News that Uber got hacked and 57 million records were compromised may not seem like an overt threat after this year’s constant mega breaches—but it is. A recent study suggests that even something as “harmless” as a breach involving names, phone numbers, and email addresses can lead to account takeover.
The study, entitled “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials,” was backed by Google and conducted in partnership with the University of California, Berkeley, and the International Computer Science Institute.
While the title may sound boring, the takeaway is terrifying: Account takeover isn’t happening the way many people think.
What Is Account Takeover?
The first thing you need to know about account takeover is this: It’s an incredibly serious matter.
Account takeover is a form of fraud. A criminal attempting account takeover may target your bank account, your credit card accounts, or any other financial service where you do business. Once a criminal has control of an account, you will be robbed.
It’s easy to understand how your Social Security number can be used to defraud you, not to mention the time-suck of setting the record straight with whatever companies composed part of the digital “crime scene.”
Since the days of the rotary telephone, our Social Security numbers have acted as virtual skeleton keys to our financial realities. It was the way we proved that we were the right person to access our money at a bank or to be granted credit. For a long time criminals have found creative ways to use that same key to rob people—whether through the creation of new credit accounts or through account takeover.
Stolen credentials come in many forms, and they are not equal by any means. The importance of the Google study hinges on this new reality: Social Security numbers aren’t the worst threat to your accounts based on current statistics. And herein lies the kernel of what matters most in the study.
Account takeover can also zero in on your email.
How can you be robbed if a criminal has control of your email account? Think about how many of your active online accounts will send a link to reset your password via email—and then continue reading after you stop hyperventilating.
In a world where most of the day-to-day transactions we make are digital but two-factor authentication has not been universally adopted, the control of your email account by a third party may create an even greater vulnerability to fraud than the possession of your Social Security number.
Why Uber Matters (and Doesn’t)
The Uber hack was discovered more than a year before it was reported, and the company paid the hackers $100,000 to keep the incident under wraps. That such things aren’t considered serious crimes in the US is something to ponder, but that’s not the reason the hack matters.
The longer your information is “out there” unbeknownst to you, the longer you are unwittingly exposed to all stripes of crime—including account takeover.
There are many ways you can be attacked, but with the Uber hack, email would be the way in. The phishing ruse can be anything. Social engineering, or the art of tricking people into doing what you need them to do so you can rob them, can be endlessly creative.
Because the Uber hack included names and phone numbers in addition to email addresses, affected consumers may have spent the past 12 months being exposed to the more insidious threat of spearphishing and fraud via vishing (voice phishing).
In spearphishing attacks, the fraudster does a little research. For instance, using an Uber customer’s phone number, they may locate a Facebook account, and, from there, identify close friends and family. The criminal sends a spoofed email from what he or she guesses will be a trusted sender with a link that downloads keystroke-logging malware and thus puts the recipient one login away from account takeover. A majority of people use the same passwords at different sites, which means the fraudster will likely have access to multiple accounts once they determine one password.
Some questions you should always ask:
- Is it the right time of the month? (Your banks and other accounts usually send statements on the same day every month.)
- Does it make sense? (Has your cousin ever sent you a cute animal video before?)
- Can you trust those links? (A general rule of thumb now that spoofs are impossible to detect is to distrust all links, always, and type URLs to wherever you need to go.)
And of course, check the email address behind the display name on any email you receive before replying, and never be shy about asking a sender if they sent you something.
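One way to automate the "check the address behind the display name" habit, as an added example that is not part of the original article: it parses a message's From and Reply-To headers and flags a display name that carries a different address, a display name that invokes a brand not matching the sending domain, and a Reply-To pointing elsewhere. The brand table, the domains and the sample messages are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed brand table for the demo: brand word -> domain it is expected to send from.
KNOWN_BRANDS = {"uber": "uber.com"}

def domain_of(addr: str) -> str:
    """Return the last two labels of an address's domain, lower-cased ('' if no '@')."""
    host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def header_findings(raw_message: str) -> list[str]:
    """Compare From display name, real From address and Reply-To; return warnings."""
    msg = message_from_string(raw_message)
    display, sender = parseaddr(msg.get("From", ""))
    sender_dom = domain_of(sender)
    findings = []
    # 1. The display name itself contains an address that differs from the real sender.
    claimed = re.search(r"[\w.+-]+@[\w.-]+", display)
    if claimed and domain_of(claimed.group(0)) != sender_dom:
        findings.append(f"display name shows {claimed.group(0)} but message is from {sender}")
    # 2. The display name invokes a brand whose domain is not the sending domain.
    for brand, brand_dom in KNOWN_BRANDS.items():
        if brand in display.lower() and sender_dom != brand_dom:
            findings.append(f"display name mentions {brand!r} but sender domain is {sender_dom}")
    # 3. Replies would be routed to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_dom:
        findings.append(f"Reply-To {reply_to} does not match sender domain {sender_dom}")
    return findings

# Constructed sample messages (not real mail); .example domains are reserved for examples.
SUSPICIOUS = (
    'From: "support@uber.com" <alerts@uber-rides-help.example>\n'
    "Reply-To: billing@mailer-service.example\n"
    "Subject: Your receipt\n\nPlease sign in to review your trip.\n"
)
LEGIT = "From: Uber Receipts <noreply@uber.com>\nSubject: Your receipt\n\nThanks for riding.\n"

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, header_findings(raw) or ["no header mismatches"])
```

A match against this table is not proof of legitimacy (legitimate mail is often sent through third-party mailers), so treat the output as a prompt to verify, not a verdict.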
Another thing you should do whenever possible: Enable two-factor authentication. But bear in mind that even if you do everything right you may still be compromised. Unfortunately, there is no silver bullet. There is only vigilance and the three Ms (minimize your exposure, monitor your security, and manage the damage), which I discuss in my book, Swiped.
The violation of privacy associated with the takeover of an email account is disturbing, but it is nothing compared to the potential life disruption it can cause. Now more than ever, you need to be exceedingly careful about the links you click on in email and the calls you take—because you truly never know who’s on the other end.
If you fear you have been the victim of fraud, check your credit report for suspicious activity. You can get your free credit report at Credit.com.
Adam Levin is chairman and founder of CyberScout, and co-founder of Credit.com, where this article originally appeared.