Is your privacy at risk?

By Ilma Seperovic

Did you know that there are nearly more than 3.8 million records stolen from illegal breaches every day? According to reports from Cybersecurity Ventures, that’s 158,727 per hour, 2,645 per minute, and 44 every second of every day. It happens a lot more frequently than you’d expect, making many question whether their private information is in fact private.

“If you have a credit card it’s probably been stolen, you may not see that, but people probably have bought your credit card off the black market,” said Eric Chan-Tin, assistant professor of computer science, whose research focuses on network security, privacy, and anonymity—the practice of being anonymous online.

With information leaks becoming a regular occurrence, Chan-Tin says we need a better way to combat data and privacy breaches. Here, he shares the dangers of mobile apps and information on how to safeguard one’s identity, passwords, and credit cards.

What’s the biggest thing a person should be thinking about when they’re trying to protect themselves online?

First thing I teach in security is to think like an “adversary.” You have to think outside of the box. Most people are taught to be good and kind, but there are people who are not, so to protect yourself, you have to put yourself into their mind set. Whatever you are doing, whether it is online or just on your computer, think about what a bad person would do. For example, if you go to your bank and you put in your password as “12345,” thinking as an adversary, that’s pretty easy to guess. If you have your password as your pet’s name and everybody knows your pet’s name, then that’s also easy to guess.

How do you create a secure password that is hard to guess but easy for you to remember?

For the password to be easy for you to remember, the best way is to use phrases. For example, you use, “I want to go to the movie theater.” You could write that as your password. It would be pretty long to guess. Or, you could take the first letter of each word and create an anagram. For this example, it would be “IWTGTTMT.” That would be your password. You could even add symbols. For example, you would add a “2” for, “I want 2 go 2 the movie theater.” The best password is automatically generated; any password that is human generated is pretty bad. What I recommend for passwords is to use a password manager, there’s a lot out there that are for free, like Dashlane and LastPass.

Do you need different passwords for every account you have? Is it ever okay to reuse the same one?

I would only ever consider it to be okay to use the same password if it’s an account that you don’t care about. For your bank, email, social media, you would want to use a different password. If someone stole your password to Facebook, and you use the same one for every account, they’d be able to hack into all of your other accounts.

How can people protect themselves on social media?

First tip do not have a social media account. If you do have one, make it private. For a lot of Facebook profiles, anyone can go to them, but there is a setting that can make it private. Even the posts become private, meaning they only appear to you and your friends. Be careful what you post online, don’t say things like you were on vacation for a month. People will know you are not home and will potentially rob you.

What should people do if their phone’s stolen, and their information is saved? How could be people prevent their information being accessed?

Lock your phone. I know a lot of people do not use a password on their phone. If I’m on the street, probably 50 percent of the phones do not have a password. I could easily open their phones and find their information. Most people have a password for their laptops but don’t for their phone. Pick a password. A pin is okay, but pick a good one, not your birthday, your birthday year, or things like that. iPhones usually offer encryption but if you have an Android phone, there’s an option where you can go in and encrypt everything. So, even if your phone is stolen, they cannot access anything. If your phone is not encrypted and your phone is stolen, they cannot get in due to the password. But, they can still access your data because nothing is encrypted. They can get your notes, your Google Drive, anything. Also, be careful what apps you install; most banking apps do not automatically save passwords each time you log in. This is good. Do not automatically save information like logins and pins.

Anything else?

Be careful what you install, treat your phone just like a computer. People are careful to not install random stuff on their computers, but for their phone, people install random games and apps. That same principle should apply to the devices. You could have an app steal your information or see what you’re doing, and that has happened. There have been studies done. The most popular apps, a lot of them leak your information. They send locations/GPS coordinates to random servers. Some of them will even send your phone number, but it’s apps you wouldn’t expect. If you have a video game, you don’t expect it to use your GPS. There is no reason for the app to use it, but it could be collecting that information. Every phone has a unique ID. Apps collect that ID, so that they can track you. Even if you uninstall the app, they can still see your information through the ID.

Can you tell us how apps allow people to steal your info. How do you tell which apps are safe and which ones are risky?

