Merry Phishmas… and a Hacky New Year

16 January 2023
Merry Phishmas

The last few months have been big for news about data breaches, and on Byte Into IT we’ve covered a lot of them.

Chances are high you’ve been affected by at least one of the breaches in the news, and you might have gone through the pain of having to update your licence or your passport, requesting credit reports, and probably considered changing your name for good measure while you were there!

If you want to at least sound like you know what you’re talking about when the topic comes up, or maybe get your online life a little more in order to protect your info from being Saint Nicked, here’s our gift to you… a crash course in cybersecurity.

What is a data breach?

When information that a company holds about you is copied and stolen, it’s called a data breach. Sometimes the data is held for ransom (this is usually how we hear about them in the news). Breaches haven’t necessarily increased: we’ve just been hearing about a lot more of them since the high profile Optus and Medibank breaches, which affected a very large number of people.

Why do companies have all this data lying around?

Great question! Lots of answers. Pick one or many…

  • Someone hasn’t cleaned up properly
  • “Just in case”
  • The Government has mandated its storage
  • “Oh, we didn’t realise it was there”
  • Privacy laws in this country are shit
  • Your data is mighty useful for analytics and marketing
  • “Big data” - everyone else is doing it

What is phishing? How is it connected to data breaches?

Phishing is a kind of “social engineering” attack (i.e. using basic human decency as a weapon, ugh) that involves attackers sending you unsolicited messages, often pretending to be legitimate organisations or real people (like your boss), in order to steal information from you like usernames and passwords, credit card numbers, etc.

These days it is very easy for attackers to perform these attacks automatically, especially if they have access to a big database (like a list of telecommunications provider customers, for example). You will likely already have received messages like these, perhaps pretending to be from a road toll company, Australia Post, or the Tax Office.

Phishing attacks will use info from big data breaches to sound more legitimate and trick you into believing the scam. These kinds of messages often try to create a sense of urgency (like medical alerts, or making you think you owe money) and they commonly ramp up around the holiday season, during crises, and when things are uncertain or new (such as when you start a new job, or in the unlikely event that a pandemic occurs). When the Optus breach happened, some attackers used the mere existence of the breach to convince people that the attackers held their sensitive info, even when they didn’t.

Importantly: if you end up falling victim to a phishing attack, don’t be ashamed - they are designed to trick you! An attack with the right phrasing at the right time will fool just about anybody. If it happens to you, get help right away – there are resources at the end of this article.

What does phishing look like?

Phishing can arrive as emails, texts, WhatsApp or other messages, or phone calls (sometimes known as “vishing” or “voice phishing”). When you are targeted specifically, it’s called “spear phishing”; when the target is an influential or important person, like a CEO, it’s called “whaling”.

What do attackers usually want?

The main goal for most attacks is money-based: to get access to credit card numbers, PayPal account information, or to directly get you to send them money. Attackers might also try to take out lines of credit (like loans or credit cards) in your name, if enough information about you has been leaked.

In some cases, attackers may want to target you specifically. This might happen if you’re in a position of influence (like the head of a business, or someone in the Finance team), if you’re famous, if you’re already marginalised because of your identity or your profession, or if someone has had a history of stalking or harassing you. If it’s safe for you to get help from law enforcement or your employer in these cases, that’s an option.

Should I be worried about my passwords?

So far (at the time of writing, anyway), none of the major breaches making headlines in Australia have involved password information, but many other breaches do include password data.

Many people use a single password, or similar passwords, for all of their online accounts. This makes them easier to remember, but it also means that if one service is breached and the attackers get hold of your password, they are likely to try it on other services too, and they can do that automatically against huge lists of leaked usernames and passwords.

To stop this, it's better to use a different password for each service. This sounds like a real pain in the neck – and it is! Password management services like 1Password, LastPass, or Dashlane try to make it easier for you. These programs will generate new passwords for each account for you and keep track of them.

You can also use the password management services inside a browser like Chrome, Firefox, or Safari to do the same kind of thing. Anything that supports you using a unique password for each account or service is usually better than using the same kind of password for everything. We also suggest checking services like "Have I Been Pwned" (https://haveibeenpwned.com/) to see if one or more of your email addresses has appeared in a data breach in the past.

If this sounds daunting – it kinda is. Passwords are a bit of a rubbish security system, and some apps are starting to use “passwordless” options like one-time login codes, or signing you in with your Google or Apple account, in an attempt to improve on this.
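As an added illustration (not part of the original article), here is how a password can be checked against a breach corpus without the password itself ever leaving your device: it extends the Have I Been Pwned advice above from email addresses to passwords, using the k-anonymity range lookup that HIBP’s Pwned Passwords service uses (only the first five characters of the SHA-1 hash are sent). The network call is replaced by a constructed offline response, and the counts in it are made up.

```python
from __future__ import annotations
import hashlib


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 (the scheme Pwned Passwords uses) and split the
    uppercase hex digest into the 5-char prefix that is sent to the service and the
    35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    seen: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, fetch_range) -> int:
    """Return how many times the password appears in the corpus (0 if absent).
    fetch_range(prefix) stands in for the HTTP GET; only the prefix is passed to it,
    and the suffix comparison happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the network call (assumption: real responses list
# hundreds of suffixes per prefix). The first suffix is the genuine SHA-1 tail of
# "password"; the other suffixes and all of the counts are made up.
_SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"
             "0000000000000000000000000000000000A:1\n",
}


def fake_fetch_range(prefix: str) -> str:
    assert len(prefix) == 5  # nothing longer than the prefix leaves the device
    return _SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fake_fetch_range))
```

A count above zero means the password has already turned up in a breach and should be treated as known to attackers, even if it was never used on the breached service.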

What should I do if I think my data has been breached?

If you think (or know!) that your info was involved in a breach, you can take the following steps, depending on what type of data that service probably has about you:

  • Change your passwords for the breached service (even if the password data wasn’t part of the breach)
  • Get your credit report
  • Freeze your credit
  • Change your ID numbers (passport, drivers licence)
  • Write to your MP and demand better privacy law reform
  • Support a digital rights organisation to help lobby for better legislation and regulations about this kind of thing

Where can I go for more info on dealing with a breach?

Merry Phishmas, everybody.

(Thanks to my Discord pals for the terrible holiday-themed phishing pun ideas!)

Lilly Ryan is a security consultant, board member of Digital Rights Watch, and part of the Byte Into IT team, Wednesdays 7-8pm.

This article first appeared in the December 2022 issue of The Trip.