About Identity, Part 1: Protect your mailbox, protect your digital identity
Trust is eroding — making safeguarding identities critical.
Growing up, I was used to having an unlocked house mailbox and trusting others to not pry into my mail. I took the safety of an unlocked mailbox for granted — not anymore. In the last few months, multiple neighbors and relatives have had their mailbox broken into by adversaries wanting to view, steal, and even move mail to an unknown location, far from the mailbox owner.
Because the US Postal Service is a federal agency, mail theft is charged as a federal offense under US Code Section 1708. Imagine if a criminal were to use information they learned by opening someone else’s mail: their name, personal identifying information (PII), and other sensitive information from bank statements, healthcare bills, and other mails. Imagine how access to that information could lead to other crimes, such as impersonating strangers to file insurance claims, activate a credit card, cash a check in the bank, or rack up fraudulent purchases. For potential mail criminals, these “rewards” seem to outweigh potential punishment.
On other hand, not everyone has malicious intentions. In cases where my friends came across discarded stolen mail as they were taking a stroll in the neighborhood, they quickly informed the mail’s owner. Nevertheless, such incidents have prompted many of us to use lock-and-key mailboxes, to deter would-be thieves. Some of us monitor our mailboxes and front doors with cameras.
In the cyber realm, we may also not realize until too late that our identity has been compromised. For example, you could become a victim of phishing by clicking on a malicious link or opening a malicious attachment that unknowingly exposes your identity to the adversary. This can give a cyber criminal the means to use your credentials to take actions that impact your user experience, or worse, steal your data.
Similarly, you might be searching for a particular item using a search engine that turns up a website that looks strikingly similar to a legitimate ecommerce site, but is actually fake. If you visit the site and create an account login and password, the malicious site owner could take your credentials and use them for nefarious purposes: emailing you to confirm your account creation and subsequently having you submit credit card information to “purchase” something on the site. While you never receive your item, the criminal will be laughing their way to the bank!
I am not suggesting that the ultimate panacea for avoiding identity exposure is to avoid being online. That simply is no longer practical in today’s modern workplace. Instead, cyber security solutions — including those which detect suspicious and malicious communications, monitor web sites for potential or known harm, and warn also block people from accessing such content— can help reduce the risk of threats. Additionally, training people to be aware of suspicious communications and web sites, and implementing easy processes to report such incidents to IT security teams, can help minimize exposure and harm. If an incident or breach does take place, you want to be able to execute an incident response plan to detect and repair damage as soon as possible.
Building trust is important, yet maintaining trust is hard. By effectively harmonizing people, processes and solutions to be prepared for potential identity-related threats in the physical and cyber world, organizations can increase attacker cost, if not completely deter would-be criminals. Doing so can make it harder for the cyber criminal to steal identities of people who are trying to make an honest living.
Watch out for the next blog post in this series for more detailed overviews of Identity related cyber attacks and recommendations for mitigation, including: spear phishing, credential dumping aka. breach replay, and password spray (brute force or dictionary).
To learn more about identity-related cyber security threats, check out Microsoft Security Intelligence Report.
