Tom Holladay Putting It Together Again

How a Single Username Puts Your Security at Risk

Credit: Natasha Kramskaya/Shutterstock


In the theme song for the old television sitcom "Cheers," the Boston bar was the place where "everybody knows your name." To prove it, every time the character Norm walked into the establishment, everyone inside shouted out, "Norm!"

But the Internet isn't "Cheers." On the Internet, it's not always advisable to let everyone know your real name.


Instead, many Internet users create usernames that incorporate details unique to themselves, even if those details are only initials followed by a three-digit number.

While it may not be a person's official legal name, a username makes an individual user recognizable inside online communities. A username can be just as much a part of a person's identity as the name on his or her birth certificate.

For those reasons, many individuals have only one online username, which they use all the time across multiple platforms and websites.

Yet using a single username is asking for lots of trouble.

"Having the same username everywhere will negatively impact the limited amount of anonymity there is on the Internet," said Roel Schouwenberg, primary security researcher with anti-virus software maker Kaspersky Lab. "It will open people up to more directed attacks."

The exposure of a person's username may not sound very risky, but it can trigger a cascade of security failures, each of which opens the door to account hijacking, identity theft or financial damage.

How Snapchat provided a snapshot of online security risks

The user database of the photo-sharing mobile app Snapchat was breached this past December, and usernames and mobile-phone numbers of 4.6 million Snapchat members — a small fraction of the total number of users — were posted online.

No passwords or email addresses were taken from Snapchat. Nonetheless, security experts advised all Snapchat members — regardless of whether they were on the breach list — to change their usernames, as well as any passwords associated with those usernames on other websites.

That was because malicious hackers and online criminals knew many Snapchat members would have used the same usernames when signing up for other services — and when creating email addresses.

"Using a single unique username across different services makes someone very identifiable," Schouwenberg said.

Under the right circumstances, the compromise of a single username can lead to a domino effect across many platforms in which a malicious hacker, with all of a user's identity in hand, can attack every account that uses that name.

How usernames lead to email addresses

Most Internet users make attacks easy for identity thieves by creating email addresses based on their usernames, which helps criminals make connections between identities and passwords.

John K. Smith, for example, might have used the username jksmith456 for Snapchat. Odds are that John has an email address such as jksmith456@yahoo.com or jksmith456@gmail.com, and that he used one of those to set up his Facebook and LinkedIn accounts.

An online criminal wouldn't know John's password right away from the Snapchat breach. But he would know that many people use obvious passwords, such as "password," "letmein" or "123456." He could use the 100 or 1,000 most common passwords to try to break into John's accounts.

But even if a criminal can't break into any of a user's accounts directly, there are still indirect ways to get in and take over.

Your information, all out in the open

If a username is based on a real name, a criminal can guess the user's real name and then use that to learn as much as possible about the person.

In the case of jksmith456, the criminal could run through common names starting with "J." He could leverage the cellphone number leaked with the Snapchat username, cross-referencing the area code with potential J.K. Smiths, or even call the cellphone to see if a man or woman picks up.

Cellphone numbers can be nearly as identifiable as Social Security numbers, Schouwenberg pointed out.

Most people plan to keep their mobile phone numbers for a long time; unlike a home address or land-line number, a cellphone number often doesn't change with a move across the state or country.

Once a person's username is known, it can be combined with other information to leverage account password-recovery options, said Charles McColgan, chief engineering officer at TeleSign, a mobile-identity-protection firm in Marina del Rey, Calif.

A criminal could use social media and public records to figure out when John K. Smith was born, where he grew up, what his parents' names were, and where and when he went to high school.

After that, it would be easy for the criminal to answer many of John's password-recovery questions, such as "What was your mother's maiden name?"


The criminal takes over, and the risks spread

Having seized control of John's email account, the criminal could reset John's email password or, better yet, have copies of all John's email messages secretly forwarded to another email address while John unsuspectingly continues to use the account.

"Cybercriminals often will try accessing other websites and apps using the same information they've obtained to see if they can gain access, steal information, make purchases and much more," McColgan said.

The criminal could systematically hijack every account John had created using the compromised email address. It would be easy to take over those that used the same password. For the rest, password-recovery options could be leveraged.

"Since the attacker is going after a common username, the user's email address is probably already hacked," McColgan said. "Whether it's through a data breach or a targeted attack, any associated accounts using the same username can be compromised by password recovery once the trust anchor is compromised."

Once an account is hijacked, it can be used for fraud. John's friends may get emails saying that John was mugged in London and needs money wired to him immediately. John's Twitter feed may send out links to ads or malware.

John's email contacts, Facebook friends and LinkedIn connections would be at risk of becoming victims of cybercrime themselves as soon as the criminal used John's accounts to learn their names, email addresses, locations, phone numbers and professions.

"That knowledge — the profile that can be created of a target — can then be used in a directed attack," Schouwenberg said. "This attack could then take place over the phone, or the phone number could be used to give a phishing message more credibility."

How to set up multiple usernames to protect yourself

So how can you maintain a unique Internet identity without risking your personally identifiable information, or that of your friends and acquaintances?

Robert Siciliano, security expert with BestIDTheftCompanys.com, said the first step toward better account security is to create a unique password for each account that shares a username.

John K. Smith may use "jksmith456" as his username for both Amazon and Netflix, for example, but he should make his passwords different for each – for example, "sH4zB4t_b00ks!" and "sH4zB4t_m0v13z!"

The next step would be to use different usernames for different types of accounts — one name for gaming platforms, another name for social media sites, and yet another for online forums.

John could create the name "johnks123" for Facebook, Google+ and Twitter and the name "jk_th4_d35tr0y4" for gaming.

The last step would be to create a new email address for each new username, and for the accounts that use that username.

So while John might use "jksmith456@yahoo.com" for Netflix and Amazon, he could use "johnks123@gmail.com" for social media and "jk_th4_d35tr0y4@outlook.com" for gaming. Each email account would have a different password.

Any account that holds sensitive information, such as a banking or other financial account, should have a unique username and password. Ideally, each should have a unique email address as well.
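The three steps and the sensitive-account rule above can be checked against your own account list. The following is an added example, not part of the original article; the inventory, the `bank-site` and `gaming-site` labels, the `kind` categories and the rule names are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed inventory (hypothetical): (site, kind, username, email, password).
ACCOUNTS = [
    ("amazon", "services", "jksmith456", "jksmith456@yahoo.com", "sH4zB4t_b00ks!"),
    ("netflix", "services", "jksmith456", "jksmith456@yahoo.com", "sH4zB4t_m0v13z!"),
    ("facebook", "social", "johnks123", "johnks123@gmail.com", "constructed-pw-1"),
    ("twitter", "social", "johnks123", "johnks123@gmail.com", "constructed-pw-1"),
    ("gaming-site", "gaming", "jk_th4_d35tr0y4", "johnks123@gmail.com", "constructed-pw-2"),
    ("bank-site", "financial", "jksmith456", "jks.bank@example.com", "constructed-pw-3"),
]

def audit(accounts, sensitive_kinds=("financial",)):
    """Return sorted (rule, subject) findings for the article's steps."""
    pw_sites = defaultdict(set)     # password digest -> sites
    user_kinds = defaultdict(set)   # username -> account kinds
    user_sites = defaultdict(set)   # username -> sites
    email_users = defaultdict(set)  # email -> usernames
    for site, kind, user, email, password in accounts:
        # Group on a digest so no plaintext password ends up in a finding.
        pw_sites[hashlib.sha256(password.encode()).hexdigest()].add(site)
        user_kinds[user.lower()].add(kind)
        user_sites[user.lower()].add(site)
        email_users[email.lower()].add(user.lower())
    findings = set()
    for sites in pw_sites.values():
        if len(sites) > 1:   # step 1: a unique password for each account
            findings.add(("password-reused", ",".join(sorted(sites))))
    for user, kinds in user_kinds.items():
        if len(kinds) > 1:   # step 2: different usernames for different types
            findings.add(("username-spans-kinds", user))
    for email, users in email_users.items():
        if len(users) > 1:   # step 3: a separate email address per username
            findings.add(("email-shared-by-usernames", email))
    for site, kind, user, _email, _pw in accounts:
        # Sensitive accounts should not share their username with anything.
        if kind in sensitive_kinds and len(user_sites[user.lower()]) > 1:
            findings.add(("sensitive-username-not-unique", site))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in audit(ACCOUNTS):
        print(f"{rule}: {subject}")
```
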

Whenever possible, set up an account to use two-factor authentication. Each attempt to log in from an unfamiliar computer or device will result in a numerical code being texted to your cellphone.

The code must be used to log in to the account, and if an identity thief doesn't have your phone, he can't get in.


Keeping track of your credentials

If you take all of these steps, you'll have a lot of email addresses, and even more passwords, to manage. How can you keep track of them all?

"An easy solution is to use a password manager, like LastPass or 1Password, to help manage the unique credentials for each platform," McColgan said. "Depending on how you use them, they still may not solve the common-username issue if your email is breached."

To manage many email addresses, set up the least-used ones to automatically forward new messages to email addresses you use more often. You'll get the messages on time, and then can log in to the seldom-used email accounts to send replies.

Why you should take action now

Don't assume that these risks are abstract, or that this will never happen to you. In late 2013 alone, more than 200 million email addresses — many listed with real names, usernames and telephone numbers — were stolen from Adobe Systems and Target Corporation.

"Whenever databases get leaked online, we see activity from malicious actors to acquire these databases and try the credentials against other services," Schouwenberg said.

Being identifiable online more easily exposes a person to malicious actors of all kinds, not just identity thieves, and such a situation can be very hard to fix retroactively.

Once your data is in criminal hands, there's not a whole lot that can be done. The best remedies are prevention and vigilance.


Sue Marquette Poremba is a security and technology author based in Central Pennsylvania.


Source: https://www.tomsguide.com/us/single-username-risks,news-18288.html
