Just a couple of weeks after the Collection #1 breach was identified, Collections #2-5 have surfaced. An estimated 2.2 billion unique accounts are compromised across these breaches.
The site we usually check for breaches (HaveIBeenPwned.com) has not been updated with this data yet. In the meantime, you can use the Hasso-Plattner Institute's Identity Leak Checker. When you enter your email address into this tool, it emails a report of which leaks that address appears in; the report goes only to the address you entered, so you need to be able to read that mailbox.
Once again, we want to stress: use a password manager, use long passwords that are hard to guess, and turn on 2FA wherever it is offered.
We've written a few times about password security. But what if your phone number gets hijacked? This is not your phone being stolen but your phone number being moved to someone else's phone (a "port-out" or SIM swap). SMS two-step verification stops protecting you at that point, because the number your accounts have on file now rings on the attacker's phone and the codes go to them. So how does a phone number get hijacked in the first place? The Victor crew wanted to learn more.
It can start with a text that looks like it came from your carrier, with a number to call or a link to a login page asking you to "confirm" some account details. All the attacker needs is the call-in PIN on your carrier account, and they can start porting your number to a phone they control; the whole time you think you are talking to a representative of your carrier. Once they hold your number, they use the "forgot password" function on your accounts and have the reset code sent to themselves. Think of everything tied to that number: your bank, your email, your wallet. So what can you do?
Here are some ideas from Forbes:
- Put a passcode (an account or port-out PIN) on your account with your carrier, and make sure whoever you are talking to asks you for it. If someone calls in pretending to be you, hopefully the representative is on the ball and asks for the passcode before making any change.
- Use a separate email address for your carrier account. Forbes suggests three addresses: your current primary one, one used only for the mobile carrier, and one for sensitive accounts like banking. That way a compromise of your primary address can't be used to take over your phone number.
- Disable online access to your wireless account. You will have to go to the store to make changes, but the account can't be taken over through the website.
- Ask your carrier to require photo ID, in person, for any changes to the account.
Some other thoughts:
- Use a password manager and let it generate your passwords.
- Don't reuse the same security questions and answers across sites, and don't answer them truthfully; treat the answers as extra passwords and keep them in your password manager.
- Don't tie your mobile number to sensitive accounts. Create a new Gmail address with no phone number attached, and use Google Authenticator (an app that generates one-time codes on the device itself, so no SMS is involved) as its second factor. If an account insists on a phone number, they suggest a Google Voice number, which is not controlled by your wireless carrier.
- Use a security key. A YubiKey is one example: a small physical device that plugs into a USB port (some models also work over NFC with a phone) and has to be physically present for you to log in.
- Use biometric authentication, a fingerprint for example, where the device offers it.
Every year, SplashData comes out with a new list of “worst passwords” for the year. The list for 2013 is out now. Their data is taken from “millions of stolen passwords posted online.” Is yours one of them?
The password "password" has fallen to #2 this year as "123456" has taken the number one spot. With retailers recently losing customers' credit card numbers, ask yourself whether the data that leaked (card number, name, ZIP code) is also something you use to log in to, or recover, an account somewhere.
They suggest you use a different password for every site. Don't use the same password for entertainment sites as you do for email or banking sites. Too hard? Try a password manager like SplashID Safe or LastPass.
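As an added example (mine, not from SplashData or the original post), here is how to check whether a password is in a leaked-password corpus without sending the password, or even its full hash, anywhere: hash it with SHA-1, send only the first five hex characters, and compare the returned suffixes locally. That is the k-anonymity scheme used by the Pwned Passwords range API at `https://api.pwnedpasswords.com/range/<prefix>`. The `SAMPLE_RANGES` table is a constructed stand-in for that service's responses so the code runs offline: the two hashes are the real SHA-1 digests of "123456" and "password", but the counts and the filler line are made up, and the function names are my own.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed stand-in for range responses. Key: 5-hex-char SHA-1 prefix.
# Value: the body format the real service returns, one "SUFFIX:COUNT" per line.
# Suffixes for "123456" and "password" are genuine; counts and the filler entry are invented.
SAMPLE_RANGES: Dict[str, str] = {
    "7C4A8": "\r\n".join([
        "D09CA3762AF61E59520943DC26494F8941B:23597311",  # SHA-1("123456") minus prefix
        "D0A1B2C3D4E5F60718293A4B5C6D7E8F901:2",         # filler, made up
    ]),
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # SHA-1("password") minus prefix
    ]),
}


def sample_fetch_range(prefix: str) -> str:
    """Offline fetcher backed by the constructed table; unknown prefixes return no rows."""
    return SAMPLE_RANGES.get(prefix, "")


def http_fetch_range(prefix: str) -> str:
    """Live fetcher against the real service (needs network; not used by the offline demo)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = sample_fetch_range) -> int:
    """How many times `password` appears in the corpus (0 if absent).
    Only the 5-char hash prefix leaves the machine; the suffix match happens locally."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["123456", "password", "correct horse battery staple"]:
        n = pwned_count(pw)
        print(repr(pw), "seen %d times" % n if n else "not in sample corpus")
```

Swap `sample_fetch_range` for `http_fetch_range` to query the live service; the privacy property is the same either way, since a 5-character prefix matches hundreds of unrelated hashes and the service never learns which one you hold.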
~ Jody Victor