How reusing your password could result in identity theft

How reusing your password could result in identity theft

A growing number of companies are disclosing data breaches that involve large amounts of stolen user credentials data such as emails and passwords. The companies involved are quick to reassure customers that the stolen data does not include account or financial details and that passwords are obscured. However, consumers who use weak passwords and reuse the same ones across multiple websites are more vulnerable to hacker attacks and could end up the victim of identity theft.  With two out of every three data breaches involving some use of stolen or misused user credentials the risks really shouldn’t be ignored.

How safe is your data?

Whilst it’s true that most passwords on websites are typically obscured this does not mean they are impenetrable.  Most passwords are obscured using a method called Hashing or Salting; Hashing converts passwords into a fixed number of random characters while Salting adds a secret value to the end. Whilst both methods make it difficult for hackers to decipher the password, given enough time it may be possible, especially if the password uses a simple format and structure.

User names, emails, and passwords also provide hackers with the data they need to carry out credentials stuffing attacks where data is integrated into software that automatically attempts email/password combinations and hacks into different websites. Where people use the same usernames and passwords across multiple sites it becomes easy for the software to crack the combination. Hackers can then steal additional personal information including financial details or change a user’s login and take control of their account.

Several UK businesses have recently become victims of credentials stuffing attacks including Camelot, where data from previous breaches was used to access UK National Lottery accounts and online takeaway firm Deliveroo, where the attack resulted in customers being charged for food they didn’t order.

How your data can be used to commit identity theft

Once an account has been hacked stolen personal data is often sold on the Dark Web. Both personally identifiable information, the most stolen data type, and financial data can be purchased by criminals and used to commit identity theft, the fastest growing crime in the UK. According to Fraudscape’s 2016 report, Identity theft accounts for 53% of all frauds in the UK and 86% are committed online. This type of fraud uses real consumer data rather than fictitious names and addresses and is therefore very difficult to detect. Criminals also hack and sell on deceased individual’s data which is particularly valuable as identity theft committed using a deceased person’s information usually goes undetected for longer. Organizations can help combat deceased identity theft by using a detection service such as The Ark’s National Deceased Register Monitor which blocks fraudulent applications and helps prevent these crimes.

What can consumers do to help protect their personal data?

  • Always use strong/complex passwords with symbols, numbers, and capitals
  • Never share passwords across multiple websites
  • Change passwords regularly; anyone using a password that is several years old should change it as soon as possible
  • Use a password manager

Remembering a strong password is difficult, and doing this for every website just about impossible, so we advise using one of the many password management tools available. The tool should be installed and all passwords changed so that every single one is different, long, and hard to crack. They provide a simple and safe way to keep track of multiple passwords and help consumers avoid becoming an easy target for hackers.

Whilst it’s true that stolen credentials are lower risk than financial information, they can result in serious consequences, especially for consumers who reuse their passwords.

For more information on the prevention of identity theft visit the cifas website https://www.cifas.org.uk/identity_fraud

View the CIFAS Fraudscape report here https://www.cifas.org.uk/secure/contentPORT/uploads/documents/160706_cifas_fraudscape_ONLINE.pdf

Paranormal direct mail activity

Paranormal direct mail activity

Some marketers seem determined to make contact with the other side, offering credit cards, discounts and special offers to the deceased.  It would be an incredible achievement on the part of the marketer to get any take up on the campaign from someone who is no longer living, so why do some companies not remove the deceased from their mailing lists?

There is a potential issue of fraud and identity theft here; reports of direct mail being sent to people who have died appear in the media with alarming regularity, and according to a study conducted by Wilmington Millennium with ex-offenders, 79% of these people believed that identity theft was an easy way to obtain cash fraudulently.  Fraudsters intercept credit card offers and similar pieces of direct mail after checking obituaries or graveyard activity, and use these details to open credit accounts and run up a huge bill using the personal details of someone who has died.  This is very distressing to the relatives of the deceased, as they are left to deal with the authorities alongside the bereavement process.

As well as the issue of criminal activity related to these erroneously sent communications, there is also the issue of negative impact on the reputation of a company that continues to mail out to the deceased.  Elderly relatives that lived in a family home will have played a very important part in daily family life, and to be reminded of that loss with every piece of direct mail can be distressing for the family left behind.  Dealing with unsubscribing from these companies’ mailing lists will not be a priority for the family, so the responsibility for managing the removal of the deceased from the mailing lists rests firmly with the marketer.  When you consider that around two thirds of people would not consider dealing with a company that has sent direct mail to a deceased relative, it is even more important to get a removal process in place.

Companies whose products and services are aimed at the elderly have a much greater responsibility than most to get this right, as their database will have a higher proportion of deceased contacts (and goneaways where the elderly person has moved into a residential or nursing home) than most.   Charities are especially susceptible to a high rate of deceased records due to the older average age of their donors, so proactively managing the suppression process and managing final communications can improve the brand image, whilst addressing the need for removing the deceased and goneaways from their databases.  Charities can take the opportunity to pay tribute to a valuable donor; an action that can provide comfort for the relatives in a distressing time and potentially recruit new donors to continue the good work that was funded by the late donor.  It is a sensitive issue, but when managed correctly can lead to more donors, and a positive reinforcement of the brand image.

Using up to date deceased contact lists is not an onerous task and the small effort required to make sure the database is cleansed against this list, far outweighs the potential negatives of leaving people on there that can no longer receive or read mail.  With that in mind, can any organisation really afford to overlook such a simple, yet important component of data hygiene strategy?