- Why Should I Care?
- Stolen Credentials
- Data Breaches
- Phishing
- Bad Password Hygiene
- Identity Theft
- What Can You Do to Protect Your Accounts?
- Best Practices for Protecting Your Accounts
- The Big Picture
- Reference
- Data Breaches
- Hardening WordPress
This post was the basis of the talk I gave at WordCamp NYC 2019.
Why Should I Care?
Learn how much risk you face, and what you can do to protect your accounts from being compromised and yourself from identity theft.
Recovering access to compromised accounts, or dealing with the fallout of identity theft, is stressful, and the time lost doing so is time you will never get back.
Stolen Credentials
Stolen credentials are as valuable as cash to cybercriminals. Whether they sell the stolen data or use it to take over accounts, a single data breach can result in years of profit if cybercriminals are able to infiltrate multiple accounts.
Data Breaches
Data breaches have exposed users’ personal information, such as e-mail addresses, passwords, names, addresses, social security numbers, dates of birth, and credit card information.
Some notable data breaches/leaks where customer information was exposed are:
- The 15 biggest data breaches of the 21st century
- Equifax Credit Reporting (150 million)
- US Office of Personnel Management (OPM) (22 million)
- JP Morgan Chase (76 million)
- T-Mobile (2.5 million)
- eBay (145 million)
- Marriott (500 million)
- Yahoo.com (3 billion)
- Orvibo IoT Smart Home Devices Leaked 2 Billion Records
- 5 million personal records belonging to MedicareSupplement.com exposed to the public
In addition to data breaches/leaks, phishing attacks are becoming increasingly sophisticated, and that’s just the tip of the iceberg.
Phishing
Phishing is a fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. A phishing attack could even come from someone you know, without their knowledge, if their account or system was compromised.
Bad Password Hygiene
Stolen credentials are the number one cause of compromised accounts every year, and the problem stems from Internet users reusing the same, or similar, passwords across multiple accounts.
If you’ve used the same password, or a similar password, for your e-mail account that you’ve used on Web sites that were breached, then it’s a trivial exercise for a cybercriminal to take over your e-mail account. And once they have access to your e-mail account, all your other accounts are fair game. They’ll search your e-mail to determine which Web sites you’ve registered with, then request password resets from those Web sites, which get sent to your now compromised e-mail account.
Identity Theft
Identity theft is the deliberate use of someone’s personal data, usually to gain a financial advantage in the other person’s name, or to harm the person whose identity has been assumed.
Once identity thieves have your personal information, they can drain your bank account, run up charges on your credit cards, open new utility accounts, or get medical treatment on your health insurance. An identity thief can file for a tax refund in your name and get your refund. In some extreme cases, an identity thief might even give your name to the police during an arrest.
To learn more about identity theft, check out the Federal Trade Commission’s site at: IdentityTheft.gov.
What Can You Do to Protect Your Accounts?
Using multiple layers of protection is the best way to protect your online accounts, as nothing is 100% foolproof.
Best Practices for Protecting Your Accounts
Your time is valuable. Recovering access to your accounts after a compromise, if that’s even possible, will take far longer than making these changes before you get hacked:
- Enable Multi-Factor Authentication (MFA), also referred to as 2FA (Two-Factor Authentication), on all accounts that offer it. MFA/2FA requires something more than just a username & password to log in, e.g. a text message/PIN sent to your phone, or an authenticator device/app that generates a one-time code every time you log in. An authenticator app is preferred over text/SMS messages.
  - 2FA Directory: list of websites and whether or not they support 2FA
- Generate new unique strong passwords for every Web site and account.
  - A strong password consists of 4 or more random words, plus symbols and numbers.
  - A strong password consists of 12 or more characters, with upper and lower case letters, numbers, and symbols.
  - Alternatively, you can use a passphrase, like a sentence from a book.
- Use a password manager to store your passwords. Make sure to use a very strong passphrase to access your password manager. This is critical, because if a bad actor gets your master password, then you’ve lost the keys to the kingdom.
- Do NOT save your passwords in the operating system, Web browser, or your Google Account. Use a password manager.
- Do NOT click links or open attachments in unsolicited e-mails from people you don’t know, or in e-mails that seem out of character for your trusted contacts. It could be an attempt to phish you, or to install malware on your system.
- Create a new e-mail account that you never use for any Web sites, then set the new e-mail address as your recovery e-mail address for your accounts.
- When you set up responses to security questions on Web sites, do NOT use information that may have been exposed in a data breach, such as current or previous addresses, your date of birth, names of family members, previous schools, etc. Make sure to save your answers in your password manager.
- Never give out personal, banking information, or passwords in response to an unsolicited phone call, e-mail, text message or fax, even if the caller or sender identifies themselves as being from a trusted source, like your bank or credit union.
- Never allow someone access to your computer in response to a message in your Web browser, an unsolicited phone call, e-mail, text message or fax.
- Make sure all your devices, operating systems, and software applications are fully patched and up-to-date.
- Follow the Principle of Least Privilege by never running as an administrator/root user unless absolutely necessary. Use a standard user account for your day-to-day access.
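To put numbers on the two password rules above, here is an added example (not part of the original post) that generates both kinds of password with Python’s `secrets` module and reports their entropy in bits. The eight-word list and the symbol set are constructed for the demo; pass `list_size=7776` to rate a Diceware-sized list.

```python
import math
import secrets
import string

# Constructed sample word list. A real generator would draw from a large list
# (e.g. the 7,776-word Diceware list); the list size, not the words, sets the entropy.
SAMPLE_WORDS = ["anchor", "basil", "cactus", "delta", "ember", "falcon", "garnet", "harbor"]
SYMBOLS = "!@#$%^&*_=+?"  # constructed symbol set (12 symbols, no '-' so it never clashes with the joiner)


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `choices` options."""
    return length * math.log2(choices)


def meets_character_rule(pw: str) -> bool:
    """The page's second rule: 12+ characters with upper, lower, digits and symbols."""
    return (len(pw) >= 12
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


def random_words_passphrase(words, count=4, list_size=None):
    """The page's first rule: `count` random words plus a digit and a symbol.
    Returns (passphrase, entropy_bits); pass list_size to rate a larger word list."""
    chosen = [secrets.choice(words) for _ in range(count)]
    pw = "-".join(chosen) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)
    n = list_size or len(words)
    bits = entropy_bits(n, count) + entropy_bits(10, 1) + entropy_bits(len(SYMBOLS), 1)
    return pw, bits


def random_chars_password(length=12):
    """Random characters that satisfy meets_character_rule. Rejection sampling
    makes the true entropy slightly below the upper bound returned here."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS  # 74 characters
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_character_rule(pw):
            return pw, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    print("4 Diceware words:", round(entropy_bits(7776, 4), 1), "bits")
    print("12 chars from 74:", round(entropy_bits(74, 12), 1), "bits")
    print(random_words_passphrase(SAMPLE_WORDS, list_size=7776))
    print(random_chars_password())
```

Four Diceware words alone give about 52 bits, so the digit and symbol the page asks for, or a fifth word, is what lifts a word-based passphrase toward the roughly 75 bits of a 12-character random string.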
The Big Picture
One cannot escape the fact that data breaches have already exposed your personal information, and they will continue to happen.
Make the effort to understand, implement, and share what you’ve learned to protect yourself, and others, from the fallout of data breaches, phishing attacks, and identity theft.
Reference
- Password Managers
- r/PersonalFinance – Identity Theft Action Plan
- Principle of Least Privilege
- Nothing to Hide – The documentary about surveillance and you
- How a trivial cell phone hack is ruining lives: This is a personal security red alert.
- The Scrap Value of a Hacked PC, Revisited
- Phishing (Wikipedia.org)
- Whitepaper – Understanding the Underground Market for Stolen Credentials
- Identity Theft | Consumer Information
- Threatlist: 68% of Overwhelmed IT Managers Can’t Keep Up with Cyberattacks
- Hackers Stole our Camera! Learn to Protect your Gear & Photos
- Protecting Against Ransomware Attacks: A Checklist
- Chloe Chamberland, a Threat Analyst for Wordfence, talked about the specifics of hardening WordPress at WordCamp NYC 2019. Her slide deck and links are available at: http://ChloeChamberland.com/wcnyc/
- Check out these WordPress tips
Data Breaches
- Data Breaches Expose 4.1 Billion Records In First Six Months Of 2019 (Forbes.com)
- Hackers gain access to millions of T-Mobile customer details (2.5 million)
- The 18 biggest data breaches of the 21st century
- Have I Been Pwned? (HIBP) Check if you have an account that has been compromised in a data breach. (A Troy Hunt project)
- The SolarWinds cyberattack: The hack, the victims, and what we know (Summary)
- SolarWinds – ThreatWire w/URLs to additional coverage
- U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise
- Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- Security Now – Episode 797: SolarWinds (Skip to 1:38:17)
- “The SolarWinds Orion Platform is a powerful, scalable infrastructure monitoring and management platform designed to simplify IT administration for on-premises, hybrid, and software as a service (SaaS) environments in a single pane of glass.”
- T-Mobile confirms fifth data breach in three years
  - In an advisory published on its website, the telecoms giant warned cybercriminals had accessed customers’ names, driver’s license details, government identification numbers, Social Security numbers, dates of birth, T-Mobile prepaid PINs, addresses and phone numbers.
  - Scope of breach: 100 million T-Mobile users.
- Search: 2022 Data Breaches
- Search: 2021 Data Breaches
- Search: 2020 Data Breaches
- Search: Biggest Data Breaches
Hardening WordPress
You should do the following to harden your WordPress installation:
- Use an SSL/TLS certificate (LetsEncrypt.org).
- Force HTTPS only: redirect all http:// traffic to https://.
- Install a Web Application Firewall (WAF), such as Wordfence or Sucuri, that can help block malicious attacks.
- Make sure the firewall locks out a visitor who tries to sign in, or use the password recovery form, with an invalid username.
- Chloe Chamberland, a Threat Analyst for Wordfence, talked about the specifics of hardening WordPress at WordCamp NYC 2019. Her slide deck and links are available.
- How to Password Protect Your WordPress Admin (wp-admin) Directory
- Do not display usernames as authors of posts, pages, etc.
  - Create a “Nickname” for the user account which is not the same as the username.
  - Set “Display name publicly as” to the Nickname.
- If your Web site is not brand spanking new, then consider changing usernames.