Newspapers across the country are reporting Epsilon, a mass marketing firm has been attacked by hackers. Early forensic reports indicate only individuals’ email addresses were compromised. However the list of company accounts compromised includes Best Buy, Tivo, Walgreens, Capital One, Citi, JPMorgan Chase and US Bank. Most customers will likely not see any consequences. But potential risks do exist and there’s a couple things everyday users can do to protect themselves.
The L.A. Times covers the story fairly well, citing who it knows the big players are that got affected. Epsilon issued a press release on April 1st which says almost nothing except that “only” 2% of its clients were affected. Whether this is 2% of the companies that use Epsilon or 2% of all the email addresses in Epsilon’s database is unclear.
Best Buy and some of the other companies have sent emails to their customers warning them to take care.
The threat to every day consumers is low. Names and email addresses alone cannot provide a hacker with direct access to your account information. There is potential for harm but hackers would by and large have to put significant effort into cracking each account. The self defense tips below will help guard you against a mass attack. The obvious targets will be bank accounts. So Walgreens and Brookstone subscribers can breathe a little easier.
What Could Happen
If a hacker wanted to target your bank account or Best Buy account they have two approaches for getting your account information:
- They can get the information from the bank.
- They can get the information from you.
Getting user account information from the bank or company is difficult and requires research. Account holders lose their password information routinely, which is why companies use security questions to help you recover your password should you lose it. The level of security generally corresponds to the sensitivity of the information being protected. Facebook lets you enter your name and a friends name to start the recovery process. Some investment firms require a phone call or a signed letter. A number of companies will ask three security questions which you have previously answered. These could include:
- Mother’s maiden name
- Place of birth
- Favorite teacher
- First pet
The above are often good questions, unless the information is publicly available on your blog or Myspace! But success rates for this form of attack are low and repeat attempts will alert the companies of suspicious activity. More likely hackers will try to target you, which is what Hilton Hotels and others warned about.
The classic phishing attack will send you an email asking you to log in to your account with either a bogus link or using a middle man to intercept your personal information en route to the actual server. You enter your credentials and the scam artists have what they need to wreck your day. This common attack is avoided by not clicking on links in an email. Instead use your web browser to go directly to the site itself and login from there. This is the best way you can ensure you are actually logging on to your intended site.
What Will Likely Happen
Assuming this wasn’t simply an “academic” exercise, the hackers who got the email addresses will probably sell them to a spam marketers. Valid email addresses are worth something to spam marketers, even though spam botnets are capable of sending scores of email to possible email addresses very quickly. Some users may notice an up tick in spam getting through their filter a few weeks or months from now.
Self Defense Tips
Everyday street smarts should keep you safe from most black hats trying to target you.
- Don’t Panic – If you get an “urgent” email, remain calm. It is extremely rare any security related issue must be addressed in hours or minutes. Hackers and Phishers know people make poor decisions when they are panicked and use that to their advantage. Your best countermeasure is to respond with calm poise.
- Keep Private Information Private – Don’t publish your mother’s maiden name on Facebook. The same is true for your 1st grade teacher’s name, your birth place and your favorite pet. On the flip side, don’t use easily identified or easily guessed information for your security questions. If you’ve lived in Springfield your entire life, don’t use birthplace as a security question. If your golden retriever “Duchess” has her own Facebook page and several photo albums dedicated to her, don’t use “favorite pet” as a security question.
- Don’t Click Here – Most phishing scams rely on you clicking a link sent to your email address. If you don’t click the bogus link they can’t initiate real contact with you. Whenever an organization tells you to log in to your account, don’t use the included link. Instead go to a new web browser page and get to the website yourself.
- Change Your Password – If you think your information has been compromised, change your account password. If your really worried, change your email address too. But since the most likely risk is increased spam, I have relatively low cause for concern.
As always, use your head and think clearly before reacting.