Password Theft

Password theft is a common occurrence in today’s digital age and is often the precursor to much more serious crimes like identity theft and fraud. It is important not only to pick very strong and complicated passwords that have nothing to do with your personal life, but also to change your passwords frequently. If all of your passwords are the same, all a computer hacker needs to do is figure out one password and he or she will have access to everything else.

Password use is nothing new; for centuries mankind has been using passwords as a means of protection. Protecting the castle from intruders is one example that comes to mind and makes a good metaphor for the present: sentries posted at the castle gate would only allow those seeking entry inside the castle walls if they knew the watchword. That metaphor is a perfect example of exactly what a password is meant to do for our computer operating systems and user accounts today: keep unwanted intruders out.

We now live in a culture of technology where more and more of our daily lives take place online, whether it is banking, paying bills, signing up for healthcare, shopping, reading information and news, or even paying your taxes. In today’s society most people do many or all of these everyday things online, so utilizing every tool you have to protect your cyber kingdom is simply what must be done to stop cyber thieves at the gate.

Because many of these tasks require you to provide personally identifiable information (PII) about yourself, it is important to protect it from others who might seek to use that private information for illegal purposes. Passwords are an important part of the protocol for protecting your personal cyber information.

Today, passwords are our modern day sentry, helping to keep our (technological) properties secure and cyber intruders out. A password should be a unique, random string of at least eight letters, numbers and symbols. Passwords are used in combination with a user name to verify your identity on a computer operating system or web site, which then grants you access to log onto your computer or into your account online while denying access to others who do not have the password. In essence your password is your own personal sentry.

In Medieval times only those loyal to the king were given the password, thus keeping out enemies who might do harm to the king. Though this metaphor may be ancient, the concept is present day. Today you are the king or queen, and your modern day password should only be shared with those you know will do you no harm: a spouse or close family member(s), and only if it is absolutely necessary. Otherwise you should never share your password with anyone. Legitimate companies or entities will never ask you to share your password in an email or by telephone.

Why Are Passwords Stolen and by Whom?

When you hear of a major cyber breach where millions of user names and passwords were compromised, but no financial or other personally identifiable information was exposed, you may be thinking it’s no biggie, right? Just change my password and you’re good to go? WRONG!

When hackers are only able to acquire unauthorized access to your user name and password, it’s not likely because they didn’t try to get full access to your records; it just means they couldn’t this time. That doesn’t mean the cyber thief will stop there or won’t put your password to good use. Unfortunately many of us do not create a new unique password for every site we register on. If you are one of those people who use the same password for more than one website, it is possible your highly sensitive data could be at risk. Cyber criminals have hacking tools they can use to try your password and user name on tens of thousands of sites in hopes of gaining more personal information, and the more information they can gather on you, the higher your risk of identity theft.

If you have used your password for more than one website, you should:

  1. Change your password on every site you have used the stolen password for. If the password was for your email it is highly recommended that you change the password on all your accounts, especially ones that contain payment information such as your bank, utilities, PayPal and the like.
  2. Contact the companies you suspect may have been accessed with your stolen password and maintain a record of who you spoke to and when.
  3. Notify your friends and family (contacts) that your account has been compromised and tell them to be wary of any emails seemingly from you containing links or schemes or asking for personally identifiable information.
  4. Monitor your credit card and bank statements very carefully for any unusual charges or activity.
  5. Get a free credit report to make sure there have been no new accounts, loans or negative activity on your report.
  6. Create new unique strong passwords for each site you change your password on.

Creating A Unique Password

Your password is the key to your castle, and just as you would protect your castle with strong locks to prevent a break-in, you want to have a strong password to prevent cyber intruders from breaking in too. Creating a unique strong password is an important part of protecting your information and password from cyber criminals. Below are tips on how to create a STRONG unique password:

  • Select a random mixture of letters (both upper and lower case), numbers, and symbols; do not use common words, names, birthdates, etc. For example, a strong random eight character password might be #wF3bg?S. Or you could select an odd, funny or unique phrase only you would know and then use numbers, letters and symbols to create it, e.g. "I’m Late for a Date with The easter Claus!" becomes 1mL84aD8wTeC!. You want to make your password as difficult to guess and as long as possible. Just by combining random mixed-case letters, numbers and symbols your password has 30,000 times as many possible combinations as it would if it were all lower case letters. A password like this may be a bit harder to memorize, but it is well worth the added protection.
  • Do not create passwords that are associated with your personal information such as children’s or grandchildren’s names, dates of birth, sequential numbers or common words, e.g. eviecolin5/9/16, password12345, keystothegate1098765. Passwords created like this are very easy for cyber thieves to crack.
  • Never use the same password for different accounts or websites. If your password is stolen from one site and you have used it for others, the cyber thief could then access all the accounts you used that password for and compile information on you that could lead to identity theft or other malicious activities.

How Often Do Cyber Attacks Occur

According to statistics provided by CBS, in 2014 it is known that 47 percent of American adults had some form of their personal information stolen by cyber thieves, the majority of thefts having occurred when a major company was the victim of a cyber security breach. Cyber crime continues to be on the rise; with 1.5 million annual cyber breaches occurring, the threat to individuals is very real today and growing. Every two seconds another American’s identity is stolen. Data breaches targeting individuals’ personal information increased 62 percent during the period of 2012 to 2013. In terms of identity theft during that same time frame there was a shocking 594 percent increase, costing $18 billion in credit card fraud. These numbers are unsustainable in the long term.

In the past there were large numbers of small or individual breaches; today we see hackers focusing on large corporations and entities more consistently. Cyber criminals have fine tuned their abilities to utilize the information they glean from these large data breaches: statistics indicated that about 46 percent of customers whose card information was accessed through a data breach became a victim of fraud within the same year. Some of these victims, about 28%, had their accounts taken over entirely by the data breach thieves, a record high.

Unfortunately, much of the cyber crime that occurs goes unpunished, as the hackers are often committing crimes across national borders, making prosecution a complicated international endeavor for which no global standard has yet been instituted. And as the digital global frontier continues to grow, it certainly appears cyber crime will grow with it; your best defense is to be prepared.

How to Protect Your Password From Theft

There is no absolute guarantee that you can keep your password from being stolen; cyber criminals today have sophisticated tools and machinery that they utilize to decipher passwords, and given enough resources and time no password is ever going to be completely undecipherable, as yet anyway.

But, there certainly are decisive proactive cyber practices you can implement to make your password a much harder target. And let’s face it, hackers don’t want to actually have to work hard for your money, they prefer the easy pickins … so don’t be one.

Below are tips on how to protect your password and identity:

  • Before you even begin to create a user name and give your email address to any business, website, forum, or entity, be certain to carefully read the entity’s Terms of Service (TOS). The fine print in the TOS may give you some insight as to how seriously this entity takes protecting your personal information and who they share it with. You need to know whether or not your information will be removed from their database if you decide to unsubscribe, and what their notification policy is if they should fall victim to a cyber breach. All of these factors should weigh heavily in deciding who you share your personal information with. If they don’t have their users’ or customers’ best interests foremost, you may want to reconsider giving them any of your information, even something as simple as an email address.
  • Create strong unique passwords of at least eight mixed-case letters, numbers and symbols, and never reuse them for other sites.
  • Once you have created a strong unique password, you may want to consider a second layer of protection (where available) such as two-factor authentication.
  • Do not share your passwords
  • Change your passwords every six months
  • Avoid public Wi-Fi connections
  • Shred mail containing personal documents
  • Monitor your credit card and banking statements carefully
  • Get a free credit report at least once a year

How Cyber Criminals Steal Passwords

Data Dumps

Professional hackers, hacktivists and cyber criminals often sell mass quantities of people’s personal information on what is known as the dark web, a sort of underground cyber black market. The hackers typically find a vulnerability in a software program or a lax security protocol in the web site they are trying to hack into. Once they find their way into the data system they can execute what is called a data dump. This is the act of copying raw data from one place to another with little or no formatting for readability; it is not readable unless you have the computer training to read code. Typically, the term dump refers to copying data from the main memory of a computer database to a display screen or printer.

Today most web sites store user names and passwords in encrypted (or hashed) form, but not all. There have been many major cyber intrusions where we have learned afterwards that the web site did not have adequate cyber security and that user names and passwords were stored in plain text. But even encrypted passwords can be deciphered given enough time, technology and manpower (hackers).

Typically, the hackers then let it be known that they have executed a hack on a particular entity by publishing a small portion of the dump on a dark web forum. There the hacktivist either makes the activist statement they are putting forth, with the data dump as proof of their assertions, or lets it be known that the entire data dump, or increments of it, is for sale.

Whether the site (that you joined) that was hacked used encryption and hashed and salted passwords, together with the strength of the password you chose, will determine how easily your password can be deciphered by the hackers before you have a chance to change your password (and possibly your user name). That is provided the site or entity has notified its users that they have experienced a breach of security.
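As an added illustration (not code from the original article), the Python script below checks a password against the tips given earlier on this page and shows why hashed and salted storage makes a data dump far less useful: two users who chose the same password end up with different stored values. The tip checks, the `COMMON_PASSWORDS` set and the sample passwords are constructed for this example, and `hash_password` uses PBKDF2 from Python's standard library as one way to do salted hashing.

```python
import hashlib
import hmac
import os
import string
from typing import Iterable, List, Optional, Tuple

# Constructed set of weak passwords of the kind the page names as easy to crack.
COMMON_PASSWORDS = {"password1234", "password12345", "letmein5678",
                    "keystothegate1098765"}

ITERATIONS = 100_000  # PBKDF2 work factor; higher makes each guess slower


def password_problems(pw: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the page's tips that the password fails (empty list = passes)."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing mixed-case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("missing a number")
    if not any(c in string.punctuation for c in pw):
        problems.append("missing a symbol")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    for term in personal_terms:  # names, birthdates etc. supplied by the caller
        if term.lower() in pw.lower():
            problems.append(f"contains personal term {term!r}")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store (salt, digest): a fresh random salt per user unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def same_password_same_record(pw: str) -> bool:
    """True if two users with the same password would share a stored record."""
    _, d1 = hash_password(pw)
    _, d2 = hash_password(pw)
    return d1 == d2  # False: salting hides that two users share a password


if __name__ == "__main__":
    for pw in ("#wF3bg?S", "1mL84aD8wTeC!", "password12345", "eviecolin5/9/16"):
        print(pw, "->", password_problems(pw, ("Evie", "Colin")) or "OK")
    print("same stored value for same password:", same_password_same_record("#wF3bg?S"))
```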

Brute Force Attack

A brute force attack is simply when hackers use automated software to generate a vast number of consecutive password or PIN guesses. There are different types of software that hackers use to conduct a brute force attack; for example, a dictionary attack will try all the words in the dictionary, while another will try all the commonly used passwords made of a combination of letters and numbers such as password1234 or letmein5678.

Brute force attacks typically are very time consuming and require considerable computing machinery as well as manpower (a hacking group). Surviving a brute force attack once again may depend heavily on the strength of the password you chose. There is no clever algorithm that cracks the code here; it is simply the amount of computing machinery working at it and the number of combinations the software tries, hence the term brute force attack.

Phishing Attack

A phishing attack can come in various forms and typically (but not always) will follow a large security breach at a major company where user names, passwords, and other non-financial information have been compromised. A phishing attack is exactly what it sounds like: cyber criminals fishing for your personal information with some sort of lure, most commonly attempting to get your banking, credit card, social security number, mother’s maiden name or other highly sensitive personally identifiable information for the purposes of identity theft or other malicious criminal activity.

A phishing attack could come as an email, an advertisement with a link to click on, a phone call, or even correspondence by snail mail (postal service). When hackers breach a large entity, as in the JP Morgan Chase breach, and obtain personal information on 83 million accounts but no financial information, it’s almost a certainty that the pilfered information will be used by cyber criminals in some form of phishing scheme against the victims of the breach.

Phishing attacks used to be easily identified; they were typically an email or letter with improper grammar, misspelled words and an announcement of some sort that you have just come into a lot of money, and all you have to do is pay the taxes on your new found wealth, so all they need is your social security number and your credit card information, blah blah blah. Of course most people wouldn’t fall for that, but when you’re mass emailing 83 million people they will still catch some fish, believe it or not.

The phishing schemes of today have gotten much more sophisticated and harder to detect, and your best defense against phishing is awareness. Familiarizing yourself with the various types of phishing schemes is the single best strategy to prevent you from ever becoming a victim of one.

What Companies Do to Soften The Blow Of A Cyber Breach

Announcements from companies revealing that a cyber breach has occurred have become so commonplace you can probably recite the lines by heart, but below is what a company or entity that has inadvertently exposed your personal information due to a cyber breach should do:

  1. Investigation & Assessment – Immediately begin an internal investigation to secure the system network database, even temporarily shutting it down. Contact all appropriate law enforcement authorities. Engage the services of a competent forensic cyber security firm to investigate the origin of the breach, eradicate any intrusion tools or malware that may be present and operational, and make a plan of action to install necessary security protocol upgrades to existing security systems to prevent further attacks. Notify possibly affected banking and payment authorities if financial information has been compromised in the particular breach.
  2. Notification – Make a public announcement as quickly as possible (preferably within 24 hours of discovery of the attack) that a breach has occurred and that a forced system wide password reset is mandatory for all users of the site. If the company or entity does not require a password reset, you should reset your password anyway whenever there is any kind of security breach. Provide as much information about the breach as is advised by law enforcement and the forensic security team. Provide a toll free number for customer assistance, questions and concerns. Send emails to notify potential victims of the breach. Mail hard copy notification letters to possible victims who have current postal addresses listed with the company. Notify the media for broader outreach to help ensure possible victims are aware of the cyber breach as quickly as possible.
  3. Mitigation of Damage – When the cyber breach of a company or entity inadvertently exposes customers’ personally identifiable information, it is incumbent upon the company or entity to minimize the current and future potential harm to the breach victims where possible. This would include providing free identity theft protection and resolution services for 12 to 24 months to those who were affected. Providing a detailed FAQ web page for victims to access, addressing questions and concerns and giving tutorials on steps they can take to protect their identity, is highly favorable as well. Addressing the timeline of the incident, how it occurred and what has been done to reinforce security protocols since is also important information that should be relayed to the victims. Updating victims as to the current status of the investigation and who is responsible for the cyber breach is also advisable for victim resolution.

Protecting The Castle Is Everyone’s Responsibility

Naturally, the responsibility of keeping our personally identifiable information safe is not solely in our hands; if it were, that would make things a bit simpler. Short of completely removing yourself from the internet, and even that wouldn’t completely protect you, it’s just a fact we have to face. Of course we must diligently set and follow best cyber security practices and live up to them. But we must also make certain that the companies, web sites, and other entities that we give access to our precious kingdom deserve the keys. It will do you no good to have a sentry at the gate if there is someone in the kingdom letting enemies in the back door. Make certain the entities you trust with your information value and protect it as much as you do.
