Locals At Risk Due to Data Breaches – How to Protect Yourselves 

A data breach that occurred in 2021 could be affecting readers today. On the dark web, a hacker named ShinyHunters is attempting to sell personal data of 73 million people who were customers of AT&T. After initially denying the data was theirs, AT&T confirmed that the data appears to be from 2019 and impacts approximately 7.6 million current AT&T account holders and 65.4 million former account holders. The data includes names, addresses, phone numbers and, for some, even Social Security numbers (SSN) and birth dates. Additionally, the security passcodes for 7.6 million accounts were also leaked. If you were a DirecTV customer, your data may be included. The subscriber base at the end of 2019 was almost 202 million subscribers, so it appears to be a partial data dump.

At this point you may be thinking, “Big deal, that was 5 years ago. What use could that information be for hackers?” Good question. There is a treasure trove of data that hackers can use that may impact you. First, hackers could have access to your current account if your security passcode has not changed since then. AT&T is aware of this and is reaching out to these customers. Hackers can also use phishing and other social engineering techniques, claiming to be AT&T support. If you get an email or SMS text from someone claiming to be an AT&T representative, we recommend that you go “out of band” instead of replying or clicking the link. Go to the AT&T website that you know is valid and contact them through the methods provided there.

One of the biggest dangers of this breach was the stolen SSN and birth date information.  Along with your name and address, hackers can apply for credit cards in your name and run up debt in your name.   Hackers can use your SSN to access your bank accounts.  They could pose as you with the bank’s customer support performing fraudulent transactions and transferring funds.   Using your SSN, a hacker can access your credit reports and subsequently apply for a loan for themselves in your name.  There’s more, but you get the point. 

Vigilance is the optimal option.  We recommend setting up multi-factor authentication on all accounts that offer the option.  Your bank and your credit cards definitely have this available.  It is a little more work to access your account but more than worth the effort. Most accounts use a username and password for access.  Multi-factor authentication uses a second method to verify that the user is authorized.  This may come in the form of a code sent via email or text or using an application like DUO or Authenticator.  Monitor your credit card and bank accounts regularly.  Report suspicious activity right away.  Consider using credit monitoring services. 

Of course, good cyber hygiene with your passwords is always recommended. Do NOT reuse the same password on multiple sites. That makes it very simple for hackers to try that password on other accounts. If your information was part of a breach, change your passwords. To see if your email address has been involved in a breach, visit https://haveibeenpwned.com and enter your email address. The site provides a list of breaches the account was involved in.

If the AT&T hack is too old to have you concerned, Circle K was hacked in January of this year. Loyalty data and partial credit card information were revealed.

Don’t think that you are not a big enough target. Hackers go for the low-hanging fruit. If it’s too easy to pass up, they will not. The old adage, “an ounce of prevention is worth a pound of cure,” rings very true in the cyber world.

You can view the original article from the Sierra Vista Herald here.

Passwords Are Like Dental Floss

Flossing is Hard: Passwords are the dental floss of the internet. They take precious time to use, everyone hates them, they cause mild discomfort, and the consequence of negligence could spell doom. Not immediate doom. But eventual and inevitable doom. Oh, and by the way, China knows your password! Your favorite one. The really complex one you made up 6 years ago that combines your sister’s phone number, your son’s birthday, and the exclamation point at the end. They also know your other favorite one. “Sweetie”.

Password Strength: Last week I gave you a tripwire you could use to foil a ransomware attacker with a strong password.  Continuing the theme, this week we discuss the importance of password hygiene.  Password hygiene involves the strength, uniqueness, and practices of passwords.

The Longer the Better: Compare password hygiene to dental floss hygiene – make them long, change frequently, and don’t share. When it comes to length, longer = stronger. In fact, length is more important than complexity. So instead of using a complex array of gibberish letters, numbers and symbols, the best practice is to create a passphrase. A passphrase is a list of unrelated common words. It is easier for you to remember and harder for a computer to crack. In this example from www.xkcd.com/936/, the password Tr0ub4dor&3 is difficult to remember but can be cracked in 3 days. However, if we tie four common unrelated words together like “correct horse battery staple”, it would take 550 years to crack.
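
The arithmetic behind those two figures, as an added example that is not part of the original column. It assumes the xkcd comic's own model: about 28 bits of entropy for the Tr0ub4dor&3 pattern, 11 bits per word drawn at random from a 2,048-word list, and an attacker making 1,000 guesses per second. The 16-word sample list and the function names are constructed for illustration.

```python
import math
import secrets

GUESSES_PER_SECOND = 1000            # attacker speed assumed in xkcd 936
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Constructed sample list. A real word list should hold thousands of words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "lamp", "river",
                "cloud", "anchor", "pepper", "violin", "garden", "rocket",
                "marble", "window", "candle", "tunnel"]


def passphrase_entropy_bits(wordlist_size, word_count):
    """Entropy of word_count words chosen uniformly at random from the list."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(entropy_bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** entropy_bits / rate


def generate_passphrase(words, word_count=4):
    """Pick words with a CSPRNG; the entropy figure only holds for random picks."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


def compare():
    """Reproduce the comic's two estimates and show why list size matters."""
    pattern_bits = 28                                 # Tr0ub4dor&3 style
    phrase_bits = passphrase_entropy_bits(2048, 4)    # four words, 11 bits each
    return {
        "pattern_days": seconds_to_exhaust(pattern_bits) / SECONDS_PER_DAY,
        "phrase_years": seconds_to_exhaust(phrase_bits) / SECONDS_PER_YEAR,
        # Four words from only 16 choices is far weaker than either case.
        "sample_list_bits": passphrase_entropy_bits(len(SAMPLE_WORDS), 4),
    }


if __name__ == "__main__":
    print(compare())
    print(generate_passphrase(SAMPLE_WORDS))
```

The strength comes from random selection out of a large list, not from the words themselves: four words picked by hand, or from a tiny list like the sample above, do not reach the 44 bits the estimate relies on.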

Don’t Re-use Your Floss: You may ask, “If I create one strong passphrase, I could use it for all my accounts and I’ll be safe?” Well, not exactly. That’s where the second part of “treat-passwords-like-dental-floss” comes in. Don’t share. Today, you have so many accounts with passwords to remember. You have your email, company login, bank, investment, social media, gaming … the list goes on. Major breaches like LinkedIn and Dropbox have exposed your username (typically your email address) and password. The information from these breaches eventually ends up on the Dark Web available for any cyber-criminal to peruse. To see if your email address is on the Dark Web, you can check it at www.haveibeenpwned.com. A trusted advisor can offer Dark Web checks for your business domains.

Try It Everywhere: When the hacker acquires your credentials, they will test them against popular websites hoping you reused the password. Maybe you have a Wells Fargo, or Merrill Lynch account with the same username and password. If they succeed, the consequences could be disastrous.

Password Managers: You may want to reconsider letting your browser manage your passwords. The saved password feature of browsers is great for ease of use for you – and a cyber-criminal. These passwords are stored in clear text in the browser and can easily be stolen.

Consider the Consequences: Since there are so many long passwords to remember, using a Password Manager can ease your password woes. A Password Manager can create, encrypt, store, and autofill your passwords for multiple accounts and make it harder for hackers to get them. Password managers can also protect you from Some recommended free managers are: Apple Keychain, Bitwarden and KeePass. You may hate to floss. You may hate password hygiene. But until there is something better, consider the consequences.