With the holiday season upon us, the already accelerated pace of online shopping is picking up even more. And more online transactions mean more reasons to be careful about protecting your data from fraud like identity theft and account takeover. ID theft claims millions of victims per year, but how does it happen and how can you avoid being a victim in a world where everything’s online? For episode 47 of Cyber Security Sauna, Olli Bliss of F-Secure joins us with answers. Also in this episode: How attackers get your data, how they crack passwords and break into accounts, what’s happening to your data on the dark web, the new trend in credit card fraud, and much more.
Janne: Welcome, Olli.
Olli: Thank you, Janne. Glad to be here.
Why don’t you tell us a little about yourself?
Sure. I’ve worked for F-Secure for close to six years now. And basically I’m responsible for everything related to our ID protection product, so I get the opportunity to talk to our global partners about identity theft. That’s basically what I do every single day.
All right. Awesome. So maybe we should take a minute and talk about what we mean by identity theft. So what are the different forms of ID theft that we’re tracking, or seeing?
I think it’s fair to say that most of us have an idea of what identity theft means. We see it all over the news, but I think it’s especially fair to say that the press and the mainstream media and heck, even the industry itself, they’re very good at painting a picture about identity theft. So we’re kind of being fed the idea that identity theft is typically the worst-case scenario that can happen to you.
So there’s a lot of fear and anxiety involved in that. So think of it as like, your social security number being stolen, which leads to a loan being taken out in your name. All this kind of stuff that creates a lot of anxiety and even financial damage.
Now this is sort of what the industry and the press wants us to believe identity theft is. And while this is a massively uptrending threat and we’re seeing these cases every single day, we actually have to recognize the fact that typically these scenarios are the result of something that’s happened earlier on in the timeline, such as account takeover.
So it’s hard to say that there’s one shape and form of identity theft, because it can be your social security number stolen, which leads to other implications, but it could also start with something as trivial as your Netflix account being taken over, which leads to something else.
What do you think about the conversation – like, we’re looking at these big data dumps, like millions of user records got stolen, or stuff like that. But you’re talking about account takeovers, which are very individual and almost private things. So is there a difference between these kinds of like – how do the attackers get the information that they then abuse?
We have to take a step back and put ourselves in the shoes of the attackers. What they’re predominantly interested in is getting their hands on some sort of data, things like credentials, usernames and passwords. But it’s how they get that data that differs a little bit.
So for example, they can get that data through a data dump, or a data leak, or a data breach. They go by many names. Or they could get that data through various phishing attempts, phishing scams. Or they could get it through traditional malware. We see things like infostealers and keyloggers, and all these different types of malware campaigns.
Now, regardless of which source they tap into, they’re essentially able to get their hands on data. And it’s that data that they use for things like account takeover and ultimately for full-blown identity theft. So it really depends on the situation. But they’re all sort of interconnected, and data breaches are a huge source today for online attackers, and it’s those sources which actually end up in things like account takeover.
Okay, because I would have thought that account takeovers maybe happen more because of, like you said, phishing and credential harvesting, and then maybe the data breaches. Because we’ve seen a lot of high profile data breaches that result in everything, your name, address, social security number, credit details, everything. And you would have thought that that sort of data would lend itself more to credit card fraud and things like that.
So here’s the thing: end users are forced to create so many different accounts with different services. It’s not uncommon for us users to have up to like 80 different accounts that we’ve created over the years. What that means is that we have bits and pieces of ourselves, our personal information, logged with different companies.
And if we’re to look at what account takeover is best at, it is creating a chain reaction. So basically if an attacker can get into your Netflix account, let’s say because he got your credentials through a data leak, there’s a good chance that he can get into other accounts of yours. Maybe you’ve reused your password. Maybe they’ve been able to use various forms of credential spraying, where they’re guessing your password. But account takeover is most successful when it can latch onto as many services as it can.
Because the more services it can latch onto, the more potential information it can gather on you as an individual. The more information it has about you as an individual, that’s when they can use that for things like creating new personas in your name, filing for new credit cards and you being the bill payer, so all these different things.
So we can’t really just connect it to one single data breach or one single service or site that has been breached. They’re all connected. That’s sort of the lay of the land as we see it right now.
Speaking of accounts being connected, that’s actually one of my pet peeves, is when people talk about like, “I don’t have anything to hide, my Facebook account is public anyway.” Or, “There’s nothing in my emails that would interest anyone.” And I’m like, “Do you realize that your email address is how you reset your passwords to every other service, and that your Facebook account is now also a single sign-on account? Do you realize what it means that these things are compromised?”
You can ask anybody, “Hey, would you be willing to give your social security number to somebody?” They’d say no, right? What if you say “Would you be willing to give your credit card number to somebody?” They’d still probably say no. Okay, fine. Now if you ask them, “Would you be willing to give your email address to somebody?” “Sure, why not? I use that everywhere.”
Okay. So then we take that forward a little bit. So what are these companies asking us for? Predominantly email addresses. And honestly, how many of us use multiple different email addresses when we’re logging into services? Some of us do. The majority, we have that trusty old Gmail or Hotmail that we love to use. Fine.
Now, coming back to the comment of “I have nothing to hide,” or “Who cares if somebody hacks into my MyFitnessPal account? If somebody wants to see my heart rate analysis, go for it, I don’t really care.” Again, we have to be worried about that chain reaction that account takeover creates, because if a hacker is able to compromise a service like, you know, it could be your fitness app or a fitness service that you use. And you might not have any personal information of value stored to that account.
But what if you’re using the same password, God forbid, with, let’s say, Facebook, and you’ve used Facebook to authenticate to 30 other different services because it’s so convenient. That basically means that that one service that was compromised that you don’t care about, basically you’re saying to the attacker, “Go ahead and authenticate to these 30 other services, and have a crack at what information you can put together on me.”
Now that starts to look like a longer list of information that we have about you, which we can use for full-blown identity theft.
So, okay. Password reuse is a thing you can avoid. Like, we’re talking about how people have multiple different accounts – I just checked my password manager, I have 275 different accounts. But those have unique passwords. So you can do things to not reuse your passwords. But what about when a hacker breaks into a company or service I’m using and gets access to the hashed passwords? How worried as a user should I be about hash cracking?
First of all, I’d say that as an end user, you shouldn’t even be having this conversation in the first place, right? I mean, I can picture myself asking my dad, “Hey Dad, are you worried about password dehashing?” (Laughing) That conversation is going to be very long.
But to attempt to answer your question, we need to understand the fact that the majority of us are using weak passwords. And we often say don’t reuse the same password. And even if we’re not reusing the same password, the fact that we’re using a weak password basically means that we’re sort of sitting ducks in the world of attackers who are looking to crack or dehash passwords.
And there’s been some publicity in social media about this on Twitter, where if your password is 8 characters or less, with the help of software, it can be cracked instantly. So basically that means it can be just turned into plain text. Now if it’s a little bit longer, we’re talking seconds. So what that means is unless you have a password that is, I don’t know, longer than 16 characters, today’s software is very good and effective at turning that into plain text.
So that’s one problem. The other problem is that we don’t actually know what these service providers are using to encrypt those passwords in the first place.
That’s actually a question I sometimes ask when I’m, especially when I’m registering to a new service, and they tell me that my password can be max 20 characters. I’ll fire off an email to their customer service, like, “What kind of crap is this? And how are you storing these passwords, what kind of algorithm are you using, how many repetitions?” Things like that, and they’re like, “I don’t know.”
(Laughing) And it’s pretty sad, because there’s a lot of companies and services who do exactly that. I remember trying to create a password with a password manager that I used, and I think the default was 32 characters. And not only was I not allowed to create such a long password, I wasn’t able to use any symbols. So I actually had to tell the password manager to please create a stupid password for me so I can actually access this service.
You gotta ask yourself, like, what’s happening behind the scenes in a service like that? Where do these restrictions come from? And I think I can guess the answer, but it’s not a good picture.
No, it’s not. But it does tell us that there’s something bigger going on here. Because it’s so easy for anybody to start up a company and a service. You don’t have to be the size of Facebook to offer a really engaging service. However, that means that there’s not a lot of hurdles in terms of security to be able to offer something that people can publicly access. And as that service provider you might not even know any of this stuff, you simply don’t know any better, and there’s online tools for you to be able to offer a service that seems and looks nice on the front end, but is just terrible from a security standpoint.
And us end users, looking at a website, how are we supposed to know? When we’re logging our information, how do we know that they’re using the correct means to encrypt my data? Or are they even encrypting it?
Yeah, exactly. So okay, once the criminals have my credentials, what are they going to do with them, try to log onto every single service out there?
Basically, yes. But it’s not exactly how you describe it. Because you might think that there’s some hacker sitting in the corner and taking your specific email address and your password, and trying to log onto Netflix and then going onto Spotify, and then going on to Amazon, and spending hours and hours on you as an individual. That happens, but we’re talking like in milliseconds. And that happens because of hardware power and software that is designed to do all of this stuff instantly.
There’s a few different ways that these attackers can try and access these services such as Spotify, Netflix, Amazon, and thousands of other services. There’s something called credential stuffing, and there’s actually something called credential spraying.
Credential stuffing is quite common, because let’s say for example you have a combo list that you got off the dark web that contains millions of leaked usernames that have a password associated to that email address, so an exact match. Now, credential stuffing is literally taking, Janne, your email address and your password that was a password to a service that was part of a breach, and they’re trying to use that exact combination and stuff that, literally, into thousands and thousands of different services to see where has Janne used this exact email address and this exact password? And if you’ve been reusing your password, well, that’s why they can get into your other accounts.
Yeah. But like you’re saying, they’re not just trying my password. My password goes on a list of tens of thousands, hundreds of thousands of these credentials that get tried for every service out there, sort of automatically. So it doesn’t take the attacker hours just on me, it takes them seconds on everybody.
Exactly. And it’s good that you said that because again, we have to remember that this isn’t a targeted attack. You might be the victim at the end of the day, but you were not targeted. You were just part of this lovely little setup that they have that is designed to take over accounts instantly, and take over millions of accounts instantly.
Yeah, and I guess that’s relevant, because a lot of people are saying, “Who would be interested in attacking me?” They don’t know it’s you. You’re just a number. You’re account number 5,000 to them. They don’t care.
Exactly. So that’s the credential stuffing part. But then there’s something called credential spraying. Which, some attackers might not have a list of exact email addresses matched to a specific password. They might just have millions and millions of email addresses, and that’s it.
Credential spraying is then taking those email addresses and applying the four or five most commonly used passwords in the millions and millions and millions, and seeing if they can access those services. The main difference here is that, as you know, if you try logging onto a company’s service and you type in your password, I don’t know, more than five times incorrectly, it’s going to lock you out. So the same scenario applies to credential spraying, which is why these guys are smart enough not to try five or six passwords; they’re choosing three or four.
Now as you can imagine, it’s like closing your eyes and shooting with a shotgun and seeing what you can hit. However, when you have millions and millions and millions of email addresses and even country-specific commonly used passwords, they’re pretty successful at getting into some accounts.
Yeah, and that’s why you can’t have “password1” as your password, because it’s going to be on that list.
Exactly. I mean, we’ve seen most commonly used passwords in different countries. For example, you go to the UK, and I think it was like, “arsenal” was one of the most commonly used passwords in all of the UK. Arsenal. And just imagine how many people are using that. So if I’m going to take your email address and throw in “arsenal, manchester, united, chelsea,” I might be able to get into some of your accounts.
Yeah. I need to go and change my passwords now.
(Laughing) Or change your football club.
There we go.
So that’s typically what’s done in the scenario of account takeover, is credential stuffing or spraying. It’s hard to say which is more successful, but the end result is typically the same.
Okay, so let’s say the data gets leaked. Big data dump, I fell for phishing, whatever. You hear that now my data is being sold on the dark web. What’s that all about?
I like to call the dark web people-who-are-up-to-shady-things’, or online criminals’, version of eBay. The dark web is simply a place where a lot of data, be it illegal data or stolen data, is traded, distributed, sold, all this kind of stuff.
But is this really happening with my – with the user information, the kind of identity information we’re talking about?
It is. But if we’re to look at the typical timeline, the individual or individuals responsible for that data leak, they’re not dumping that data to the dark web as soon as they get it. Because as soon as they dump data to the dark web, it’s like throwing fish feed into a shark tank. Because there’s many more eyeballs on that same data and they can try and monetize that data in different ways.
So the attackers originally responsible for a data leak, they’re going to do everything they can to monetize their efforts with the data that they’ve been able to steal or expose. Once they’ve done that, and once that data has no more value to them, that’s when they’ll actually dump it to places like the dark web.
So we have to be a little more concerned about what happens to the data before it ends up in the dark web, because that’s when things like account takeover in mass scale actually happen. So the dark web is more of a place where eventually data gets more openly distributed.
Let’s actually talk about the monetization a little bit. Because I think it’s clear how you can make money off stolen credit cards or bank account credentials or stuff like that. But what about birthdays, driver’s license information, passport numbers or passwords? How do you make money off of that?
First we have to look at the individuals responsible for obtaining that data, whether through a malware campaign or data breach. These guys are going to do everything that they can in mass scale to monetize those efforts. So that can, as you mentioned, lead to things like credit card accounts being created, identities stolen. But then eventually when they’re willing to dump that data into the dark web, that’s where you see then, let’s call it, more individuals willing to purchase different types of data sets.
There’s many different ways that this stuff is being offered. For example, these online criminals in the dark web, they’ll post Black Friday deals, Cyber Monday deals. They’re able to create almost like a retail environment on the dark web, where they’re saying, “Hey, why would you want to pay ten euros a month for a Spotify account when you can pay one euro a month and get an active Spotify account?” And they even go so far as offering, like, a one-year guarantee. Because if that account gets reinstated or shut down, they’ll reimburse them or give them a new account.
Who are these people who are going onto the dark web and purchasing this stolen data or compromised accounts?
That’s what I want to know. I get why somebody would sell information. If somebody’s paying me money, I’ll sell it. But like, who buys passport numbers?
There is no single answer to this. But as an example, you could be a college student bored on a Saturday afternoon, you go onto the dark web, and you decide to pay 20 bucks and you buy a couple hundred Spotify accounts. Or you buy a couple hundred Domino’s pizza accounts and you can eat free pizza for the rest of the year.
That’s one motive of somebody going onto the dark web and paying something for these compromised accounts. Now while that’s not necessarily terribly severe, I mean, yeah Domino’s might be out a few pizzas.
But then we have other individuals who are looking to buy something a little bit larger. It could be paying significantly larger amounts for something like a list that contains millions and millions of unique passwords and emails, which they can throw into some nifty software that is going to do things like credential stuffing or credential spraying, which they can create their own little version of account takeover.
So we have people going onto the dark web and purchasing things like that, combo lists and different lists containing credentials, all the way down to these guys just looking for some free pizza. So, most of this stuff does have value in the dark web, pretty low value…it just depends on what’s being offered and who the actual buyer is and what their intent is.
Yeah, and that’s something that always keeps on surprising me. That people will find a use for whatever information is out there. Like some genius somewhere is thinking about how can I abuse this information that I have? And they’ll come up with something incredible, and we’re all like, wow. Not the good kind of wow, but still.
Yeah. It’s tricky, because as an individual, A, I have no idea of any of this going on, I have no idea if my service provider is taking my security, or their security as well, seriously. So that’s a big problem. But then we have this huge murky place called the dark web where all sorts of weird stuff is going on, and potentially means that I could be paying for something that I never ordered, or something like that.
So it’s tricky because it’s really hard to pinpoint where did this actually originate from. Was it because I reused my password? Was it because my service provider didn’t encrypt my data? Was it because, you know…many different reasons.
Yeah, and it’s one thing when it’s because of something you did, like reusing a password, a weak password at that. But it’s another thing when your information gets leaked through no fault of your own. Let’s talk about when that happens, how does that impact the victim, and what do they usually do to get things fixed?
If, let’s say, full-blown identity theft happens, and you’re unfortunate enough to be the victim of that, typically these are pretty difficult cases to restore or to get your identity back. Mainly because there’s a lot of things that are part of identity theft that may not be visible.
For example, a lot of children’s identities are being compromised, not because they – they don’t have credit cards tied to their name or anything, but it’s things like their social security numbers that are being leveraged. And problems that may not surface for years until they turn 18 and they start applying for loans, and all of a sudden they have a bad credit history and all this kind of stuff. So trying to resolve these cases once they’ve happened can be pretty tricky.
Now obviously there’s lots of things that you can do to try to restore as best you can that incident. It could be, for example, a lot of people fall victim to identity theft and get a bill from Amazon or some online merchant for something that they didn’t buy. Now, typically those are fairly easy to dispute. You can contact Amazon or whoever and try to prove that you didn’t actually purchase that 60-inch Samsung TV.
Not always actually terribly easy to do that. Because you know, if I were Amazon, I’d say “Janne, you purchased this TV with your active account. How do I know that this TV isn’t in your living room right now?” So not the easiest thing actually. But it’s done, and typically…I mean, there are a lot of companies who help end users to do that, and do a lot of that heavy lifting. So I’d say those types of things are easier to restore.
But then you have things like social security numbers. Which, if that ends up in the wrong hands, how am I supposed to get that back? I haven’t technically lost it, it’s just been leveraged by somebody else. They’re not just going to be kind enough to delete it from their records, because if it’s somewhere on the dark web, anybody can access it.
So you can try and mitigate the damages you can see, and there are companies who can help you do that. There’s even insurance you can take out to pay some of the bills if you’re left footing those bills. But you can’t ensure that this won’t happen again in five years.
No, that’s right. And especially, you hear these horror stories about the absolute worst cases of identity theft where somebody actually starts to impersonate you. For example, there was this one guy whose identity – like, somebody created an account in eBay for this person, using all his personal information, and then started ripping people off in eBay trades. And the web is now full of websites where people are like, “This person is a horrible person, he ripped me off in eBay,” and stuff like that. So short of changing your name, that stuff is always going to come up when somebody Googles you. And then you get to explain to each new employer or a new significant other or whoever, that no, that was actually not me, I’m the victim of identity theft here.
Exactly. Then we can open up the discussion of, well, you could even go as far as changing your name, you can in some cases even potentially change your social security number in some countries, not so easy.
But then if you look at like well, if we’re to move away from authentication methods such as email or passwords, what if we’re to go into more the biometric route and you’re talking about your fingerprint or your face. Try changing your face. Try changing your fingerprint. If those get compromised, which a lot of services are moving more towards that, it’s like, what are we supposed to do?
Absolutely. Wow, okay, so better not get that far. So, how can I as a consumer protect my identity from theft? What are the things as a regular person I should do or not do?
Well, let me start by saying that you know, we’ve talked about a lot of worst-case scenarios, and maybe we’ve thrown a bit of fear on the table here. But we have to understand that we live in a world of convenience.
Things like Google and Apple, they make our lives so much easier. And the fact that we can stream music and watch content on demand, all of this stuff is about convenience. So let’s not forget that we still have to live our lives like we’re in 2020, right? So we can’t just hide in our houses and lock the door and be constantly fearful of something’s going to happen.
That being said, we can play it smart. We can do things that are going to, I would say, significantly lower our risk of falling victim to things like account takeover and or identity theft in the first place.
We’ve been saying this for years, the industry has been saying this for years, everybody’s heard it, but things like unique passwords. Plays a massive role in actually lowering your risk of falling victim to account takeover. It can’t be said enough. So password hygiene, and good password hygiene, is sort of key here. I think we can start from there.
Protect those end devices, so things like endpoint protection, that’s a fancy way of saying antivirus. Antivirus, internet security, whatever you want to call it…protect those end devices. Because we see things like malware designed to steal your credentials and different types of data, which lead to identity theft. So protect the devices.
In addition to that, there are many different services, and even F-Secure has a service around this, which are designed to alert you if they’re able to detect that your information is floating around in places where it shouldn’t be, such as the dark web. They go by various different names. If you Google “identity theft protection,” you’re going to see all sorts of different services that can help you with that. So there are very response-based services that can help you, and especially if you fall victim to identity theft or account takeover.
But if nothing else, get those passwords in shape, protect your devices. That’s a pretty good start, I’d say.
Okay, that makes sense. Good advice. We started off this podcast by talking about the holiday season that’s coming. And nowhere are people more happy to shop themselves silly during the holiday season than in the US of A. And the American FTC, a consumer protection organization, released earlier this year a report, the Consumer Sentinel Network Report, highlighting for example credit card fraud as the most commonly reported type of identity theft in 2019. Specifically, they were talking about how people’s information is used to open up new credit cards. And new account credit card fraud grew by like 88% over the course of 2019. So if this is the biggest problem facing consumers, at least in the US, what can the consumer do to protect themselves against this sort of fraud?
It’s a good question. Most people have this idea that they really need to protect their credit card because if I, Janne, give my credit card to you, you could do a lot of bad things with that. That’s true, but in this case, the threat that we need to be more worried about is new credit accounts being opened in your name.
Because, if we look at the banks and credit card companies themselves, who better in the world to detect fraud than these companies themselves?
They actually do a pretty good job at it.
They do a very good job. I mean, how many calls have you received from your bank or credit card company saying “Hey Janne, did you purchase these train tickets in Beijing?”
Once or twice, yeah. That has happened, yeah.
Yeah. I mean, I’ve probably received that call multiple times, as most people do. But that’s the reason we’re seeing this increase in new credit cards being opened, because attackers understand that. They understand that the only way they can swipe the card multiple times without it being detected as fraudulent or suspicious activity is actually to open up an entirely new account with created personas.
So that’s what we’re seeing now. And what we can do about it is, we can be selective and cautious of, well, is this a service provider that I think is probably pretty up-to-date in terms of their security? Am I using a good password, and a password that I haven’t reused elsewhere? And am I not falling victim to phishing attempts?
So again, we come down to those core principles that, if we can tick those boxes, yeah, we’re going to lower our risk. We still can’t totally remove from the equation that this service provider won’t be hacked themselves and compromised, which leads to this information being stolen. But you know, that’s out of our hands.
Okay. So, what’s the responsibility of businesses in protecting users’ data?
Well, I would say that the responsibility is pretty vast. Because when you think about it, they’re asking a lot from us. They’re asking us not only to create a username and password, but they’re asking for things like, in some cases, social security numbers, credit card numbers, all of this stuff that you would never, ever give to anybody who asked you on the street, but you’re willing to give it to a company that you know nothing about.
So the responsibility is large, but again, it’s…what do we as end users, what do we know about this? You can’t just go onto a company’s site and it’s going to say in bold text that “Don’t worry, we’re not like the others, we actually take the appropriate measures.”
But should that be a thing? Should companies talk about their security and what they’re doing to keep my data safe on their websites?
Well, they probably should be. But again, are you as an end user, are you terribly interested in this? You might be interested, but are you even able to comprehend what they’re trying to tell you? Because they might say “I have ISO-something certification.” Sounds great. Doesn’t mean that they’re doing anything about it. Right?
Basically, I see that as sort of throwing the responsibility back onto you and saying “Well, I’ve shown you my credentials, literally, it’s your decision to trust me enough to store your data. Are you willing to trust me?” That’s a pretty big decision.
But aren’t they doing that already? Like I go to a website and they have all these stickers and Trust Pilot reviews and all these different things on their websites anyway. So yeah, I guess there’s different ways you can talk about your security position. You can say stuff like that, or you can talk about like, “We’re getting regularly pentested by known companies, and we’re using industry best practices in storing your passwords,” and stuff like that.
Yeah, I think there’s definitely room for improvement, and that’s a good start, to be able to try and convince end users and say look, these are industry-known standards, we’ve ticked all these boxes, if something happens, it’s going to be pretty unique and pretty rare. Again, nothing is completely watertight, but you’re pretty safe in our hands.
That should be the general message. But how do we ensure that companies across the world and across the internet are actually doing this or even remotely in that field of securing your data? We can’t. We don’t know what they’re doing.
So are there any final words you want to leave our listeners with before they start their online shopping for the holiday season?
I’m a big online shopper myself, so I’d say just go nuts, shop what you want. Most of these providers, they do a very good job. Especially some of the bigger service providers. Again, we can’t hide from this, so let’s embrace it. But again, just every now and then, try and ask yourself, how is my password hygiene, are my devices protected, am I talking to the guy who calls me on the phone who’s claiming to be from Microsoft? Maybe I should not talk to this guy and tell him anything and just hang up. So just these sanity checks here and there. We don’t need to live in fear all the time, but let’s practice some common sense.
Absolutely. And everybody remember, friends don’t let friends reuse passwords. All right, thanks for being on the show today, Olli.
Thanks so much, Janne.
That was our show for today. I hope you enjoyed it. Make sure you subscribe to the podcast, and you can reach us with questions and comments on Twitter @CyberSauna. Thanks for listening.
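The episode describes credential stuffing (replaying exact leaked email:password pairs) and credential spraying (a handful of common passwords tried across many accounts, kept below the lockout threshold). The simulation below is an added example written for this page; it is not code from the show, from F-Secure, or from any product discussed. The toy `AuthService`, the lockout threshold of 5, the sample accounts, the combo list and the password lists are all constructed for the demo, and the football-club passwords echo the UK example from the conversation. It runs offline and shows why a sprayer stops at four guesses: the fifth guess locks every account whose password was not on the list, which is exactly the noise a defender's lockout alerting is there to catch.

```python
from collections import Counter
from dataclasses import dataclass, field

# Assumption for this demo: the target locks an account after 5 consecutive failures.
LOCKOUT_THRESHOLD = 5


@dataclass
class AuthService:
    """Toy login endpoint. Passwords are kept in plaintext only to build the demo;
    a real service would store a salted, slow hash (bcrypt/scrypt/Argon2)."""
    users: dict
    failures: Counter = field(default_factory=Counter)
    locked: set = field(default_factory=set)

    def login(self, email: str, password: str) -> str:
        if email in self.locked:
            return "locked"
        if self.users.get(email) == password:
            self.failures[email] = 0  # success resets the consecutive-failure count
            return "ok"
        self.failures[email] += 1
        if self.failures[email] >= LOCKOUT_THRESHOLD:
            self.locked.add(email)
        return "fail"


def credential_stuffing(service: AuthService, combo_list) -> set:
    """Replay exact email:password pairs from a leak. One attempt per account, so
    it never trips the lockout; it only succeeds where the password was reused."""
    return {email for email, pw in combo_list if service.login(email, pw) == "ok"}


def password_spraying(service: AuthService, emails, passwords) -> set:
    """Try a short list of common passwords across many accounts. Passwords are the
    outer loop, so each account sees at most len(passwords) failures."""
    hits = set()
    for pw in passwords:
        for email in emails:
            if email in hits:
                continue
            if service.login(email, pw) == "ok":
                hits.add(email)
    return hits


# Constructed sample population (not real accounts).
USERS = {
    "alice@example.com": "arsenal",           # common password, also present in the leak
    "bob@example.com": "Tr0ub4dor&3-unique",  # unique; the leak only has an older password
    "carol@example.com": "chelsea",           # common password, not in the leak
    "dave@example.com": "x7!Qp9#mLz2vW&e4",   # long, unique password
}

# Constructed "combo list" as traded on a forum: exact pairs from some other breach.
COMBO_LIST = [
    ("alice@example.com", "arsenal"),
    ("bob@example.com", "summer2016"),
    ("erin@example.com", "letmein"),  # no such account on this service
]

SPRAY_SAFE = ["arsenal", "manchester", "chelsea", "united"]               # 4 < threshold
SPRAY_NOISY = ["arsenal", "manchester", "chelsea", "united", "liverpool"]  # 5 = threshold


def run_demo() -> dict:
    """Run both techniques against fresh copies of the service and report
    which accounts were taken over and which were locked out as a side effect."""
    stuffed = credential_stuffing(AuthService(dict(USERS)), COMBO_LIST)
    safe = AuthService(dict(USERS))
    sprayed_safe = password_spraying(safe, list(USERS), SPRAY_SAFE)
    noisy = AuthService(dict(USERS))
    sprayed_noisy = password_spraying(noisy, list(USERS), SPRAY_NOISY)
    return {
        "stuffing_hits": sorted(stuffed),
        "spray_hits": sorted(sprayed_safe),
        "spray_locked": sorted(safe.locked),
        "noisy_spray_hits": sorted(sprayed_noisy),
        "noisy_spray_locked": sorted(noisy.locked),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Stuffing compromises only the account whose password was reused from the leak; spraying with four guesses compromises the two accounts with common passwords and locks nobody, while the five-guess spray gains nothing extra and locks the two users with unique passwords, which is the visible signal a defender gets. Rate limiting per source and per account, breached-password checks at signup, and alerting on lockout spikes are the server-side controls this points at; unique passwords are the user-side one.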