Have I Been Hacked? Asking Can Be Perilous
16th February, 2019 | Cyberprivacy | Entropic
Organizations that provide free and commercial "Have I Been Hacked?" or "Dark Web Scanning" services, including ones established immediately after the announcement of a data breach, may well be motivated by the best of intentions. Ultimately, however, the way these services amass stolen information from the dark web and disseminate it to their customers makes them subject to the same types of problems that have affected the companies they collect information about.
By using these services, you might actually be exposing more about yourself, and even raising further attention to your stolen personal information.
Companies affected by a data breach that provide an "Am I Affected?" service following a hack, and independent companies that provide Dark Web Scanning services, commonly gather the data dumps of individuals' stolen personal information that are periodically released on the dark web and other hosting sites by criminals. The dumps are then refined, including removing duplicates and correlating them against other sources of information. The refined result is typically stored in one centralized location and made available, for free or for a price, via a simple web-based service.
In this process, additional copies of this refined stolen personal information might be made across their company, and possibly external networks of their partners, via storage, additional backups and replicas.
So, to a nefarious cybercriminal, how tempting is the refined personal information of individuals that is harbored by these services? Especially Dark Web Scanning services provided by independent aggregators of stolen personal information? Based on the amount of ongoing effort required to gather and refine this stolen personal information, it would seem that hacking one of these services would be a lot easier than undertaking the more tedious task of constantly having to gather and refine the original data dumps from the vast number of sources on the dark web.
Thus these services have the potential to become high value targets for cybercriminals and nation-states who want to cut costs in gathering and processing stolen information.
What Happens When You Query?
Querying a "Have I Been Hacked?" or "Dark Web Scanning" service to determine whether your information has been hacked and leaked into the wild can expose more information about you to others. Let's look at what happens when you use one of these services.
Asking is Telling
Querying for the existence of your stolen information, along with the number of times you query (your individual "query volume"), reveals how worried you are about your privacy, which in turn might reveal that you are more concerned than the average person. You could liken this to your credit history being queried excessively affecting your overall credit score.
A typical breach or scanning service will ask you to provide some identifying information that is used to correlate records against its refined database of stolen information. Examples include your e-mail address, name, Social Security Number, and driver's license number.
When you perform a query, part or all of it can be stored and accessed later. Even if the provider of the scanning service, or anyone with access to its stored data, does not keep it, some of it is visible to entities between you and the service. Your browser history and cache can retain a query sent in a URL; a content delivery network or other proxy that terminates TLS in front of the service sees the full request; and your local network and internet service provider, while they cannot read the contents of an HTTPS request, can still see the domain you contacted through DNS and the TLS handshake, and the timing of each query. Finally, your IP address, which reveals your approximate physical location (for example, Santa Monica, CA), is disclosed with every query.
Any one of these entities can potentially gain knowledge about your queries, which raises the chances of further extortion or blackmail.
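The exposure above comes from sending the identifier itself. A lookup can be designed so that the server never receives it: the client hashes the secret locally, sends only the first few hex characters of the hash, and receives every stored hash suffix under that prefix, which it compares locally. At least one widely used breach-lookup service answers password queries this way (SHA-1, five-character prefix). The Python below is an added illustration written for this article, not code from any such service; the breach corpus is constructed sample data and the in-process RangeQueryServer stands in for the remote service. Note the limit: the trick works for a secret the corpus stores hashed, such as a password. An e-mail address or SSN lookup against most services still sends the identifier itself, and the network-level metadata described above (which site, when, from which IP) is unchanged either way.

```python
import hashlib
from collections import defaultdict

PREFIX_LEN = 5  # hex characters of the SHA-1 the client reveals: 20 of 160 bits

# Constructed sample corpus standing in for a refined breach dump; not real data.
BREACHED_SECRETS = ["password", "letmein", "qwerty123", "hunter2", "123456", "iloveyou"]


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


class RangeQueryServer:
    """The service side: stores only hashes bucketed by prefix and logs what each request disclosed."""

    def __init__(self, secrets):
        self.buckets = defaultdict(list)
        for s in secrets:
            h = sha1_hex(s)
            self.buckets[h[:PREFIX_LEN]].append(h[PREFIX_LEN:])
        self.observed = []  # every value a client ever sent to this server

    def range_query(self, prefix: str):
        if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError(f"prefix must be {PREFIX_LEN} upper-case hex characters")
        self.observed.append(prefix)
        # The whole bucket comes back whether or not the caller's secret is in it, so the
        # server cannot tell which secret under this prefix was asked about, or whether it matched.
        return sorted(self.buckets.get(prefix, []))

    def full_hash_query(self, full_hash: str) -> bool:
        """Contrast: a lookup by full hash (or plaintext) tells the server exactly what was asked."""
        self.observed.append(full_hash)
        return full_hash[PREFIX_LEN:] in self.buckets.get(full_hash[:PREFIX_LEN], [])


def client_check(server: RangeQueryServer, secret: str) -> bool:
    """Client side: hash locally, send the prefix only, compare suffixes locally."""
    h = sha1_hex(secret)
    return h[PREFIX_LEN:] in server.range_query(h[:PREFIX_LEN])


def anonymity_set(server: RangeQueryServer, secret: str) -> int:
    """Number of stored hashes sharing the prefix the client would send, i.e. how far the server can
    narrow the question. A corpus of hundreds of millions of hashes puts hundreds in every bucket;
    this toy corpus puts at most a few."""
    return len(server.buckets.get(sha1_hex(secret)[:PREFIX_LEN], []))


if __name__ == "__main__":
    srv = RangeQueryServer(BREACHED_SECRETS)
    print(client_check(srv, "hunter2"))                       # True: it is in the corpus
    print(client_check(srv, "correct horse battery staple"))  # False
    print(srv.observed)                                       # only 5-character prefixes so far
```

The design choice worth noticing is that the client, not the server, does the final comparison; the server's only signal is a prefix shared by a large number of unrelated secrets, so the anonymity set grows with the corpus rather than shrinking with it.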
Panic Induces Mistakes
The enhanced state of fear we experience after learning of a data breach can prevent us from thinking clearly. This means we can be more susceptible to playing into social engineering attacks established by hackers, which can trick us into submitting our personal information to the wrong site; all in the name of checking whether we were affected.
An example of this was the Equifax data breach in 2017. Following the announcement, Equifax set up a separate site, equifaxsecurity2017.com, that people could use to check whether they were affected. The domain was indistinguishable from any lookalike a phisher might register, and a software engineer demonstrated the point by registering securityequifax2017.com, a site that Equifax's own support account on Twitter then linked to several times. In a state of panic, people are far less likely to check how authentic a specific URL is.
Some Limitations of Protecting Yourself
Before we go into details about how to protect your identity, there are some caveats which at this time, are probably better to accept than defy.
Firstly, due to the unfortunate nature by which people's personal information is currently collected, centralized, and in many cases monetized, it's almost certain that some of your personal information has already been stolen and/or exposed in some way.
Secondly, there are hundreds of endemic government and commercial services which are less likely to offer a clean option to stop the collection of your personal information - we are stuck with them. Some of these services have experienced the largest historical data breaches, since they are subject to the same vulnerabilities as other services. Equifax, a service that amasses information about people and their credit worthiness, is part of this endemic ecosystem and is the elephant in this room when it comes to data breaches. But there are others, such as the US Office of Personnel Management (OPM), and Anthem Insurance.
With all this doom and gloom, it's important not to give up. In the long term, privacy is still your choice and you have more control than you might assume. A more resilient, long term approach to protecting your information is required.
A More Resilient Approach to Protecting Your Identity
The more resilient approach towards protecting your personal information involves being proactive about identifying less desirable services, before you start using them. Should you be pressured towards, or feel the need to sign up for a specific service, cultivate your investigation skills, so that you can better understand the nature of this service first. This experience will also serve you well in the future.
1) Understand Your Renewable vs. Non-Renewable Personal Information
Knowing the difference between renewable and non-renewable personal information is critical to making the right decisions when investigating the services provided by a company, and responding to their requests for information.
Renewable information can be replaced if it is stolen: a password, a credit card number, or an e-mail address can be reissued and the old one retired. Some information is only partly renewable. If your Social Security Number (SSN) is stolen and published in a data dump, the Social Security Administration will, in limited cases of ongoing misuse, issue you a new number, but the old number is not invalidated; it stays tied to your records and the two are cross-referenced. Non-renewable information, such as a photograph or a thumbprint, cannot be reissued at all.
The gathering of non-renewable personal information is especially concerning with the increasing emergence of devices that capture, and amass our biometric information.
2) Is The Service Better Than What You Already Have?
Make sure you are clear in your head about why you want to sign up for a particular service. What is the value that it will bring you vs. what you already use? Do you really need it?
3) Cultivate Investigation Skills
The next step is due diligence - investigate the service. Find out more about the company offering the service, including which country they are based in. Different countries and cultures have a different understanding and perspectives on the meaning of privacy.
Understand what information that the company collects, who they share it with, and how they might use it to make money. Know what part of the information they gather from you is renewable vs. non-renewable. Use common sense, and avoid relying on one or only a few sources of information to investigate a specific service.
Privacy policies are a great way to answer these questions, but are inherently boring to read. One approach is to start reading them in the middle, then pick random paragraphs north and south of the starting point. Sounds crazy, but if the alternative is you falling asleep, or just giving up after the first few paragraphs, this approach is more likely to help you find the most useful pieces of the document faster.
Checking historical records of data breaches and vulnerabilities can give you an indication as to how much they have historically managed the security and privacy of their customers. Aside from Google, there are some more specific sources of information. The Privacy Rights Clearinghouse offers a simple way to access historical information about data breaches affecting government, organizations and commercial entities. For vulnerabilities, a good reference is the National Vulnerability Database, which tends to focus more on the software and hardware products produced by companies.
4) Trial Using a Fake Account
Having direct experience using a service can be a valuable way to get a realistic understanding of the value it offers you, but it would be better not to provide your real personal information up front. Where the terms of service allow it, providing fake information during sign-up is a good way to understand the nature of the service as you progress through the process, and what real value it will offer. Following sign-up, observe any increase in spam and other signs of your information being passed on, which reveal what will happen to your personal information over time.
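One way to make the "observe the spam" step conclusive rather than anecdotal, as an added example that is not part of the original article: give each service its own sub-address (the `user+tag@domain` form most mail providers accept) and bind the tag to the service with an HMAC, so that mail arriving at a tag can be attributed to the service that was given it, and a forged or guessed tag cannot implicate a service you never used. This goes a step beyond the fake-account trial described above, since it also works with your real mailbox. The key, base address, service names and message headers below are constructed sample values.

```python
import hashlib
import hmac
import re

# Constructed sample values: keep the real key in your password manager, not in source.
ALIAS_KEY = b"sample-key-rotate-before-real-use"
BASE_LOCAL = "me"
BASE_DOMAIN = "example.com"
TAG_LEN = 10  # hex characters of the HMAC kept in the address (40 bits: enough to stop guessing)

_SERVICE_RE = re.compile(r"^[a-z0-9-]+$")
_ALIAS_RE = re.compile(
    rf"^{re.escape(BASE_LOCAL)}\+([a-z0-9-]+)\.([0-9a-f]{{{TAG_LEN}}})@{re.escape(BASE_DOMAIN)}$",
    re.IGNORECASE,
)


def _tag(service: str, key: bytes) -> str:
    return hmac.new(key, service.encode("ascii"), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(service: str, key: bytes = ALIAS_KEY) -> str:
    """Sub-address to hand to exactly one service, e.g. me+shopco.3f9a1c0d2e@example.com."""
    service = service.lower()
    if not _SERVICE_RE.match(service):
        raise ValueError("service name must match [a-z0-9-]+")
    return f"{BASE_LOCAL}+{service}.{_tag(service, key)}@{BASE_DOMAIN}"


def attribute(rcpt: str, key: bytes = ALIAS_KEY):
    """Return the service an incoming recipient address was issued to, or None if it is not a
    valid alias. The HMAC check rejects altered or guessed tags, so a sender cannot frame a service."""
    m = _ALIAS_RE.match(rcpt.strip())
    if not m:
        return None
    service, tag = m.group(1).lower(), m.group(2).lower()
    if not hmac.compare_digest(_tag(service, key), tag):
        return None
    return service


def leak_report(messages, legitimate_domains, key: bytes = ALIAS_KEY):
    """messages: iterable of (from_addr, to_addr) pairs. legitimate_domains: service -> domain it
    mails from. Returns {service: [sender, ...]} for mail that reached a service's alias from anyone
    else, which is the signal that the address was shared, sold or leaked."""
    report = {}
    for sender, rcpt in messages:
        service = attribute(rcpt, key)
        if service is None:
            continue
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        if sender_domain != legitimate_domains.get(service, "").lower():
            report.setdefault(service, []).append(sender)
    return report


if __name__ == "__main__":
    shop = alias_for("ShopCo")
    forum = alias_for("forum")
    # Constructed message log as (From, To) pairs.
    inbox = [
        ("receipts@shopco.example", shop),
        ("digest@forum.example", forum),
        ("deals@bulkmail.example", shop),  # someone other than ShopCo is using ShopCo's alias
    ]
    print(leak_report(inbox, {"shopco": "shopco.example", "forum": "forum.example"}))
```

The service name is left readable in the address so you can see at a glance where an alias came from; the HMAC is what stops a third party who has harvested one alias from minting a plausible alias for a different service and sending you a "your account at X was breached" lure.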
5) Use Available Security Options
Once you have signed up for a service, use a unique password for it, change that password whenever you have reason to believe it has been exposed, and take advantage of any additional sign-in protections the service offers, such as two-factor authentication (2FA). Password managers centralize the credentials of all of your accounts, and a cloud-synchronized one places that concentration on a third party's servers; that is a real concern, and it is why the vault should be encrypted on your device with a key derived from a master password the provider never sees. Even so, a reputable manager is a far smaller risk than reusing one memorable password across services, which is what most people do without one, and that is why password best practices continue to recommend them.
6) Know What You Have Already Agreed To
Cultivate your awareness of services that you have used in the past, along with privacy policies, and other legal agreements you have signed up for. This can help you be more proactive about managing your information sharing. Some quick ways to discover the reality behind services you have historically used, include:
- Review Your Password Keychain - Your keychain is used to remember usernames and passwords for the web sites and services that you use, and is a great way to understand what services you have previously created an account for.
- Review Your Previously Configured Wi-Fi Networks - Reviewing WiFi networks you have historically configured, will help you to understand how your information might have been monitored in the past.
- Review Your Internet Cookies - Reviewing your cookies, normally through your browser, will reveal the sites you have visited historically.
7) Purge Your Data Regularly
Pressure resulting from the introduction of the General Data Protection Regulation (GDPR) in the European Union has led many larger companies with online services to offer their customers a way to view and request deletion of their stored personal information, corresponding to the GDPR's right of access and right to erasure. Regardless of whether you believe they implement this properly, if the option is available, use it to remove the information you no longer need. In the event of a data breach, less of your personal information will be exposed.
The same logic applies to your devices, whether PC, tablet, smartphone, etc. Clearing the usage history on your device regularly, including browser history, recently opened documents, and keychain entries you no longer need, as well as moving documents, photos, videos, notes, old e-mails, and other information to storage that is not connected to the Internet, will reduce the impact if your device is compromised.
8) Monitor/Freeze Your Credit History
Checking your credit history regularly for accounts you did not open is something you should already be doing. Placing a credit freeze with each of the nationwide credit bureaus, so that no one can open a new account in your name without the freeze being lifted, is increasingly recommended as data breaches multiply; in the United States, freezes and temporary lifts have been free at all three bureaus since September 2018 under federal law.
In summary, some part of your personal information is already out there in the wild. Using "Have I Been Hacked?" or "Dark Web Scanning" services is a reactive approach to protecting your information that is rooted in fear.
These services can potentially expose even more of your personal information, raise more attention to it, and only remind you of how much more of your personal information you have lost control of. Due to the increasingly concentrated and refined nature of the stolen personal information these services are amassing, they are also becoming a high value target for cybercriminals and nation-states.
Focus on cultivating your investigative skills, so that you can be more empowered to make better decisions before signing up for new services. Once you have signed up, enable the security controls provided by the service to protect your account. Finally, keep tabs on your credit history, and consider freezing it to further protect your identity.