You receive an email about resetting your password. Then you see a rumor in the news. Then sometime in the next 30 days, the Business has an announcement saying that, despite their great security, and it really is the best, somehow a sneaky hacker found a way into one of their servers and through some technical magic, which they totally couldn’t have prevented, stole all of your information. The Business doesn’t know the extent of the glitch, they won’t call it a breach yet, as that has legal ramifications, but they are sure it’s minimal. Finally, they reveal that the breach was much larger than they expected.
It’s happened to all of us, and sadly, it will happen again. We can’t stop breaches including our data any more than we can stop the wholesale buying and selling of our data. But the question is, what if anything can we do about it.
Well, that’s the good news, because not all hope is lost. People can recover from a hack and come out the other side stronger in some ways. Not only that, but there are a series of repeatable steps that can be followed, eventually building up your security muscle memory until security recovery becomes second nature.
Let’s say that you have an account at ACME and they were just breached. Here’s all you need to do: PANIC!
No, more like P.A.A.N.I.C.
P: Reset your password
Most security-minded businesses should automatically reset your password if they have a breach, but since they were just breached, we can’t really expect ACME to be security minded, can we? So the first thing that you need to do is to go to the ACME service and reset your password. There should be a convenient link near the login screen, something like “Forgot your password?”. It should send you an email with further instructions on how to reset your password.
If it’s a company that’s bad at security or bad at technology in general, it might just email you a new password. As anyone and their cousin could have watched that email float through the Internet, you’ll want to change that new password at ACME ASAP.
A: Change your stolen password at all sites
Are you the type of person who likes things to be easy? Maybe you use your birthday for your locker combination or your parent’s phone number as your credit card pin? Then you are probably also the type of person who uses the same password multiple places. Or even worse, you have one email and one password that you use everywhere.
Well, if that’s the case, then a Hack Notice Day is an especially bad day for you. Because now that hackers have your credentials for ACME, which means that they now have your credentials for everywhere. The technical term for this is FUBAR and a Hack Notice Day just turned into Change My Password at Every Website Day. Because that’s what you’re going to do…all day long…and it’ll be surprisingly difficult.
What’s even worse is that you need to change your password, and change it right now. Like, drop everything right now. Working with a social networking company (not saying which one), we found that resetting passwords within an hour of them showing up in the hacker community, we were able to cut down on account takeovers by 25%. So sooner rather than later can mean the difference between your account being stolen or not.
Still not convinced that you need to reset your password a few dozen times today? Let’s talk about what hackers do when they get your credentials from the ACME data leak. They share them. They post them publically and allow tens of thousands of other hackers (and security professionals like us) to see them. That hoard of hackers then take those credentials, load them up into one of the many brute force programs, and try them against some of the most popular banking, payment, and social sites. So when your password was stolen from ACME, it became a race against time between you and a hoard of angry password robots. My money’s on the robots (I always bet on the robots).
So, make a list of the banking, financial, social, email, gaming, shopping, etc. sites that you use and go through them one by one, resetting and changing your password.
This is also a good time to advise that you should never, ever, reuse the same password between websites. Go ahead and make each password different as you reset them, you’ll be happy you did when you receive another Hack Notice next week.
Extra Security Note
If you want to be extra secure, you should use a unique email per website. Did you know that with common email providers (like Google), you can add a “+” to the end of your email and it’s still valid? So you could set your email for ACME to firstname.lastname@example.org, and your email for Facebook to email@example.com. There might be some site-specific restrictions, but as much as you can make your credentials different from site to site, the safer you will be.
A: Turn on Two Factor Authentication (2FA)
There’s two A’s in P.A.A.N.I.C, and the second one is for the second factor of authentication. Isn’t that fun? Well, it’s about the only fun thing about 2FA, which everyone should use, but also everyone (secretly) hates. It’s the best bad solution that we have.
You see, when the security community was trying to deal with the password problem, they came up with 2FA, which has the shorthand “something you know, and something you have (or something you are)”. That makes sense, it’s way harder for a hacker to pretend to be you if they need your phone and your password to pretend to be you, right? Well, mostly.
The problem isn’t in the logic, which is sound. The problem is in the implementation. Hey, did you like it when you had to come up with a unique password for each of those websites? Wouldn’t it be great if you not only had to come up with a unique password but also set up a unique TOKEN GENERATOR as well? Not only that, but the token expires every 30 seconds. Wouldn’t it be great if you had to type in your password, and a token, and you only had 30 seconds to do it in? It’s like Guitar Hero, but without the guitar, or the music, and if you don’t press the keys in time, you can’t access your bank account.
