Sunday, 9 September 2012

What Hacking Victims Need To Know


If you use a website or online service that has been hacked, there are a number of risks that you're now exposed to.

Depending on the level of access gained by the hackers and the information they were able to glean, you could be exposed to some or all of the following:
1. Credit Card Fraud
Issue: If the site holds your credit card information then the hackers may have gained access to it. Most sites follow PCI-DSS guidelines but there are still online service providers who aren't very good at security and don't protect their customers correctly.
Risk: Your current credit card details were stolen and the hackers have been able to decrypt and use them or sell them on.
Precautions: Keep an eye on your credit card statements and notify your card issuer of any suspicious or unauthorised transactions. Alternatively, if you're very worried you could cancel your cards and get new ones. It's also possibly worth keeping an eye on your financial history and credit rating via someone like Experian to make sure you haven't been the victim of further fraud.

2. Identity Theft
Issue: If a lot of data was harvested in the attacks such as user names, passwords, email addresses, home/office addresses and dates of birth, then the hackers have access to a lot of potentially useful ID information.
Risk: The criminals behind this kind of attack are after exactly this type of information which they can use themselves or sell on to other professional ID thieves. You could become the victim of partial or full identity theft. This could put you at risk of significant financial loss or reputational damage and could cost you a considerable amount of money to put things right.
Precautions: Fairly similar to credit card fraud - you need to keep an eye on all your credit, bank and other financial transactions. In addition, it's a good idea to check your history on a regular basis and possibly even take out ID theft insurance - but check with your provider that you're covered retrospectively, otherwise you could be paying out for nothing.

3. Online Compromise
Issue: The hackers have gained valuable information on users, including usernames and passwords. Many users use the same username and password credentials across many different online and offline services. This can range from services such as Hotmail and Gmail to Facebook and your online bank account.
Risk: If you reuse the same credentials across multiple platforms and one of them is compromised then they are all at risk - it is only a matter of time before your other services are accessed. This can lead to a whole host of problems, from someone posting questionable "status updates" on Facebook or Twitter in order to lure your friends to a compromised website, to them attempting to access your online banking, or even taking over your whole online existence.
Precautions: Change your passwords! Don't reuse the same passwords on multiple platforms, particularly social and financial systems. And don't always trust that your friend is the only person using their social networking account - it may have been compromised.

4. Social Engineering
Issue: The number of people who have had some or all of their account details compromised makes it very attractive to criminals attempting different approaches. Some will use the simple ID theft and credit card fraud approaches. Others will attempt to gain access to other online resources. Yet another set may attempt to "socially engineer" the individuals concerned - which essentially means to "con" them into giving out other details by making them believe they are being contacted by a legitimate organisation.
Risk: You might take a call or receive a letter, email or social media contact informing you that you're the victim of a hack or some other related issue. If this happens you will be asked to prove you are the person concerned, and so you will be asked for other "security" details. All of this information can be used to further compromise you financially, steal your identity or access other online resources.
Precautions: Don't take off-the-cuff calls or other contact at face value. Be suspicious. Tell the caller that you will call them back, get their name and office details and then call the main switchboard number of the company they claim to be from. Do the same for emails and letters. Remember, no legitimate organisation will ask you for your full password or PIN number for an account.

This kind of attack, particularly where major corporates are targeted, is likely to occur more and more as service providers offer ever-increasing services to an ever-growing online community. All anybody can really do is defend themselves to the best of their ability and take precautions to limit the damage that can be inflicted.

What we also need to do is force online service providers to improve the security of the services they provide. Designing them with security in mind from the start rather than implementing security as an afterthought would be a start.

Lee Hezzlewood is the founder of Secure Thinking, a UK company providing specialist services in Data Protection and Cyber-Security.

