StrongKey Blog

Sharing Isn't Caring

Written by A. Khedron de León | Sep 30, 2019 1:04:00 PM

Comfortable Breaches to Fit Any Lifestyle

Do you travel? Do you prefer to drive or fly? Do you have a favorite hotel chain? Use the same entertainment methods from day to day? How long have you had that credit card? When did you start using Facebook? Have you done anything to protect these accounts? Were data breaches even a concern at the time you started using them?

Most of us go through our daily lives and don’t think about how widespread our digital footprint has become. We see individual data breach reports and useful statistics about the degrading face of cybersecurity, but the overwhelming numbers and the bloated frequency with which we see them have desensitized us to the impact.

It’s no longer news; you’ve been breached. That’s not placing blame, but just stating a statistical fact. If you are online in any way, even if you’ve never used the internet and just have a simple credit card, your data is out there, probably for sale on the dark web. What started a few years ago as seemingly exceptional reports every few months has risen to an almost daily occurrence.

Gotta Get Away Now

If you stayed in a Marriott (or Starwood) before early 2019, or any of hundreds of Choice Hotels before summer of 2019, or any of these Pyramid properties… Did you by chance enjoy a vacation at a Wyndham Resorts property before 2010? Hyatt? Did you use booking.com or the Travelocity/Orbitz/Expedia network? Your data is at least vacationing in style.

How did you arrive? If you flew on British Airways, American Airlines, or Cathay Pacific, you, too, are a contestant in the Price is Wrong, now showing on the dark web. Some airlines are part of larger ticketing and flight networks; United Airlines is part of the Star Alliance, so if you flew with any of their affiliates, you might already be for sale. It’s potentially even more profitable to hack an entire airport. Heathrow sees 213,000 passengers a day, while Atlanta’s Hartsfield shuffles 275,000 passengers daily, and has been the world’s busiest airport for over 20 years. Their networks affect multiple airlines, whose networks in turn span the globe to collate passenger and cargo data for human consumption.

Did you take a rideshare along the way? Between Uber’s record-breaking lapse and Lyft’s lax personnel, it’s safer to drive oneself, but it turns out even that’s not safe if cars have any remote technology in them.

Once you are comfortably ensconced at your compromised hotel that you booked on a vulnerable website, arriving in a remote-controllable car after sending your data to their porously secured servers, wouldn’t a MoviePass be a fine means of winding down? Or are you more in the mood for Netflix, Hulu, or HBO? Perhaps you like to use VLC for music and videos.

How would you like to pay for that? Capital One issues both Visa and Mastercards. Discover, though not breached, replaced cards en masse earlier this year. AmEx hasn’t missed out on the fun, either. Regardless of your flavor, Equifax, who monitors all those and more, has joined the club.

The End Is the Beginning

Everybody’s doing it. It almost makes me want to become a hacker. Maybe I could buy my identity back. To undo all the damage, I’d have to shut myself in and never leave again, but then that, of course, necessitates me using my credit card on a website to order things...

What does a responsible person do? Stop worrying, for one. Your data is already being sold, and there’s nothing you can do to stop it. What you can do is make your stolen data useless to those who would use it. While it may sound extreme, you can always “reset”—and I don’t mean just your password, but a full reset. It will require some effort, but it’s better than footing the bill for a total stranger’s Parisian shopping binge. Call the accounts that impact your life the most, or submit in writing, to request removal of your account (here’s the GDPR form for a Request for Erasure; in the U.S. it may require more direct interaction).

After (and only after) you think you’ve exhausted all your accounts, vet the companies with which you are considering doing business. Check their track record by searching for breach news about them or visiting the government’s breach report filings. Does the site use secure connections? If so, its URL will begin with “https://”. Do they offer as an option, or just use by default, two-factor (a.k.a. strong) authentication? Biometrics, once stolen—barring a disfiguring accident—will always retain their usefulness; it is important to understand the difference between authenticating on a handheld device (locally) and doing so on a website which may store or pass on that information. When you decide on a vendor that seems safe, assume it still puts your data at risk. Do they use third-party providers to process orders? You don’t know where your transaction goes before it lands. Opt not to store credit card and other payment details with them. This may mean you have to physically type them in periodically, but then you might start remembering them, and not have to. In your fresh new online existence, create new accounts on vetted websites using new handles, and hopefully buy a FIDO Device. FIDO keys and the like are portable, transferable, and most importantly, easily replaceable without having to compromise with regard to your identity.

A large majority of consumers will defect from a company after a breach; hopefully you are no exception. If you’ve done your due diligence in checking on the businesses you chose, correcting one set of credentials should be much easier than before. If you can remake your image, and take greater care about handing out identity data, it will both secure your lifestyle better and send a staunch message to businesses: Go Safe or Go Home.