Think you're not at risk? Think again...
So one of the most common questions I get when I talk to non-IT-security people about user security online is “Why should I care? I’m not a target.”
This is wrong on so many levels and in this post I’ll try to explain why.
“I’m not a target”
So to analyse why this is wrong we need to understand the fundamentals of why someone “hacks” others.
I’ve chosen to put quotes around “hack” as I think the word has been abused by the media in recent years to the point that it has now lost its original value.
Just like I wouldn’t call someone copy-pasting an article a journalist, I wouldn’t call someone guessing someone’s password a hacker.
In this analysis I’ll focus on identity theft. That doesn’t mean there are no other security risks or that I don’t know of other ways. It’s just because I know browsers tend to crash when they load a page with a couple of billion characters, and I doubt anyone would even want to read that much.
Hackers want all your information
It doesn’t matter if they get your cat’s name or your shoe size. When someone wants to pretend to be you, they’ll want to know everything about you.
So why would they want to pretend to be you? You’re not a very interesting person, you might say.
Maybe not, but you probably have something they can make money on. Bank account, Amazon account, Facebook, e-mail. The list goes on.
If they can get your bank account or Amazon account they can sell it to someone. If they can get your Facebook or e-mail account, they can phish for other people’s information that you know of, or sell it to spam networks.
In a world full of ads, companies pay for social media accounts that they can use. They can use your Yelp account to write fake reviews, post status updates on Facebook about how nice the staff at Bill’s restaurant are or how you recommend everyone to buy the new fake Chinese iPhone.
“I don’t use social media”
Fair enough. Let me tell you a story about a person I met not too long ago who got his information leaked.
This person once got a call from the police saying they had caught a criminal gang outside his house waiting for the mail. “Why?” you might ask.
Because they had applied for a credit card in his name. A card which would be sent out by mail along with its code a couple of days later.
But this couldn’t happen to you, could it?
Most countries publish their citizens’ most basic information such as full name, phone number, address and sometimes job and income.
“I don’t have an address”
Okay. Some don’t have an address.
But you’re probably a citizen of some country.
Most countries in the world keep track of births and deaths. And while the thoroughness might vary from country to country, most countries at least write down all the names of the people involved.
For example, here in Sweden they file the baby’s parents’ names, the baby’s name, weight and height, give out the social security number and, soon after, the dog tag (so that in 18 years the baby can receive his or her military uniform and be taught how to say “I surrender” in Russian, which for anyone wondering is я подчиняюсь).
“I’m not any of the above”
Then you have a medical condition called “mortuus est”, often referred to as being dead.
The conclusion is that we’re all at risk constantly of being in the crosshair of someone with shady motives.
You might wonder what the point is of protecting yourself then. The answer is that while none of us are 100% safe from attacks, we can help limit the damage vectors and thus limit the number of people who have the skills, or ‘know-how’, to attack us. If you put in 30 minutes to change your passwords once in a while, you might save 30 hours trying to call around to companies where your identity has been used.
The amount of time one should put into protecting oneself is something one has to evaluate oneself, but the least you can do is to take 10 minutes to draft up your most basic vulnerability points online.
If someone gained access to your Facebook password, would they be able to access your e-mail? How many other accounts could they reset the password on if they had access to your e-mail?
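The two questions above can be answered mechanically once you have written your accounts down. The following is an added example, not part of the original post: the account list, the password labels and the assumption that Yelp is signed into through Facebook are all constructed for illustration.

```python
from collections import deque

# Constructed inventory: account -> (password label, account that can reset it).
# Identical labels mean the same password is reused; None means no reset path listed.
ACCOUNTS = {
    "email":    ("pw-A", None),
    "facebook": ("pw-A", "email"),
    "amazon":   ("pw-B", "email"),
    "bank":     ("pw-C", None),
    "yelp":     ("pw-D", "facebook"),  # assumption: signed in through Facebook
}


def blast_radius(accounts, first_compromised):
    """Return every account that falls once `first_compromised` and its password are known."""
    if first_compromised not in accounts:
        raise KeyError(f"unknown account: {first_compromised}")
    reached = {first_compromised}
    queue = deque([first_compromised])
    while queue:
        current = queue.popleft()
        current_pw = accounts[current][0]
        for name, (pw, recovery) in accounts.items():
            if name in reached:
                continue
            # A reused password opens the account directly; control of the
            # recovery account opens it through a password reset.
            if pw == current_pw or recovery == current:
                reached.add(name)
                queue.append(name)
    return reached


def rank_by_exposure(accounts):
    """Accounts sorted by how many others fall with them, worst first."""
    sizes = {name: len(blast_radius(accounts, name)) - 1 for name in accounts}
    return sorted(sizes.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, count in rank_by_exposure(ACCOUNTS):
        print(f"{name:10s} exposes {count} other account(s)")
```

Replace the inventory with your own accounts; the ones at the top of the ranking are where a unique password matters most.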