A growing number of companies are disclosing data breaches that involve large amounts of stolen user credentials, such as emails and passwords. The companies involved are quick to reassure customers that the stolen data does not include account or financial details and that passwords are obscured. However, consumers who use weak passwords and reuse the same ones across multiple websites are more vulnerable to hacker attacks and could end up the victims of identity theft. With two out of every three data breaches involving some use of stolen or misused user credentials, the risks really shouldn’t be ignored.
How safe is your data?
Whilst it’s true that most passwords on websites are typically obscured, this does not mean they are impenetrable. Most passwords are obscured using a method called hashing or salting: hashing converts passwords into a fixed number of random characters, while salting adds a secret value to the end. Whilst both methods make it difficult for hackers to decipher the password, given enough time it may be possible, especially if the password uses a simple format and structure.
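The difference between plain hashing and salted hashing, shown as an added Python example that is not part of the original article. It assumes a random per-password salt stored beside the hash and uses PBKDF2 as the slow hash; the account names, passwords and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this demo; tune for your hardware

def unsalted_hash(password):
    """Fast, unsalted digest: the same password always gives the same output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password, salt=None):
    """Slow, salted hash; a fresh 16-byte random salt is drawn per password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, expected):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected)

def users_sharing_a_digest(table):
    """Group users whose stored digests are identical."""
    groups = defaultdict(list)
    for user, digest in table.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts; two of them chose the same simple password.
SAMPLE = {"alice": "Summer2016", "bob": "Summer2016", "carol": "x9!Lr#2vQe7&"}

def compare_storage():
    """Return (shared digests when unsalted, shared digests when salted)."""
    unsalted = {user: unsalted_hash(pw) for user, pw in SAMPLE.items()}
    salted = {user: hash_password(pw)[1] for user, pw in SAMPLE.items()}
    return users_sharing_a_digest(unsalted), users_sharing_a_digest(salted)

if __name__ == "__main__":
    print(compare_storage())
```

Without a salt, anyone holding the stolen table can see that two accounts share a password; with a per-password salt the stored values no longer reveal it.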
User names, emails, and passwords also provide hackers with the data they need to carry out credential stuffing attacks, in which the data is loaded into software that automatically attempts email/password combinations to hack into different websites. Where people use the same usernames and passwords across multiple sites, it becomes easy for the software to crack the combination. Hackers can then steal additional personal information, including financial details, or change a user’s login and take control of their account.
Several UK businesses have recently become victims of credential stuffing attacks, including Camelot, where data from previous breaches was used to access UK National Lottery accounts, and online takeaway firm Deliveroo, where the attack resulted in customers being charged for food they didn’t order.
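How a website operator might spot the automated login attempts described above, as an added Python example that is not part of the original article. The log format, the thresholds and the sample lines (documentation IP ranges and example.com addresses) are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2017-01-10T09:00:01 203.0.113.7 anna@example.com FAIL
2017-01-10T09:00:02 203.0.113.7 ben@example.com FAIL
2017-01-10T09:00:03 203.0.113.7 cara@example.com OK
2017-01-10T09:00:04 203.0.113.7 dev@example.com FAIL
2017-01-10T09:00:05 203.0.113.7 eli@example.com FAIL
2017-01-10T09:00:06 203.0.113.7 fay@example.com FAIL
2017-01-10T09:01:10 198.51.100.20 gus@example.com FAIL
2017-01-10T09:01:25 198.51.100.20 gus@example.com FAIL
2017-01-10T09:01:40 198.51.100.20 gus@example.com OK
2017-01-10T09:03:00 198.51.100.33 hal@example.com OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.7):
    """Return {ip: accounts it logged in to} for IPs whose attempts look automated."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse(line)
            by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = deque()
        for event in events:
            recent.append(event)
            while event[0] - recent[0][0] > window:
                recent.popleft()  # drop attempts older than the window
            users = {u for _, u, _ in recent}
            fails = sum(1 for _, _, ok in recent if not ok)
            # Many different accounts from one source, mostly failing.
            if len(users) >= min_users and fails / len(recent) >= min_fail_ratio:
                # Accounts that accepted a login from this IP need a forced reset.
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A single user mistyping their own password a couple of times, as in the second source address, is not flagged because only one account is involved.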
How your data can be used to commit identity theft
Once an account has been hacked, stolen personal data is often sold on the Dark Web. Both personally identifiable information, the most stolen data type, and financial data can be purchased by criminals and used to commit identity theft, the fastest growing crime in the UK. According to Fraudscape’s 2016 report, identity theft accounts for 53% of all frauds in the UK and 86% are committed online. This type of fraud uses real consumer data rather than fictitious names and addresses and is therefore very difficult to detect. Criminals also hack and sell on deceased individuals’ data, which is particularly valuable as identity theft committed using a deceased person’s information usually goes undetected for longer. Organizations can help combat deceased identity theft by using a detection service such as The Ark’s National Deceased Register Monitor, which blocks fraudulent applications and helps prevent these crimes.
What can consumers do to help protect their personal data?
- Always use strong/complex passwords with symbols, numbers, and capitals
- Never share passwords across multiple websites
- Change passwords regularly; anyone using a password that is several years old should change it as soon as possible
- Use a password manager
Remembering a strong password is difficult, and doing this for every website is just about impossible, so we advise using one of the many password management tools available. The tool should be installed and all passwords changed so that every single one is different, long, and hard to crack. These tools provide a simple and safe way to keep track of multiple passwords and help consumers avoid becoming an easy target for hackers.
Whilst it’s true that stolen credentials are lower risk than financial information, they can result in serious consequences, especially for consumers who reuse their passwords.
For more information on the prevention of identity theft, visit the Cifas website: https://www.cifas.org.uk/identity_fraud
View the Cifas Fraudscape report here: https://www.cifas.org.uk/secure/contentPORT/uploads/documents/160706_cifas_fraudscape_ONLINE.pdf
A gang has been identified and two men jailed after being found guilty of committing identity fraud. The victim, Minh To of Stockport, Greater Manchester, was targeted by criminals who transferred the deeds of his £500,000 five-bedroom home and attempted to auction his property.
The fraudsters targeted Mr To’s mail and stole utility bills. They then forged his signature and transferred the deeds of his home, falsifying the documentation required to auction his property. Mr To was alerted to the deception by his daughter, who saw his home for sale on Rightmove just three days before the auction was due to commence.
This case further highlights the risks of fraudsters intercepting mail and using it to commit identity fraud, one of the fastest growing crimes, which is estimated to cost the UK approximately £5.4 billion per year.*
Criminals often target mail as it can contain lots of personal information. The most obvious examples are financial details such as bank statements and credit and debit cards. Unfortunately, consumers are often less aware of the risk of other mail, much of which still contains a wealth of information that fraudsters can put to good use.
How to avoid being the victim of identity fraud
The safest way to avoid being targeted is to ensure that all mail is safe. If a consumer moves home, they should change their address with all organisations that send them mail as soon as possible to ensure it doesn’t end up in the wrong hands. Unfortunately, we know that this doesn’t happen in practice and many people simply forget to tell everyone. In fact, research shows that when asked to rank the organisations that people would tell when they were moving house, respondents categorised just five types as ‘essential to inform’.
Typically, the top tier was advised of a new address within three weeks of a move. Important organisations were told within two months, and non-essential organisations (including many heavy direct marketers such as retail, charity, and entertainment) were not told at all.
We always advise our clients sending mail to screen their data against goneaway and deceased suppressions to help minimise the impact of mail not reaching the intended recipient. It’s not enough to rely on consumers updating their personal details. With ‘potential opportunities for fraud’ to add to the long list of reasons to screen data, it’s easy to see why it’s a no-brainer for any responsible marketer.
* Source – Annual Fraud Indicator 2016, PKF & Experian.