If you have an Android phone, when you download an app, it will ask what permissions the app is allowed to use: whether it is going to use your phone number, location, contacts, and address book. Some of them don’t say whether you can say yes or no. If you install the app it may have access to your phone number—but for your GPS location you have the capability to allow or deny the use of it. Some of the apps just require your phone number or ID and don’t have an option to deny this. For an iPhone, it is the same, they offer options to deny or allow the use of location, camera, and microphone. So, you have control over that, but you don’t have control over other things like your phone number, card number, or the ID of the iPhone. You never know if the app is going to be asking or is asking for access to these things until you install it, depending on what apps you install. There is no way to tell which ones are risky until it’s too late.

Stealing a person’s identity, how easy is it?

If I pay $40, I can know everything about you. I can know your last name, date of birth, social security, mother’s maiden name. Not everybody’s information is online, but most people’s information is. If you have a credit card, the possibly that your credit card is on the black market is pretty high.

There have been a lot of breaches, so your social security is probably already out there. I can get your name, phone number, date of birth, and middle name with a quick Google search, especially if you have Facebook or Twitter. People might say it might not happen to me, but hackers are not saying, “I’m only attacking a certain group of people.” They don’t care, as long as they can get money out of it.

What are the steps a hacker takes to steal your credit card?

Let’s say I’m a hacker: All I care about is that I get one credit card that I can use. It doesn’t matter if it’s yours, or anybody else’s. The first thing that someone could do is to go on the black market and buy a credit card. It’s just like Amazon or eBay. There are many black spaces that people go to, but for the majority of them, you just need to sign up and you’re in. An example of one is “Silk road.” They have drugs, credit cards, and other items that people can buy on their website. But some markets are by invite only, so you can only get in if someone else has invited you. They can go online and buy a bunch of credit card numbers that are in bundles. Last year, the average purchase price for about a thousand numbers was about $40. They would simply pay through bitcoin and then receive an e-mail with the numbers, and at least one out of the thousands of numbers would work. When you pay the $40, sometimes you might just get the credit card number. Getting the CVV, expiration date, address, and name increases the price for the cards, so there are different levels of information that you could buy off the black market.

Is there any way to avoid your credit card info being stolen, other than just not using a credit card?

In general, almost every card number is on the black market. If you have a credit card, it’s probably been stolen. You may not see that people have bought your credit card, because your credit card company has a fraud team. Their main job is just monitoring illegal transactions. It happens all of the time. When you go to the black market, you're buying thousands of numbers. It’s a guarantee that at least one of them will work.

There is not much for a consumer to do to protect themselves. Don’t go to random websites and don’t give away your credit card number. Check your bank statements to see if something is off. Something that is nice in the U.S. is that most credit cards have a liability policy, so if someone stole your credit card and they used it to buy something you are not liable for that purchase.

Once your info is stolen, is there any way to stop it being used?

I don’t know how wide spread this is, but I have heard of banks going to the black market and purchasing credit card numbers so that other people don’t get it. All of the fraud detection would be ‘behind the scenes,’ so you won’t see anything as a consumer. Usually the purchase is a onetime thing because the sellers only sell the same numbers to one person, they will not resell it to someone else.

How can you find out what information about you is available?

As a regular person, you just have to look through all of the black markets for yourself, see what’s on Google, and see what's out there—and delete it. It is doable, but it is a lot of work, a lot of companies offer that as a service now.

How would you steal an individual card?

There are a few things I could do:

• The first thing I could do is break into your house, or rob you to get your information.
• I could also try and guess your banking passwords to get your information that way.
• Many credit cards also have many wireless capabilities, such as NFC chips. It’s similar to the way people use a Ventra card, all you have to do is tap the card onto the pad, and it’ll pay your balance. I could use this to my advantage and walk around with a machine that reads everyone’s credit card numbers who are in my surroundings. All I would have to do is get really close to you. So, maybe I would bump into you and then my device is reading your credit card number. The device is just like what you see used on the residential hall doors that scan a student’s ID. The person whose credit card I just stole wouldn’t even see it. It could just be in my pocket and no one would think twice. It’s a type of machine that runs on batteries, you can buy one at Walmart or anywhere else. One of my students did a project on credit cards last year, and she saw that Walmart was selling them for about $70. It’s pretty cheap. A way to protect yourself against this trick is to use the sleeve your credit card came in from the bank, it will prevent any wireless communication.
• There are credit card skimmers too. If I was trying to steal a credit card number, I would go to a gas station and put in a little device, maybe less than an inch thick, on top where you would swipe your card. Someone can put one in and then a week later, come and take it out. It would have recorded a bunch of people’s credit card numbers. I could even put a camera next to it, so I would see all of the information that I would need to steal the credit cards.