3 Ways Target Breach Victims Can Protect Themselves from Identity Theft

shutterstock_128846449-800If you are one of the 110 million shoppers affected by the recent security breach at Target Stores, this post has 3 important steps you should take to protect yourself.

Every year, 11.5 million people in the US are victims of identity theft. In 2013, victims suffered $21 billion US dollars in losses.

If your identity is stolen, it takes the average person 330 hours to repair the damage.

There’s no such thing as being 100% secure against an online attack.  But there’s a lot you can do to protect yourself, your family, and friends from becoming the victim of a cybercrime.

Here are 3 things you can do to protect yourself.

1. Choose a Good Password

A good password is a password that’s hard for others to guess but easy for you to remember.

Don’t use words from any dictionary or patterns on the keyboard because password cracking malware runs quickly through every word — whether in English or some other language — alternates upper and lower case letters and even swaps out numbers and special characters for letters like capital B’s for 8s, ones for “i’s” and @ symbols for “a’s” until they hit a match.

So even if you substitute numbers and special characters or alter upper and lower case letters, using words from the dictionary is a bad idea. On the other hand, if you build a password by taking the first letter of each word in a phrase — and incorporate upper and lower case letters as well as special characters — you’ll have a password that’s much tougher to hack.

Here’s why this is so important:

After the initial breach, Target said that it had protected customers’ payment information with encryption and that it had stored the keys to descramble it on separate systems not affected in the breach. But the encryption algorithm Target used to protect that data — a standard known as triple DES, or 3DES — is vulnerable in some cases to so-called brute force attacks, when hackers use computers for high-speed guessing. In a breach on Adobe last year, hackers were able to bypass 3DES encryption through brute force attacks and exposed tens of millions of Adobe passwords within weeks of the breach.  ~NY Times, Jan 11, 2014

Think of it as an investment in the security of your data. Getting good passwords in place for all your online services could save you the 330 hours it takes to repair the damage.

2. Beware Spear Phishing Attacks

With these more sophisticated attacks, you might get a personalized email or SMS message that appears to be from Target Stores or another online service you’re familiar with.

To win your confidence, it might be personalized with your name and other information acquired in the security breach. Maybe the message is designed to look like an auto-generated notification — with the colors and logo of the brand being spoofed — and it says the security of your account has been compromised, and you need to change your password.

But if you click the reference link in the email message, it actually takes you to a fake website that the phisher has launched for the sole purpose of collecting usernames and passwords.  The look and feel of the fake site matches the service the scammer is impersonating, which might be Target Stores, your bank, a popular social network like Facebook or even an auction site like Ebay.  The phishers are trying to complete your profile so they can steal your identity. So if they’re missing your mother’s maiden name or your date of birth, they might spear phish for it this way.

As I said earlier, phishers often use some personal information about you, such as an event, a hobby or your travel plans. Often, they just get this information from your own disclosures on a social network.  When you share something on Facebook, you may think you’re only sharing it with your friends, and even if you set your privacy settings to restrict access to friends only, all it takes is one of your friends to share or retweet your post, and it goes from private to public. Never share anything on a social network that you want to keep private and think twice about sharing information in an email as well.  IN fact, if you’re displaying your date of birth on your Facebook Profile, got to privacy settings and turn that off right now.  Once you’ve posted something on a social network, or sent it in an email, assume it will be made public at some point.

Here’s why this is so important:

Security experts say that clever hackers could potentially piece together customers’ stolen information for identity theft or for use in a so-called spear phishing attack, in which hackers send a highly tailored emails to victims asking them to click on a link or download an attachment that, once opened, gives hackers a foothold into their computers and employers’ networks. ~NY Times, Jan 11, 2014

Phishing emails may also contain attachments or links to websites that are infected with malware, so never open a file in an unsolicited email and verify the sender before you even consider clicking on a link in an email or newsfeed.  But even of you do verify the accuracy of the sender, you’re still not home free, because it doesn’t mean they intentionally sent the email.

3. Use Multi-factor Authentication

In 2013, the Associated Press (AP) had their Twitter hacked. The attackers used it to send out a bogus social engineering tweet that said explosions in the White House had injured the President of the United States. The tweet spooked investors enough to drive the Dow Jones Industrial Average down 100 points.

To protect the integrity of their service, shortly thereafter Twitter introduced multi-factor authentication, which means you need both a password via a mobile phone number to login.  And a lot of other online services have a mutli or dual factor authentication option. If they do, you should use it.  If you were affected by the Target Breach, you should set it up today!

The way it works is, you log into your settings, find the Login verification option and check the Send login requests to your mobile phone number.  After you sign in, Twitter sends  a text with a unique code to your mobile phone, which you need to access your account.

The important thing to understand is that passwords are only one way of authenticating user access to an email account, social media profile or computer system. Multi-factor authentication involves adding additional factors, which could be something the user has, like a smartcard, digital token or mobile phone, and something the user is, which is determined by a physical identifier like a fingerprint, retina scan or some other biometric characteristic.

The reality is, we’re all responsible for securing our own data. Accidents happen. No one is 100% safe against cybercrime. But there’s plenty you can do to fortify your data and discourage hackers from harvesting your indentity.

Excerpted from our cloud-based social media compliance training courses on Social Media and Security and Social Media and Mobile Security.