I Got Hacked - A Lesson in Better Password Security
It’s a bad time for evening productivity at the moment because it’s a great time for television. All over the world, binge-watching is seeing household chores unfinished, hobbies gathering dust and the garden being reclaimed by nature.
Orange is the New Black currently has the Pickett household glued to the TV and we watch at least one episode every evening. Last week, we’d come to a particularly exciting cliff-hanger, so we decided to fire-up Netflix early and make ourselves comfortable.
What happened next was… confusing. Netflix was displaying a message saying that we could not use the application as both my allowed streams (I can watch shows simultaneously on two devices) were already in use. As we don’t share the password with anyone, I thought this might just be a glitch, but resets and trying other devices reiterated the same message.
Then the evening went from confusing to frightening. I received a message from Facebook asking to confirm a successful login attempt from an unusual location in Northern Ireland. I’ve not been there in years and from my living room in the South East of England it was dawning on me that much more was going on than mere app glitches.
I immediately reset the password on both Netflix and Facebook and posted a message online to my Facebook friends that my account might have been compromised and to please look out for anything odd that purports to be from me.
As I completed that message, the attacker, be it human or robot mounted its next phase - an attempt at my Dropbox account.
Now NetFlix had told me nothing until I’d used it, Facebook’s security goes beyond just relying on a username and password and also uses advanced threat detection and so saw the logon from Northern Ireland as an anomaly that should be checked.
When it came to Dropbox, I’d fortunately enabled multi-factor authentication, so although the initial username and password to my account had been entered correctly, without the access code that had been sent to my smartphone, there was no entry possible. Thank goodness for that - the idea of someone watching shows on my Netflix account is annoying. The idea of them rifling through my files on Dropbox is truly terrifying!
I was now fully aware that I was being targeted and the attacker was working his/her/its way through all the big web-services with at least one of my correct passwords. It had become a race between us as I logged on to each and every account I remember having, which given that I’ve been online since 1998 was a fair few and changing them to something different and more complex.
At the same time, I was starting to receive some advice from friends on Facebook and amongst some of the more obvious things I want to share, there may be a couple of points you haven’t considered. Let’s start with some obvious ones that you and I know, but perhaps, like me, you haven’t actually followed.
Add Password Complexity and Minimise Repetition
All in all, I must have changed passwords on 30+ online accounts. The standard advice is never to repeat a password online. This is good advice, but I wouldn’t blame you if you found it impossible to follow. I would suggest an acceptable compromise is to make sure your most important accounts (email, finance, anything that holds personal information) should be unique, but a bit of repetition elsewhere (free accounts to access site content for example).
Those passwords should have a level of complexity too. Memorising random alphanumeric is hard though, so consider developing a simple code to turn your passwords into something more complex that a dictionary attack at least won’t get past.
The most important password is probably the one to your email. If you think about it, all other accounts will use your email address to verify your identity online and will send unique reset links to you over email for you to manage your account. If that one is lost, the attacker can likely get into every account you have online, if you’re not paying attention.
If you’re really keen to use long, complex passwords, consider a password manager. There are many well regarded ones available either for free in limited form, or for a fee. Or, consider having your browser remember them. For example, Google Chrome users can have their passwords stored in their Google account. Again - this is only as secure as that initial set of credentials, so make sure you’ve followed all best practices for managing Google accounts, including enabling multi-factor-authentication.
Add Multi-Factor Authentication
MFA has been around a long time and is well known in tech circles, but sadly much less well known amongst the general internet user population. Basically it adds another layer of authentication after your username and password. Most commonly, this involves registering your phone (your phone number being a reliable unique identifier) and each time you logon to a service on a new device, your phone will receive a time-limited code for you to enter after your username and password. Alternatively some services will supply you with a key-fob that generates the codes. If the device you’re using is something you own or trust, you can usually designate it as a trusted device and you won’t have to bother with the MFA stage every time. Simple and clever.
If you already know about this, then like me, you probably look for MFA each time you sign up to a new service, but have you reviewed all the services you’re signed up to just in case they’ve added it since? I hadn’t either. One of my Facebook friends passed me a link to this handy site, which tells you all the services that offer MFA:
We’re approaching a time where there is no excuse for sites like banks, social networks and paid-for services not to offer MFA, so I’ll be seriously considering looking elsewhere when a service chooses not to.
Website Connections Should be Encrypted - Be Suspicious at All Times
I really hope that if you use online banking, that you’re well used to checking that the address in the browser shows that the connection is encrypted, meaning the data your computer passes to and collects from the site is private.
This is usually denoted by seeing HTTPS at the start of the address line (instead of HTTP) or a padlock symbol. Any site that includes authentication should use this technology and more recently, Google has been suggesting that all websites should encrypt their connections regardless and that protected websites will do better in Google Search results.
I wouldn’t expect every website to be there yet, mine isn’t - but this is something to look out for.
Know If You’ve Been Compromised
There’s a long list of other things you should be doing to protect yourself online and probably the most important after the above is to ensure that you’re only accessing these services from PCs that are bang up to date with their security patches, antivirus and anti-spyware tools. Despite dire warnings, smartphones are not as high risk as PCs. They’re powerful computers, but they’re also much more locked down and their operating systems do a great job of keeping applications away from the important stuff - that doesn’t mean you should be careless though.
Although I’m clearly guilty of having used the same password far too often across the web, I’ve been very good at maintaining my computers, but I still got hacked. Why?
Well, my details aren’t just in my head, they’re on the service’s servers that I’ve been accessing and those million dollar companies also get lazy about their security, leaving millions of account details leaked into the darker corners of the web for bad guys and programs to exploit.
So how can you know if you’re at risk? Well, another FaceBook friend drew my attention to this:
Recommended on Wired, this service will let me know if my email address or a username I know is mine has been leaked in any of the major data breaches that have happened.
I ran my details against it and discovered that they had been leaked in a major breach in 2013 and that it’s perfectly common for years to pass before these data get used in attacks.
Had I been aware of this site before, I might have been more thoughtful to review my password situation more speedily, rather than putting it off indefinitely, so give yours a try.
Small Efforts - More Netflix
So there you have it, hopefully you knew some of this already, but maybe there’s something new for you to consider. I’ve certainly learned my lesson and will be more careful to vary my passwords and check that I’m not part of a data theft regularly.
A couple of hours reviewing your accounts online and ensuring they’re managed properly should give you more time to focus on what really matters - Game of Thrones and Orange is the New Black!
Jp