Epsilon E-Mail Hack: How You Can Protect Yourself
Most of the time I only hear from my credit card companies when I owe them money or when they want to sell me a new service. That's changed; now I'm being bombarded with notes telling me that a company I never heard of has been successfully hacked and these still unknown bad guys now have my name and e-mail address -- and maybe more.
If you've been paying any attention to the news lately, you know I'm talking about Epsilon, a huge outsourcer that sends e-mail of all kinds to customers of major financial services and retailers. Say you get an offer for a new card from Capital One, or for a special vacation deal from Marriott Rewards; that e-mail was actually sent by Epsilon. To do its job, Epsilon stores data about the customers of its customers -- in other words, you and me.
A partial list of companies whose data was compromised (that's the polite term) includes JPMorgan Chase, Capital One, Marriott Rewards, McKinsey Quarterly, US Bank, Citi, Ritz-Carlton Rewards, Brookstone, and Walgreens. Larry Ponemon, a security expert interviewed by the New York Times, estimates that thieves obtained the names or e-mail addresses of 100,000 customers at each of 50 clients. No doubt there's overlap in those lists, but that's still millions of people.
By and large you're hearing that you shouldn't panic if you get a note from one of your credit card providers saying they've been hacked. That's because Epsilon has stated that only e-mail addresses and names were stolen. By themselves, that's not enough information to obtain really sensitive information like the password to your checking account.
I won't question the truthfulness of Epsilon's disclosure, but I'm not entirely convinced of its accuracy. The really skilled hack is invisible to the victim. But let's assume that all that was stolen was what Epsilon said was stolen. There's still reason to be concerned.
Adam Levin, chairman and cofounder of Credit.com and Identity Theft 911, calls e-mail addresses the "social security number of the digital age." By that he means that many Web sites use an e-mail address as the user name. If that's the case, the hackers are half way into your account simply by knowing your e-mail address. (Remember, they know you're a customer of say, Chase, because that information was stolen from Epsilon.)
It's important to note that hacking has long since ceased to be about juvenile fun and games. Modern hackers are generally out to make money, and often work as part of organized, international gangs. You can be sure that whoever stole that information is hoping to make a substantial profit.
Here are two ways the bad guys may make use of that information, and what you can do to protect yourself.
Spear Phishing Attacks
You've probably heard of phishing. Simply put, that means luring a user to a site that's either a spam advertisement or one that has been infected with malware. It's called phishing because the hackers are fishing for victims. Spear phishing, though, is more insidious. Rather than send out an utterly random email to random victims, the spear phisher targets (or spears) a specific class of people, or sometimes even specific individuals, by using information about them to make the bogus pitch seem genuine.
So if the hackers who broke into Epsilon learned that you have an account at Chase, you might well get an e-mail that looks like it came from Chase. Typically, that type of fraudulent e-mail would ask you to supply some sort of personal data, like your birthday or even a password to "verify" you account info. Often those e-mails are breathlessly urgent, saying that your account will be shut down immediately if you don't respond.
The defense is simple: Ignore e-mails asking you to supply personal information. No reputable company or e-mail provider will ask you for it.
Guessing someone's password isn't always very hard. As a backup for forgetful users, many sites have so-called security questions, like "the name of my high school was" or "my favorite pet is." As Credit.com's Levin points out, "In the Facebook age, it's not difficult to figure out someone's high school or mother's maiden name." That's a great point.
Levin suggests answering those question prompts with information that's totally unrelated, like: "My pet's name is --- Omaha, Nebraska." But how would you remember that? At the very least, though, make those answers a lot tougher, or even decline to give yourself those hints.
Serious hackers don't sit around guessing your password; they use automated programs to do the hard work. That means you've got to stop using the same password over and over. As bad as it would be to have your checking account hacked, how would you like it if that same password open the door for hackers to access your retirement and investment accounts?
As you've no doubt heard, you should use strong passwords, which means they should be long, have letters, numbers and characters (like % or #) scattered randomly within them. And do not use your birthday or the names of your kids.
Of course, you'll never remember those strong passwords, so I suggest using a password manager. I've recommended Roboform in the past and have recently heard good things about Last Pass, though I haven't tried it yet.
When you visit a site and fill in the username and password, the manager will remember them, and fill them in for you the next time you're there. You only have to remember a master password. Some of those programs will even generate a random password for you. Use it; it's likely to be stronger than anything you dream up.
San Francisco journalist Bill Snyder writes frequently about business and technology. He welcomes your comments and suggestions. Reach him at firstname.lastname@example.org.
Follow Bill Snyder on Twitter @BSnyderSF. Follow everything from CIO.com on Twitter @CIOonline.