You can be the most security-conscious PC user ever, but that makes no difference when hackers steal millions of people’s details from websites and buy and sell these for everything from tax fraud to cloning cards.
Barely a month goes by without at least one major company announcing it has fallen victim to hackers. Tesco, eBay, Sony, LinkedIn, Evernote, Adobe and Domino’s Pizza have all been victims of cyber-criminals, leaving the private details of their users at risk.
Cybercrime has changed and it means that staying safe is much harder. Hackers go after big companies and massive amounts of information which means it’s harder for you to take control of your data. You can - but you have to be alert.
For users of these sites, it’s not always clear what sort of risks they face - or even what a “data breach” might really mean. Much of the advice on offer is complicated and companies often simply don’t know enough to be able to keep you safe.
Stolen passwords aren’t used right away to break into your accounts: instead, gangs will use software to break the encryption. One gang, known as “Cybervor” (“Vor” is thief in Russian) had a haul of 1.2 billion usernames and passwords, stolen from 420,000 sites.
This data will be used to break into sites to create false identities and for credit card fraud. Decrypting passwords takes time and a lot of computing power, so users may not be affected until months later.
Visit the company website, blog and Twitter feed
In the case of a major breach, these will be your best sources of information and advice. Most companies know that keeping customers updated with information and advice will ensure the damage to their reputation is limited. Watch out in particular for updates telling you WHAT information has leaked - this can help you decide what to do next.
Do not trust the first details you hear
Often the company itself will be unaware of the scale of an attack or how it happened. The first reports you hear may not be accurate, or may even be played down by executives keen to minimize damage to the firm’s reputation. American retailer Target, for instance, badly underestimated the number of people affected.
Read any emails you are sent by the firm - but be careful
Companies will often send out emails to victims of such attacks - particularly if not all their customers were affected. It’s common for companies to force a password reset if that information was stolen. But be careful. Cybercriminals send out fake versions, often very quickly. If in doubt, check the company website. Does it mention that passwords are being reset? Check the address the email came from: if it looks suspicious, don’t click. If you are asked to change your password, type the web address in yourself and find the page - that way, you’ll be safer.
If you’re not emailed, don’t assume you’re not affected
Many companies deal with breaches via emails to the specific users who have been affected. If you don’t receive an email, you should not take this as assurance that you are safe. The full extent of leaks often comes out long after the breach itself. Follow the steps below - even if you were not emailed.
Don’t imagine “encrypted” means “locked up”
There are various levels of encryption - but none are unbreakable. It just takes time. Companies will reassure customers that data was “encrypted”, but criminals will immediately use software to break the encryption by guessing passwords one by one (known as a “dictionary attack”). This is why passwords such as “Password1” or “123456” - currently the two most common - are a bad idea. Password crackers will guess those first.
Phrases such as “salted and hashed” don’t mean “safe”, either
These are techniques which make stolen password data harder to guess, but it’s still not impossible. Again, it just takes more time. When companies use such words, they’re relying on customers being reassured by the technical-sounding phrases.
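To make the last two sections concrete, here is a small added example (not code from the article or from any of the companies it names). It builds a constructed three-row “leaked user table” two ways: with a bare fast hash, and with a per-user salt plus a deliberately slow hash (PBKDF2). It then runs the same short constructed wordlist against both. The user names, passwords, wordlist and iteration count are all made up for illustration; the point it shows is the article’s: salting and slow hashing raise the cost per guess, but a password that is in the wordlist is still recovered.

```python
import hashlib
import hmac
import os

# Constructed wordlist, in the order a password cracker would try it (most common first).
WORDLIST = ["123456", "Password1", "qwerty", "letmein"]

# Constructed sample accounts; only the first two use passwords that appear in the wordlist.
SAMPLE_USERS = {
    "alice": "Password1",
    "bob": "123456",
    "carol": "correct horse battery staple",
}

ITERATIONS = 10_000  # kept low so the example runs quickly; real sites use far more


def hash_unsalted(password: str) -> str:
    """A single fast hash with no salt: the weakest way a site can store passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user salt plus a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def guess_unsalted(leaked_hashes, wordlist):
    """Without salt, hashing each candidate once covers every leaked row at the same time."""
    lookup = {hash_unsalted(w): w for w in wordlist}
    found = {user: lookup[h] for user, h in leaked_hashes.items() if h in lookup}
    return found, len(wordlist)  # second value: number of hash computations needed


def guess_salted(leaked_rows, wordlist):
    """With per-user salt, every candidate has to be re-hashed separately for each user."""
    found, work = {}, 0
    for user, (salt, stored) in leaked_rows.items():
        for candidate in wordlist:
            work += 1
            if hmac.compare_digest(hash_salted(candidate, salt), stored):
                found[user] = candidate
                break
    return found, work


def run_demo():
    """Build both kinds of leaked table from the constructed users and try the wordlist on each."""
    unsalted_table = {u: hash_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted_table = {}
    for user, pw in SAMPLE_USERS.items():
        salt = os.urandom(16)  # a real site stores the salt next to the hash
        salted_table[user] = (salt, hash_salted(pw, salt))
    unsalted_found, unsalted_work = guess_unsalted(unsalted_table, WORDLIST)
    salted_found, salted_work = guess_salted(salted_table, WORDLIST)
    return {
        "unsalted_found": unsalted_found,
        "unsalted_work": unsalted_work,
        "salted_found": salted_found,
        "salted_work": salted_work,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Running it shows the two accounts with wordlist passwords recovered in both tables. The unsalted table falls to one hash per candidate for the whole table (and identical passwords would show up as identical hashes); the salted table needs a separate, much slower computation for every user and candidate. That is the “more time” the article refers to, and it is why a strong, unique password matters regardless of how the site stores it.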
Change passwords immediately
Don’t just change it on the site that’s been hacked. Change it everywhere you might have used it. Cybercriminals are organized gangs who will test the name/password combination on other sites, such as email and banking sites worldwide.
Stay in contact with the company
It’s wise to stay in touch. This is not only to ensure you know the full extent of the details that were leaked (if any additional information comes out later), but also to ensure you benefit from any offers the company makes to fraud victims. Insurance against identity theft and card fraud is common, and many firms offer free monitoring.
Beware of tax fraud and identity theft
Many breaches also involve the theft of data such as your email address, physical address, phone number and date of birth. Leaks from government departments can reveal previous addresses and even social security numbers. These can then be used for tax fraud - an increasingly common form of fraud in the UK. Last year, email fraud relating to tax rose 50% in the UK. Tax authorities communicate via post to prevent fraud. Gareth Lloyd, HMRC’s head of digital security, said: “HMRC never contacts customers who are due a tax refund via email – we always send a letter through the post.”
Stolen details can also be used for phishing
When hackers get away with information such as home addresses, phone numbers and places of work, it allows gangs to craft convincing phishing emails. In this year’s Microsoft Computer Safety Index Survey, polling 10,000 consumers, 15% said they had been victims of phishing, losing on average £95 each.
Change your card
Contact your bank for this, and cancel the card quickly. Password cracking can take a significant time, so it’s worth watching your account for fraud for a long time after the breach itself. Criminals may also not want to ‘flood the market’ with cards (which are sold as codes on hacker websites), so as to keep prices high.
Change your PIN
The software used to steal credit and debit card data directly from the terminal which swipes your card can also steal your PIN code. This data will be “encrypted” (see above), but criminals will work hard to break it. Such information could be used for fraud even if a card is replaced. Call your bank, and change the PIN to be safe.
Fraud? Contact your bank
If your card HAS been used fraudulently, contact your bank and explain the situation. The bank is responsible for reimbursing funds that may have been lost. If they do not, contact the police’s Action Fraud.
Check your credit report
If you’re worried, contact a credit agency and check whether anyone has used your details to attempt fraud. You can also “freeze” your credit, so no one can borrow money in your name - most agencies offer this service. CallCredit, Experian and Equifax are the main companies in the UK.