(Continued from page 3)

forms, such as having a security code emailed to you to confirm your identity, or verifying that you are logging on from a known computer. However, when I changed the password for my Yahoo! accounts through my AT&T DSL provider, there was no option that I could see to establish a two-factor authentication. Perhaps this only applies to Yahoo! accounts set up directly with Yahoo! In any event, this is a good thing to do wherever you can, for any of your accounts!

What is surprising about this breach is the lack of any obvious attacks on personal accounts during the almost two years since the breach occurred. It makes me wonder if this breach really provided enough information to go after individual users, or if this was in fact committed by a state-sponsored actor who was simply practicing or trying to send a message, rather than go after individual accounts. On the other hand, there is the possibility of “Credential Stuffing”…

Credential stuffing has become epidemic over the last year and a half, according to a VP at Gartner Research. Because so many people use the same logon and password on multiple accounts to make remembering them simple, bad guys who have captured logon information at one site will test that information on multiple other sites, to see if they can add to the files they are accumulating about their original victim(s). As they are successful, they build dossiers for individuals that contain an ever-increasing amount of personal information. There is even a term for these dossiers – they are called “fulz” – and may include the target’s name, Social Security number, birth date, address, account numbers and other information.

As part of this approach, the bad guys may lay low for quite a while, accumulating more and more data and filling out their dossiers. This can lull the target(s) into a false sense of security, until they are finally victimized by the fulz creator or someone who has purchased this information from the creator.

(It should be noted that given the variety of data that can be captured through this approach, the attackers do not limit themselves to obvious targets such as bank accounts and credit cards. They may also siphon off loyalty points, frequent flyer miles, stored value in gift cards and even points from online games. Moreover, there is an increasing amount of medical fraud, in which someone steals your medical insurance information and then obtains medical treatment on your insurance.)

Lots of reasons to pay very close attention to the security of your online data! Because this is such an important and topical subject, Linda Rohlfing and I have agreed that we will devote our November LCACE meeting to computer and Internet security.

Be careful out there!

September Winners

DeBorah, 50/50 Winner

Eric, Door Prize