicare password
If you haven’t changed it recently, or even if you have, now’s the time. Then change it on every site using the same username/password combo.
Priority passwords to change: eBay, Amazon, PayPal, and any other site where you store payment card and bank details…they’re almost invariably a hacker’s first port of call after getting hold of credentials.
If you know the password you use on those sites has been compromised, or you spot unusual activity, immediately contact them.
A thought provoking piece in the New York Times on our password habits, and what a compromised password can really mean: The Secret Life of Passwords
Avoid using the same username/password combo for multiple sites.
If there’s a future breach of a firm you deal with, that dramatically reduces your risk of associated fraud…and it’s just the one password to change.
Does that sound like a nightmare? The best antidote is a password safe (e.g. 1Pass, LastPass, or a.n.other free or paid-for one). They help create and keep track of nice long and complex passwords. They then pop up in browsers and fill passwords in for you, or let you copy and paste them.
Great to avoid crazy-making “But I DEFINITELY typed it right!” logon fails. The kind that happen even if you write passwords down…the kind that make so many people choose simple, easy to remember, and easy to guess passwords…gold dust for fraudsters.
If there’s a future breach of a firm you deal with, this can dramatically reduce your risk of associated fraud…and it’ll just be the one password to change.
Extra benefits: You can access your passwords anywhere…instead of waiting to refer to that carefully maintained list you keep in your desk drawer.
Testing, Testing, Password 123456
There are many variables that can impact the crackability of passwords, but if you have a simple, short password, like 123456, or even P@55w0rd, you ARE at risk.
Even when you check a great password (some practical password tips are here on the blog: Passwords: Long? Strong? Keep Getting Them Wrong?) and a strength checker tells you it will take 5 sextillion years to crack, take that with a pinch of salt. And of course, if your machine is compromised by malware that logs what you type, all bets are off. That’s where operating system updates, anti-virus updates, and the kind of vigilance I recommend below come in.
There is some evidence folk are trying hard to do better with passwords, but it’s not yet enough. This top worst password list is put together based on number of times a particular password appears in lists of hacked data (clicking the image downloads a full-sized pdf – courtesy of SplashData)
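To show why a “5 sextillion years” estimate deserves that pinch of salt, here is an added example (my own illustration, not code from the original post or from any strength checker). It computes the naive brute-force figure most online meters report, then does what a real cracking tool does first: undoes leetspeak, strips trailing digits, and checks the result against a constructed list of top worst passwords. The list, the 1e10 guesses-per-second rate and the verdict thresholds are assumptions chosen for illustration.

```python
import math
import string

# Constructed illustrative sample of frequently breached passwords (not SplashData's list).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "football",
    "letmein", "welcome", "monkey", "abc123", "iloveyou", "admin",
}

# Substitutions that cracking rule sets undo before a dictionary lookup.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})


def candidates(password):
    """Forms of the password a dictionary attack would try: lowercased,
    de-leeted, and with trailing digits/punctuation removed."""
    forms = {password.lower(), password.lower().translate(LEET_MAP)}
    stripped = {f.rstrip(string.digits + string.punctuation) for f in forms}
    return forms | stripped


def charset_size(password):
    """Size of the alphabet a brute-force attacker must search."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33
    return size


def naive_bits(password):
    """Brute-force entropy in bits, as most online strength meters report it."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def assess(password, guesses_per_second=1e10):
    """Return (verdict, seconds_to_crack). A dictionary hit wins regardless of
    how impressive the brute-force figure looks."""
    if not password:
        return ("weak (common password)", 0.0)
    if candidates(password) & COMMON_PASSWORDS:
        return ("weak (common password)", 0.0)
    bits = naive_bits(password)
    seconds = 2 ** bits / guesses_per_second  # assumed offline cracking rate
    if bits < 40:
        return ("weak", seconds)
    if bits < 64:
        return ("moderate", seconds)
    return ("strong", seconds)


if __name__ == "__main__":
    for pw in ("123456", "P@55w0rd", "Password123!", "correct horse battery staple"):
        verdict, secs = assess(pw)
        print(f"{pw!r}: naive {naive_bits(pw):.1f} bits, verdict {verdict}, "
              f"{secs / 86400:.1f} days at 1e10 guesses/s")
```

P@55w0rd scores a respectable 52 bits by the brute-force arithmetic, which is roughly eight days at the assumed rate, yet it normalises to “password” and falls instantly to a dictionary. That gap between the arithmetic and the attacker’s actual method is the reason the meter’s number is not the whole story.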
2. Keep an eye on the HaveIBeenPwned site:
Troy Hunt’s site will give you a good indication of whether your personal data has been compromised. They do that by telling you if family email addresses have turned up anywhere worrying (his organisation ethically discovers and gets told about huge amounts of personal data being dumped and traded on darker bits of the internet).
If it says one or more of your addresses have been pwned (nicked) – follow step 1. You can also register your addresses and they’ll send you a note if they turn up somewhere iffy in future.
3. Be healthily skeptical about anyone unexpectedly emailing or cold calling.
Trying to con you by email is usually called Phishing and by phone it’s often called Vishing, and it’s far more common than you may think. The simple rule is to always think twice about online and phone interactions:
Especially if they try to scare you into clicking links, or ask for personal information:
- “Who am I speaking to?” – Uh, you called me, so tell me what you want and who you were calling.
- “Can you tell me your date of birth/postcode/national insurance/social security number just to confirm I’m speaking to the right person?” – Uh no.
Even more especially, if they ask you for payment details, or ask for your password:
- “Can you just confirm your bank account details for me” – Ummm nope.
- “We think we’ve had a breach and need your password/account details to check if you’re at risk” – Really!?
It could just as easily be:
- Incredible offer ending today!
- Wow! See what [insert most headline-worthy celebrity] revealed today!
- This survey totally nailed my personality type! (a fave way to get hold of your personal data via Facebook too) or
- A mail coming from a known contact with an unusual subject (normally an indication they’ve been hacked, or someone who has them in their contact list got compromised)
You get the idea…
If it’s a company you’ve dealt with before, but you’re uncomfortable with questions (always ask yourself ‘why’ they need the information asked for), you could ask callers for their number and do an internet check for known scams. Alternatively, email or call that company’s official customer service team to check if it’s an email/call campaign they approved.
If asked to do stuff online for a known organisation, go directly to their site by typing their address into your search bar, instead of clicking links in emails (some scammers are hugely skilled at making email addresses look like they come from very respected companies and creating fake sites that look EXACTLY like the real ones).
If there’s a genuine need to update details, make sure logon and data entry screens have the little padlock that tells you it’s secure.
Ideally, and most simply…ignore and bin.
If it’s a genuine contact on the phone, they’ll understand your caution and get in touch some other way. If it’s an email you’re not expecting, don’t even open it. Check with the person or organisation if you’re concerned it might be credible and important, but otherwise, file it in the bin.
That’s good practice to avoid all kinds of attempts to compromise your computer. Including the current and growing risk of ransomware arriving via email and locking (encrypting) your files until you pay a specified amount to get the key (you can read more on that here).
4. Use two factor authentication (2fa) wherever you can
It’s an extra check to go with your password. It gives everyone more confidence that you are who you say you are and scuppers casual hackers: even if they have your password, they won’t get to your stuff unless they have a code too. Usually you’ll get a 6+ digit temporary code via:
- A phone app like Google Authenticator (free via your usual app store),
- A small hardware token (banks and businesses often issue you one of these) or
- Via SMS*
Here’s a recent PC Magazine article telling you how to set 2fa up for popular sites.
*Texting also isn’t super secure, so if you ever exchange confidential data that way, it’s perhaps worth installing something like Signal (for Android or iPhone). It takes over from your normal SMS app and protects (encrypts) SMS messages between Signal users. Simple, free and really easy to use. It’s also possible to encrypt your calls if you would like to. But even that doesn’t help if someone spoofs your phone so they get sent your code. The very best practice is therefore to use a token like a YubiKey.
Those are just a few tips to help keep family data safe, because personal data loss can affect everyone more than they realise. Here’s another article published just today about fallout from identity theft and other ways to reduce that risk.
In general, it’s good to view this kind of thing as a new, but natural parental responsibility. Your kids will need a good security example to confidently and safely navigate the internet, and when you put their details online, their digital welfare is in your hands.
More from Diary Of An InfoSec Kid coming soon, including a primary school student who can school you when it comes to good passwords.
Featured Image Copyright: beebright / 123RF Stock Photo