It was pretty naive to believe that 2FA, which is way harder than one-factor authentication, would save us all from account takeovers when the reason so many accounts were being taken over was that people were too lazy to come up with more than one password. I say this with love, as one of the people championing 2FA.
So, we all hate 2FA to varying degrees, but it’s the security equivalent of flossing: you still need to do it. So go to ACME and turn on 2FA, if they have it. If they don’t have it, it’s time to write them a nasty-gram asking why they don’t have 2FA. Feel free to site a random ISO standard and how their “lack of compliance borders on negligence”.
N: Notice what has been stolen
Now that we’ve taken some steps to prevent account takeover, it’s time to take note of what the hackers stole. What information did you give ACME? If you don’t know, ask them. It’s safe to assume they had your name, email, password. But how about a home address, phone number? Credit card number(s)? Social Security or other government ID number(s)?
Account takeovers are not the only threat people face when they are in a breach. In fact, hackers break into companies hoping to find information to sell, which is financial information or identification that can be used to commit fraud/identity theft.
Did you just have your credit card number stolen? It’s time to report the card as stolen and get a new number.
Social Security Number?
Did you just have your social security number stolen? Well, be prepared for a lifetime of panic attacks and checking your credit score at odd hours at night, as there is very little you can do about a stolen social security number. You only get one, so get used to it being public.
Still not sure what has been stolen? That’s where digital identity monitoring services (like HackNotice) come in. You can put in your email address, usernames, and other digital identity items into your watchlist and we will tell you what we see being shared in the hacker community. We will also alert you to any new pieces of information about you that are being shared as we see them.
Beyond digital identity monitoring services, there are some credit monitoring services (like Credit Karma, which is free), or identity theft monitoring services (like LifeLock, which is not free), which can be used to help ease your mind about what hackers might or might not be doing with your information.
None of the above is going to catch 100% of the hacker/fraud activity. You could do all of the above and still be the victim of fraud or identity theft. The above will help reduce your risk and better prepare you for what to do in the case that you do end up as a victim. In the end, sometimes we can never remove all of the risks.
(This is written for the US market, but it’s safe to assume the fraud technique could still work with other government agencies)
Unfortunately, hackers have figured out how to combine your two favorite things: dealing with the IRS and financial fraud. See, some smart hackers that probably spent too much time reading through the IRS tax code figured out that if they could steal your social security number, they could file a bogus tax return, make it look like you are owed a huge tax return, and then collect your tax return on your behalf. So nice of them, right?
The problem is that once the IRS accepts a tax filing, they really aren’t set up to deal with people sending in a second, entirely different tax filing unless it is a corrected tax filing, and in which case you’ll have to explain why you need to correct your first filing. Further, the IRS is optimized to take in a massive amount of paperwork, usually, all coming at the last minute, and processing it.
So dealing with IRS tax fraud by hackers is a nightmare situation. Can you call the IRS and find out if you have already filed your taxes? I have no clue, from what I’ve read online, maybe. Can you lock down your tax return with some sort of code? Not that I know of.
The best advice everyone has is “file early”, but since you have to wait for W2, 1099s, 1098s, S4, etc. before can file, that’s not really actionable advice.
The best advice I can give you: If you go to file your taxes and you get some weird responses from the IRS, pay attention, it might be fraud.
C: Freeze your credit
Finally, the last step.
Not planning on getting a new credit card? Not refinancing your house or taking out a mortgage? You need to freeze your credit.
The good news: You only need to freeze it with three different credit agencies. You will be issued a pin that you can use to then “thaw” your credit when you need to use it. It’s like 2FA for your credit report!
The bad news: Freezing your credit may cost you money, and you may need to pay to “thaw” your credit every time you submit an application for credit and credit dependent services. But recent legal changes should make thawing your credit free, probably. So you would only have “thaw” your credit at each use.
The FTC provides guides for each credit agency, so instead of repeating what they say, you can learn more about how to take the steps here: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
More bad news: There might be a 4th agency that you should also freeze your credit at, the NCTUE. They do…stuff. Here’s their information:
NCTUE Security Freeze
P.O. Box 105561
Atlanta, GA 30348
And that’s it! See, easy! You’ve recovered from the ACME breach, and if you aren’t more secure, you certainly know more about how insecure you are.
If you would like a service that provides you with hack notices, leak notices, and helps you keep track of these security recovery steps, you can sign up for HackNotice (free!), or learn more about HackNotice.