How Hacking Works in 2017
Why you should care at least a little bit about “Cloudbleed.”
Step 1: Get your email address.
This can be done pretty easily. Giant lists of “known valid” email addresses are available all over the Internet. A hacker using this information starts a “profile” of you. Sometimes, this is not the first piece of information, but it is the most “key” piece of information. It is what you use to sign into Google, Facebook, PayPal, etc.
Step 2: Get a password matched to that address.
“Cloudbleed” as some are calling it was spraying random information out to the Internet like a coffee-drinking tomcat in a new territory. The nature of how a hacker gets a password doesn’t matter. They have one, and it matches your address. Now they have a profile they can really use.
Step 3: Check these credentials elsewhere.
Once they have this information, the first targets are social media outlets, not your bank account. Why? Well, this has the really good stuff: Your birthdate, your mother’s maiden name, where you went to high school, the make and model of your first car, your favorite movie, and basically all the answers to security questions that other places ask. If you are answering “Who really knows me and my favorite things?” chain-posts, then you are giving up free information for a hacker’s profile.
Don’t worry, even if you use a secure password for Facebook, not all of your friends do. A lot can be inferred from names and posts in Facebook and added to profiles before they every have your email address or a password. It is easy and cheap to hold a large database, these days. You can set up a cluster storage and hold profiles on nearly everyone on the planet for about $10,000. Just in case you wanted to get started harvesting those “Who really knows me” posts.
Step 4: Low-hanging fruit.
Now these profiles really get to work. The easy pickings are sites that use the same password. Did you “Like” Home Depot to get a freebie? Let’s see if you have a Home Depot credit card with the same password. No? Okay, let’s see if we can get them to do a password reset for the card. After all, we have answers to most of the security questions, already … Oh, there we go. We can order stuff straight from Home Depot on-line. Any gift cards for sale? Yep.
Step 5: Advanced efforts
Some things can be inferred, and machines are getting better at making these sorts of connections. While guessing passwords outright is not quite there, a lot of focus can be put on family connections, important dates, and other data in your profile to come up with some common guesses. Words based on your kids’ names.
Sometimes, this information is put to use directly: There are a few scams going around, and one, the “Grandparent Scam,” even targeted my dad after someone in my daughter’s circle had their phone stolen. They used the information they got from Facebook to paint a realistic picture for him, and he is still shaken up from the experience months after the fact. The flaw in their scheme was that I’m reasonably close to my adult children. “No, you can’t tell dad,” just didn’t pass the smell test.
The information has value. You may think, “Oh, this is just Facebook,” but it is important to know just how easily this kind of information adds up. Companies that may have been compromised include Uber and FitBit, so you can add “where did this person go?” to the other information. “They took a car to Macy’s. Let’s see if they have a Macy’s credit line.” Rinse. Repeat.
Change your passwords.
Never use the same password for two different sites. Use a password manager like “Lastpass” to keep them all secure, sorted, and strong. Use 2-factor authentication with your financial companies if they support it. And be smart about what you put on social media.