No, I don’t talk much about my role in the cyber-insurance world. But I have become much more informed than most, and I want you to do one simple thing for me:
“Stuffing-proof Your Email”
Data breaches are happening at an ever-increasing rate. We (the people I work with) anticipate huge growth in the number of breaches in the coming months.
Even a breach that exposes only PII (personally identifiable information) opens the way to “stuffing” attacks if it pairs an email address with a password.
Let me walk you through a typical case:
- It begins when a hacker breaches a website. For the sake of this example, let’s say it was a social media site.
- The hacker hasn’t gotten your credit cards, your street address, or your phone number, and doesn’t need them: all they are after is your email address and password. Some sites require a separate username, but an unfortunate number of websites (including most social sites) will log you on with just an email address and a password.
- Let’s make this a small breach: 2 million records. They get loaded into easily written scripts that work from two lists. One is the stolen data (email and password pairs). The other is the “stuffing list”: the logon pages of the sites the hacker wants to try.
- When run, the hacker’s program feeds your email and your password into the logon screen of, oh, 500 of the largest banks and brokerages in America.
- If you used that same password at one of them, you turn out to be unlucky, and what happens? It’s like having the key to your home stolen. They get in and wire the money to themselves via a third-party cut-out (shadow banks are great for this).
That’s how “email stuffing” works; the industry name for it is credential stuffing. Simple enough, and it works only because so many people reuse one password across sites.
How do big companies try to stop it? Typically, any time an IP address racks up more than a couple of failed logon attempts, they block it. But, sadly for the IT departments, the “stuffers” are bright enough to spread their attempts across many IP addresses, so no single address ever trips the threshold, and they happily continue to stuff.
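The whole loop above, the stuffer’s replay script, the per-IP blocking it walks around, and the signals a defender should key on instead, as an added Python example. This is not the author’s code and not any real stuffing tool: the breach dump, the target’s account table and the attacker IPs are all constructed for the demo, so nothing touches a live site.

```python
"""Credential ("email") stuffing, simulated end to end.

Added example, not the author's code. The breach dump, the target service's
account table and the attacker IPs are all constructed here so it runs offline;
the IPs come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict

# What the breached social site leaked: just email + password, as in the text.
BREACH = [
    ("alice@example.com", "Summer2019!"),
    ("bob@example.com",   "hunter2"),
    ("carol@example.com", "correct-horse"),
    ("dave@example.com",  "P@ssw0rd"),
    ("erin@example.com",  "letmein"),
    ("frank@example.com", "qwerty"),
]

# The target (think: a bank logon that accepts email + password).
# Only users who reused their social-site password are exposed.
TARGET_ACCOUNTS = {
    "alice@example.com": "Summer2019!",      # reused  -> stuffing gets in
    "bob@example.com":   "bob-unique-9xQ",   # unique  -> safe
    "carol@example.com": "correct-horse",    # reused  -> stuffing gets in
    "erin@example.com":  "erin-unique-4Tn",  # unique  -> safe
}

ATTACKER_IPS = ["198.51.100.7", "203.0.113.9", "192.0.2.44"]


def stuff(breach, accounts, source_ips):
    """The stuffer's script: replay every (email, password) against the target,
    rotating source IPs so no single address racks up failures.
    Returns (compromised_emails, auth_events); each event is (ip, email, ok),
    which is what the target's auth log would record."""
    hits, events = [], []
    for i, (email, password) in enumerate(breach):
        ip = source_ips[i % len(source_ips)]
        ok = accounts.get(email) == password
        events.append((ip, email, ok))
        if ok:
            hits.append(email)
    return hits, events


def per_ip_blocking(events, max_failures=3):
    """The defense the text describes: block an IP after a few failed logons.
    Returns the set of IPs that would have been blocked."""
    failures = defaultdict(int)
    blocked = set()
    for ip, _email, ok in events:
        if not ok:
            failures[ip] += 1
            if failures[ip] >= max_failures:
                blocked.add(ip)
    return blocked


def detect_stuffing(events, min_distinct_failed=3):
    """Signals that survive IP rotation:
      * many *distinct* accounts failing in one window (a real user fumbles one
        account; a stuffer fails across hundreds), and
      * a successful logon from an IP that also failed against *other* accounts,
        which is the stuffer's hit, not the customer.
    Returns the verdict and the accounts whose passwords should be reset."""
    failed_by_ip = defaultdict(set)
    for ip, email, ok in events:
        if not ok:
            failed_by_ip[ip].add(email)
    distinct_failed = set().union(*failed_by_ip.values())
    to_reset = sorted(
        email for ip, email, ok in events
        if ok and (failed_by_ip[ip] - {email})
    )
    return {
        "stuffing_suspected": len(distinct_failed) >= min_distinct_failed,
        "accounts_to_reset": to_reset,
    }


if __name__ == "__main__":
    hits, events = stuff(BREACH, TARGET_ACCOUNTS, ATTACKER_IPS)
    print("stuffer got into:", hits)
    print("per-IP blocking caught:", per_ip_blocking(events) or "nothing")
    print("stuffing detector:", detect_stuffing(events))
```

Run it and the per-IP rule blocks nothing, because each of the three addresses fails only once or twice, yet four different accounts failed in one short window and two accounts were opened from addresses that had just failed against other customers. Those two signals, distinct accounts per window and a success from an IP with failures against other accounts, are what catch a stuffer who rotates addresses; the per-IP threshold only catches one too lazy to rotate.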
Is there a way to protect yourself? Sure. And it’s simple.
All you need to do is “key” each of your passwords to the site you use it on.
Just like setting up access control on a commercial building: not all employees have access to all areas. I’ve had, in the past, to set up “security zones” so that a business knew who was able to access high-value resources and could keep everyone else out.
The first thing you need to do, before we spend a bunch of time keying passwords, is to make sure your critical passwords are complicated enough to be practically impossible to crack if a site’s password hashes leak.
My “core passwords” are 13 characters in length. They include numbers, upper- and lower-case letters, and several of the so-called “special characters.” Shift-8 on most keyboards will generate a *, for example.
Using the Gibson Research password tester, I figure my odds on the core passwords as:
Naturally, even though I trust everyone (OK, I trust no one), even on the tester I don’t use my actual password. I use proxy characters. But, as you can see, my core password is pretty good.
Now, Let’s Key it to Specific Sites
Let’s assume now that I have this really good password, but one of my accounts is breached.
How can I “key” my really good password to only one site?
Take a three-site user who uses Facebook, Twitter, and Spotify, for example.
All we need to do is add “Fa” somewhere in the strong password, which keys it to Facebook. So: the strong (nearly unbreakable) core plus the letters Fa (the first two letters of Facebook, right?) nailed on the ass-end of the strong core. The password just got longer and even more difficult to crack, and it now belongs to one site.
OK, we can do even better by using four letters from the site. Let’s run my core plus “Face”. In other words, we add four characters to our strong core:
Now consider what happens if (and this is an example only) there were a huge breach at Facebook. That password would not open the Spotify account, nor the Twitter account of our theoretical user, nor any of their bank or trading accounts. At least, not for a script that simply replays it as-is.
What About Smarter Hacker Scripts?
Yeah, we need to have this part of the discussion, too, because hackers, as a lot, are very smart people.
It wouldn’t be too tough to search a file of hacked Facebook data (again, an example only) for every password containing “Fa” (case 1) or “Face” (case 2) and hold those out for further study. That needs the leaked passwords in plaintext, or the hashes cracked first, and making that cracking expensive is exactly what the strong core is for.
However, at some point the extra work stops paying, and “mining” Bitcoin becomes a much more predictable way to make money on the Internet.
What’s more, some wise-ass somewhere is bound to figure out that most people would put the “Fa” or the “Face” at either the beginning or the end of the solid core password.
So two further tricks for making all your accounts “email stuffing proof” arise:
One is to reverse “Fa” and “Face” to “aF” or “ecaF” respectively. The other is to place them inside the strong core at an easy-to-remember break.
OK, Enigma bonus points if you bust the four-character “ecaF” into a 3-and-1 or 2-and-2 split across two positions in the core, or go a further iteration.
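The keying variants from the last few paragraphs and both generations of the hacker’s search script, as an added Python example (not the author’s code; the 13-character CORE and the “leaked” list are constructed stand-ins). It goes one step past the page with shared_core, which shows what an attacker does with two leaked passwords for the same email address.

```python
"""Site-keyed passwords versus the hacker's search scripts.

Added example, not the author's code. CORE is a constructed 13-character
stand-in (it contains none of the letters in "face", which matters below)
and LEAKED is a constructed plaintext dump from the hypothetical Facebook
breach; real dumps are hashed, so the attacker cracks first, then searches.
"""
import difflib
import re

CORE = "k7#Qv$pL2m!Zr"   # constructed stand-in for the author's strong core


def key_password(core, site, length=4, mode="append", at=5):
    """Derive the per-site password the text describes.
    append : core + "Face"                         (case 2 in the text)
    reverse: core + "ecaF"                         (first extra trick)
    insert : "ecaF" dropped into the core at `at`  (second extra trick)
    split  : "ecaF" cut 2+2, one half at `at`, the other before the last two chars
    """
    tok = site[:length]
    rev = tok[::-1]
    if mode == "append":
        return core + tok
    if mode == "reverse":
        return core + rev
    if mode == "insert":
        return core[:at] + rev + core[at:]
    if mode == "split":
        half = len(rev) // 2
        return core[:at] + rev[:half] + core[at:-2] + rev[half:] + core[-2:]
    raise ValueError(f"unknown mode {mode!r}")


def naive_mine(leaked, site, length=4):
    """Case 1/2 script: hold out passwords that start or end with the site token."""
    tok = site[:length]
    return [p for p in leaked if p.startswith(tok) or p.endswith(tok)]


def smarter_mine(leaked, site, length=4):
    """The wise-ass upgrade: the token or its reverse, anywhere, any case.
    Returns {leaked_password: candidate_core} with the token stripped out."""
    tok = site[:length]
    pat = re.compile(re.escape(tok) + "|" + re.escape(tok[::-1]), re.IGNORECASE)
    found = {}
    for p in leaked:
        m = pat.search(p)
        if m:
            found[p] = p[:m.start()] + p[m.end():]
    return found


def shared_core(pw_from_site_a, pw_from_site_b):
    """Two leaks for the same email: the longest run both share is the core
    (or the biggest surviving chunk of it), wherever the tokens were placed."""
    sm = difflib.SequenceMatcher(None, pw_from_site_a, pw_from_site_b)
    m = sm.find_longest_match(0, len(pw_from_site_a), 0, len(pw_from_site_b))
    return pw_from_site_a[m.a:m.a + m.size]


# Constructed dump: four keyed variants plus two unrelated users' passwords.
LEAKED = [
    key_password(CORE, "Facebook"),                  # ...Face
    key_password(CORE, "Facebook", mode="reverse"),  # ...ecaF
    key_password(CORE, "Facebook", mode="insert"),   # k7#QvecaF$pL2m!Zr
    key_password(CORE, "Facebook", mode="split"),    # k7#Qvec$pL2m!aFZr
    "Interface99!",   # someone else's password that merely contains "face"
    "Summer2019!",
]

if __name__ == "__main__":
    print("naive script holds out :", naive_mine(LEAKED, "Facebook"))
    found = smarter_mine(LEAKED, "Facebook")
    spotify = key_password(CORE, "Spotify")
    for pw, core in found.items():
        note = "  (opens Spotify)" if core + "Spot" == spotify else "  (false positive)"
        print(f"smarter script: {pw!r:22} -> candidate core {core!r}{note}")
    print("split variant evades regex:", LEAKED[3] not in found)
    print("core shared by Facebook(insert) and Spotify(append) leaks:",
          shared_core(LEAKED[2], spotify))
```

The first script catches only the plain “Face” suffix. The second, which looks for “Face” or “ecaF” anywhere, recovers the core from the reversed and inserted variants and hands the attacker the Spotify password, at the cost of false positives like “Interface99!”. The 2-and-2 split does defeat that regex. But once two breaches leak keyed passwords for the same address, the longest run the two share is most of the core however the tokens were placed, so keying protects you against replay scripts, not against someone who lays your passwords side by side. Unrelated passwords per site close that gap as well.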
The point is?
There are definitely things people can do on the “consumer side” that sharply reduce certain kinds of password risk.
I appreciate that it is a bit of work and personal retraining, but it’s also a damn fine way to reduce your risk, especially if, like so many people, you use the same password across sites.
If it’s not keyed, it’s just a matter of time until you end up in a big data breach, and once there? Here come the stuffers.
You don’t have to make it easy on the bad guys. They aren’t going to make it easy on you.
Write when you get rich,