Bill’s first sign of trouble came with a few unexpected “authentication” requests — you know those follow-up texts or emails that banks, Amazon, or Google send when your account is accessed from an unknown computer? A few of his online accounts were being logged in from such faraway places as Armenia, San Paolo, and even Muncie, Indiana.
(For the record, Bill lives in San Diego and has never been to those places.)
Bill wasn’t sure what was going on but was soon locked out of a number of his social accounts, and now needed to validate his identity, change a few credentials, keep track of the new creds, etc. While it was an imposition on Bill’s already busy day, resetting access to his Twitter feed wasn’t really a huge deal.
That said, it was a little unnerving to Bill to think that someone actually got into his accounts, but from what he could tell, no real harm was done. No one posted anything crazy in his name, Bill’s status wasn’t changed to “separated” on Facebook, his LinkedIn profile still reflected his current job — all looked pretty ok. Bill figured all this must have just been a glitch in the matrix…
It was not a glitch in the matrix.
After a bit of research, Bill discovered that his emails were somehow being intercepted and that this had been going on for an undetermined period. He didn’t know if the hacker had been reading or stealing all of his emails for the past year or if it was sporadic theft for an even longer period, but no matter. This breach opened a Pandora’s box of trouble that gave Bill a headache in the short term but could evolve (devolve?) into privacy and financial troubles that he couldn’t yet define or foresee.
Bill Could Be Anyone
This is Bill’s story, a warning shout to the world to get us all to deeply consider how email is used in our lives and perhaps how we need to better defend a daily used but invisible “pipe” into our homes — one just as important as electricity or water.
Way beyond just a casual correspondence method, our email today transmits and stores all manner of information — some obviously confidential as well as other oft-shared information that can be leveraged for a longer-term con.
Those multi-factor authentication requests mentioned at the top? Stop for a moment and try to remember how many accounts you set up where the secondary verification goes to your email. You’re probably like Bill; when two-factor verification caught on a few years back, he sometimes gave “the system” his cell phone number so it could text back a passphrase or code. And (now) regrettably, he also at times provided his email address, believing that his inbox was secure from prying eyes.
In the unknown period between the first email breach and Bill finally catching on to it, a few intercepted email authentications allowed the hacker to access the social accounts mentioned earlier. Who opened Bill’s emails? It was a frantic time of reflection and reaction, trying to reset everything — passwords online and new verification codes. And of course, Bill finally replaced all email two-factor authentications with his mobile number.
And Your Contacts? More Vulnerable by Association
With all that behind him, Bill hoped that that was it, and that he wouldn’t have to deal with any further hassles resulting from his email breach. It turns out he was mistaken, and down the road, this hack could end up costing Bill “real money.”
By now everyone’s heard of “phishing” — those bogus emails that look like a legitimate Google or Amazon login reset page, or an email claiming to be from your company’s CEO. These scams try to trick you into clicking on a malicious link in the email or send you to a fake web page that instructs you to enter your user ID and password. In the latter case, the hacker attempts to gather privileged login info, whereas the former sends your browser and computer to malware hell, downloading ransomware that can lock up your system or destroy data.
Phishing is the shotgun or wide-net hack, whereas “spear-phishing” (as the name implies) is a much more targeted approach that aims for big fish rewards.
Until this email breach, Bill never realized casual interaction with his family and friends could be leveraged for spear-phishing. These emails contained information that he now realizes he probably shouldn’t have also used as personal identifiers for his various online accounts. Who cares that Bill recently moved to X address from his old Y address, that his dog’s name was Chewie, and that his high school had its 10th-year reunion?
Evidently, all that data (and scads more) are hard currency in the dark recesses of the Internet, as they can be used as vectors of information that can enable hackers to build a profile of us they can eventually exploit.
Bill’s hacker (or hackers) is the worst kind — patient and methodical in collecting and triangulating data. It wasn’t enough to just invade his privacy or to mess up Bill’s access to social media and a few other accounts. There was a deeper con at work to extract relevant PII (Personally Identifiable Information) from Bill’s email to ultimately impersonate him and obtain a unique combination of information that could actually be monetized.
On its own, all the PII in Bill’s email could be viewed as just disparate islands of random information. But in aggregate, this data can be combined and ultimately exploited to lure in big money fish:
– Online financial or government accounts that require layers of personal info to either login or to use as backup passcodes/phrases
– Distinct information combinations that compel action from authorized agents of your funds (a CEO’s assistant, Bill’s financial advisor or his parents)
Protect That Email Like It’s Your Wallet
Thankfully, we’re far from powerless. There are numerous security “backstops” and hygiene practices that we all should be aware of and actively follow to counter these threats:
– Don’t use email as a secondary authenticator!
– Don’t accept calls from anyone posing as agents; always verify before taking action (e.g., wiring funds)
– Stop oversharing PII
But along with taking a hard look at our own security and privacy behavior online, this incident forced Bill to question his long-standing assumptions on the safety of our collective internet “infrastructure”. How does his email get from point A to point B? And is any kind of password ever good enough?
This incident proved to be a jolting wake-up call for Bill, as he never really thought about the data flowing to and from his accounts, let alone if it could be exploited. Are our emails protected or encrypted in any way? Who can he trust? Should he rely on Gmail, or just depend on his internet provider? We know that companies have to protect their communications to each other, but is there an affordable solution for consumers like Bill as well? Are there email security options “as good” as the protection/encryption that companies use?
If this information is unnerving, downloading a free trial of Trustifi’s email encryption software may give you peace of mind.