5 Ways A Bad Guy Can Steal Your Data
In this day and age, we all have a DIGITAL FOOTPRINT. Your digital footprint is the portion of your data that lingers around the internet. Some of it is data you have personally shared; the rest is data other people have shared. We live in a world where someone is googling you all the time. Every time you meet someone, or even when you go on a job interview, someone will run a quick search on your name. People can take your data and digital footprint and use them against you. Data and identity theft is big business. In 2014, identity theft affected 17.6M and cost $15.4B. I will be going over a few ways that your data can get stolen.
You have a weak password
Password strength matters. Best practice is to have a password with a minimum of 8 characters that uses 3 out of these 4 categories: Uppercase Letters, Lowercase Letters, Numbers, and Special Characters. If you use the word "password" as your password, it will take 1 second for a brute-force attack to crack it. If you use "Zizzling" as your password it will take 6 days to crack, "Zizzling1" 4 months, "Zizzling1!" 4 years and "Zizzling1!@" 33 years. Now you can see how important it is to use all the categories from above.
If I can figure out your email password, I can read your messages and reset the passwords for your other logins, including your bank.
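To see why each extra category and character helps, here is a small checker for the rule above (at least 8 characters, 3 of the 4 categories), run on the example passwords. It is an added example, not part of the original post; the function names and the tiny common-password list are made up for illustration, and it reports search-space size in bits rather than crack times, since those depend on the attacker's guess rate.

```python
import math
import string

# Constructed sample denylist; a real check would use a breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# The four categories named in the article.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def classes_used(pw):
    """Return the names of the character categories present in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def search_space_bits(pw):
    """log2 of the candidates an exhaustive search over the used categories covers.

    This is an upper bound on attacker effort: dictionary-based guessing finds
    word-derived passwords far sooner. Spaces and non-ASCII are not counted.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw, min_length=8, min_classes=3):
    """Return a list of policy problems; an empty list means pw passes."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(pw)) < min_classes:
        problems.append(f"fewer than {min_classes} character categories")
    return problems


if __name__ == "__main__":
    # The article's own example passwords.
    for pw in ["password", "Zizzling", "Zizzling1", "Zizzling1!", "Zizzling1!@"]:
        verdict = check_password(pw) or ["ok"]
        print(f"{pw!r:15} {search_space_bits(pw):5.1f} bits  {', '.join(verdict)}")
```

Every additional bit doubles the number of guesses an exhaustive search has to make.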
You give me your password
Phishing is a way for you to give me your password. All I must do is ask! People run email campaigns made to look like they come from your Bank, Amazon, or even your Corporate IT. These emails look and sound very real. They play a trick on your mind to get you to give up your password. Sometimes you realize it before it is too late, other times you don't. You must be very vigilant when opening emails. Your Bank, Amazon, or Corporate IT will never ask you to input your password directly into an email or a webpage without you initiating some sort of change, like a password reset. Phishing was used recently against celebrities who use iPhones. They received an email that looked like it came from Apple, asking them for their iCloud password. They entered their password and hackers went through their emails, notes and even pictures that were uploaded into iCloud.
I take your password
There are devices that attach to your computer, look like a USB drive, and can sniff out text and keystrokes. This information can then be sent back to a location over the internet, where passwords can be picked out of it. It does not even have to be something attached to your computer; it can be a wireless keyboard. KeySweeper is a device that can be disguised as a USB wall charger and that sniffs, decrypts, logs and transmits keystrokes typed on your wireless keyboard. This device can even sit under your doormat outside of your house.
Your phone gives me your data
Everyone has a smartphone and everyone deals with the constant struggle of keeping the battery charged. With public charging kiosks and USB ports being so readily available, we all want to keep our batteries charged. This is where Juice Jacking comes into play. I can gain access to a USB charging station and compromise the port. As soon as you plug in your device I can either view all the data in your phone or install software that can give me direct access to your phone. You can also connect to a malicious wireless network. Once you connect you may think you are just browsing the web, but I can see all the websites you are going to and all the passwords flowing through the wireless network. With the smartphone, you can have all your data leaked. I've even seen people keep passwords in plain text or even take a picture of a password. Your iPhone can even store your passwords in your Keychain. Your Keychain syncs with your Mac, you then download some software that runs an exploit on your Keychain, and it emails your password back to me.
I walk up to you and you give me your data
You might not know it, but you might have an RFID chip in your credit card or some sort of NFC device. Most of you have heard of Tap to Pay. This is a practice where you wave or tap your credit or debit card at checkout and you are charged for your purchase. These devices are constantly broadcasting your information. I can walk up to you with a simple computer in my backpack, bump into your wallet or purse and take your card information. Even passports have RFID in them. This information can then be used to make new documents or cards and someone can take over your identity.
Bonus: You smile and hand it right to me
Many times, card skimmers are used to take your data. You can be dining at a restaurant, and when you hand over your card to the waiter they can swipe it through a device that records your magnetic strip. The skimmers can then upload the data to a computer and create a new card from a blank with your card details. They can then walk into stores and use it as a form of payment. Skimmers can also be attached to ATMs. Your card's magnetic strip will be recorded and a camera can view you entering your PIN. Your ATM card can then be recreated and used to withdraw funds from your account.
I will recommend some options to put in place to stop me from stealing your data.
Use a hard password. The best way is to use all 4 categories of Uppercase, Lowercase, Numbers and Special Characters. I also recommend using a sentence and then numbers and special characters. This will make your password long and hard to crack but it will also be easy to remember.
Be vigilant about emails that come into your inbox. Sometimes if it looks too good to be true, then it is. If it is your bank emailing you, call them. If it is an email from a friend that looks suspicious, reach out to them and ask if they sent that email.
Do not use Microsoft wireless keyboards; switch to Bluetooth. Inspect your surroundings and check if you see something out of the ordinary, like a USB wall charger that wasn't there before or something that resembles a miniature computer motherboard.
Do not plug into any USB port at a public kiosk, in an airport, or even on an unknown computer. Invest in a portable backup battery. These batteries can be recharged repeatedly and can provide the extra juice needed for your phone. Also, do not connect to unknown wireless networks that you do not trust. Wireless networks without a passphrase should be avoided. If you can connect to it easily, imagine who else can.
You can also invest in RFID blocking wallets. These wallets and passport covers can block the RFID signal from being read. If you have any credit cards that offer the NFC or Tap To Pay option you can choose to disable that feature or get another card.
I know it can be hard to keep an eye on your card every time a waiter takes it for payment. I suggest keeping a separate card or even using a prepaid card for eating out. If you are super paranoid then just use cash. When you use any ATM always check to see if the reader is fully attached to the ATM. Cover the number pad with your hand when you input your PIN. Do not use any ATM that is not associated with a big bank.
Everyone needs to keep an eye on their data. Cyber criminals are getting very clever and have new ways to get to you and your data. Please do not use the same password for all your accounts. It will take just one data breach to expose the password and then all your accounts will be compromised. Please use Two-Factor Authentication wherever possible. Most Banks and Email providers accommodate 2FA. Lastly, a Password Manager like LastPass can store your passwords in a safe and encrypted manner, and they have plugins that install into your web browser so that when a website requires a password your password manager can autofill the information.