The information provided on this website does not, and is not intended to, act as legal, financial or credit advice; instead, it is for general informational purposes only. Information on this website may not be current. This website may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites. Readers of this website should contact their attorney, accountant or credit counselor to obtain advice with respect to their particular situation. No reader, user, or browser of this site should act or not act on the basis of information on this site. Always seek personal legal, financial or credit advice for your relevant jurisdiction. Only your individual attorney or advisor can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client or fiduciary relationship between the reader, user, or browser and website owner, authors, contributors, contributing firms, or their respective employers.
Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them. Compensation is not a factor in the substantive evaluation of any product.
News that Uber got hacked and 57 million records were compromised may not seem like an overt threat after this year’s constant mega breaches—but it is. A recent study suggests that even something as “harmless” as a breach involving names, phone numbers, and email addresses can lead to account takeover.
The study, entitled “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials,” was backed by Google and conducted in partnership with the University of California, Berkeley, and the International Computer Science Institute.
While the title may sound boring, the takeaway is terrifying: Account takeover isn’t happening the way many people think.
The first thing you need to know about account takeover is this: It’s an incredibly serious matter.
Account takeover is a form of fraud. A criminal attempting account takeover may target your bank account, your credit card accounts, or any other financial service where you do business. Once a criminal has control of an account, you will be robbed.
It’s easy to understand how your Social Security number can be used to defraud you, not to mention the time-suck of setting the record straight with whatever companies composed part of the digital “crime scene.”
Since the days of the rotary telephone, our Social Security numbers have acted as virtual skeleton keys to our financial realities. It was the way we proved that we were the right person to access our money at a bank or to be granted credit. For a long time criminals have found creative ways to use that same key to rob people—whether through the creation of new credit accounts or through account takeover.
Stolen credentials come in many forms, and they are not equal by any means. The importance of the Google study hinges on this new reality: Social Security numbers aren’t the worst threat to your accounts based on current statistics. And herein lies the kernel of what matters most in the study.
Account takeover can also zero in on your email.
How you can be robbed if a criminal has control of your email account? Think about how many of your active online accounts will send a link to reset your password via email—and then continue reading after you stop hyperventilating.
In a world where most of the day-to-day transactions we make are digital but two-factor authentication has not been universally adopted, the control of your email account by a third party may create an even greater vulnerability to fraud than the possession of your Social Security number.
The Uber hack was discovered more than a year before it was reported, and the company paid the hackers $100,000 to keep the incident under wraps. That such things aren’t considered serious crimes in the US is something to ponder, but that’s not the reason the hack matters.
The longer your information is “out there” unbeknownst to you, the longer you are unwittingly exposed to all stripes of crime—including account takeover.
There are many ways you can be attacked, but with the Uber hack, email would be the way in. The phishing ruse can be anything. Social engineering, or the art of tricking people into doing what you need them to do so you can rob them, can be endlessly creative.
Because the Uber hack included names and phone numbers in addition to email addresses, affected consumers may have spent the past 12 months being exposed to the more insidious threat of spearphishing and fraud via vishing (voice phishing).
In spearphishing attacks, the fraudster does a little research. For instance, using an Uber customer’s phone number, they may locate a Facebook account, and, from there, identify close friends and family. The criminal sends a spoofed email from what he or she guesses will be a trusted sender with a link that downloads keystroke-logging malware and thus puts the recipient one login away from account takeover. A majority of people use the same passwords at different sites, which means the fraudster will likely have access to multiple accounts once they determine one password.
Some questions you should always ask:
And of course, check the email address behind the display name on any email you receive before replying, and never be shy about asking a sender if they sent you something.
Another thing you should do whenever possible: Enable two-factor authentication. But bear in mind that even if you do everything right you may still be compromised. Unfortunately, there is no silver bullet. There is only vigilance and the three Ms (minimize your exposure, monitor your security, and manage the damage), which I discuss in my book, Swiped.
The violation of privacy associated with the takeover of an email account is disturbing, but it is nothing compared to the potential life disruption it can cause. Now more than ever, you need to be exceedingly careful about the links you click on in email and the calls you take—because you truly never know who’s on the other end.
If you fear you have been the victim of fraud, check your credit report for suspicious activity. You can get your free credit report at Credit.com.
Image: istock
April 11, 2023
Uncategorized
September 13, 2021
Uncategorized
August 4, 2021
Uncategorized