From picking clothes and paying bills to communicating and job hunting, people are increasingly logging on to sites and online services that promise to make life more convenient. The use of online entertainment is surging as well, as people drop traditional television in favor of subscription to on-demand services like Netflix, Hulu, and Amazon. Even music is brought to us by online services like Spotify and Apple Music. Though these services are reasonably priced and convenient, they require a certain amount of information from the consumer before they become available—needing at least an email address or phone number, or credit card details and a billing address for paid services.
While these services were designed for convenience and speed, security might not have been top priority. A spate of recent mega-breaches demonstrated just how easily personal information can be stolen online. Just last month, Yahoo confirmed that around 500 million accounts were stolen, leaving half a billion people exposed to a slew of security issues. On the underground market, Netflix passwords are easy to find, alongside credentials for PayPal, eBay, Dropbox and other popular sites. Cybercriminals are hauling in account information and selling it wholesale.
What's in it for them? Pure profit. You can calculate here just how much cybercriminals gain from different site credentials.
Personally identifiable information (PII) is harvested and exploited in different ways. Credential stuffing, or using stolen usernames and passwords to crack accounts on other sites, is one way to use stolen credentials. Evidently, a lot of users recycle their passwords, which explains why this method has proven to be a largely successful practice. Compromised email addresses also open up the victim to a lot of other risks. Personal email accounts are usually used to verify other online accounts, which can give cybercriminals access to other sites from one set of credentials.
Where do they get the data?
A large cache of data is a more lucrative target than individual accounts, which is why cybercriminals go after sites with big repositories. Aside from the Yahoo incident, the breaches of LinkedIn and MySpace also leaked millions of online accounts. The sheer amount of users affected by mega-breaches from these popular sites has pushed many organizations to build up their defenses, and also prompted lawmakers to discuss stronger legislation on data breaches.
A breached site isn't always the cause of identity theft and account fraud. Sometimes the loss of information can also be attributed to individuals. Despite increasing awareness and savviness of users, many still fall prey to classic phishing scams, carried out using a number of different methods that range from email to malicious websites. Users aren’t entirely to blame—attackers are growing more sophisticated. Phishing scams are much more advanced, with scammers often impersonating legitimate companies and asking for login details or account credentials. There are also fake websites that ask for login details before allowing users to see certain content—something legitimate sites also do frequently. As users catch on to old tricks, scammers just make new ones.
What happens to stolen data?
- Free access to online services—Stolen Netflix, Amazon, and Uber accounts are prime examples. Why pay the monthly subscription fee when you can have premium service access for free? The trick is to know how to use the accounts without the user knowing.
- Mined for information—easily exploitable information like online banking credentials gives criminals an easy avenue for making illicit financial transactions.
- A way into corporate networks—for sites like LinkedIn and Adobe, many use their company email address to register. Stolen credentials could give an attacker an avenue into internal company networks.
- Credential stuffing—this is when attackers try to use stolen credentials from one breach to gain access to other sites. Here attackers count on the fact that usernames and passwords are frequently reused across multiple sites.
- For phishing schemes or DDoS attacks—an email account can be used to target other users. Attackers can use your email to send spam for phishing campaigns, or as part of a DDoS attack.
- Identity theft—your email and personal information can be used to register on other sites.
- Blackmail or extortion—in some cases victims have sensitive information in their email or online accounts which can be used for blackmail.
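Credential stuffing, as described above, has a recognisable footprint in a site's own login logs: one source address replaying leaked username:password pairs against many different accounts, most of which fail. The following is an added example from the defender's side, not code from the original article; it parses a constructed, hypothetical login audit log (the format, IP addresses and usernames are all made up) and flags such sources, listing the accounts that did log in so they can be reset and prompted to enable 2FA.

```python
import re
from collections import defaultdict

# Constructed sample audit log (hypothetical format, not from the article):
# timestamp, client IP, username tried, outcome.
SAMPLE_LOG = """\
2016-10-05T12:00:01Z ip=203.0.113.5 user=alice result=FAIL
2016-10-05T12:00:02Z ip=203.0.113.5 user=bob result=FAIL
2016-10-05T12:00:02Z ip=203.0.113.5 user=carol result=OK
2016-10-05T12:00:03Z ip=203.0.113.5 user=dave result=FAIL
2016-10-05T12:00:04Z ip=203.0.113.5 user=erin result=FAIL
2016-10-05T12:00:10Z ip=198.51.100.7 user=alice result=FAIL
2016-10-05T12:00:11Z ip=198.51.100.7 user=alice result=FAIL
2016-10-05T12:00:12Z ip=198.51.100.7 user=alice result=OK
2016-10-05T12:01:00Z ip=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_stuffing_sources(events, min_users=4, max_success_ratio=0.5):
    """Flag sources that replay leaked pairs across many DISTINCT accounts.

    Brute force (many attempts against one user, e.g. 198.51.100.7 above) is
    deliberately not matched here; that is a different alert."""
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(), "attempts": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "OK":
            s["ok_users"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        ratio = len(s["ok_users"]) / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            # Accounts that DID log in from a stuffing source had a reused password:
            # force a reset and prompt 2FA enrolment for them.
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "accounts_to_reset": sorted(s["ok_users"]),
            }
    return flagged
```

Thresholds are assumptions; tune `min_users` and `max_success_ratio` to the site's normal traffic, and apply the same logic per ASN or per session token when attackers rotate source addresses.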
Protecting your accounts:
- Think before you click. Before you click on an email from an unknown source, before you link any social media account to a new game or app, or even before you sign in to any new site—make sure that it is legitimate. Cybercriminals often use clickbait to lure users into giving up their credentials. Sporting events and other big events are a popular lure used to ask people to “sign up” for free tickets or merchandise. In reality, they’re just collecting user credentials.
- Keep updated. Update your OS and make sure you have the latest security patches. Weak or non-existent defenses make it easier for malicious actors to steal vital information from your device.
- Use 2FA. What have we learned from the breaches on sites such as Yahoo, LinkedIn, and Dropbox? That cybercriminals have proven to be successful at grabbing millions of usernames and passwords from popular sites. One way to protect your accounts is to enable the two-factor authentication option, a feature offered by a lot of popular sites and services. This feature requires two types of authentication for your online account, such as a password and a code sent via mobile, to make it hard for unauthorized parties to log on using stolen credentials.
- Monitor your finances. Regularly check your billing statements to find out if your credit or debit card has been compromised. Keep an eye on your accounts and notify your bank quickly if you notice any suspicious activity.
- Use unique passwords on different sites. This practice eliminates the danger of having stolen credentials from one account compromising your other accounts. Earlier this year, an online backup firm was targeted by attackers using credentials stolen from another site. Attackers assume users reuse passwords across multiple sites, so make sure you use strong and unique passwords for different accounts.
- Keep separate emails for different purposes. Use separate emails for personal communication, work, and online entertainment. This way, if one email is compromised, attackers will have limited access to sensitive information and other accounts.
- Get comprehensive protection. Effective and comprehensive security solutions can help you enjoy your digital life safely. Trend Micro™ Maximum Security secures multiple devices, helps manage passwords, and guards against the most prevalent online threats.