How Hackable Are You? – Calculate Your ‘Pwned’ Score
The last several years have been good for criminal hackers and bad for consumers. From last year’s unprecedented string of major retailer breaches to the massive JP Morgan hack and Sony’s epic debacle, hackers have been almost unstoppable. So what should consumers expect for 2015?
Cyber attacks on major US companies and financial institutions aren’t likely to slow down this year, which means consumers will continue to find themselves targeted by increasingly brazen cyber-criminals. Of particular concern are the growing sophistication of “crimeware kits” used in phishing attacks, and the widespread distribution of “ransomware” and banking Trojans.
Many people mistakenly believe cyber attacks are beyond their ability to prevent, and they instead rely on the vague hope that big corporations will do all they can to protect their information – or make them whole again after a breach. But this certainly isn’t advisable. Once a person’s identity is stolen, it can create problems for years or decades down the road. Additionally, some financial institutions won’t always cover stolen funds resulting from a hacked computer – and this is particularly true for people who own small businesses.
Going forward, it’s critical for consumers to take a much more active role in protecting themselves from hackers and identity thieves. While no one can be safe 100% of the time, there are a number of easy and inexpensive steps people can take to dramatically reduce their risk of getting hacked.
Here’s a basic questionnaire every consumer can use to evaluate their personal ‘hackability.’ Add up your ‘pwned’ score to see how at risk you are:
- How strong are your passwords? (10 points) – People often make basic mistakes with passwords, like writing easily cracked/guessed ones (ex: ‘password123’), keeping default passwords, reusing the same password for multiple accounts, etc. Hackers also have tools at their disposal to crack passwords – like dictionary attacks and rainbow tables. Score Yourself: If you write complex passwords (10+ characters long, combination of letters, numbers and symbols), use unique passwords for each online account and take advantage of two-factor authentication when available, give yourself 10 points. If you don’t do all of these things, 0.
- Do you back up data? (10 points) – Cyber-criminals are increasingly using “ransomware” to victimize consumers. Since these attacks render personal files (documents, photos, videos, music, etc.) and computers unusable, the best way to protect against them is by regularly backing up data to an external hard drive, thumb drive or cloud-based account. Score Yourself: Those who back up data at least once a week have a +10. Those who don’t, 0.
- Do you use a Mac or PC? (5 points) – Because more people around the world use Windows-based PCs rather than OS X or Linux-based systems, cyber-criminals typically write malware that is specifically designed for this operating system. As a result, consumers who use Macs or Linux devices will generally be less exposed (but that doesn’t mean they’re immune) to malware than Windows users. Score Yourself: If you use a Mac or Linux device, give yourself a +5. If you use Windows, 0.
- Do you use antivirus? (5 points) – Admittedly, antivirus is no silver bullet – and it’s going to miss a lot of dangerous malware. But consumers still need to run it on all of their devices and keep it updated, because without it you’re even more at risk of infection. Score Yourself: If you use an antivirus product like Symantec, McAfee, Kaspersky or Sophos on all of your devices (whether PC, Mac or Linux), give yourself a +5. If you don’t, 0.
- How do you browse the Internet? (10 points) – More attacks now come through the web browser (drive-by downloads, cross-site scripting, man-in-the-browser, etc.), so it’s important for consumers to surf the web carefully. That means: add script-blocking security plugins to your browser (ScriptSafe, NoScript, Adblock Plus, etc.); never click on pop-up ads or alerts; don’t visit a sign-in page from a link sent via email; and use separate browsers for shopping and surfing the web. Score Yourself: If you do all of the above, 10 points. If you don’t, 0.
- Do you bank from your home PC? (10 points) – At some point, almost every computer that browses the web will pick up malware – and the worst-case scenario is a banking Trojan. If consumers should protect one thing, it’s their online bank account. The best way to do this is to have a dedicated computer (such as a cheap netbook or Chromebook) that is only used to log in to your online bank account. Score Yourself: If you have a dedicated laptop that is only used for online banking, give yourself +10. If not, 0.
- Do you use public WiFi? (10 points) – If you use public WiFi, you’re just begging to get hacked. There are a number of free or inexpensive hacking tools online that make it easy for almost anyone to hack an open WiFi connection. Score Yourself: If you use public WiFi at least once a year, give yourself 0. If you never use it, 10. If you never use public WiFi, but do use password-protected WiFi at your home and you live in an apartment, condo or townhouse, subtract 5 points.
- Do you visit naughty sites? (10 points) – This isn’t a personal judgment, but if you’re someone who occasionally visits adult websites or file-sharing sites where users swap bootlegged movies and music, you’re increasing the potential of exposing yourself to a variety of Trojans and malware – and your computer may become unsafe to use. Score Yourself: If you visit these sites, 0. If you never do, +10.
So … how did you do?
Unless you scored 60 points or higher, you’re not very secure at all and it’s time to change your ways. And if you scored 35 points or less, watch out because you’re an extremely easy target for hackers and the only thing keeping you safe is dumb luck. Chances are, you may have already been compromised in one way or another, whether you know it or not.
Security Shock: Why Did 2700 Websites Expose Our Passwords?
Why did they do it?
With all the data breaches and website hacking that have been going on, how on earth could big brands like AT&T, The New York Times, and Macy’s needlessly expose their users’ passwords?
Here’s what I’m talking about and why you should be worried: Over the past few years, my latest investigation for StateoftheNet.Net found, more than 2700 websites left their users’ passwords in plain sight by placing them undisguised smack dab in the middle of e-mails to those users.
A Glaring Security Lapse
Security pros consider this a terrible security practice. Here’s why:
“When a company sends a password in plain-text it is essentially inviting a user’s account to be compromised,” says Rick Redman, Senior Security Consultant at KoreLogic Security. “It also means that the company not only KNOWS your password, but stores it in a method that anyone can see … it is an insult to the customer. In my mind, it is the same as saying, ‘we do not care about your security.’” (If a site stores passwords in plain text, it’s even worse than sending them in e-mails, experts say.)
Government officials agree. “Sending a user’s password in plain text increases the risk of unauthorized access,” Mark Eichorn, Assistant Director of the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection, told me.
It Gets Worse
When a website commits such a lapse, it puts more at risk than just the personal information stored in your account at that site. A survey that I reported on in 2012 for Consumer Reports found that nearly one in five consumers used the same password for more than five accounts. So by exposing the passwords their users had entrusted to them, the thousands of sites in question were also increasing the risk of a breach of their users’ accounts at other institutions, such as retail, banking, and social network sites.
And that kind of risk could linger for months, or even years, according to Redman. “Most users don’t change their passwords,” he points out. “So an email with your password in it is sitting somewhere deep in your inbox, long forgotten by you, but it still has valid credentials in it.”
What does all this mean for you? Two things: Sloppy online security is more widespread than you probably thought; it’s hardly limited to the few websites that have been in the news. And even if you follow to the letter my recent advice on how to avoid a big password mistake, whenever you divulge your password to a website that sends or stores it in plain text, you might just as well have used the word “password” as your password.
We know about this massive security failure thanks to two public-spirited techies, Omer van Kloeten, Chief Technology Officer at New York-based app developer AppMyDay, and Igal Tabachnik, Lead Developer at OzCode. Fed up with having his own passwords repeatedly e-mailed to him in plain text, since 2011 van Kloeten has been posting examples of similar experiences that users send him at the site Plain Text Offenders (PTO), which he and Tabachnik created and which he says is “dedicated to publicly shaming this horrible practice.” He typically receives and posts evidence for several offenders per day. For the year 2014 alone, the site’s archive contains more than 980 screenshots of offending e-mails. The full archive bulges with more than 2,700 examples dating back to 2011.
Who Are the Culprits?
Besides the three major brands I mentioned above, PTO’s archive also contains examples of culpable e-mails from such brands as Fedex, J. Crew, Laura Ashley, Office Depot, Rhapsody, SeaWorld, and Sprint, as well as examples from government sites, such as Indiana.gov and BoulderColorado.gov; local and regional businesses; and sites that appeal mainly to gamers or geeks.
I began this investigation in October by registering with roughly 20 of PTO’s reported sites to see if they were still exposing passwords. E-mails containing passwords are usually sent either when you first register with a site or when you tell the site you have forgotten your password. When I tried this with my small group of sites, quite a few did not include my password in their e-mail responses. But some did: One retailer of electronic lab equipment included both my user name and password in its account confirmation e-mail. And PetSmart, which stores customers’ credit card numbers on its site, sent me a temporary password in plain text when I told the site I had forgotten my old one.
Most troubling to me were the e-mails I received from Princess Cruises, whose exposure of passwords had first been reported by PTO in May 2014. When I told the Princess site I had forgotten my password, the site, which may store such sensitive personal information as your address, birthdate, passport number, medical conditions, or sexual preference, e-mailed me my password in plain text. When I checked back with the site again on New Year’s Day, it sent me this e-mail with my password in it:
PTO’s van Kloeten also maintains a list, called Reformed Offenders, of the good guys that he knows have stopped sending passwords in plain text. As of early January, 26 sites were listed. “I’m very hopeful. It’s still an incredibly low percentage (less than 1 percent), but it’s growing,” he told me. He acknowledges that he hasn’t had time to follow up regularly on every submission, so even he doesn’t know just how many of the rest of the reported offenders may have reformed.
Earlier this year, software maker Dashlane, which offers a free password manager for consumers, published evidence that confirmed the sorry state of password security on many websites. Studying 100 of the top e-commerce sites in the U.S., it found that eight had sent passwords in plain text via e-mail. Among Dashlane’s many other troubling findings were that 64 percent of the sites had questionable password practices and 55 percent still accepted some of the worst conceivable passwords, such as “123456.”
What You Can Do
• If a website e-mails you your password in plain text, notify the owners of the offending site, if possible. Then report it to PTO using that site’s submission forms. PTO’s van Kloeten welcomes submissions and offers a helpful FAQ that answers many of your questions. You may also want to report the incident to the FTC, which welcomes consumer complaints about such practices, according to Mark Eichorn. To file such a complaint with the FTC, use the FTC Complaint Assistant.
• Use a different password on each site plus a password manager, such as LastPass, KeePass, or Dashlane. “Password Managers aren’t perfect,” says KoreLogic’s Rick Redman. “And there is an inherent risk with using them, but the risk is much less than using the same password on every site.”
• If a site you use (such as your bank, Google/Gmail, PayPal) offers two-factor authentication, a feature that provides extra security by requiring more than just a password for account access, take advantage of it.
• Look for telltale signs that a site isn’t properly securing your password. Says PTO’s van Kloeten, “You can be certain of it if the site shows you your password at any time. This can be in an email, on the site itself when viewing your account details, in a text message or even when conversing with a representative on the phone or via chat (“You forgot your password? Oh, it’s kitten123.”). If that’s not the case, you can still be suspicious if, for instance, the site has weird restrictions like not letting you choose a long and/or strong password.”
• To find out if sites you visit have ever been reported by PTO, install either the third-party Chrome Extension or the Firefox Add-on on PTO’s tools page. I can’t vouch for these tools’ accuracy or security, but when I tried them myself they appeared to work and I didn’t experience any noticeable problems. When they issue a warning, it doesn’t guarantee that the site still exposes passwords in plain text, but does mean that it has been reported to have done so at some time since 2011.
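The telltale sign van Kloeten describes (a site that can show you your password) follows directly from how the site stores it. The following is an added illustration, not code from PTO, Dashlane or any site named in the article: a site that keeps only a salted hash has no password to display or e-mail, and handles “forgot password” with a random, single-use, expiring token instead. The in-memory store, e-mail addresses and the contrasting offender pattern are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory user store; plaintext password is never a field here.
USERS = {}

# The offending pattern the article describes: the site keeps the plaintext,
# so "forgot password" can e-mail it straight back (constructed contrast only).
OFFENDER_USERS = {}

def offender_forgot_password(email):
    return f"Your password is: {OFFENDER_USERS[email]}"

def register(email, password):
    """Keep only a salted PBKDF2 hash; there is nothing to show or e-mail back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    USERS[email] = {"salt": salt, "hash": digest, "reset": None}

def verify(email, password):
    rec = USERS.get(email)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    return hmac.compare_digest(digest, rec["hash"])

def start_reset(email, ttl_seconds=900):
    """'Forgot password' without exposing anything: issue a random single-use
    token, store only its hash, and put the raw token in the reset link."""
    token = secrets.token_urlsafe(32)
    USERS[email]["reset"] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": time.time() + ttl_seconds,
    }
    return token

def finish_reset(email, token, new_password):
    rec = USERS.get(email)
    pending = rec["reset"] if rec else None
    if not pending or time.time() > pending["expires"]:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), pending["hash"]):
        return False
    rec["reset"] = None               # single use: invalidate before re-hashing
    register(email, new_password)     # new salt, new hash; old password is gone
    return True
```

With this layout the support agent’s “Oh, it’s kitten123” is impossible: the record holds no field from which the password could be read.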
How It Could Get Better
“We try to educate, not just shame,” says van Kloeten. “Offenders who contact us are immediately pointed to our very detailed and lovingly crafted FAQs and I even take as much time as needed to help them understand why what they did was wrong and how to fix it. We also encourage our wonderful community to spread the word. Google has started working towards making the web more secure, like giving higher PageRank to sites that are all-SSL. I hope this trend continues.”