Instead of sugar for your coffee, we're offering some info and tips on how to protect your identity. This is an especially timely issue, since the internet has become a veritable bazaar for identities and access data for various platforms. And the selling prices are cheap. Keep your data safe.
I understand "identity" to refer to combinations of email addresses including usernameor alias and passwords, because such combinations often provide access to other relevant data such as real names, home addresses, dates of birth, etc.
Need an example? In November of last year, Disney launched a new streaming service. Within just a few hours after it had gone online, access data for it were being offered for sale on the internet. My team and I took notice, wondering how the service could have been compromised so quickly. After all, it is our job to protect customers against all types of online abuse.
According to ZDNet, a business technology news website, the Disney access data were being offered at prices ranging from 3 to 11 US dollars – or for little more than the price of a coffee to go. In other words, the rates were temptingly affordable.
But why would hackers want to make such data available at such low rates? And why is it so easy for them to do that? In my experience, hackers steal identities or access data for a number of different reasons. Here are two of them:
Money! It's always about money
With access data, a hacker can gain access to a wide range of different accounts. By accessing other people's accounts, he can access services for free. He can order products, for example, or – as in the Disney example – watch videos from a subscription-based service.
When hackers get lucky, the access data they steal can provide access to additional useful data, such as address and date-of-birth data. In my experience, such cases happen all the time; they're a mass phenomenon. Once a hacker gets inside another person's email account, additional security measures won't help the victim. The "second factor" that many authentication systems use is then no obstacle whatsoever. This is the case, for example, when a code is delivered and requested by email.
In many cases, hackers do not use stolen data themselves, however. Instead, they offer it for sale on the internet, in "combo lists," which are collections of username and password combinations. The prices for such lists, like the prices for many other types of products, depend on the quality being offered. And quality criteria include such factors as the victims' nationalities and the platforms for which the data are valid. Access data for an online-banking account in Germany, for example, will be considerably more expensive than a username and password combination for a social media platform in Asia. This makes sense, to some extent.
We appreciate your encouragement
Small laptop, big ego – an oft-seen correlation! Be aware that hackers also have an affinity for "followers" and "likes." In hacker forums, reports on successful illegal penetrations of major platforms quickly go viral. They can give hackers their "5 minutes of fame," so to speak. And they provide plenty of motivation for further hacks. Such reputation-oriented hype is another reason why stolen data get distributed again and again. Old access data often resurface and get hawked as "brand new."
How can we protect ourselves? It's really quite easy
Every day in my job as a fraud manager, I come across all kinds of reasons why hacks succeed. I find outdated programs with security vulnerabilities. Unpatched versions of Windows are a prime example. And I come across databases with no security whatsoever. I even encounter cases in which users get influenced or manipulated via phishing, for example. As a psychologist, I find such influence and manipulation especially interesting, and I'll discuss it in detail another time.
In addition, I often see cases in which no sophisticated plan is involved – the mechanism at work is simply all-too-human behavior and force of habit. Laziness also comes into the picture. All of us like to use shortcuts. But many platforms require us to formally log in. Out of habit, we keep using the same old passwords, without taking the time and trouble to learn about principles for good passwords. When your "favorite password" finds its way onto one of those combo lists, your fate can be sealed. Such a password opens many – too many – doors at once. Computers today can run through and test such lists in seconds. Entry by entry. Suddenly, it's not just your email account that has been compromised. Your social media accounts are in trouble, too. This is why I like to say that habits often stand in the way of security.
We help out wherever we can
In sum, this is about protecting your identity/identities. This includes your email account, your social media account(s), your bank account(s), and more. Every day, I literally see hundreds of cases in which people have been victimized by such identity theft. So please take it from me: use a separate password for each identity and each account. That is easy to do, but I know it can also get tiresome. I'm also well aware that the advice I'm offering here is not new. I'm offering it nonetheless, because it's so important! Note that there are tools to make the task easier. All kinds of "password managers" are available in your favorite app store. Password managers have certainly made my life much simpler. I'm also happy to offer tips on how to construct passwords that are both effective and easy to remember.
My team and I, along with many colleagues at DT Security, keep working to protect all of our customers. Day in and day out, we work to find combo lists with stolen identities and then assist any of our customers who might be affected. With such efforts, we help to make cyberspace a little bit safer for its users.
Are you still confused about the whole issue of passwords and password rules, or do you have any pressing questions about it? Then please write a comment under this blog – and I'll do my best to answer promptly. And I'll be happy to take the opportunity to report soon about the topic of passwords in general – and, specifically, about passwords at Deutsche Telekom. As part of that, I'll also discuss the "user behavior" aspects I mentioned above.