The week of August 10, 2014

How to tell if you’ve been hacked—and what to do about it

By Aaron Sankin

Welcome to 2014—you’ve been hacked.

Well, maybe you haven’t been yet. There are some people who have managed to avoid having one of their online accounts compromised, but among regular Internet users, those people may be closer to the exception than the rule.

Rarely a week goes by without news of an organization having its customer or employee data compromised—either through a malicious attack, accidental disclosure, or new vulnerability found in a security protocol. Even the government database containing information on all federal employees was recently compromised by Chinese hackers. Virtually no one is truly immune.

According to the Identity Theft Resource Center, there have been at least 4,643 recorded data breaches since 2005, which have exposed over 633 million individual user records in the United States alone. Other reports have noted that 13 million U.S. consumers were victims of identity theft in 2013, with the majority of those incidents stemming from data breaches. The U.S. Bureau of Justice Statistics found that, the previous year, American identity theft victims suffered over $24.7 billion in losses—a number higher than burglary or auto theft.

Yet, for every Heartbleed or Target credit card debacle that captures major media attention, there are infinitely more that fly under the radar. Not all of these breaches are necessarily catastrophic—often it’s just something as simple as names and email addresses. However, by assembling a bunch of discrete data points about an individual, a dedicated hacker can often gain the information he or she needs to do some serious damage.

Knowing that your personal data has been compromised or your identity has been stolen is an important first step. There are a number of immediate actions you should take to limit the potential damage, but without timely knowledge of the breach, starting that process is impossible.

“It’s in the attackers’ best interest for the breach to remain hidden,” explained Roel Schouwenberg, principal researcher at cybersecurity firm Kaspersky Lab. “In today’s world there are many different services and devices that can get compromised. We see announcements of major data breaches on an almost weekly basis. Without those announcements, it’s often hard to tell where the possible data leak resides.”

One of the best places to get those announcements is through a mailing list hosted by the Identity Theft Resource Center, which sends out regular emails detailing all of the data breaches the organization has seen in the previous week.

“Generally, the best way to tell if your device has been compromised is to run anti-malware software and conduct a scan,” Schouwenberg said. “If malware is found, there’s a very high chance data has been compromised. For online and physical services, it’s not so easy. Checking your credit card and bank statements should allow you to spot most financial fraud.

“There’s only one type of data you can be sure about that hasn’t leaked: non-existing data,” he added. “It’s impossible to tell otherwise.”

Reset your passwords

So, you’ve realized you’ve had your online data compromised. What next?

First, take a deep breath. It happens. It’s not the end of the world and, in many cases, won’t even be a big deal. The most important thing to do is change the password to whatever service was compromised.

If you used that same password for any of your other online accounts, change those too. And then, when you reset those passwords, don’t do that again. If someone knows your name, password, and email address, it’s far easier for them to get access to everything you supposedly do securely online than if you use a unique password for each site.

There are two schools of thought for setting strong passwords. The first is to outsource it. The most commonly used passwords for 2013 were “123456,” “password,” and “12345678,” all of which are inexcusably terrible. There are a handful of password managers, like the free-to-use KeePass, that can do all of that heavy lifting for you. Password managers are programs that let users keep track of complex, discrete, virtually impossible-to-crack passwords that are all unlocked by a single master password.

However, password managers have their drawbacks. If a hacker successfully attacks your password manager, you’re pretty much screwed, because they suddenly have instant access to every password you have. A recent study found major defects in a number of popular password managers that could potentially allow attackers to steal users’ passwords without leaving a trace.

The other method is to lovingly handcraft all of your passwords on your own. Things to avoid while creating new passwords are personal information (such as the names or birthdays of family members), words that can be found in the dictionary, simple patterns like “qwerty” or “123456”, and series of repeated letters or numbers.

Instead of using the complicated series of random letters and numbers that seem like the platonic ideal of a good password but present the problem of being impossible to remember (e.g., “irj78c$$f7B”), use a passphrase. Passphrases are combinations of words, numbers, and symbols that are longer than 20 characters and make actual, logical sense to a real, live human being.

The length is what’s really important here: Having a long string of diverse characters makes it really tough for a computer just trying random combinations to crack. The advantage of using a complete phrase is that, while being secure, it’s also easy to remember. A solid passphrase would be “ThanksKernel4MyNewPassword!”—something significantly less unwieldy than “irj78c$$f7B”. (Pro tip: Don’t actually use that exact phrase as your password.)
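To show why length dominates the brute-force cost, here is an added checker (not part of the original article) that applies the article’s own rules to a candidate password and estimates the guess space for the two examples above; the word lists and the 10 billion guesses-per-second rate are constructed assumptions for the demonstration.

```python
import math
import re

# Constructed sample lists for this example; a real checker would load a
# full dictionary and a list of leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "12345678"}
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "letmein"}
KEYBOARD_PATTERNS = ("qwerty", "123456", "asdfgh")

def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must try, judged from the classes used."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"[0-9]", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33   # printable ASCII symbols
    return size

def search_space_bits(pw: str) -> float:
    """log2 of the guesses needed to exhaust every string of this length and charset."""
    return len(pw) * math.log2(max(charset_size(pw), 1))

def brute_force_years(pw: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the space; the guess rate is an assumed figure."""
    return 2 ** search_space_bits(pw) / guesses_per_second / 31_557_600

def problems(pw: str) -> list:
    """Return the article's rules that the candidate password breaks."""
    low = pw.lower()
    found = []
    if low in COMMON_PASSWORDS:
        found.append("one of the most common passwords")
    if low in DICTIONARY_WORDS:
        found.append("single dictionary word")
    if any(p in low for p in KEYBOARD_PATTERNS):
        found.append("contains a keyboard or number pattern")
    if re.search(r"(.)\1\1", pw):
        found.append("run of repeated characters")
    if len(pw) < 20:
        found.append("shorter than a 20-character passphrase")
    return found

if __name__ == "__main__":
    for pw in ("123456", "irj78c$$f7B", "ThanksKernel4MyNewPassword!"):
        print(pw, round(search_space_bits(pw), 1), "bits", problems(pw))
```

The character-level estimate is an upper bound: an attacker who guesses whole words instead of characters does far better against a phrase of plain dictionary words, which is why mixing in numbers and symbols still matters.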

When you’re resetting your passwords, it’s important to do it from a secure computer that’s been recently scanned for malware. Otherwise, you run the risk of entering new passwords on a system that has a program installed that covertly records all of your keystrokes.

Red alert

ITRC President Eva Velasquez notes that the next thing to do is place a 90-day fraud alert with the three credit reporting agencies—Equifax, Experian, and TransUnion—as well as starting to regularly check your credit reports and credit card statements for suspicious activity. If you find anything fishy, cancel the affected credit card and order a new one.

Protect yourself

The question remains: How do you prevent this sort of thing from happening in the first place?

Noted cybersecurity expert Bruce Schneier has famously said, “Only amateurs attack machines; professionals target people.”

Cracking a well-constructed password with a brute force program can take years of nonstop effort, but tricking a poor rube into handing over his or her password can be accomplished in seconds. Avoiding what are called “phishing attacks”—the act of tricking someone into giving up personal information by imitating legitimate entities—can be difficult, but there are concrete steps you can take: Keep your antivirus programs up to date; use two-factor authentication (in which a PIN is sent to your mobile device) whenever possible; don’t click on links in any odd-looking emails, even from trusted friends and family members; and check website URLs to ensure that you’re only entering sensitive information over encrypted websites—ones with addresses starting with “https” rather than “http.”

Next steps

Being proactive against hacking and identity theft seems like a good idea. An ounce of prevention is worth a pound of cure, right?

However, that idea does have its apostates.

A 2009 study by Microsoft researcher Cormac Herley titled “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users” argues that most Internet users are being entirely rational in their decision to use weak passwords and routinely ignore most cybersecurity advice.

“The advice offers to shield … [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort,” Herley argues. “If users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses.”

The paper continues:

“It makes little sense to invest effort in password strength requirements if phishing and keylogging are the main threats. It does not pay to learn URL reading rules to recognize phishing sites when the direct losses borne by users average less than a dollar a year. It’s hard to blame users for not being interested in SSL and certificates when (as far as we can determine) 100% of all certificate errors seen by users are false positives.”

So maybe take all of this with a grain of salt.

Illustration by J. Longo