I’m departing from talking about reading or writing today. In the last week, I’ve had multiple friends reach out to ask me about emails they received. The messages threatened to expose personal or suggestive information about the recipient unless they paid the sender Bitcoin. The sender included one of each recipient’s correct passwords in these emails as “proof” of the sender’s access.
It’s a scam. The friends who reached out to me already knew it was a scam. But…but… what about those passwords? Those were correct. Even though everything about these emails screams out “scam,” could these threats be real?
You already know the answer. Say it with me – no.
So how are the scammers doing this password thing? Data breaches.
In 2019, there were over 7 billion records exposed. In January 2019 alone, hackers circulated more than 2 billion usernames and passwords in dark web forums. Chances are really high that bad guys know the password to at least one of your online accounts. Probably more than one. The password in the email is simply the one that sat next to your address in a leaked database. The savvier scammers go a step further before sending out their extortion emails: they test the passwords associated with your email address so that the one they include is still valid, all the better to scare you. They do this using a tactic known as “credential stuffing,” which works because most people reuse passwords. They run batches of leaked username/password pairs through tools that submit the credentials to many popular sites at once and report back which pairs were accepted. Those same tools are how criminals break into accounts outright, not just how they pick a scary password for a scam email.
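Seen from the other side, a credential-stuffing run has a recognisable shape in a site's login log: one source address tries many different usernames in a short time, and most of the attempts fail because most of the leaked passwords have since been changed. The following is an added example (not part of the original post and not any vendor's product) that flags that pattern over a handful of constructed log lines; the log format, the field names and the thresholds are assumptions for the demo.

```python
"""Flag credential-stuffing activity in a web login log (illustrative)."""
import re
from collections import defaultdict

# Constructed sample log lines (not from any real system). The format is an
# assumption for this example:  <timestamp> ip=<src> user=<name> result=<OK|FAIL>
SAMPLE_LOG = """\
2020-04-10T12:00:01Z ip=203.0.113.7 user=alice result=FAIL
2020-04-10T12:00:01Z ip=203.0.113.7 user=bob result=FAIL
2020-04-10T12:00:02Z ip=203.0.113.7 user=carol result=OK
2020-04-10T12:00:02Z ip=203.0.113.7 user=dave result=FAIL
2020-04-10T12:00:03Z ip=203.0.113.7 user=erin result=FAIL
2020-04-10T12:00:03Z ip=203.0.113.7 user=frank result=FAIL
2020-04-10T12:00:04Z ip=203.0.113.7 user=grace result=OK
2020-04-10T12:00:04Z ip=203.0.113.7 user=heidi result=FAIL
2020-04-10T12:05:00Z ip=198.51.100.9 user=alice result=FAIL
2020-04-10T12:05:10Z ip=198.51.100.9 user=alice result=FAIL
2020-04-10T12:05:20Z ip=198.51.100.9 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.5):
    """Return {ip: stats} for source addresses that look like credential stuffing.

    A stuffing run tries many *different* usernames from one source and mostly
    fails. A real user mistyping their own password fails from one address with
    one username, so it never reaches `min_users` and is not flagged.
    """
    per_ip = defaultdict(
        lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": []}
    )
    for ev in parse_log(text):
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["successes"].append(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                # Accounts the attacker actually got into: these need a forced
                # password reset, not just a blocked IP.
                "hits": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

On the constructed log, 203.0.113.7 is flagged with eight distinct usernames, a 75% failure rate and two successful logins (carol and grace), which is exactly the "accepted" list the scammers are after; 198.51.100.9 is one person getting their own password wrong twice and is left alone.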
With all of this information about you floating around the ether, what can you do to stop these scams? Well, you can’t stop them, but you can certainly lower your risk.
First, use a different password for every account. I know, I know, we all have hundreds, if not thousands, of online accounts. But there are services like 1Password and LastPass that remember your passwords for you and will generate a long random one for each new site. You only need to remember one, the master password that unlocks your password manager. The point is that a password leaked from one site then opens nothing else.
Second, use multi-factor authentication (“MFA”) whenever possible. While not infallible, MFA raises the bar against would-be attackers. My personal favorite method of MFA is a hardware security key like a YubiKey. They make versions for both phones and computers. You plug the key into your device (or hold it against your phone) and tap it; the key answers the site’s login challenge with a response that can only be used once and, in the FIDO/WebAuthn mode most sites use, is tied to the real site’s address, so a look-alike phishing page gets nothing it can reuse. An alternative is an authenticator app, like Google Authenticator, which you can find in the Google Play or iPhone App stores; it shows a six-digit code that changes every 30 seconds. The last resort is using text/SMS to receive verification codes. There are multiple ways bad guys can intercept these codes (“SIM swapping,” where they talk your carrier into moving your number to their phone, is the common one), and, if all else fails, they can trick you into handing them over. Some sites will suggest using your email account as a “second factor” but, in my opinion, this isn’t a good option. Your email address, and quite possibly a password for it, has turned up in those billions of leaked records, and an attacker who can read your inbox receives the code right along with you.
Which brings me to my next suggestion: look yourself up. There’s a free service called Have I Been Pwned (“pwned” is hackerspeak for “compromised”). On the site, you can submit your email address to see which breaches exposed your data, and its Pwned Passwords feature lets you check whether a particular password has shown up in a breach without the password itself ever leaving your browser. The site is run by an ethical, reputable security researcher, Troy Hunt, who matches your query against the 9.5 billion accounts (and growing) in public and private circulation. There are multiple safeguards for your privacy that you can read about on the FAQ page.
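One of those privacy safeguards is worth seeing in code, because it is the reason you can check a password against the service without handing the password over. The Pwned Passwords API uses “k-anonymity”: your computer hashes the password with SHA-1 and sends only the first five hex characters of the hash; the service returns every hash suffix it knows that starts with those five characters, and the comparison happens on your side. The following is an added example (not part of the original post and not Have I Been Pwned’s own code) of that exchange. The endpoint and response format are the public ones documented by the service; the network call is separated out so the demo runs offline against a constructed, stand-in response, and the breach count in that stand-in is made up.

```python
"""Check a password against the Pwned Passwords range API with k-anonymity:
only the first 5 hex chars of the SHA-1 hash leave the machine."""
import hashlib
import urllib.request


def split_sha1(password: str):
    """SHA-1 the password (as the API requires) and split into the 5-char
    prefix that is sent and the 35-char suffix that stays local."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[:5], h[5:]


def fetch_range_live(prefix: str) -> str:
    """Real network call to the public API (not exercised by the offline demo).
    The response is one 'SUFFIX:COUNT' line per known hash in that range."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range=fetch_range_live) -> int:
    """Return how many times the password appears in known breaches (0 if none).
    The server never sees the full hash, let alone the password."""
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API: a response for the range containing the
# SHA-1 of "password", with a made-up count, plus one unrelated (invented)
# suffix so the local matching has something to skip over.
_pfx, _sfx = split_sha1("password")
FAKE_RANGES = {
    _pfx: f"{_sfx}:3861493\r\n" "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
}


def fetch_fake(prefix: str) -> str:
    """Offline replacement for fetch_range_live."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2020 xq"):
        print(f"{pw!r}: seen {pwned_count(pw, fetch_fake)} times")
```

Because the prefix is only 20 bits, hundreds of unrelated hashes share each range, so the service learns nothing about which password you were curious about; the same idea is what lets a password manager warn you about a leaked password without uploading your vault.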
While a lot of us have had our lives disrupted by the global pandemic, for cyber criminals, it’s just another day at the office. Please stay safe out there.