January 31, 2014
Over the past few years there have been a few high profile cases of people having their online identity stolen, often for silly reasons.
In 2014 Josh Bryant almost had his Twitter name stolen through an attack exploiting Amazon and Apple customer service. By being vigilant and contacting customer support immediately he was able to thwart the attack.
In 2014 Naoki Hiroshima had his Twitter name stolen through a sophisticated attack exploiting PayPal, Amazon, and GoDaddy customer service.
In 2012 Mat Honan had his entire digital life destroyed through an attack exploiting Amazon and Apple customer service.
Fortunately there are a number of things you can do to help protect yourself.
Protecting Domain Names
- Use a registrar incorporated in your country of residence. If you need to initiate legal action it is much easier if both parties reside in the same jurisdiction. It is also much easier to use a consumer protection watchdog to get a resolution.
- Enable privacy guard features on your domain names to hide your physical address and e-mail address, both of which can be used as part of social engineering attacks.
- Use an accredited registrar rather than a reseller. Registrars do go out of business, and when they do it is again much easier to initiate legal action if they reside in the same jurisdiction.
- Avoid GoDaddy
Protecting your other accounts
- Remove all credit card numbers held on account where they are not needed. You can use pre-paid gift cards for iTunes, and disposable pre-paid cards for most other services. Most attacks involve an individual having the same credit card number on file with two organisations.
- Enable two-factor authentication. Make sure the provider collects your phone number so you have a backup method for receiving tokens. If one-time recovery codes are provided, print them out and store them in a physically secure location. Unfortunately the customer service provided by mobile providers is weak, so do not publicly publish your mobile phone number.
- Use a free e-mail account from a blue chip publicly listed company for online signups. Hackers have used weaknesses in customer service to re-route vanity e-mail domains. If you do use a vanity e-mail address, Naoki recommends setting a reasonably long TTL.
- Use guest checkout where available. This reduces your online footprint of accounts, passwords, and stored credit card numbers.
- Serious users of AWS should consider using a separate account for Amazon.com purchases to prevent their AWS instances being exposed in customer service social engineering attacks.
- Use a different password for each online identity you have. A KeePass database synchronised with cloud storage can help you generate a secure, unique password for every site. There are other services out there, some commercial, but you will likely keep your accounts for decades, so use KeePass: it is open source, which reduces the risk of losing all your accounts. Make sure to keep a backup of this password database. I would recommend, under all circumstances, memorising your primary e-mail password.
- Treat secret questions as passwords. Do not enter information that you would happily hand out to anyone in conversation.
- Use HTTPS where provided. If a vendor that accepts payments does not use HTTPS, do not use it under any circumstances. The EFF's HTTPS Everywhere browser extension for Chrome and Firefox makes this easy by switching sites that default to HTTP but support HTTPS into HTTPS mode.
- Only use online vendors that use a trusted payment gateway as their payment processor. This reduces the number of databases your credit card information is stored in.
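The two-factor item above tells you to print one-time recovery codes and lock them away. The following is an added example, not code from the original post or from any provider it names, of how a service would typically issue and consume such codes: each code is random, only a salted slow hash of it is stored, a code works exactly once, and repeated wrong guesses lock redemption. Every name here (generate_recovery_codes, RecoveryCodeStore, the 36-symbol alphabet, the lockout threshold) is a hypothetical choice for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical recovery-code service written to illustrate the "one-time
# recovery codes" the post tells readers to print and store securely.
ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols, ~5.17 bits each
CODE_LENGTH = 10                                    # ~51 bits of entropy per code
PBKDF2_ROUNDS = 50_000                              # deliberately slow hash
MAX_FAILED_ATTEMPTS = 5                             # lock out brute-force guessing


def generate_recovery_codes(count=10):
    """Return `count` distinct random codes formatted xxxxx-xxxxx for easy transcription."""
    codes = []
    while len(codes) < count:
        raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        code = raw[:CODE_LENGTH // 2] + "-" + raw[CODE_LENGTH // 2:]
        if code not in codes:          # collision is vanishingly unlikely, but cheap to rule out
            codes.append(code)
    return codes


def normalise(code):
    """Accept the code however the user typed it: case, spaces and hyphens are ignored."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code, salt):
    """Salted PBKDF2 hash; only this value is stored, never the plaintext code."""
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Server-side record for one user: hashed unused codes plus a failure counter."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = [hash_code(c, self.salt) for c in codes]
        self.failed_attempts = 0

    def remaining(self):
        return len(self.unused)

    def is_locked(self):
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

    def redeem(self, code):
        """Consume a code. Returns True exactly once per code, False otherwise."""
        if self.is_locked():
            return False
        digest = hash_code(code, self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                self.unused.remove(stored)   # burn it: a reused code must not work
                self.failed_attempts = 0
                return True
        self.failed_attempts += 1
        return False


if __name__ == "__main__":
    codes = generate_recovery_codes()
    print("Print these and store them offline:", *codes, sep="\n  ")
    store = RecoveryCodeStore(codes)
    print("first use:", store.redeem(codes[0]))    # True
    print("second use:", store.redeem(codes[0]))   # False
```

The plaintext codes exist only in the moment they are shown to the user, which is why losing the printout means regenerating the whole set rather than recovering it from the provider.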
If you see an unexpected password reset notification, someone is trying to gain access to your account. Report these attempts to the service provider where possible. A reset notification on its own does not mean your account has been compromised, but the attacker may try other methods, so stay alert.
Generally the game is to make database record matching difficult. Different e-mail addresses, payment methods, and passwords make it hard for attackers to correlate records and use information gained from a weakness in one site to break into all your other sites. If one site is compromised, it should not compromise any other site.
As for online banking, make sure you are familiar with your bank's policies. Most banks will cover personal losses from unauthorised use of your account, as the banking system has reasonable measures in place to limit transactions to unlinked accounts, and reciprocal agreements let banks reverse most kinds of transactions within a reasonable amount of time.
Never respond to cold calls. Always start the conversation by asking for a phone number where you can call the person back, then find the company's switchboard number on its website and call that instead. If the call was legitimate they will be happy to take your call; if it is a scam you can report it to the company for further investigation.
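The record-matching point above, together with the earlier advice on not sharing credit card numbers and passwords between accounts, can be turned into a self-audit. The following added example (not from the original post) takes a constructed inventory of accounts, treats e-mail address, stored card and password as the attributes an attacker could match on, and uses union-find to report which accounts would fall together if any one of them leaked. It generalises beyond the three attributes in the text: any set of fields can be passed in. The site names, values and the field names are all constructed placeholders; in practice the password column would hold a fingerprint exported from a password manager, never plaintext.

```python
from collections import defaultdict

# Constructed inventory of accounts for illustration; none of these are real.
# The "password" labels stand in for password-manager fingerprints.
ACCOUNTS = [
    {"site": "mail.example",   "email": "me@mail.example",    "card": None,        "password": "pw-A"},
    {"site": "shop.example",   "email": "me@mail.example",    "card": "card-1234", "password": "pw-B"},
    {"site": "cloud.example",  "email": "ops@mail.example",   "card": "card-1234", "password": "pw-C"},
    {"site": "social.example", "email": "alias@mail.example", "card": None,        "password": "pw-B"},
    {"site": "bank.example",   "email": "bank@mail.example",  "card": None,        "password": "pw-D"},
]

# Attributes an attacker could use to match a record from one breach to another.
LINK_FIELDS = ("email", "card", "password")


def shared_values(accounts, fields=LINK_FIELDS):
    """Map each reused (field, value) pair to the sorted list of sites that share it."""
    users = defaultdict(set)
    for acct in accounts:
        for field in fields:
            value = acct.get(field)
            if value is not None:
                users[(field, value)].add(acct["site"])
    return {key: sorted(sites) for key, sites in users.items() if len(sites) > 1}


def linkage_clusters(accounts, fields=LINK_FIELDS):
    """Group accounts transitively linked through any shared attribute (union-find)."""
    parent = list(range(len(accounts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving keeps lookups short
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    first_seen = {}
    for i, acct in enumerate(accounts):
        for field in fields:
            value = acct.get(field)
            if value is None:
                continue
            key = (field, value)
            if key in first_seen:
                union(first_seen[key], i)
            else:
                first_seen[key] = i

    groups = defaultdict(list)
    for i, acct in enumerate(accounts):
        groups[find(i)].append(acct["site"])
    clusters = [sorted(g) for g in groups.values()]
    return sorted(clusters, key=lambda g: (-len(g), g))   # largest exposure first


def blast_radius(accounts, site, fields=LINK_FIELDS):
    """Sites reachable from a compromise of `site`, excluding `site` itself."""
    for cluster in linkage_clusters(accounts, fields):
        if site in cluster:
            return set(cluster) - {site}
    return set()


def fully_isolated(accounts, fields=LINK_FIELDS):
    """True when no two accounts share any linkable attribute: the goal state."""
    return not shared_values(accounts, fields)


if __name__ == "__main__":
    for cluster in linkage_clusters(ACCOUNTS):
        flag = "OK    " if len(cluster) == 1 else "LINKED"
        print(flag, ", ".join(cluster))
    for (field, value), sites in shared_values(ACCOUNTS).items():
        print(f"  {field}={value!r} shared by {', '.join(sites)}")
```

In the sample data the shop account is the pivot: it shares an e-mail address with the mail account, a card with the cloud account and a password with the social account, so one leak exposes four sites, while the bank account stands alone. Fixing the three shared values makes every cluster a single site.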