Sunday 1 July 2018

Have I Been Pwned?

Do you know if your email address or logon details to various websites have been hacked? In hacker slang, to "pwn" is to take control of someone's access or computer. While hackers and cyber-criminals have the means to identify hacked accounts, the average person will find it difficult to know whether their details have been compromised. It is becoming increasingly common for websites to be hacked and the details of their users compromised. Some of the largest breaches include 164,611,595 LinkedIn accounts, 359,420,698 MySpace accounts and 152,445,165 Adobe accounts. The hacked details may include usernames, passwords and personal information. These details are sold or published online. In 2013 web security expert Troy Hunt developed a platform that makes it easy for a person to check if their details have been hacked. The website is called Have I Been Pwned (HIBP) and is accessible at https://haveibeenpwned.com. It had also become obvious to Hunt that companies were slow to release details of data breaches, and this left end users exposed. As a result, people can now register on his website and be alerted when a data breach occurs that matches their details.

HIBP has been so successful that other companies are integrating their products with this functionality. In particular, the Mozilla Firefox browser is using the site to advise users when they are browsing a compromised website. Mozilla will be releasing a new tool called Firefox Monitor that integrates the ability to search for compromised emails in the browser. 1Password (a password management app) is also using HIBP to advise its users if their logins have been compromised and their details need to be changed.

So what can you do if your account details have been hacked? The most important thing is to reset your password and security information as soon as possible. This is why getting an alert from HIBP is useful. Another common problem is that people tend to use the same password for many sites, so if one site is compromised then access to the other sites is also compromised. Using a password manager is a good way to avoid this issue. Password managers can generate complex, unique passwords for every site. Not only can they generate passwords, but they can also be used to log in automatically from your web browser. This way you don't even need to know your passwords or bother typing them in.
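The HIBP lookups that 1Password and similar tools perform (mentioned above) use the Pwned Passwords range API: the client sends only the first five hex characters of the password's SHA-1 hash and matches the rest locally, so the password itself never leaves the device. The following is an added example, not code from the original post or from HIBP; the endpoint and the `SUFFIX:COUNT` response format are the real API's, while the response body and the breach counts used in the offline demo are constructed.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP Pwned Passwords endpoint


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the server (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; padding entries (count 0) are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        if int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch: Callable[[str], str]) -> int:
    """How many times the password appears in HIBP; 0 means not found in the range."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def fetch_live(prefix: str) -> str:
    """Network lookup against the real API (not used by the offline demo below)."""
    headers = {"Add-Padding": "true", "User-Agent": "hibp-range-demo"}
    req = urllib.request.Request(RANGE_URL + prefix, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: only the 5BAA6 range (SHA-1 prefix of "password")
# is populated, and every count and the other two suffixes are made up for the demo.
FAKE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0123456789ABCDEF0123456789ABCDEF012:42\n"
             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\n",
}


def fetch_offline(prefix: str) -> str:
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch_offline)} times")
```

Swap `fetch_offline` for `fetch_live` to query the real service; a non-zero count means the password has appeared in a known breach and should be changed everywhere it is used.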

Another useful security measure is to use multi-factor authentication (MFA). This is particularly relevant for high-risk websites such as personal banking or government sites. With MFA, a username and password are only the first means of authentication; another mechanism is needed to verify your identity. This can be in the form of an SMS to your mobile, or a one-time password (OTP) generated by an app on your phone.

Lastly, think carefully about the type of security information you use when registering an account. If you use real information and this is hacked, it can be used for identity fraud (by someone pretending to be you when applying for a credit card, etc.). If the website is low risk (e.g. a recipe site), then use bogus information that is kept in your password manager in case you need to recover the account. There are many options when it comes to password managers, so check the review from PC Mag here to choose the right one for you: http://au.pcmag.com/password-managers-products/4524/guide/the-best-password-managers-of-2018