Column: Would You Know if You Had Been Hacked?
By Brian Desrosier
My next-door office neighbor’s mom had just died. It was a Friday and the first day I saw him come into the office for several days. Later, when I was emailing, in real time, he asked me to log on to his Dropbox account. I asked him why, and he thanked me for double checking this was legitimate. (He knew that is why I asked.)
‘An invitation…’ to the private funeral, I supposed. Such a horrible, sad time. My neighbor is not technologically savvy, and of course the Dropbox login, didn’t work. It asked me to confirm my cell phone number to authenticate, but then nothing happened. It was 5:30 p.m. by now, and I was in a rush to “get out of Dodge.” I’ll just go talk to him, I thought.
He had just left, and I had to chase him down in the parking lot. He happened to mention his email had been hacked, and he’d spent all day straightening things out. Oh, that’s too bad. But he hadn’t sent me anything.
That’s when i realized that I had been hacked, in real-time!! Everyone in my neighbor’s email address book had been hacked along with him, and he did not even know that he should notify us all.
I have numerous passwords but was not absolutely certain this same password wasn’t used elsewhere. Not every account is multifactor authenticated (extra device password in addition to normal password protection) because some sites just don’t do that.
I was not even sure who performed the last reset in my business accounts. I had to be certain and I had to act fast. My company locked everything down, private and personal. Disabled my email. Froze all personal and corporate bank and investment accounts. Investigated, exactly where the criminals had been and what they had done.
Getting into just one information store can unveil enormous key details. I thought I had used Dropbox before, but I hadn’t.
We knew the last hop to who I had been communicating with was in the Washington, DC area. They were unable to gain access to anything at all because everything was shut down so quickly. I told the bank not to reactivate transactions, business and personal, until I personally walked in on Monday morning.
I left my email shut down all weekend. That was kind of refreshing – why do we let this technology rule our consciousness?
It was just a big scare. Maybe it was more. I did a lot of research into potential recourse, liability-wise. Who is responsible in these types of matters? What would have happened if my bank account was drained? Did my office neighbor have some responsibilities? I started talking to lawyers and bankers. One of the nation’s largest and most successful investment advisors had no clue, nor did I.
If you give up your credentials and your bank account is drained, MOST people have NO INSURANCE COVERAGE. NO PROTECTIONS. NO RECOURSE. Yes, we are all responsible for our own stupidity!
Did you know that most breaches are not detected for over 250 days? The bad guys patiently wait and watch for the perfect time.
If this is making you nervous, it should. Some very intellegent, savvy people have been there. Last month, it was reported in the Wall Street Journal that New York State Supreme Court Justice Lori Sattler was in the process of selling her apartment and buying another, when she received an email that seemed like it was coming from her lawyer. Closings get complicated and crazy at the last minute. Her lawyer instructed her to wire a little over $1 million to the bank account he provided. Phew, she got it done in time!
Unfortunately, it was the wrong bank account and not her lawyer! Lori lost all of her money. No insurance, no recourse. How did they get such detailed information? Was it her realtor, attorney, mortgage broker, or her other buyer or seller…or was it the bank? Wow. We are as strong as our weakest link, and it might have nothing to do with us.
Phony emails (Phishing) getting in the middle of last minute real estate transaction are skyrocketing. These losses are happening every day, and people are losing their life saving. I can tell you, I am a “pro,” and these emails are convincing. So are the Amazon gift card emails going around.
I hear all the time, “Oh, all this is crazy technology and I don’t understand it. It is so scary.”
Everyone needs to wake up or else!
Don’t tell me you don’t know about auto insurance or car brakes not working if you want to drive a car. Don’t tell yourself you don’t know what phishing or multi-factor authentication is…if you want to survive in the world today.
You must have a unique password for each of your accounts. You must have two-step (multi-factor) verification for access to your mail and bank accounts. The way the latter works is when you attempt access your account with a new device, a one-time PIN is sent to your phone. In addition to your password, you need to enter your special PIN to access your account with that particular device. Only then, are you trusted.
No, actually, you are not alone. Every single CEO of a top technology company has been hacked. Yes, Tim Cook and Mark Zuckerberg. They have both said exactly what I am telling you today. And, Oh, did you read that the Apple iPhone device security has been compromised. Only you can save yourself.
Okay, so this takes care of you, Mr. and Ms. Reader. Actually, this is just the start. Next week we will explore Data Loss Protection (DLP) for Compliance Officers of “Main Street Financial” firms (Investment advisors, Hedge Funds, Broker-Dealers, etc…with less than 150 employees).
Brian Desrosier has been serving the Greenwich community for over thirty years as the owner of the tech firm, Lighthouse Technology Partners, and the retail store, the Computer Super Center.