As more and more people fall victim to online hackers, David Crookes looks at the defensive steps you need to take
Barely a week goes by these days without some sort of hacking story emerging in the news. Recently, there have been major security breaches at some of the best-known online companies across the world – from Sony, to Dropbox, to Ashley Madison – and all of them have led to disruption on some scale. Whether a hacked account simply forces users to change their passwords, or causes a major leak of information and prompts an overhaul of the affected service’s back-end systems, hacking leads to inconvenience and, at worst, to loss of money and privacy.
The latest scandal is the hacking of broadband and phone provider TalkTalk. It has now been breached three times, with customer data stolen by what was initially reported, though not verified, to be a Russian jihadist cyberterrorist group. As many as four million people were said to be affected and TalkTalk’s shares plummeted by 9% following the news. After all, when customers find that their name, address, date of birth, email address, telephone number, TalkTalk account information and credit card and bank details have been accessed, it is sure to have an impact on the business.
According to Sophos Labs, the problem of hacked accounts is vast. It says an average of 30,000 new websites are used to distribute malicious code each and every day and, while people used to think that only dodgy areas of the web (such as gambling or pornography sites) would infect their computers, and so compromise the internet accounts they hold, that is no longer the case. Cyber criminals are infiltrating the sites of small businesses and seeking to smash down the doors of the larger concerns where the spoils are plentiful. In America alone, half of all adults had been hacked in the year leading up to May 2014, with some 40 million credit card numbers and 70 million addresses compromised.
It is not set to get any better any time soon. The more devices there are connected to the internet, the greater the chance accounts will be compromised. People still gamble by logging on to services from public wi-fi zones and companies, despite their promises, still leave holes for criminals to exploit; people still write down passwords, use the same one multiple times, or both. We must avoid paranoia, but we need to be aware that there are people out there hellbent on getting our details and yet we can be woefully unprepared.
The problem is that our accounts are so valuable. Bank accounts are worth between 3% and 6% of the balance on the black market, and are bought by financial thieves who will attempt to withdraw cash or launder money. Gambling accounts sell for a couple of pounds each, but contain usernames, payment cards, security questions and bank account details. Twitter accounts sell for 0.02p, and tend to be used by spammers to post rogue adverts using your account. Facebook accounts are worth a bit more because spam under your name on the site can trick people into trusting the link. Meanwhile PayPal accounts tend to sell for £50 and eBay accounts for £8.
Dark web forums are awash with people who want to snap up compromised accounts. It is just a short step towards someone being able to impersonate and defraud a host of victims – and as we have seen with TalkTalk, it is already happening.
Experts are warning that customers with a compromised account are likely to be plagued by conmen for years to come, and yet the company hasn’t been making it easy for customers whose contract isn’t up to leave the service. Reports say they have been told they need to pay £245 to do so, which has caused an outcry among those who believe they should be compensated rather than penalised.
After all, the potential for damage is high: one elderly couple was reported to have lost £8,000 when someone called them pretending to be from TalkTalk and offering to credit them with £200 by way of apology. They were tricked into handing over their bank details, after which the criminals were able to drain the account of cash.
Protect Yourself
Social engineering, or fooling people into parting with their information, is the most common way for hackers to gain access to accounts. In truth, the mass breaches we have seen at TalkTalk and Sony – and at all of the other companies that have fallen foul – are the smaller part of the problem. It has been written about time and time again, but malware and phishing remain the biggest issues in the war against hacking.
By being very vigilant about the software that you download from the internet and install on your devices and computers, you are forming the first line of defence. You don’t want software searching your PC for saved passwords or a utility logging each and every keypress you make, so be sure to watch out for installers that attempt to trick you into accepting a second piece of software during the installation process – something that, unfortunately, is becoming far too common. Only download from trusted sources and, where the publisher provides one, check the download’s digital signature or published checksum before you install it.
At the same time, be wary of phishing. Each day, we receive numerous emails telling us that our bank accounts have been compromised or that we need to change our passwords for the services we use most often. They are nearly always sent by tricksters who are hoping that we become worried enough to click a link and enter our details. With those in hand, the hacker has everything they need to unlock the account in question and, if you use the same details elsewhere on the web, other services too. It’s a frightening prospect. What’s more, it exploits the same principle as the hackers who target small websites that may not have adequate security, in the hope of gleaning account details that can then be tried against other websites (a technique known as credential stuffing).
Which brings us to the issue of passwords. It is important to use a different, hard-to-crack password for each service that you use online. A website such as How Secure Is My Password (howsecureismypassword.net) will estimate how long yours would take to crack but, as an added security tip, don’t type in the actual password that you are going to be using: create a test password built on the same principles (the same length and the same mix of capital letters, lower-case letters, punctuation and numbers). It will give the same estimate without your real password ever leaving your machine.
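The estimate a strength meter gives is simply the size of the brute-force search space, which is why a test password with the same length and character classes scores identically to the real one. The following script is an added example, not code from the article or from howsecureismypassword.net; the guess rate of 1e10 per second is an assumed figure for an offline GPU attack on a fast hash, and the "other" class size is an assumption too.

```python
import math
import secrets
import string

# Character classes a typical strength meter assumes an attacker must brute-force.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
OTHER_CLASS_SIZE = 32  # assumption: spaces, accented letters etc. count as one extra class of this size
ALL_CHARS = "".join(CLASSES.values())


def classes_used(password: str) -> set:
    """Return the names of the character classes present in the password."""
    found = set()
    for ch in password:
        for name, alphabet in CLASSES.items():
            if ch in alphabet:
                found.add(name)
                break
        else:
            found.add("other")
    return found


def search_space_bits(password: str) -> float:
    """Brute-force search space in bits: length x log2(alphabet size).

    This is an upper bound on strength: it does not know that "password" is a
    dictionary word, only that it is eight lowercase letters.
    """
    if not password:
        return 0.0
    size = sum(OTHER_CLASS_SIZE if c == "other" else len(CLASSES[c]) for c in classes_used(password))
    return len(password) * math.log2(size)


def expected_crack_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Average time to brute-force the password (half the keyspace) at the given guess rate."""
    return 2 ** search_space_bits(password) / 2 / guesses_per_second


def generate(length: int = 16, alphabet: str = ALL_CHARS) -> str:
    """Generate a random password with the secrets module (a CSPRNG, unlike random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "Ab1!Ab1!Ab1", generate(16)):
        print(f"{pw:20s} {search_space_bits(pw):6.1f} bits  ~{expected_crack_seconds(pw):.3g} s")
```

Because "Tr0ub4dor&3" and the structurally identical dummy "Ab1!Ab1!Ab1" produce exactly the same figure, you lose nothing by testing the dummy instead of the real password. Treat the number as an upper bound only: a dictionary or rule-based attack will find a predictable password far sooner than the search-space arithmetic suggests.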
Yet what should you do if your account does become compromised and how would you actually know? In a lot of cases, people do not realise that they have a problem until it’s too late. They often check their bank account to find sums missing or they look at their credit card statements to see purchases they can not remember making added to them. They try to log in to social media, email, eBay, PayPal and Amazon accounts only to find they are locked out.
It causes stress and worry, and so it should. If one account has been hacked, who is to say that other accounts have not been hacked as well? Again, as we’ve seen, fraudsters and criminals know that people tend to use the same information over and over and they won’t stop at one website. This leads to site after site becoming out of bounds to the user, and it’s scary stuff.
Email Fixes
If this happens, you will need to go through the individual services you are signed up to, one by one, changing the passwords for them all. But it is not always as easy as that. A hacker may cause untold damage to an account before you get a chance to sort it out, grabbing your details, deleting crucial files and so on.
With email, for example, Yahoo! says hackers who gain access to an account may use the opportunity to make changes to it and send spam or other messages. They may infiltrate your account so that you see multiple failed delivery messages or they may redirect emails elsewhere so that you never see them. Worse, they may change the password so that you can’t even get into your own account. It is not uncommon for hackers to do this either.
Thankfully, many email providers do allow you to reset your account, but in a lot of cases you will need to have prepared the ground beforehand. Gmail uses a secondary email address, a mobile phone number or secret questions to help you regain control (go to www.google.com/accounts/recovery). This entails your having entered these details in the first place. At the very least, you need a secondary email address set up with your account, and this is something you should do right away. With a secondary email address, getting back up and running after a compromise is far quicker and easier, and you can then take the opportunity not only to check all of your settings – the signature, the auto-reply, the name on the account, any forwarding rules and so on – but also to reassess the way you access the account in future.
It is also worth taking advantage of two-factor authentication. This provides an extra layer of security when you’re logging in by asking for a username, a password and a one-time code that is sent to your mobile phone by voice or text, or generated by an authenticator app. It may sound like a pain, but there are ways to minimise the fuss. Most services let you mark certain machines, such as the one you use at home, as trusted so that the code is not requested again there. This means you will be able to log in as normal on the computers you use most often while anyone trying to gain access from elsewhere is still challenged for the code.
If your account is hacked, you need only go to the relevant webpage of your email provider and let the service know. The Outlook email service allows users to go to account.live.com/password/reset, for instance, and select “I think someone else is using my Microsoft account”. Others have a similar kind of set-up.
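The codes sent by text that the article describes are one form of second factor; the authenticator apps that Google, Facebook and others also offer generate the same kind of code locally using the TOTP algorithm from RFC 6238 (HMAC over a time-based counter). The following implementation is an added example, not code from the article or from any provider; the shared secret is the one from the RFC’s published test vectors.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(key, int(for_time) // step, digits, digestmod)


def verify(code: str, key: bytes, now: float, step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Check a submitted code against the current period and +/- `window` neighbours
    (tolerating clock drift between phone and server).  Comparison is constant-time
    so that a wrong guess cannot be distinguished by timing."""
    return any(
        hmac.compare_digest(totp(key, now + drift * step, step, digits, hashlib.sha1), code)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Secret from the RFC 6238 test vectors: the ASCII string "12345678901234567890".
    key = b"12345678901234567890"
    print("current code:", totp(key, time.time()))
```

The `window` parameter is the trade-off a server makes: a wider window tolerates more clock drift but gives an attacker more valid codes per attempt, so it should be paired with rate limiting. A code generated on the device never crosses the phone network, which is why an app is preferable to SMS where the service offers it.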
What happens during this process, though? In the case of Outlook, you will be asked to select the reason for your suspicion before entering your email address or phone number and going through the security questions that enable the provider to verify you are who you say you are. When you do this, your account settings are cleared, which means any email forwarding and auto-replies the hacker set up are stopped. You will have to restore your emails and contacts again too which, in the case of Outlook.com, you will find at the bottom of the Deleted folder under an option marked “recover deleted messages”.
One of the problems comes if you cannot actually remember the answer to your secret question or if you find that a hacker has changed it. Depending on the company, you may then have to write to the email service provider with proof or try again – sometimes you can indicate that you were unable to regain access and go down a different route. During the period where your email account is suspended, you need to use another email address to inform all your contacts that you are having problems and tell them to ignore any odd messages that they have received.
Unsocial Hacking
Securing your email is important because so many other services rely on it. When you reset passwords, you are usually asked to verify you want to go ahead via an emailed link so, without a working email account, you can end up in a vicious circle. Let’s say that a hacker managed to hack your eBay and email accounts. You would go to change the eBay password, the verification would be sent to your email and the hacker would be able to see what you’re doing and intervene. In all hacking cases where any non-email account is compromised, it is always a good idea to immediately change your email password too even if the email account actually seems unaffected.
That’s because it is not always apparent that someone is accessing your accounts. You may spot rogue posts coming from your Facebook or Twitter account or your friends, family or colleagues may be getting messages from you that you didn’t send. You may also find that your friends and following lists look suspicious: on Twitter, it could be that you’re suddenly following a lot of new and unknown people. Even YouTube can be an issue since you may discover that videos are being watched that you would never normally view.
A hacker may have only accessed your account to grab your details, though, in which case an obvious trace may not be left. Thankfully there is a good way to check if someone has access to your social media account. Check the location of your recent logins (see below). If they are coming from an unknown area or a country that you haven’t visited then you will know there is an issue.
If you do find your social media account has been hacked, you need to report it. For users of Facebook, the place to go is en-gb.facebook.com/hacked. The sooner you act, the less likely any further damage will be caused. Who knows what a hacker is doing with your account – he or she could be deleting personal information, contacting people or accessing your private messages.
Facebook will want you to enter your email address or phone number, your Facebook username, or your name and a friend’s name. An email will be sent to you with details of how to reset your password, but things become more complicated if your email is also hacked, as we’ve seen – yet again reinforcing why you should have different passwords for different accounts. Don’t think all is lost if this is the case, though: you’ll be shown a link to a page that lets you report a more complex case of hacking. It asks you for a new email address, which breaks the tie with your hacked email account, before going on to assist you in the recovery of the Facebook account.
Instagram offers a similar service, which you can access by visiting tinyurl.com/lbw5kd2, as does Twitter (go to support.twitter.com/forms/hacked and email the ticket number to hacked@twitter.com). Twitter also advises that you go through any third-party applications you don’t recognise and revoke their access to the service if you fear you’ve been compromised. This is because an app that you (or a hacker) have authorised keeps its own access to your account, which survives a password change, so it can be used as a back door. You can find the options to do this by going to the Apps tab of your account settings and clicking the Revoke Access button next to the application. It is also worth noting that Twitter wants to know if you have been the victim of a phishing attempt. If you have, send the phishing email to hacked@twitter.com and include the word “Hacking” in the subject line.
How Much?
Things start to become more serious, though, when money is involved. In a lot of cases, hackers are looking for access to your bank details. Many accounts from Amazon to eBay have payment details attached to them so a hacker gaining access to them could change the address, buy items and divert the goods. You get a whopping bill and they get the expensive items that they want.
If changing the password does not work or if you are locked out of your account because the hacker has already changed the password, then you need to contact Amazon’s customer service team, which is usually very quick to respond. You should also let your bank or provider know that your credit or debit card could be used fraudulently and ask them to issue you with replacements. Any payments made on it should be refunded depending on how the account was compromised.
Indeed, when it comes to online payment accounts, Kaspersky Lab says people need to regularly check what is coming in and out. Always keep an eye on PayPal, Amazon, Apple Pay and other such payment services for any unauthorised activity and watch out for notifications saying your account details have been changed. Being alerted to suspicious activity on your account gives you an early tip-off that can be crucial in minimising the potential for damage.
If you have not actually authorised a change, then it points to a problem and suggests that you need to start taking some action. Just be careful to read such emails properly to ensure that they are actually legitimate: the phishers send “your details have been changed” messages too. If in doubt, always go direct to the website in question by typing its address and change the password there, rather than through a link in the email.
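The tell-tale signs of a phishing link, as discussed in the phishing section above and here, can be checked mechanically before anyone clicks: a brand name used as a subdomain of some other domain, a visible URL that differs from the real destination, a punycode (xn--) host that renders as a lookalike, and a plain-http link. The script below is an added example, not code from the article or from any mail provider; the sample message, the trusted-domain set and the two-label "registrable domain" rule are all constructed simplifications.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains this sender is expected to link to (assumption for the example).
TRUSTED_DOMAINS = {"paypal.com"}

# Constructed sample message body; not a real phishing email.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please
<a href="http://paypal.com.secure-login.example/verify">log in to PayPal</a> within 24 hours.</p>
<p>Or use <a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a>.</p>
<p><a href="https://xn--pypal-4ve.com/verify">https://www.paypal.com/verify</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a host name.  A real implementation would consult the
    Public Suffix List so that e.g. bank.co.uk is handled; this is a simplification."""
    return ".".join(host.lower().split(".")[-2:])


def assess(href: str, text: str) -> set:
    """Return the set of warning signs for one link (empty set means nothing suspicious)."""
    url = urlparse(href)
    host = url.hostname or ""
    if not host:
        return {"no-host"}                      # javascript:, mailto:, relative links etc.
    reasons = set()
    if url.scheme != "https":
        reasons.add("no-https")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.add("punycode")                 # internationalised lookalike, e.g. a Cyrillic letter in "paypal"
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registrable(host) != trusted:
            reasons.add("brand-lookalike")      # paypal.com.evil.example or notpaypal.com
    shown = urlparse(text)
    if shown.hostname and registrable(shown.hostname) != registrable(host):
        reasons.add("text-host-mismatch")       # the URL the reader sees is not where the link goes
    return reasons


def scan(html: str) -> list:
    """Return [(href, reasons)] for every link in an HTML message body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, assess(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, reasons in scan(SAMPLE_EMAIL):
        print(("SUSPICIOUS " if reasons else "ok         ") + href, sorted(reasons))
```

Only the second link in the sample passes; the first hides the real domain behind a "paypal.com." prefix and the third shows one URL while linking to another. The check is deliberately conservative: a real mail gateway would also resolve the link’s final destination after redirects and consult the Public Suffix List rather than trusting the last two labels.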
Cat And Mouse
You cannot fully protect yourself from hackers – you can only make it harder for your accounts to be compromised. It is akin to a game of cat and mouse and no-one can be sure where the next attack will be. People think that anything to do with Apple is 100% secure, but it isn’t, especially if you’ve tinkered with the operating system.
Hackers targeted jailbroken iPhones in September this year, for instance, stealing more than 225,000 Apple accounts using malware called KeyRaider. These details could be used to make purchases, send iMessages, access iCloud data and more. What’s more, having access to an Apple ID and password could even allow a hacker to remotely erase a device or permanently lock it. Meddling with something that holds such crucial data will compromise your safety, but if you do jailbreak a phone or tablet, then at least use two-factor verification. It saves you having to mess around setting up a new Apple ID account or, as a last resort, restoring the device to factory settings (do this via iTunes if you are using an iPhone, then restore from a safe back-up and set up a new Apple ID).
Of course, none of this will completely stop accounts from being hacked. As long as there are people who do not secure their machines, the issue will continue. We do tend to be lazy at times and assume that we won’t be affected, and one of the problems of the modern era is that our devices are almost permanently logged in to services. If you have a strong password set on your computer, phone or tablet, this isn’t that troublesome, but it can lead to bad habits – like remaining logged in to accounts when leaving work, or even on public computers. Many people also habitually forget to untick the ‘Remember Me’ box on login pages. Don’t be one of those people, because the easiest way to compromise an account is to leave the front door to it open. The next computer user could easily change your password or post things on your behalf without you realising it until it’s too late. Don’t have nightmares...
Check For Hacked Accounts
One way for you to see if any of your accounts have been compromised is to check your email address at haveibeenpwned.com. It will be cross-referenced against 223 million potentially compromised accounts drawn from 56 hacked websites. Best of all, it is safe and easy to use.
The site covers some of the largest breaches in history. It will let you check your address against the 152,445,165 Adobe accounts that were hacked in 2013, see if you were one of the 4,609,615 Snapchat accounts compromised in 2014 and even go as far back as 2011, when 37,103 accounts from Sony were breached. You can also set up an alert, which notifies you as soon as your address turns up in a future breach.
As you may expect, this website became rather popular after 30,811,934 Ashley Madison accounts were leaked, but some visitors would have been disappointed to find that they had to subscribe and verify ownership of an email address before they could see whether it was in that breach. “The discovery of one’s spouse in the data could have serious consequences,” wrote site owner Troy Hunt.
Are You Under Government Surveillance?
Your account is not only under threat from criminal hackers: government agencies are also known to try to access the personal details of people signed up to various online services. It’s not a new problem by any means: in 2011, The Guardian reported that governments across the world were infecting targeted computers with spyware so that they could covertly monitor Skype conversations and see the details of accounts.
Acutely aware that this kind of thing could put people off divulging personal information on websites, particularly social media, some websites have been hitting back. Facebook is now warning users if it feels that a nation-state or a state-sponsored actor is compromising their account. The details were revealed in a blog post written by Facebook’s Chief Security Officer Alex Stamos.
He wrote: “While we have always taken steps to secure accounts that we believe to have been compromised, we decided to show this additional warning if we have a strong suspicion that an attack could be government-sponsored. We do this because these types of attacks tend to be more advanced and dangerous than others, and we strongly encourage affected people to take the actions necessary to secure all of their online accounts.”
An example of the notification Facebook will be using was also shown. It advises those whose accounts may have been targeted to turn on Login Approvals, which means a security code will be needed in order to access the account from a new device. Facebook will not explain how it attributes particular attacks to suspected attackers, though. This, it says, is “to protect the integrity of our methods and processes.”
Where Are You?
Facebook records the location of each login when you use it on your iPhone or Android device. These details are there for your own information and, while you may not want Facebook to log your whereabouts, they can be an effective tip-off that someone is using your account. If a login from a strange location shows up, change your password immediately. You should also go to the Security Settings in your app and look for Active Sessions, which lists every device and place currently logged in. If you see anything unusual there too, you may have a problem. Finally, you can also check the recognised devices associated with your account and remove any you don’t recall.
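The check the article recommends here and in the “Unsocial Hacking” section, looking through recent logins for a place you have never been, is what services themselves automate with two rules: a login from a country the owner has never used, and two consecutive logins so far apart in distance and so close in time that no one could have travelled between them (“impossible travel”). The script below is an added example, not code from the article or from Facebook; the login history is constructed, and the 900 km/h ceiling is an assumed figure roughly equal to airliner speed.

```python
import math
from datetime import datetime

# Constructed login history for one account (not real data): UTC time, city,
# ISO country code and coordinates, much as an "active sessions" page records them.
LOGINS = [
    ("2015-10-21T08:00:00Z", "London",     "GB", 51.5074, -0.1278),
    ("2015-10-21T12:30:00Z", "Manchester", "GB", 53.4808, -2.2426),
    ("2015-10-21T13:15:00Z", "Moscow",     "RU", 55.7558, 37.6173),
    ("2015-10-22T09:00:00Z", "London",     "GB", 51.5074, -0.1278),
]

MAX_PLAUSIBLE_KMH = 900.0   # assumption: faster than an airliner means the two logins were not the same person


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a sphere of Earth's mean radius (6371 km)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(logins, known_countries, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (index, reason) findings over a time-ordered login list.

    reason is "new-country" for a login from a country the owner has never used,
    or "impossible-travel" when the speed needed to reach this login from the
    previous one exceeds max_kmh.
    """
    findings = []
    prev = None
    for i, (ts, city, country, lat, lon) in enumerate(logins):
        when = parse_ts(ts)
        if country not in known_countries:
            findings.append((i, "new-country"))
        if prev is not None:
            pwhen, plat, plon = prev
            hours = (when - pwhen).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            speed = km / hours if hours > 0 else math.inf   # same-second logins far apart are impossible too
            if km > 0 and speed > max_kmh:
                findings.append((i, "impossible-travel"))
        prev = (when, lat, lon)
    return findings


if __name__ == "__main__":
    for i, reason in detect(LOGINS, known_countries={"GB"}):
        ts, city, country, _, _ = LOGINS[i]
        print(f"{ts} {city}, {country}: {reason}")
```

On the constructed data the Moscow login is flagged twice: it is from a country the owner has never used, and it comes 45 minutes after a login from Manchester, some 2,500 km away. The return to London next morning is not flagged, because nineteen hours is ample time to cover the distance. Geolocation of IP addresses is approximate, so a real system treats these as alerts to investigate, not proof on their own.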
Affected By The TalkTalk Hack?
If you are a TalkTalk customer, Action Fraud has put together some solid advice on what you need to do next. It says you should change your password, contact your bank and credit card company, keep a check for suspicious or unexpected activity, and be wary of phishing emails and of people calling to ask for personal information – never reveal bank details or passwords to a caller. It says you should check your credit rating at Experian, Equifax or Noddle and report any fraud at www.actionfraud.police.uk/report_fraud.