You may recall news reports in early June 2023, regarding the hack of the MOVEit file transfer software by a ransomware extortion group based in Russia, known as “Cl0p” but more commonly referred to as “Clop”. Keeping in mind that the vast majority of ransomware instances are not publicly reported, in order to avoid both embarrassment of the victims and attention for the perpetrators, this one was disclosed for a number of reasons. For one, it was widespread, affecting a diverse group of victims that included the U.S. Department of Energy and other federal agencies, Johns Hopkins University and the Johns Hopkins Health System, the University System of Georgia, CalPERS (the California Public Employees’ Retirement System), the Province of Nova Scotia, Shell Oil, British Airways, the BBC, and the state motor vehicle departments in Oregon and Louisiana. A second reason was that Clop publicized the victims of its exploit on the dark web. Whether or not you had ever previously heard of MOVEit, software that is widely used by companies and organizations around the world to share sensitive data, you may very well have used similar file transfer products such as WeTransfer and Dropbox.
In the MOVEit instance, the hackers exploited a previously unknown vulnerability in the software, gaining access to users’ files before the software could be patched. This is what is referred to as a zero-day exploit, when software engineers have “0” days to patch a vulnerability prior to its exploitation. What made this extortion a bit atypical was the fact that the perpetrators did not follow the usual pattern of locking down victims’ computers until a ransom was paid, but instead threatened to release sensitive data that had been accessed unless their ransom was paid, as always, in the form of Bitcoin or another cryptocurrency. According to the latest information published by Palo Alto Networks, which monitors ransomware payment trends, the average ransom demand rose to $2.2 million in 2021, with the average payment rising to $541,010.
The Value of Your Personal Data
Ransoms are one thing, but the stolen data may be even more profitable when sold on the dark web. Let’s very conservatively presume that a hack discloses the private data of 5 million users. According to Privacy Affairs, an organization that monitors and compiles lists of prices for personal information when sold online, the following are just a few examples of the going prices for everything from social media logins to credit card accounts.
Credit card details, account balance up to $5,000: $110
Credit card details, account balance up to $1,000: $70
Stolen online banking logins, with a minimum balance of $2,000 on account: $60
Stolen online banking logins, with a minimum balance of $100 on account: $40
Cloned Visa, MasterCard or American Express account with PIN: $20
USA hacked credit card details with CVV: $15
50 Hacked PayPal account logins: $120
Hacked Gmail account: $60
Hacked Facebook or Instagram account: $25
Hacked Twitter account: $20
US eBay account: $20
Netflix account, 1-year subscription: $20
Hacked Spotify account: $10
10 million USA email addresses: $120
Clearly, these international thieves are playing a numbers game. Although the hackers in the MOVEit incident exploited a software vulnerability, the majority of breaches occur as the result of human error. Most typically, those errors involve unwarily responding to a phishing scam, carelessly clicking on a link, or using the same (usually weak) password on multiple sites. Many phishing scams appear legitimate because they utilize data from earlier corporate hacks. For example, if an email service provider has been hacked, its subscriber list will have been compromised, leading to subscribers receiving suspicious emails. Because nobody wants their email service to be disrupted, many people will quickly comply with a request to divulge further personal information.
One of my clients recently received an email, indicating that his email account had been compromised, requiring him to click on a link to confirm his username and password. He did so, without a second thought, then had his email account disabled two days later because it was being used to send out massive amounts of spam, effectively turning his computer into a zombie device. When his password was reset and his account access restored, he received another email, no doubt from the same perpetrators who had lost access to his account, asking him to click on a highly suspicious link in order to “cancel the requested deactivation” of his account. Clearly, they were hoping that lightning would strike the same victim twice. Now you can see why a single hacked Gmail account sells for $60 on the dark web!
Take Precautionary Measures
I have said it before, and let me say it again, that we all need to be highly vigilant before clicking on links in an unsolicited email. If that email contains spelling mistakes or grammatical errors, you can be assured that it did not originate from the company whose graphics have been “borrowed” in order to enhance credibility. Hover over any links, and you will see how they go to some highly suspicious URLs. In addition, take the time to set up and utilize multi-factor authentication on every online account that involves either payments or passwords. Then be sure that you always use a secure and unique password for each site. Many of us tend to “recycle” our passwords, a truly lazy habit. In those instances, a hacked password on one account could lead to hacked access to multiple accounts, falling victim to what is referred to as a “stuffing” attack.
If you would like to learn more about the very serious nature of these online threats, I highly recommend a reading of “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth, a cybersecurity journalist for The New York Times and an advisor to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). This is a difficult book to put down (so you may want the audio book version), and it will keep you awake at night.
In recent years, just about every business in America was widely encouraged to engage with its customers through social media, Facebook in particular. I was guilty of offering that advice myself, until I decided that the potential marketing benefits were outweighed by the costs of having my personal privacy continuously invaded by the platform, leading me to abandon my use of Facebook four years ago.
If your business has maintained a presence on Facebook, as has almost certainly been the case, you have also maintained a Facebook personal profile that has allowed you to administer your business account. That personal profile most likely entitles you to participate in a class action settlement brought against Facebook, Inc., now known as Meta Platforms, Inc., for violations of your privacy through the sharing of your personal data, as well as data about your friends and associates, with third parties that included advertisers, data brokers, and business partners. These violations were made without your permission. Although Meta denies any liability or wrongdoing in this matter, it has agreed to an out-of-court settlement, and you are entitled to your share of the proceeds.
If you had a Facebook account between May 24, 2007 and December 22, 2022, there is a very simple online form that will allow you to participate in this class action and to receive your entitled share of the proceeds. Each user is eligible to participate, even former Facebook users with deleted accounts. Importantly, your form must be submitted before 11:59 PM Pacific Time this Friday, August 25, 2023. Go to https://facebookuserprivacysettlement.com/ and click on the “Submit Claim” option. Of course, individual shares in class actions such as this generally do not amount to a significant sum of money. Among other factors, your share will be determined by the length of time within which you maintained your Facebook account. If you value your personal privacy, see to it that you are awarded your share of the proceeds, sending a message to Facebook (and other even more invasive social media platforms) that enough is enough.
Sometimes I think that the
Internet was invented by P.T. Barnum, the circus promoter and showman from New
Haven, Connecticut. A century and a half after his heyday, modern-day hucksters
seem intent on capitalizing upon the phrase “there’s a sucker born every
minute” that is commonly attributed to the great Barnum. So-called phishing
scams arriving via email are becoming more prevalent than ever. Phishing is an
attempt to steal personal information or hack online accounts through the use
of deception. Some are easy to spot, while others are more sophisticated in
appearance and subsequently more difficult to detect. The people behind these
schemes prey upon our fears and try to convey a sense of urgency to their bogus
messages. My main words of advice are to step back, take a deep breath, and
avoid the urge to panic.
Learn to detect
and comfortably ignore the lion’s share of these scams by using an effective
spam blocker on your email accounts. When a few slip past the filters and
appear in your inbox, take a close look. Learn to hover and not to click. Is
the actual sending address what it appears to be? One of the latest phishing
scams to be making the rounds is the “Best Buy / Geek Squad Service Renewal”
invoice. I will refer to three specific emails below, all alleging to be sent
from Geek Squad (or in one instance “Geeks Squad Inc.”). The first came from edfg0823@gmail.com,
the second indicated that it came from messenger@messaging.squareup.com (and
included an option for payment through Square), with a 160-character cryptic reply-to
address, and the third came from dayaguena@gmail.com.
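The sender-address checks described above ("is the actual sending address what it appears to be?") as an added example, not code from the original post: it runs a few header heuristics over constructed headers modelled on the three emails (a gmail.com sender, a squareup.com sender with a long cryptic Reply-To, and a second gmail.com sender). The brand-to-domain mapping and the free-mail provider list are assumptions.

```python
"""Header heuristics for brand-impersonation phishing (added example).

Flags a message that claims a brand in its display name or subject but is
sent from a domain that brand would not use, a corporate billing notice sent
from a free-mail provider, and a Reply-To that points somewhere other than
the From domain or is implausibly long.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand would legitimately send from.
BRAND_DOMAINS = {
    "geek squad": {"bestbuy.com", "geeksquad.com"},
    "best buy": {"bestbuy.com", "geeksquad.com"},
    "paypal": {"paypal.com"},
}
# Assumption: free-mail providers a corporation would not use for invoices.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
MAX_REPLY_TO_LEN = 64  # anything longer is treated as suspicious


def domain_of(addr):
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower().strip()


def check_headers(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_to)
    claimed = f"{display_name} {subject}".lower()
    findings = []

    # 1. The message invokes a brand, but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and from_dom and from_dom not in domains:
            findings.append(f"claims '{brand}' but is sent from {from_dom}")

    # 2. A "corporate" notice arriving from a free-mail account.
    if from_dom in FREEMAIL and any(b in claimed for b in BRAND_DOMAINS):
        findings.append(f"corporate notice sent from free-mail provider {from_dom}")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_to and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Cryptic, very long Reply-To addresses are a throwaway-mailbox tell.
    if len(reply_to) > MAX_REPLY_TO_LEN:
        findings.append(f"Reply-To address is {len(reply_to)} characters long")

    return findings


# Constructed samples modelled on the emails described in the post.
SAMPLE_GMAIL = (
    "From: Geek Squad <edfg0823@gmail.com>\n"
    "Subject: YOUR SERVICE HAS BEEN RENEWED\n\n"
    "Your plan will be auto renewed with in 24hrs and you will be charged $417.00\n"
)
# Constructed stand-in for a ~160-character cryptic Reply-To address.
LONG_REPLY_TO = "a1b2c3" * 24 + "@example.net"
SAMPLE_SQUARE = (
    "From: Geek Squad Subscription Renewal <messenger@messaging.squareup.com>\n"
    f"Reply-To: {LONG_REPLY_TO}\n"
    "Subject: Geek Squad Advanced Protection - Annual Plan\n\n"
    "Your account has been charged $229.99.\n"
)
SAMPLE_GMAIL_2 = (
    "From: Geeks Squad Inc. <dayaguena@gmail.com>\n"
    "Subject: Geek Squad Subscription Renewal\n\n"
    "Renewal fee of $299.87 for 3 years and up to 5 devices.\n"
)
# Constructed legitimate-looking control: brand and sending domain agree.
SAMPLE_LEGIT = (
    "From: Best Buy <noreply@bestbuy.com>\n"
    "Subject: Your Best Buy order has shipped\n\n"
    "Thanks for your order.\n"
)

if __name__ == "__main__":
    for label, sample in [("gmail", SAMPLE_GMAIL), ("square", SAMPLE_SQUARE),
                          ("gmail_2", SAMPLE_GMAIL_2), ("legit", SAMPLE_LEGIT)]:
        print(label, check_headers(sample) or "no findings")
```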
Although it is easy
to attach any corporate logo to an email, in an effort to make the message
appear to be authentic, would that familiar company really send out a message
with spelling mistakes and sloppy formatting? Just because a message implies
that your bank account, credit card, or PayPal account has been charged for a
product or service that you never ordered does NOT mean that the sender
actually has access to your account. What they are generally hoping is that you
will fall for their scheme, want that alleged charge to be reversed, and
unwittingly provide them with your account information in order to confirm the
“refund”. By doing so, you will have then provided the scammer with the means
to run up fraudulent charges on your account far in excess of the bogus charge
that caught your attention.
The perpetrators
behind the “Best Buy / Geek Squad Service Renewal” scams could possibly have
access to Best Buy customer emails harvested during a 2017 data breach that
exploited a vulnerability in the company’s online chat software; however, it is
more likely that the senders use random email accounts under the presumption
that a significant percentage of recipients will be recent or past Best Buy
customers. (They could also be pretending to represent Walmart, Costco, Target,
or any other well-known brand with an extensive customer base.) I have received
several of these emails recently. One lists an “Order ID”, “Product Code”, and
renewal fee of $417.00 that is ready to be charged to my account, telling me
that “YOUR SERVICE HAS BEEN RENEWED”. The email (which consisted of a JPEG
image) also reads, “According to our contact with you. Your plan will be auto
renewed with in 24hrs and you will be charged $417.00”. The punctuation errors
alone in that message should raise several red flags. Of course, they are
hoping that I will call the “Customer Support Team” using the toll-free number
included.
Another alleged
“Geek Squad Subscription Renewal” was convincingly professional in its
appearance, including a PDF invoice for a “Geek Squad Advanced Protection –
Annual Plan” renewal at $229.99. It claimed that my “account” had just been
charged, and included a toll-free number to call “if you want to cancel the
Renewal and claim the refund.” The telltale signs on this invoice were the
salutation of “Dear Dear”, my name listed as “Dear Customer”, and a random
return address that is a residential home in Mississippi according to Google
Maps. A third email followed the same modus operandi, had my name as “Existing
User”, a random return address in a residential neighborhood of Brooklyn, and
an alleged renewal fee of $299.87 for 3 years and up to 5 devices (the best
deal yet). It, of course, included a toll-free phone number “in case you wish
to stop this transaction or stop auto-renewal”.
In the first two
of these three instances, the toll-free numbers (which I called from a
randomized phone number) were already disabled. The perpetrators hope that
recipients will panic and call them immediately while their temporary phone
numbers are still enabled. The third number was busy with other callers and
asked me to leave a return phone number. Of course, they will then ask for a
credit card or other account number in order to process the alleged “refund”.
Fight Back!
First of all,
pay close attention to unsafe content warnings in your email software. Then
never respond to requests for your private information, beware of messages that
convey a sense of urgency, and never click on unknown links. If you are one of
the millions of people who use Gmail as your email service provider, you can
report a phishing email that may have made its way to the inbox on your
computer by opening the message, clicking on the three vertical dots next to
the “Reply” icon, then clicking on “Report phishing.” If a phishing email asks
you to make a payment via PayPal, forward the entire email to phishing@paypal.com.
You may also
forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org. This organization includes ISPs, banks, online security
companies, and law enforcement agencies. You can also report phishing attempts
to the Federal Trade Commission at https://reportfraud.ftc.gov/. In the event that you have actually been a victim of a phishing
scam, first contact your bank or credit card company, where you will probably
want to change passwords and cancel your credit card. Then file a report with
the FBI’s Internet Crime Complaint Center (IC3) at https://www.ic3.gov/. In most instances, you may also file a complaint with the office
of your state attorney general.
Nobody
likes being a victim of what is essentially online crime, but it is good to
know how to protect yourself and how to take responsive measures when
necessary.
You might be surprised to
learn how much of your personal information is readily available online, easily
accessed by just about anybody, and being packaged and sold at a profit by over
100 data brokers, so-called public records providers. There are over a billion
searchable public records today, and both federal and state legislation passed
over the last 50 years ensures the public’s right to access. It all started
with the Freedom of Information Act, passed in 1967, guaranteeing that anyone
can submit a public records request to any federal agency, and that agency
(with few exceptions) is mandated to provide the information in a timely
manner. This federal legislation was followed by similar “sunshine laws” that
were passed in all 50 states, providing access to state and local public
records. The public has a right to know what is going on behind closed doors with
its elected officials and government agencies, but it is the access to public information
regarding specific people – routinely exploited by profit-seekers who sell
compiled data to marketers and others who have no business accessing your
personal information – that is troublesome.
If you do a search on Google
for your name, city, and state, you are likely to be shocked to see how much
personal information (some of it highly inaccurate) is available with just one
click, where public records are consolidated with information that you may have
voluntarily provided on platforms such as Facebook and LinkedIn. You will probably
find your full name and address, former addresses, family members (including
births, deaths, marriages and divorces), phone numbers, email addresses, year
of birth, estimated annual income and net worth, real estate and property
records, property taxes, professional licenses, voter registrations, campaign
contributions, court records, arrest records, prison records, sex offender
registrations, bankruptcy records, educational level, general credit status, liens,
and corporation and LLC records. Is that enough? About the only records that
are generally off-limits are your tax returns, school transcripts, library
records, health records, and juvenile court records.
How Public Records Providers Operate
If you go to one of these
public records providers’ websites, you will first be asked to enter the first and
last name of the person for whom you are searching, along with his or her city
and state. You will then be presented with a list of results that likely include
that person, along with links for “more information” or a “full report”. You
will then wait several minutes for the report to be allegedly generated,
teasing you with the categories of information that are being compiled, and
presenting you with one or more payment or subscription options. If you are
like me, you realize that public information must remain accessible, but you
would like to see your personal information removed from websites that are
packaging that information for profit and selling it to anybody willing to pay
their fee.
If you live in California,
you are in luck because the California Consumer Privacy Act (CCPA) protects the
rights of California residents regarding their personal information, including
the right to easily request access to or deletion of their personal
information, as well as the right to demand that businesses stop selling that
personal information. Whether you live in California or elsewhere, you
basically need to go to the website of each public records provider and click
on the link (usually at the bottom of the page) that says “Do Not Sell My
Personal Information”. You will then be directed through a multi-step process
that will include email or text authentication in order to be removed from that
one seller’s database. (If you live in California, there will be a secondary
link that will streamline the process.) Of course, there are businesses that
are willing to capitalize on anything, and there are companies online that will
do the work for you for a substantial fee. Two of those are companies called
DeleteMe – https://joindeleteme.com/ and
OneRep – https://onerep.com/ that
will provide that service for one person for one year at prices of $129.00 or
$99.00 respectively.
Presuming that you would
like to avoid that kind of fee and would like to go through the process of
removing your personal data from these websites yourself, here is a list of
some of the major culprits, along with their removal URLs:
Several additional websites do not maintain their own databases, basically repackaging the information from larger data brokers and earning a commission on sales. In those instances, getting removed from the source of the data will remove you from more than one site. Examples are the PeopleLooker, PeekYou, and PeopleSmart websites that run off the BeenVerified database, and InstantPeopleFinder that runs off the Intelius database. Then there are other companies – such as FreeBackgroundCheck.org (with a bald eagle in its logo and which at $19.95 per month is anything but free) – that seem to spit in the eyes of privacy rights. According to the FAQ page of their website: “As a courtesy (sic) we can ‘opt out’ your specific information. Contact customer support and request the procedure instructions to be removed from the database. Each individual that wishes to be opted out of must be accompanied by proof of identity and address. We will only be processing opt out requests we receive by fax or mail and no request will be processed without complete information. Requests for opt out will not be processed over the phone or via email.”
You probably already knew that we are living in a world where personal privacy rights are continually swept under the carpet, and where there are countless companies and individuals that are willing to compromise those rights through the use of dubious profit-based services. Although you may very well feel like David vs. Goliath, you can at least attempt to fight back!
If you are aware of ongoing
news events, you know about the recent online cyberattacks at big companies
like Colonial Pipeline and JBS. In both instances, ransomware was involved.
Colonial Pipeline reportedly paid $4.4 million in ransom, after shutting down
the delivery supply of gasoline, diesel, heating oil and jet fuel across much
of the eastern United States, causing a spike in prices that you have paid at
the pump. In the case of JBS, the meat processing network across the United
States, Canada and Australia has been affected, with the impacts being felt by
consumers at grocery stores and supermarkets. It has not yet been disclosed at
the time of this writing what ransom, if any, was paid by JBS, but it joins a
wave of ransomware attacks against businesses and organizations since the start
of the year that includes Molson Coors, E & J Gallo Wines, Kia Motors USA,
and the District of Columbia Police Department. Most victims prefer to keep
their companies’ identities anonymous for obvious reasons.
Lest you think that these attacks only target big businesses and our national infrastructure, think again. Also recently, a ransomware attack targeted the Steamship Authority, the Massachusetts transportation entity that runs the primary transportation network that connects Woods Hole on Cape Cod with the islands of Martha’s Vineyard and Nantucket, disabling its reservation system. You may be seeing a connection there that suggests that the tourism industry is more vulnerable than you may have imagined.
According to Cybercrime
Magazine, the fact is that a new business will be targeted by a ransomware attack
every 11 seconds in 2021. The primary points of entry are vulnerable software
(generally the result of a failure to apply security patches or the
installation of apps that are either insecure or intentionally contain malware)
and email phishing. According to Fortinet, 1 in 3,000 emails sent to businesses
that pass typical security filtering contains malware, which includes
ransomware. The average downtime for a
business that has been attacked is 19 days, and the average ransom paid is
nearly $250,000.00. An attack on a small business would have a smaller ransom,
but could you afford to pay $25,000.00 or be unable to access your reservation
system for days on end? A large percentage of these ransoms are covered by
cybersecurity insurance, for businesses that carry that coverage. The ransoms
always require payment using cryptocurrency, making the perpetrators totally
untraceable other than generalities regarding their country of origin.
Although it is true that the
reports that we see covered by the national news media involve larger
organizations where the impacts are more broadly disruptive, smaller businesses
are generally far more vulnerable and even more likely to be targeted. The
recent surge in employees working from home, where security standards are
usually less stringent, has also contributed to the proliferation in attacks. The
smaller your company, and the more personally associated you are with that
business, the more likely you are to be an easy target. If you are one of the
hundreds of millions of people with an account on either Facebook or LinkedIn,
your personal data has already been stolen since the start of this year and is
being freely distributed on the Dark Net. That data likely includes your name,
address, email address, phone number and more. There is a connection between these
data breaches and the phishing emails and scam phone calls that you receive.
One common point of entry in
recent weeks has been email that allegedly comes from your email service
provider, claiming that your email account has been put on hold pending some
sort of “verification”. While writing this, one of my clients forwarded me one
such email that she had just received. The “verification” link was a cryptic
200-character URL based in India. How many people, through either carelessness,
naivety, or a sense of panic over the thought of losing their email access,
will click on those links?
Email service providers are
getting far more vigilant about trying to stop malicious emails before they reach
your inbox, but it is a frustratingly endless task. Users get upset if legitimate
emails they either send or receive are falsely flagged. One of the large email
service providers that my company uses for many of our clients’ email accounts
found itself blacklisted by Microsoft about a month ago, after a single user
had sent out an email with malicious content. As a result, thousands of
subsequent legitimate messages were not reaching their intended recipients with
either Outlook or Hotmail email addresses. Then yesterday, an email account for
one of our clients was automatically disabled after she had sent out an email
to a couple hundred seasonal campers with a Microsoft Word document attached, a
risky violation of typical email terms and conditions. She was unaware that
Word documents are frequently used to harbor malware and that this would
trigger a red flag.
In other instances, we have
clients who ask us to set up email accounts for every new employee, typically
designating a weak password to be used. We reluctantly follow instructions, but
include a link to Security.org’s HowSecureIsMyPassword.net
website, which can show that the designated password could be cracked by any
computer in a day or less.
When it comes to employee
email accounts, the questions you should ask yourself are:
Does this employee actually need his own email account?
Are you prepared to pay the costs and
disruption to your business if your network is breached as the result of using
a weak password?
Are you prepared to pay a ransom because a
minimum wage employee with little or no training in cybersecurity standards
clicks on a malicious link?
Do you give every employee a key to your
front door and access to your cash register?
Ignoring these concerns
comes at your own peril. Would you leave your car unlocked on a city street,
maybe with the windows open, and maybe even with the keys left on the seat? If
your car would be stolen, you would only have yourself to blame; however, if
the car was then used to intentionally drive into a crowd of people, you would
be guilty of criminal negligence. Another example would be somebody working the
night shift at a convenience store, having a handgun for security and leaving
it on the counter. That would be an invitation for an armed robbery and
potential injuries or deaths.
If you would never think of
doing anything as careless as either of those two examples, why would you use a
weak password, or use the same password for multiple purposes? Using the same
password to access more than one email account or online application is like
leaving those keys on the seat of your unlocked automobile, except that the key
ring includes the keys to every other vehicle that you own, the front door to
your office, and the front door to your home.
You think it can’t
happen to you? Think again!
Let me be the first to admit
that I am guilty. It was not that long ago that I was presenting seminars and
writing how social media advertising –
Facebook, in particular – was the greatest new development since the
Internet itself. As recently as four years ago, I was offering suggestions on
how to beat Facebook at its own game, using guerilla marketing techniques on
the platform. Sure, we all recognized that the intrusions into our personal
privacy were a bit creepy, but the ability to reach targeted marketing
prospects seemed to be worth the compromise. After all, when I was a child
watching television in the 1950s, Captain Kangaroo would seamlessly segue from
visiting with Bunny Rabbit and Mr. Moose to selling Kellogg’s Rice Krispies and
Schwinn Bicycles, and what was wrong with that? Actually, there was plenty
wrong with it, prior to a Federal Trade Commission (FTC) ruling in 1969 that
prohibited children’s show hosts from directly promoting commercial products.
In the beginning, Facebook (originally called Facemash) seemed to
represent little more than an awkward attempt by nerdy Harvard undergrads with
a lack of actual social skills to meet young women at neighboring colleges.
When you think about it, even that original concept (an extension of the sexist
freshman photo books that had been sold on college campuses for decades) violated
the personal privacy of the young women whose photos were being used. From that
start, it did not take long for Facebook to reinvent itself into a money making
machine that would be built upon ever-increasing exploitations of personal
privacy.
On a personal level, I
stopped using Facebook in its entirety in early September of 2020. I actually
experienced what I would describe as a 7 to 10 day period of withdrawal,
missing the ability to stay in daily touch with countless friends both old and
new, but my sense of newly discovered freedom afterward was absolutely refreshing.
Over the course of the 10 years or so when I remained active on the platform, I
would often joke about how Facebook would “coincidentally” show me advertising
that was related to one of my recent posts or comments. When I, along with
millions of other people, started using ad blockers, Facebook started showing
paid posts in lieu of paid advertising. These paid posts represent advertising
content that is being disguised as editorial comment, even when that advertising originates with foreign governments or other unscrupulous characters. The only way this can happen is by Facebook’s algorithms monitoring every word that you type, just as craftily as the National Security Agency (NSA) monitors the telephone conversations of known terrorists.
What made me see the light was when I realized that Facebook’s business model was designed to amass huge profits by intentionally sowing discord among its subscribers. Regardless of where a person falls within an increasingly polarized political spectrum, Facebook will show that person paid content that pours fuel on the fire while demonizing those with opposing viewpoints. By being fed a one-sided diet that is often based upon disinformation, subscribers’ opinions and beliefs are reinforced in a manner that continually enhances the polarization. It should not require an insurrectionist attack upon the U.S. Capitol for reasonable people to understand that this represents a rapidly accelerating downward spiral.
Let us be clear that Facebook advertising is not a bargain. In the early days, businesses would pay to advertise on the platform in order to get users to “like” their page and then see their posts. Soon afterward, advertisers needed to pay Facebook so that even people who had already “liked” their page could actually see their posts. Think about it. This means that you are paying Facebook so you can reach your existing customers. Why would anybody pay to do that when there are countless alternate means of reaching your existing customer base at a far lower cost? In the campground industry, some of the same people who willingly pour money into Facebook advertising question the rationale for offering Good Sam and similar discounts that they feel cut into thin profit margins. I would rather offer a customer incentive than take that same money and pour it into Facebook’s coffers.
Yes, Facebook and the other social media may be capable of sending you customers, but at what price and in what environment? If a drug dealer approached you and said, “Yes, my main business is selling heroin, but I can also send you customers”, would you do business with that person? I doubt that many of us would enter into that sort of deal with the devil.
The Federal Trade Commission (yes, the same people who ruled that Captain Kangaroo should not be hawking breakfast cereal) is currently proposing the breakup of Facebook, a process that is long overdue. Facebook has steadily grown – with the acquisition of Instagram, WhatsApp and related platforms – and a breakup of its monopoly would be the first such action since the breakup of AT&T four decades ago.
Many of my peers in the advertising industry will disagree with me, and I welcome that debate. I remember the days when tobacco products were extensively advertised on television, a practice that contributed to countless deaths. Today, I believe that many other types of advertising should be banned because they either mislead consumers or actually prey upon vulnerable segments of our population, typically the elderly. These include the advertising of prescription pharmaceuticals, advertising by class-action attorneys (think “mesothelioma”), advertising directed at children (think about Saturday mornings), and advertising directed at senior citizens (think about Medicare supplements and the aforementioned pharmaceuticals). In the meantime, it is up to you as a small business owner to decide whether or not to continue financing a business model that you may agree is inherently wrong.
Most people realize that the ultimate in cyberwarfare would be for one country to take down the power grid, telecommunications network, financial industry, or military and defense networks of a hostile country. There is no doubt that the United States, Russia, China and other countries maintain this capability but wisely withhold use of this “nuclear option” in cyberwarfare, although there have been instances where the waters have clearly been tested. As has been recently demonstrated, cyberwarfare tends to take a much more subtle and individualized approach, exploiting weaknesses in things like social networks and ballot tabulations. The same sort of approach, where individuals are targeted, is generally practiced in cybercrime, the aggressive bully that is the awkward little stepbrother of cyberwarfare.
Cybercrime takes a variety of forms but generally targets either individuals or individual companies. Small businesses, where there is often only a subtle distinction between a business and its owners, can be particularly vulnerable. In most instances, the criminal activity exploits vulnerabilities in the security practices of the target. These vulnerabilities include the failure to apply software patches and updates, insecure office practices, and the use of weak, old, and/or reused passwords. The results include the easy entry of computer viruses and malware that can turn a computer into a bot on a criminal network or install ransomware that will hold a computer and its files hostage. The same vulnerabilities lead to the proliferation of phishing attempts and other email and telephone scams where the senders or callers impersonate trusted companies in an attempt to obtain passwords, sensitive information such as social security numbers, your credit card numbers, or remote access to your computer.
One of the latest trends in cybercrime exploits a combination of known hacks and personal fears and anxieties. As most of us know, there have been a number of major websites that have been hacked in recent years, some instances more widely publicized than others. The ultimate victims are the individuals whose personal data has been breached and compromised. The term “pwned” originated in early online gaming as a typographical error in the word “owned”. If you have been “pwned”, it means that your personal information is now “owned” by others. To see if your personal data has been “pwned”, visit the “Have I Been Pwned?” website and enter your email address. At the time of this writing, there are 296 websites that have been “pwned” with over 5 billion accounts compromised. Some of the websites that have been hacked include Adobe, Ancestry, Avast, Comcast, Dropbox, Exactis, Experian, Forbes, Kickstarter, LinkedIn, MySpace, River City Media, Snapchat, Ticketfly, tumblr, and Yahoo. This list includes websites that you have probably used, and your personal information has in all likelihood been compromised in at least one of them. In my own instance, my email address has been compromised in 10 of these major hacks, most recently the Exactis hack in June 2018. That recent hack disclosed credit status information, dates of birth, email addresses, income levels, marital statuses, names, phone numbers, physical addresses, and much more from 340 million personal data records.
Stolen passwords are then readily exchanged, sold, or even made freely available on a number of forums and so-called “pastes”, utilized by cybercriminals who are well aware of the human tendency to reuse usernames (many simply the users’ email addresses themselves) and passwords across a variety of websites. Security breaches like the Yahoo and Dropbox hacks go back to 2012. Although savvy Internet users will have changed their passwords on those sites long since then, if those same passwords were used on other websites, the vulnerability remains. More recent hacks will expose passwords that are currently in use, which is a strong argument for changing passwords on a regular basis.
With this combined background information in mind, you will understand how I felt both alarmed and violated when I received an email one evening back in July that made it past the Gmail spam filter. The subject line included a username and password combination that I frequently used 10 or 15 years ago, indicating that somebody had gained access to my personal information, even though it no longer represented valid credentials. The email had successfully caught my attention and, at first glance, seemed like there could be cause for concern. It went on to allege that a visit to pornographic websites led to the installation of remote access and keyboard logging software on my computer that gave the hacker complete access to my email and social media address lists, as well as my computer’s microphone and camera. Cutting to the chase, the sender was threatening to send a compiled split-screen video of the sites I had visited, along with my “interactions” with those sites, to my friends and family members as allegedly compiled from access to my computer. The only way to prevent this from happening was to pay $3,200.00 in Bitcoin (a cryptocurrency that is popular with online thieves) using a key that was provided.
Even though I do not spend my time visiting pornographic websites, do not have either a camera or microphone installed on my computer, would immediately know if somebody had remote access to my computer, use highly secure passwords, and have Trend Micro Maximum Security software showing that my computer is free of any malware, spyware or viruses, I was still left feeling personally violated. The following morning, I spoke with an agent at the Federal Bureau of Investigation’s Boston field office who told me that this extortion scam had been circulating quite widely throughout the month of July 2018. (In fact, I found a variation in my spam folder a couple of days later, with this second thief only seeking $250.00 in Bitcoin.) The agent also told me that there were people who reported receiving variations that were sent through the mail. I also have friends and clients who told me that they have received the same sort of email during the same time period and as recently as last week. I went on to file an online complaint with the FBI’s Internet Crime Complaint Center, commonly referred to as the IC3. There is also a page on the Krebs on Security website that outlines the “Sextortion” scam and currently includes nearly 1,000 comments from people like me who have received the emails and are trying to warn others against falling victim.
The lessons to be learned are to:
Be aware that your personal information has been stolen, probably on multiple occasions.
Understand that your personal information can be used in extortion attempts.
Minimize vulnerabilities on your computer and run up-to-date security software.
Never trust any email that sets a deadline or seeks payment in cryptocurrency.
Never make an extortion or ransom payment.
Notify legal authorities if you are a victim.
It is challenging enough running a small business these days. Nobody needs to waste time, worries, or money with the perpetrators of online scams, who are going to continue to evolve into using more creative and credible formats.
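The extortion message described above follows a recognizable pattern. As an added example that is not part of the original post, here is a small Python triage scorer that flags mail combining a previously breached credential, a cryptocurrency demand, a deadline and an exposure threat; the retired passwords, both sample messages and the Bitcoin-address-like string are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for passwords this user retired years ago (not real
# credentials). Sextortion mail quotes such leaked credentials to look credible.
RETIRED_CREDENTIALS = {"campground1995", "jb-oldpass-2007"}

CRYPTO_WORDS = re.compile(r"\b(?:bitcoin|btc|cryptocurrency|monero|ethereum)\b", re.I)
# Loose shape check for a legacy Bitcoin address (base58, no 0/O/I/l) or a bech32 one.
BTC_ADDRESS = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
DEADLINE = re.compile(r"\b(?:within|in|have)\s+\d+\s+(?:hours?|days?)\b|\bdeadline\b", re.I)
THREAT = re.compile(
    r"\b(?:webcam|camera|video|recording|contacts?|friends and family|split[- ]screen)\b", re.I
)


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def score_extortion(subject: str, body: str) -> Verdict:
    """Heuristic triage score for an e-mail; higher means more likely extortion."""
    verdict = Verdict(0)
    text = f"{subject}\n{body}"
    # 1. Quotes a credential that was exposed in an old breach: the "proof" hook.
    if any(cred.lower() in text.lower() for cred in RETIRED_CREDENTIALS):
        verdict.score += 3
        verdict.reasons.append("quotes a previously breached credential")
    # 2. Demands payment in cryptocurrency.
    if CRYPTO_WORDS.search(text):
        verdict.score += 2
        verdict.reasons.append("asks for cryptocurrency")
    # 3. Carries something shaped like a Bitcoin address to pay into.
    if BTC_ADDRESS.search(text):
        verdict.score += 2
        verdict.reasons.append("contains a Bitcoin-address-like string")
    # 4. Sets a deadline to pressure the reader.
    if DEADLINE.search(text):
        verdict.score += 1
        verdict.reasons.append("sets a deadline")
    # 5. Threatens to expose recordings or a contact list.
    if THREAT.search(text):
        verdict.score += 1
        verdict.reasons.append("threatens exposure of recordings or contacts")
    return verdict


def is_extortion(subject: str, body: str, threshold: int = 5) -> bool:
    """True when the combined indicators reach the threshold (tune to taste)."""
    return score_extortion(subject, body).score >= threshold


# Constructed sample messages (not real mail).
SCAM_SUBJECT = "jbrown - campground1995"
SCAM_BODY = (
    "I know your password is campground1995. I installed spyware on your computer "
    "while you visited adult sites and recorded you through your webcam. Unless you "
    "pay 0.3 bitcoin to 1ConstructedExtortionAddrXYZ123456 you have 48 hours before "
    "I send the split-screen video to all of your contacts."
)
BENIGN_SUBJECT = "Invoice 2041 for site rental"
BENIGN_BODY = (
    "Please find attached the invoice for your August stay. "
    "Payment is due within 30 days by check or card."
)

if __name__ == "__main__":
    for subj, body in ((SCAM_SUBJECT, SCAM_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        v = score_extortion(subj, body)
        print(f"{subj!r}: score {v.score}, extortion={is_extortion(subj, body)}")
        for reason in v.reasons:
            print("   -", reason)
```

A mail filter would quarantine anything at or above the threshold and, as the lessons above say, the right response to a hit is to report it, not to pay.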
In recent months, I have been taking the “10 Steps for Securing Your Digital Identity” seminar – that I first presented at the National ARVC Outdoor Hospitality Conference & Expo in Raleigh in 2017 – on the road, with presentations before several state association meetings. The information in the seminar, drawing parallels between the 2017 Equifax security breach and the risks that face small businesses like yours and mine, seems to become more timely with each presentation.
Equifax has admitted that more data was compromised than was originally disclosed, the Internal Revenue Service (which cancelled a no-bid contract with Equifax) urged taxpayers to file their returns as early as possible in 2018 because a stolen identity can lead to a stolen tax refund, and Facebook admitted that it profited from personal data that was exploited by Cambridge Analytica for nefarious marketing purposes. That latter instance forced Facebook CEO Mark Zuckerberg to uncomfortably don a suit and tie, and led to the May 1, 2018 announcement by Cambridge Analytica that it was shutting its doors and initiating bankruptcy filings in both the United Kingdom and the United States.
Some people have suggested disconnecting from the Internet and deleting their social media accounts. The former suggestion is highly impractical in today’s interconnected world, and the latter suggestion – perhaps laudable – is unnecessary if some common-sense precautions are exercised. Let me share just two of the highlights from my seminar that will help you to secure your digital identity.
Passwords
There is no easier way to ensure that your identity will be compromised than by using weak passwords, the same password for more than one account, or a password that you have not changed since the sun started rising in the East. A weak password is like the old skeleton keys that could open every door in the neighborhood when I was a child. If you think that your password is secure, you can quickly test its strength online at https://howsecureismypassword.net/. You do not want a password that can be cracked in seconds, minutes, days, weeks, months or even years, but a password that would require millions, billions or trillions of years to crack. I recommend tools that generate secure random passwords, such as the one at https://passwordsgenerator.net/, where secure passwords typically consist of a minimum of 16 characters that mix upper and lower case letters, numbers, and special characters.
Another option is to use four totally random and unrelated words in succession, such as kitten, faucet, maple, and magnet: kittenfaucetmaplemagnet. According to the online test, that example would take 277 trillion years to crack. The only problem is that most of us find it difficult to think in such a random manner. However, if you make a conscious effort, you can generate a highly secure password that should be relatively easy to enter into a keypad. The most common complaint even then is that secure passwords are difficult to remember.
The solution is to use one of several available password safes, including LastPass, Dashlane, and Keeper. These all work with Windows, Mac, iOS, and Android operating systems, have plugins for popular browsers, include two-factor authentication, offer fingerprint login on mobile devices, and have free versions which are usually all that you need. You only need to remember one highly secure master password. Even if that master password could somehow be hacked, nobody could log into your account thanks to two-factor authentication. If somebody attempts to log into my own password safe (which has happened more than a dozen times from hackers around the globe), they would have to know my master password (good luck!), then – because they would be logging in from an unrecognized device or IP address – they would also need to steal my phone AND know how to unlock that device in order to enter the two-factor authentication.
Software Updates
The massive Equifax security breach was the result of the company’s failure to install a patch in the widely used Apache Struts open-source software in a timely manner. The Apache Software Foundation discovered a vulnerability in its software on March 7, 2017, announcing and patching that vulnerability the same day and issuing a subsequent patch three days later. Equifax failed to apply those urgent security patches for at least two months, resulting in a hack that compromised virtually every consumer in America, including at least 209,000 credit card numbers. Offering free identity theft protection and credit card monitoring service is a poor substitute for basic responsibility. In the fallout, Equifax’s CEO was forced to resign, its stock value plummeted by over 30% almost overnight (only recovering half of that loss at the time of this writing), it lost that multi-million dollar no-bid contract to provide taxpayer identity services for the IRS, and the company’s name is now almost always followed by the words “security breach.”
What are the lessons to be learned by your small business? First and foremost, it is critical to run the latest operating system and updates on all of your computers and mobile devices. If you are running a Windows computer, this means running the latest version of the Windows 10 operating system. Microsoft’s support for Windows Vista ended on April 10, 2012; support for Windows 7 ended on January 13, 2015; and support for Windows 8/8.1 ended on January 9, 2018. If you are running any of those operating systems, your computer and the files that it contains are at high risk. It is also important to be running the latest version of Internet browsers, such as Chrome, Firefox, Edge, and Safari; plug-in software such as Adobe Reader, Adobe Flash Player, and Java; and a reliable anti-virus software suite from companies like Avast, Trend Micro, Webroot, or Bitdefender.
Hack attacks are continuous and ongoing, seeking out vulnerable passwords and vulnerabilities in software. Without taking basic precautions, you could become the next victim of identity theft, be subjected to ransomware demands, have your credit card information stolen, or compromise the personal information of every one of your customers. The resulting impact could be devastating for your business. The days have long passed when any business, large or small, can afford to take anything less than a vigilant stance when it comes to securing its digital identity.
If you attended my “10 Steps for Securing Your Digital Identity” seminar at the 2017 Outdoor Hospitality Conference & Expo, you learned that my lead segment involved the importance of keeping your passwords secure. Passwords have been around since ancient times, when the first sentry asked “Who goes there?”, becoming essential for admission to a speakeasy during Prohibition, and playing a vital role in military security during World War II.
When I was growing up in the 1960s, the doors to our house had old mortise locks and keys that gave our family a sense of security. I recall that the logic when the doors were locked at night was to keep the key turned 90 degrees in the keyhole on the inside of the lock, under the presumption that this would prevent a thief from inserting a key into the outside of the lock and gaining entry. Of course, if somebody got locked inside, we knew that it would only take a couple of minutes to jimmy the key out of the lock. When we were away from home, the key came with us, leaving the lock even more vulnerable.
If a key got lost or broken, we simply walked to the neighborhood hardware store (yes, they existed back then!) and bought a skeleton key for 50¢ that would probably open every lock in our house, including the outside entry doors, as well as the locks on most every other house in the neighborhood. It is no wonder that we relied on neighbors to keep an eye on our houses back then. Sadly, many people today do not even know the names of their neighbors.
Nowadays, passwords are almost exclusively associated with computers and Internet security, and a lame password is essentially the equivalent of a skeleton key. Like those families sleeping soundly behind the security of a mortise lock, a majority of computer users think that their passwords are securely protecting their accounts from getting hacked.
Before I go any further, I would like you to test one of your passwords. Go to this URL and enter your password: https://howsecureismypassword.net/. As an example, I just tested “JBDayton62”, which is exactly the type of password that many people use, so falsely confident in its security that they use it on every account that requires a password. According to the test, a computer could crack this 10-character password in only 8 months; however, anybody who researched the Internet and social media and already knew that John Brown was born in Dayton, Ohio in 1962 could crack this password in no time flat. If a password is convenient to remember, it is easy to crack!
What Constitutes a Secure Password?
Quite simply, for a password to be secure it should consist of a minimum of 16 characters; never contain a word or a combination of words found in the dictionary; never contain the names of family members, friends, pets, sports teams, and the like; and be made up of a random combination of uppercase letters, lowercase letters, numbers, and special characters. You can also often use spaces in passwords, although it is unfortunate that many websites still prevent users from choosing truly secure passwords, by precluding the use of special characters, for example.
The next rule is to always use a unique password for each and every site, and then to change each password on a routine and frequent basis. Apply even stricter standards for sites that provide access to highly secure information, such as your online banking or the IRS’s Electronic Federal Tax Payment System (EFTPS) website. The time to change your old, reused, vulnerable, weak, or compromised passwords is now, not next week or “when you get around to it.”
Before you naively presume that nobody is out there trying to crack your password, consider the fact that password cracking software is readily available online for use by hackers (and occasionally by companies that are on the lookout for weak passwords being used by employees). Those programs include L0phtCrack, Cain, and John the Ripper, all designed to crack passwords (and sometimes credit card numbers) using brute force, dictionary attacks, rainbow tables, and other means.
How to Create a Secure Password
Never trust yourself to generate your own secure password. Our brains are simply not programmed to think randomly, and any password that makes sense to you is easy to crack. Some people even think that including a foreign-language word in their password will make it secure, perhaps presuming that hackers only reference English language dictionaries (even though English may be far from their native languages). My recommendation is to use a secure online password generator such as the Secure Password Generator: https://passwordsgenerator.net/
The Secure Password Generator will allow you to choose any length of characters (from 6 to 2,048) and choose the types of characters that will be allowed (or excluded, if a site does not permit certain characters), then generate it on your own computer.
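The strength test, the 16-character/four-class/no-dictionary-word rule, and the generator with chosen character types and site exclusions described above can all be worked through in one place. The following Python example is added here and is not the code behind either website; the 10-billion-guesses-per-second rate, the tiny word list and the symbol set are assumptions, so the years it reports differ from the online test's figures, but the ranking is the point.

```python
import re
import secrets
import string

# Constructed stand-in for an attacker's word list (names and places included);
# a real cracking dictionary has tens of thousands of entries.
COMMON_WORDS = {"kitten", "faucet", "maple", "magnet", "dayton", "brown", "password"}
# Assumed attacker speed for an offline attack: 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",   # assumed symbol set
}


def generate_password(length=16, classes=("lower", "upper", "digit", "symbol"), exclude=""):
    """Random password of `length` characters drawn only from the chosen classes,
    omitting characters a site forbids, with every chosen class represented."""
    pools = ["".join(c for c in CLASSES[name] if c not in exclude) for name in classes]
    if length < len(pools) or any(not pool for pool in pools):
        raise ValueError("length too short for the requested classes, or a class emptied by exclusions")
    alphabet = "".join(pools)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Reject and redraw until each requested class appears at least once.
        if all(any(c in pool for c in pw) for pool in pools):
            return pw


def policy_violations(pw):
    """Check `pw` against the rules in the text: at least 16 characters, all four
    character classes, no dictionary word or name, nothing that looks like a year."""
    problems = []
    if len(pw) < 16:
        problems.append("shorter than 16 characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"no {name} character")
    hits = sorted(w for w in COMMON_WORDS if w in pw.lower())
    if hits:
        problems.append("contains dictionary word(s)/name(s): " + ", ".join(hits))
    if re.search(r"(?:19|20)\d\d", pw):
        problems.append("contains something that looks like a year")
    return problems


def brute_force_years(pw):
    """Years to exhaust the search space at GUESSES_PER_SECOND when the attacker
    knows only the length and which character classes are in use."""
    space = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))
    return space ** len(pw) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def passphrase_years(word_count, dictionary_size):
    """The same estimate once the attacker guesses the password is `word_count`
    dictionary words: the space shrinks to dictionary_size ** word_count."""
    return dictionary_size ** word_count / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    for candidate in ("JBDayton62", "kittenfaucetmaplemagnet", generate_password(16, exclude="&")):
        print(f"{candidate!r}: {brute_force_years(candidate):.3g} years by brute force;",
              policy_violations(candidate) or "meets policy")
    # Four words from a 10,000-word list, attacked as words rather than as characters:
    print(f"4 random dictionary words: {passphrase_years(4, 10_000):.3g} years")
```

The contrast between `brute_force_years("kittenfaucetmaplemagnet")` and `passphrase_years(4, 10_000)` is the lesson: a passphrase is only as strong as the attacker's ignorance of how it was built, while a truly random 16-character string gives the attacker nothing to exploit.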
How to Store Your Passwords
Once you generate a highly secure password, keeping it written down on a sheet of paper or in a Word document on your computer is like leaving the keys for Fort Knox at a lost and found counter. You need a way to store and access your passwords safely, relatively easily, and securely. I recommend the use of a password safe. Three of the best are LastPass, Dashlane, and Keeper.
All three work with Windows, Mac, iOS, and Android operating systems; have plugins for popular browsers; include two-factor authentication; include form-filling; offer fingerprint login on mobile devices; and have free versions.
The idea with a password safe is that you have only one highly secure master password to remember. Thanks to geolocation, if you log in to your account from an unfamiliar IP address, the two-factor authentication will kick in, requiring you to confirm your identity before being allowed access. In my own instance, 12 attempts to log in to my account over the last 6 months have been thwarted – 3 from Vietnam, 2 from China, 2 from Brazil, and one each from Argentina, Georgia, Ukraine, the Philippines, and the United States (North Carolina). Do not think for a moment that there are not people out there actively trying to hack into your accounts. They are out there and they are everywhere.
Access to our personal data is far too important to be left to chance, and I am hoping that this article might help to open the eyes of a few disbelievers. People who are ahead of the curve when it comes to planning are already taking measures to ensure the longevity of access to their data, even as new biometric methods such as fingerprint and iris recognition are coming into play. According to a survey taken by the University of London and cited in Wikipedia, one in ten people are now including password access or recovery information in their wills. My best advice is to think toward the future, but to start changing your way of thinking today.
Update, July 29, 2019: The following post was written about the Equifax security breach when it first came to light back in October of 2017. The wheels of justice often turn very slowly; however, in an agreement reached on July 22, 2019, Equifax has agreed to a $700 million settlement that includes $425 million that has been set aside as compensation for the 150 million people affected. You were probably one of the 150 million, now entitled to compensation. If you are unsure whether or not your data was compromised, visit the following link to determine your eligibility to participate in the settlement: https://eligibility.equifaxbreachsettlement.com/en/eligibility
Presuming that you were affected, it will take all of 5 minutes of your time to submit a claim for a minimum $125.00 settlement payment following this link: https://www.equifaxbreachsettlement.com/file-a-claim
Every so often, a truly important news story breaks into the public consciousness through an information overload that seems more and more obsessed with partisan issues, celebrity news coverage, and YouTube videos gone viral. One of these recent stories involved the unfolding cybersecurity breach at Equifax, one of the three American companies that compile the personal information that determines your credit-worthiness, your ability to obtain a loan, and the interest rate that you will pay for that privilege.
Of course, a legitimate question could be asked regarding what gives Equifax, Transunion and Experian the right to gather hyper-sensitive personal and financial information on every American citizen alive today. We have certainly come a long way from the idealized days of George Bailey and the Bedford Falls Building and Loan, when financial decisions were local and finalized with a handshake. In our modern times, it would seem that the minimum responsibility on the part of credit reporting agencies would be to maintain iron-clad security standards to prevent our personal information from falling into the hands of malevolent third parties.
In the recent Equifax incident, the personal security information of 143,000,000 Americans was compromised. According to the Federal Reserve Bank, there are only about 125,000,000 households in the United States. Without question, you were personally impacted. Essentially, the names, addresses, dates of birth, social security numbers and more for virtually every adult citizen in the United States were compromised. In addition, investigations have disclosed that credit card numbers of 209,000 individuals were hacked, along with personal identification numbers (PINs) for another 182,000 consumers.
According to testimony prepared for a House Energy and Commerce Committee hearing, Equifax CEO Richard Smith admitted that the breach was the result of a failure to apply a software update, despite warnings from the Department of Homeland Security, followed a day later by a warning from the company’s own security team. The company’s policy was to apply such patches within 48 hours, but this failed to happen. The patch was designed to repair the vulnerability in the open source Apache Struts software that the company was using in one of its systems. Even following the company’s internal software policies, hackers would have had three days to exploit that vulnerability – a virtual lifetime in the world of hackers. The Apache Software Foundation had issued a patch for the flaw in March, two months before hackers began accessing sensitive information on Equifax’s servers on May 13. Clearly, Equifax had no excuse for its failure to have taken immediate corrective measures.
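The patch-lag point made here and in the Software Updates section above can be turned into a routine check. The following Python example is added here and is not Equifax's process or code: it audits a constructed patch inventory against the 48-hour policy the text describes, using the advisory date (March 7, 2017) and the May 13 start of unauthorized access from the text; the host names and the other rows are made up.

```python
from datetime import date, timedelta

# Assumed internal policy, as the text describes it: critical patches within 48 hours.
PATCH_SLA = timedelta(hours=48)

# Constructed inventory: (host, component, advisory date, date the patch was applied or None).
# Only the Struts advisory date comes from the text; hosts and other rows are invented.
INVENTORY = [
    ("web-01", "Apache Struts", date(2017, 3, 7), None),
    ("web-02", "Apache Struts", date(2017, 3, 7), date(2017, 3, 8)),
    ("pos-01", "Windows 10 cumulative update", date(2017, 3, 14), date(2017, 3, 20)),
    ("office-03", "Adobe Reader", date(2017, 4, 11), date(2017, 4, 12)),
]

# Date the text gives for the start of unauthorized access at Equifax; used as "today".
AS_OF = date(2017, 5, 13)


def exposure(published, applied, as_of):
    """Hours between an advisory and the fix being applied; for a system that is
    still unpatched the window is open and is measured up to `as_of`."""
    end = applied if applied is not None else as_of
    return (end - published) / timedelta(hours=1)


def sla_report(inventory, as_of, sla=PATCH_SLA):
    """One record per entry that missed the SLA, longest exposure first:
    (host, component, hours exposed, still_unpatched)."""
    misses = []
    for host, component, published, applied in inventory:
        hours = exposure(published, applied, as_of)
        if timedelta(hours=hours) > sla:
            misses.append((host, component, hours, applied is None))
    return sorted(misses, key=lambda m: m[2], reverse=True)


if __name__ == "__main__":
    for host, component, hours, still_open in sla_report(INVENTORY, AS_OF):
        status = "STILL UNPATCHED" if still_open else "applied late"
        print(f"{host:10} {component:30} {hours:7.0f} h exposed  {status}")
```

Run against a real inventory export, the "STILL UNPATCHED" rows are the ones that matter most: an open window of 1,608 hours on an Internet-facing host is the situation the text describes.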
This all occurred two years after a similar, but smaller, security breach occurred at Experian, compromising “only” 15,000,000 Americans. What did the credit reporting industry learn over that time? Apparently how to wait months before reporting the incident, while providing an opportunity for three top Equifax executives to unload $1.8 million worth of company stock, after the breach was discovered but prior to its announcement. It also forced Smith to resign, albeit with an over $90 million golden parachute, according to Fortune Magazine.
The impacts of the Equifax security breach upon individuals have been well-documented, including advisories to subscribe to free credit monitoring services, change all of your passwords to unique strings of characters that are more difficult to crack, to pay to freeze reports on your credit (only unfreezing the reports in specific instances, such as when applying for a loan), and to join into one or more of the class action lawsuits against the company. As a small business owner, on the other hand, what measures should you take to ensure that you are safeguarding the information of your customers to the best of your ability? There is no question that international cybercriminals tend to pursue the larger and more lucrative targets; however, every business that conducts business online (not necessarily through its website, but through any Internet-based transactional application) is vulnerable and bears a responsibility for protecting its customers.
The Federal Trade Commission offers recommendations in five areas for how businesses should handle their customers’ personal information.
The first is an assessment of how your company handles personal information that is gathered from a variety of sources, including credit reports, employment applications, and customer-provided data. How is it delivered to your business, how broadly is it accessed within your company, and how and where is it stored? A particular area of concern is the processing of credit cards. Above all else, cybercriminals are looking for credit card information, social security numbers, and banking information. There is no reason for most businesses to maintain records of that information in any form.
Stop gathering information that you do not need. With the exception of very specific matters including employee tax accounting, there is no reason to ever ask for anybody’s social security number. Do not maintain records of credit card numbers. Those should only be gathered through a secure point of sale terminal or via a secure online payment gateway, where you do not actually see the number, its expiration date, or the security code. Never ask people to provide that information via email, and discourage the common practice of taking that information over the phone. “We’ve always done things this way” is no longer an excuse.
Keep all physical and electronic records secure. Paper records and backup files should be stored in locked rooms or file cabinets, with limited employee access to a limited number of keys. Electronic files should be encrypted and password-protected. Individual computers should be password protected, put into password-protected sleep or screen saver mode when left unattended, and shut down at the end of each business day. Scan the computers on your network for vulnerable open network services. For example, if a computer is not intended to be used for the sending or receipt of email, the ports for those services should be closed on that computer. Every computer should also be running real-time anti-malware and anti-virus software that includes scans of incoming email messages for malicious content that might be disguised as routine file attachments. Never allow an employee who is untrained in basic security precautions to access and open email messages.
A highly secure password is almost worthless if an employee is allowed to write it down on a Post-It Note, typically attached to his computer monitor. Educate employees (and yourself!) on the importance of password security, use a “password safe” application with a highly secure master password, and lock out users after a limited number of incorrect login attempts on any computer and any online application. Laptops and mobile devices are particularly vulnerable due to their portable nature. They should never be left where they would be even momentarily visible to thieves, and their access to secure information should be carefully limited. Using unsecured Wi-Fi access at airports and other public places is an extremely risky practice.
Always maintain proper disposal practices. We have all heard the old adage about one man’s trash being another person’s treasure. That was never as true as it is today. Paper records and disposable electronic media containing sensitive data should never go into the trash. These need to be run through cross-cut shredders or incinerated. When disposing of old computers and storage devices, all data must first be removed with a data wiping utility. Simply deleting files leaves them recoverable by a thief. Did you realize that your office copier or fax machine contains a hard drive that stores its data? That data probably includes copies of your tax returns, and that data also needs to be wiped prior to the disposal of any such device.
Finally, maintain a response plan in the event of a security breach. If a computer is compromised, immediately disconnect it from Internet access, remove it from your network, and then shut it down. Bring in an expert to identify and correct the vulnerability and assess any threats to personal information. If there have been compromises, immediately notify your customers and anyone else who may have been impacted by the breach of security. Do not repeat the Equifax mistake of hiding disclosure for months.
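The “scan the computers on your network for open network services” step above is the one most easily automated. As an added example, not from the FTC guidance or the original post, here is a Python audit that parses `ss -tlnp` output and flags listening ports a machine of a given role has no business exposing (mail ports on a workstation, for instance); the sample output and the per-role allow-lists are constructed.

```python
import re
import subprocess

# Assumed allow-lists: which listening TCP ports each role is expected to expose.
ROLE_ALLOW = {
    "workstation": {22},
    "web-server": {22, 80, 443},
    "mail-server": {22, 25, 143, 587, 993},
}
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
PROCESS = re.compile(r'\(\("([^"]+)"')

# Constructed sample of `ss -tlnp` output: a workstation with mail and web daemons on it.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       100     0.0.0.0:25          0.0.0.0:*          users:(("master",pid=1021,fd=13))
LISTEN  0       128     127.0.0.1:631       0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       4096    0.0.0.0:143         0.0.0.0:*          users:(("dovecot",pid=1100,fd=22))
LISTEN  0       511     *:80                *:*                users:(("nginx",pid=900,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""


def parse_listeners(ss_output):
    """Turn `ss -tlnp` text into (port, bind address, process name) tuples."""
    listeners = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)       # handles "0.0.0.0:22", "[::]:22", "*:80"
        match = PROCESS.search(line)
        listeners.append((int(port), addr, match.group(1) if match else "?"))
    return listeners


def audit_listeners(ss_output, role):
    """Split unexpected listeners into those reachable from the network and those
    bound only to loopback (lower risk, but still worth a look). Returns two
    dicts of port -> process name."""
    allowed = ROLE_ALLOW[role]
    exposed, local_only = {}, {}
    for port, addr, proc in parse_listeners(ss_output):
        if port in allowed:
            continue
        (local_only if addr in LOOPBACK else exposed)[port] = proc
    return exposed, local_only


def audit_this_host(role):
    """Run the audit on the live machine (Linux with iproute2 installed)."""
    out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    return audit_listeners(out, role)


if __name__ == "__main__":
    exposed, local_only = audit_listeners(SAMPLE_SS, "workstation")
    for port, proc in sorted(exposed.items()):
        print(f"port {port} ({proc}) is open to the network but not expected on a workstation")
    for port, proc in sorted(local_only.items()):
        print(f"port {port} ({proc}) is loopback-only; review whether it is needed")
```

Each flagged port should end in one of two outcomes: the service is disabled, or the allow-list for that role is consciously updated and the reason recorded.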
This is a brief summary of what occurred in the recent Equifax security breach, how you should react to that breach, and some of the measures that you should implement to tighten the security standards at your own business. If you would like to learn more, be sure to attend the “10 Steps for Securing Your Digital Identity” seminar that I will be presenting at the Outdoor Hospitality Conference & Expo, in Raleigh, on November 8, 2017.