The Saga of My Narrow Escape, and How You Can Protect Yourself
A hotel hacker attacked me during my recent vacation trip. For my bottom line recommendations, you can skip the details and go right to the conclusions:
- Protect your identity: see the last section of this post, How To Protect Your Identity From Hackers.
- Protecting websites, the subject of next week’s blog.
Want some meat on the bones? My down-and-dirty personal experience? Read on!
I managed to keep my body, my bank account and my websites intact. However, the experience scared me and taught me several lessons:
- Hotel networks and front desks are riskier than I realized.
- It’s rational to be paranoid about attack by a hotel hacker!
- HTTPS websites don’t just protect the visitor: they also protect the website owner.
A Hotel Hacker As a Rodent
I thought I was adequately protecting myself from the hotel hacker and other nefarious individuals. But I wasn’t.
My best analogy is: Have you ever found mouse poop in your house? From a mouse who entered by unknown means? You soon learn that a mouse can enter through an unbelievably narrow opening. If the weather is cold, or dry, all it takes is a single gap in your home’s perimeter, and bang! You’ve got a mouse colony.
Similarly, hackers surround us in the Internet world. They can rush through any gap in our security and, if not quickly stopped, cause untold damage.
I hope that this post about my personal experience makes the threat more real to you. And that what I learned will help you discover and block any gaps in your own personal security!
Today’s installment focuses on identity protection. And the next blog post discusses what’s involved in protecting a website.
A Pleasant Vacation With An Unhappy Sequel
In the summer Nola and I usually visit Santa Fe, New Mexico for not quite two weeks. There we enjoy opera, food, fine art and folk arts.
This year we decided to drive rather than fly. We allotted 30 days for what would be a 4,300-mile journey in our comfortable “road car” (Buick Avenir).
When we take a road trip we see and do as much as we can along the way. And most of this route we had never driven before. We timed our stops to include three performances: HMS Pinafore in Denver; the Grand Ole Opry in Nashville; and Iolanthe in Wooster, Ohio.
But we had time for much more fun! In Colorado we visited the Rocky Mountain National Park, the Denver Botanical Garden, the Garden of the Gods park and the Cheyenne Mountain Zoo. Passing through Texas we visited Cadillac Ranch, an outdoor art installation. In Kentucky, Mammoth Cave park. And in Ohio, the Toledo Museum of Art. As well as a ton of non-chain restaurants with unbeatable local flavors.
Attacked By Hackers
We returned to Michigan August 10. By then I had already received three e-mails notifying me that someone was trying to break into my website maui114.net. My security software had intercepted them and temporarily locked them out. Then I started receiving similar messages about artchester.net.
When I looked at the failed login reports, I was alarmed to see that the unknown assailant had gone to my secret login page and used my secret username. Both of these are unguessable, being long strings of alphanumerics. Apparently the spy had not intercepted my password, because they made repetitive tries to log in. Therefore, I think that they did not manage to get into either account.
As if this wasn’t enough, on August 19 American Express sent me an alert. Someone in Turkey had attempted to post an $800 charge to my credit card! So not only had many of my website credentials been compromised, they also nabbed my credit card!
All this was a double wake-up call. I thought I had been conducting my business securely. Obviously not! And since I had not experienced intrusions like this for some years, I suspected that these simultaneous hacks were somehow related.
Evidence of Sophisticated Hackers
When I studied the records I learned more information.
When I looked at the Amex charges I found a ringer – an early August charge of $8.11 from a pet care company in Las Vegas. This was apparently a test charge by a hacker, to verify that the account number was valid. The charge entry had no phone number, but included a website link for the company.
I clicked the link and was shocked to see the address line quickly cycle through a half-dozen completely unrelated web addresses. Then my browser displayed a full-page notice advising me to download an update for my Adobe Flash player.
I actually downloaded the file but did not open it. Dumb me. That was a “phishing” page intended to make me install malware (malicious software) on my computer. The multiple address switches apparently represented an attempt to evade tracing, and represented various legitimate websites that the hacker had taken over.
There was additional information from the WordPress report detailing failed logins. It listed the Internet address from which each attempted login occurred. Most IP addresses were used exactly two times. The addresses were registered in Turkey, UK, US, Vietnam, Romania, Philippines and Iran.
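What that failed-login report tells a defender can be made concrete with a short script. The following Python is an added example, not code from this post or from any WordPress plugin; the report line format is made up for the example, the username is invented, and the IP addresses are taken from the RFC 5737 documentation ranges. It parses the report, counts attempts per source address for each username, and flags the pattern described above: a username that is not a guessable default, tried from many addresses in different countries, with only a couple of attempts from each.

```python
import re
from collections import Counter, defaultdict

# Constructed sample report. The line format is made up for this example (it is
# not the format of any particular WordPress plugin); the username is invented
# and the IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_REPORT = """\
2018-08-02 01:14:09 FAILED user=admin_k3v9p2 ip=203.0.113.10 cc=TR
2018-08-02 01:14:31 FAILED user=admin_k3v9p2 ip=203.0.113.10 cc=TR
2018-08-02 02:03:55 FAILED user=admin_k3v9p2 ip=198.51.100.7 cc=GB
2018-08-02 02:04:12 FAILED user=admin_k3v9p2 ip=198.51.100.7 cc=GB
2018-08-03 11:41:02 FAILED user=admin_k3v9p2 ip=192.0.2.44 cc=VN
2018-08-03 11:41:40 FAILED user=admin_k3v9p2 ip=192.0.2.44 cc=VN
2018-08-04 06:22:18 FAILED user=admin_k3v9p2 ip=203.0.113.88 cc=RO
2018-08-04 06:22:51 FAILED user=admin_k3v9p2 ip=203.0.113.88 cc=RO
2018-08-05 19:09:07 FAILED user=admin_k3v9p2 ip=198.51.100.200 cc=IR
2018-08-05 19:09:30 FAILED user=admin_k3v9p2 ip=198.51.100.200 cc=IR
2018-08-06 08:00:13 FAILED user=admin ip=192.0.2.9 cc=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) FAILED user=(?P<user>\S+) ip=(?P<ip>\S+) cc=(?P<cc>[A-Z]{2})$"
)


def parse_report(text):
    """Turn report lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, real_users, min_ips=5, max_per_ip=3):
    """Summarise failed logins per targeted username.

    'distributed' marks the pattern from the post: at least min_ips distinct
    source addresses, none trying more than max_per_ip times, so a per-IP
    lockout never fires. 'leaked_username' marks attempts against a real,
    non-default username, which an attacker can only know by capturing it.
    """
    attempts = Counter((e["user"], e["ip"]) for e in events)
    ips_by_user = defaultdict(set)
    countries_by_user = defaultdict(set)
    for e in events:
        ips_by_user[e["user"]].add(e["ip"])
        countries_by_user[e["user"]].add(e["cc"])

    findings = {}
    for user, ips in ips_by_user.items():
        per_ip = [attempts[(user, ip)] for ip in ips]
        findings[user] = {
            "distinct_ips": len(ips),
            "max_attempts_per_ip": max(per_ip),
            "countries": sorted(countries_by_user[user]),
            "leaked_username": user in real_users,
            "distributed": len(ips) >= min_ips and max(per_ip) <= max_per_ip,
        }
    return findings


if __name__ == "__main__":
    for user, finding in analyze(parse_report(SAMPLE_REPORT), {"admin_k3v9p2"}).items():
        print(user, finding)
```

The two-tries-per-address pattern is exactly what a per-IP lockout invites: the lockout stops one address and the next one takes over. A defender reading this output would rate-limit or lock the targeted username rather than the source address, add a second factor to the login, and treat the username itself as leaked and replace it, which is what the post goes on to describe doing.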
Art’s Analysis: I’m the Victim of a Hotel Hacker
I have a hypothesis for what happened to me. A hypothesis that seems to fit the data trail that I found.
During our month on the road, Nola and I stayed in 10 hotels in 7 different chains, located in 9 different states. Each offered insecure wi-fi, or service with very minimal security.
I believe that one (or more) of the many hotels where I stayed has a hacker on their staff. The hotel hacker kept a copy of my credit card information when I checked in. He or she also listened in on the hotel’s insecure wi-fi network, collecting as much information from me as possible.
The hotel hacker was committing low-tech theft. It didn’t require much expertise to collect the data from me. Moreover, the hotel hacker took little personal risk. I believe that he or she sold the information anonymously to a group of other hackers. I might assume the hackers are based in Turkey based on the repeated appearance of Turkey in my data; however, that could be purposeful misdirection.
The foreign hackers have a range of resources. They have taken control of a number of web addresses, presumably without the domain owner’s knowledge. They control computers located in different countries, so they can’t be blocked by a country filter. And they have a cooperating business in Turkey which can post charges to credit cards.
How Did the Hotel Hacker Get So Much Information?
What accounts for the website login information the hotel hacker captured? During the trip, I had not yet protected maui114.net and artchester.net with security certificates. For that reason, by eavesdropping on the hotel’s wi-fi, the hotel hacker could see everything that I saw on my computer screen.
When I signed into a website to manage it, my secret sign-in page address was visible, and my secret username was visible from a pull-down menu while I was managing the account. My password was not visible because it was stored in my browser. Apparently the hotel hacker was not sophisticated enough to record and decode the password information.
I also did some work on honokeana.net, one of the other websites I manage. However, that website was already protected by https: security. For that reason, only the domain name would have been visible to the hotel hacker. Everything else was encrypted and not visible to him. That explains why the login report for honokeana.net does not show any spurious logins.
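The difference between the two kinds of site can be shown byte by byte. The following Python is an added example, not code from this post; the hostnames, the login path, the username and the form values are all constructed. It builds a plaintext HTTP login request and a minimal TLS ClientHello (the first message of an HTTPS connection) and reports what a passive listener on the wi-fi can read from each: for plain HTTP, the host, the "secret" path and every form field, password included (a password the browser fills in for you travels in the same form body as one you type); for TLS, only the hostname carried in the Server Name Indication extension, since everything after the handshake is encrypted.

```python
import struct
from urllib.parse import parse_qs

# Constructed sample: a plaintext HTTP login POST of the kind a site without TLS
# receives. The path, host and field values are invented for this example.
_BODY = b"log=admin_k3v9p2&pwd=hunter2"
PLAIN_HTTP_LOGIN = (
    b"POST /my-secret-login-x7q9 HTTP/1.1\r\n"
    + b"Host: example-site.invalid\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    + b"\r\n"
    + _BODY
)


def build_client_hello(host):
    """Build a minimal TLS ClientHello whose only extension is server_name (SNI)."""
    name = host.encode("ascii")
    server_name = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni_body = struct.pack("!H", len(server_name)) + server_name       # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body  # extension type 0 = server_name
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # client random (zeros in this sample)
        + b"\x00"                                     # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                          # not a TLS handshake record
            return None
        hs = record[5:]
        if hs[0] != 0x01:                              # not a ClientHello
            return None
        pos = 4 + 2 + 32                               # handshake header, version, random
        pos += 1 + hs[pos]                             # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                             # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                # skip list length (2) and name_type (1); then name length (2) and the name
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def observer_view(wire):
    """What a passive eavesdropper on the wi-fi can read from one captured message."""
    sni = extract_sni(wire)
    if sni is not None:
        return {"transport": "tls", "host": sni}       # the rest of the session is ciphertext
    head, _, body = wire.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
    return {"transport": "http", "host": headers.get("Host"),
            "method": method, "path": path, "fields": fields}


if __name__ == "__main__":
    print(observer_view(PLAIN_HTTP_LOGIN))
    print(observer_view(build_client_hello("example-site.invalid")))
```

Even with TLS the listener still sees the destination address, the hostname and how much traffic flows when; what it no longer sees is the login page address, the username, the password or any page content. The parser above handles only a ClientHello carrying the server_name extension and returns None for anything else.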
Locking the Barn Door After the Horse…
What did I do, belatedly, to improve my security?
- As soon as possible I changed all the secret information on the web accounts.
- I added https: security to maui114.net and artchester.net, the domains that didn’t already have it.
- I had American Express block the fraudulent charges, cancel my existing card and send me a new one.
- Next, I performed a complete scan of my computer for malware.
- I scanned all the websites for malware, using a WordPress plugin and using GoDaddy’s scan service. However, I was disheartened to discover two dozen examples of suspected malware in the databases! The scanning programs removed that malware for me.
This scary experience caused me to re-examine my own security practices. I also reviewed the best Internet advice in this area, which I’ll share with you in the following section:
How To Protect Your Identity From Hackers
- Updated 12/7/18: Freeze your credit with all five credit reporting services (Equifax, Experian, TransUnion, Innovis, PRBC). Thanks to a new law, you no longer have to be hacked to get this service for free. Do this for everyone in your household, especially your kids. No, they’re probably not going to apply for credit cards on their own. But a hacker can commit identity theft and start running up debts that they owe!
- Sign up for “fraud alerts” on each of your credit cards. I suggest that you have the credit company send you both text and e-mail when any of the following occur: purchases over a limit that you choose (e.g., $300); all foreign transactions; cash withdrawal; balance within $500 of spending limit; irregular account activity. If you receive a notice for a transaction that you don’t recognize, immediately phone your credit card company.
- Activate “two-factor authentication” for all your financial accounts. With this established, the bank will verify you with something that you “know” (your password) and something that you “own” (your cellphone, receiving a PIN code).
- Install the “HTTPS Everywhere” extension in its compatible browsers. Those browsers are Chrome, Firefox, Opera and Firefox for Android. Then try to use one of those browsers for all financial transactions. That will ensure that you have no security gaps during sign-on to a secure website. Alas, Safari browsers have no similar protection.
An Important Addition on 12/7/2018:
- Cellphone fraud protection: Cellphone providers maintain their own credit records. You need to take additional steps to protect against fraud involving your phone accounts. Consumer Reports magazine for January 2019, just arrived, has on page 38 a brief article. There’s a longer discussion on the CR website. Here are the steps you need to take:
(1) Place a Security Freeze on your cellphone credit records at the National Consumer Telecom & Utilities Exchange. This should stop a hacker from opening a new cellphone account in your name and running up charges against your credit.
(2) Set up a PIN or passcode for your cellphone account with your service provider. This should stop a hacker from “porting” your cellphone number to his own phone, which could allow him to break into your bank accounts.
(3) If you also have a landline phone, ATT suggests adding a PIC freeze, or Primary InterExchange Carrier Freeze, to your account. This requires you to call your telephone company. Make sure that the phone rep understands what a PIC freeze is – I spoke with a rep who thought I wanted to suspend my phone service!
Yes, There’s More…
- Use “strong” passwords, and never use the same password twice. Yes, that means you need a way to remember them all. But don’t use a “wallet” app to store them, because what if someone hacks that app? Keep a written log in your home. If that’s impractical, put them in an encrypted file on your computer: for example, a Word document protected with a password.
- Don’t bank with a smartphone. OK, I know that some readers cannot live without mobile banking. But at least, don’t use insecure wi-fi for financial transactions using a mobile device.
- Keep all your devices up to date. Activate auto-updates for your computer, tablet and smartphone. Delete any apps that no longer work or that you are no longer using. Out of date apps may have security gaps that offer a window into your private affairs!
- Install, keep updated and regularly use anti-malware software on your computer.
- Don’t put personal information, financial data or passwords on your portable devices. They are less secure than computers, and more easily lost or stolen.
- Beware of links that you see in e-mail and that appear on your computer screen. More details follow.
Don’t Click Risky Web Links
- Never, ever click on a link unless you are positive it’s genuine. How can you tell? Roll your cursor over the link and read the address it’s linked to. If it leads to a business, make sure it starts with https:, and that the business name is not subtly mis-spelled (e.g. fidelitty.com instead of fidelity.com). For a quick course in decoding a web address, see “Appendix 1: How To Decode a URL (Web Address) To Find the Domain” in the blog 9 Dangerous Emails.
- If a link arrives in an e-mail or pops up unexpectedly in your browser, don’t click on it! Many phishing messages look genuine, from a company that you know. However, they take you to dangerous addresses. If a message makes you want to check one of your accounts, type the correct web address directly into your browser address line.
- Never get suckered into believing that your bank or the Internal Revenue Service will send you an e-mail requesting personal information or passwords. They simply will not do it!
- If your e-mail program flags an incoming message as spam, be especially cautious.
- If you goof and an e-mail or a website downloads a file onto your computer that you didn’t specifically ask for, don’t open it! Trash it, and empty the trash.
- And finally, always use common sense. I promise you: There is no terminally ill grandmother in Nigeria who will give you a million dollars with which to do good. There is no lottery that selected your e-mail address out of the billions, to give you a big prize. There is no company that will pay you handsomely to work out of your home, or to help them transfer large sums of money. Fuggetaboutit!
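The link test in the first item of this list can be turned into a small checker. The following Python is an added example, not code from this post; the trusted-domain list is constructed, and fidelity.com appears only because the post uses it as its illustration. It goes a little beyond the post: besides requiring https and catching a mis-spelled name such as fidelitty.com by edit distance, it extracts the part of the address that actually decides where the browser goes, so that a trusted name placed in front of a different domain (as a subdomain, or before an @ sign) is not mistaken for the real one.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the sites you actually use. fidelity.com is here only
# because the post uses it as its illustration; the other entry is a placeholder.
TRUSTED = {"fidelity.com", "example-bank.invalid"}


def registrable_domain(url):
    """The part of the address that decides where the browser goes.

    Takes the last two labels of the host, which is right for .com-style names;
    country-code names such as example.co.uk would need a public-suffix list,
    which this example does not include.
    """
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED):
    """Return the real domain of a link and the reasons, if any, not to click it."""
    parts = urlsplit(url)
    domain = registrable_domain(url)
    problems = []
    if parts.scheme != "https":
        problems.append("not https")
    if parts.username is not None:
        # Anything before an @ is ignored by the browser; the real host comes after it.
        problems.append("trusted-looking name placed before an @")
    if domain not in trusted:
        lookalike = next((t for t in sorted(trusted) if edit_distance(domain, t) <= 2), None)
        if lookalike:
            problems.append(f"looks like {lookalike} but is actually {domain}")
        else:
            problems.append(f"{domain} is not on your trusted list")
    return {"domain": domain, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    for link in ("https://www.fidelity.com/login",
                 "https://fidelitty.com/login",
                 "http://www.fidelity.com/",
                 "https://fidelity.com.evil.invalid/",
                 "https://fidelity.com@evil.invalid/"):
        print(link, "->", check_link(link))
```

The checker reads the address, not the page, so it is only ever a first filter; a correctly spelled https link can still lead to a hostile site that is simply not on your list, and the right reaction to any doubt is the one the post gives: type the address you know into the browser yourself.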
I hope that you find my sad tale of the hotel hacker informative. And I hope that it prompts you to make your own identity security as good as it can be. For more of my “lessons learned” concerning website security, please read the next blog!
– Identity theft courtesy of email@example.com on openclipart.org
– Hacker courtesy of geralt on pixabay.com
As you probably know, you can always pay for online services or goods with a virtual credit card. It’s free. It cannot be used for more than the dollar amount you specify, can only be used by one vendor, not to exceed your specified dollar amount, and only for a time period you stipulate. Also, you can cancel the card when it gets used, or whenever you want. You can generate many new paper ones for stops along the way. Reserve your hotel room with one for the usual hold room dollar amount and cancel it when departing, then pay for the full amount due with another, or with filthy cash from your money belt. Shop Safe is Bank of America’s version of the virtual credit card. Cheers. Mort
Excellent suggestion, Mort, and I should have mentioned it.
Unfortunately, not every credit card offers a one-use card. Citibank offers it on some of its Visa cards, but not the Costco card, which is the one I use. American Express appears to be offering this service very soon (https://abcnews.go.com/Business/story?id=89386&page=1).
I guess that I foolishly assumed that my risk was small since I was staying at major hotel chains. However, your advice is well expressed. We can simply equip ourselves with a stack of one-use virtual cards and use a fresh one for each transaction. I may get driven to do this yet!
You need to stay in better places. Just a little joke.
All the best to you and Nola.
Thanks, George! Unfortunately, even the best hotels disclaim all responsibility for their wi-fi services. Nothing is simple nowadays… – Art
Art: I fully understand. I don’t do anything on this laptop that compromises any aspect of my life. I’m in the San Diego airport, following the GIA technical meetings. We should visit about their scientific work when convenient. Diamonds provide amazing geological records.
Wow, a spectacularly helpful comment Charles! Many thanks, from me and from our readers. Good analogies and great advice!
It might be useful to have a separate article about the “types” of malware you can conceivably run into anytime you are on the Internet. There are counterparts in real life — the person who claims to be a policeman and wants special access to you or your house but really isn’t, the van which drives by and tries to pull you into it, the stranger who tries to lure a child to go with them by offers of candy or stories about their pet being in trouble, etc.
But all of them come down to the fact that the Internet isn’t a trusted place, no matter how many people you trust are using it. It’s like being in a big city. There are safe areas in big cities, but there are definitely neighborhoods that are on the fringe of being safe, and there are some places that are downright unsafe.
Art describes some situations with direct analogs to real life, and if you think of them that way it’s more intuitive what the level of protection is. Using HTTPS instead of HTTP is the difference between having an armed security guard or policeman escorting you to where you wanted to go. Avoiding “phishing” situations is like ignoring someone trying to sell you or give you something when they are standing at the entrance to a dark alley. Watching out for false credentials is like asking to see a security badge or official paperwork before inviting someone into your home.
Remember — anyone on the Internet is untrusted until you have a good reason to believe they are legitimate, even if this seems to be someone you know based on who they said they were.
Art doesn’t mention three things that are worth keeping in mind:
One is the difference between a Mac and a PC (Windows). The latter is much stronger nowadays but you still should never operate a PC on the Internet without malware protection. Using a Mac on the Internet without protection is still a good bet, but it IS a bet. There is no perfect protection for any device on the Internet and someday there will be a serious piece of malware in the wild that will affect Mac owners too. But even in today’s world, just because you have a Mac isn’t protection from ALL malware … you are just as vulnerable to phishing type traps as a PC user. You must remain vigilant at all times no matter what platform you are using (including mobile platforms).
The second is that the specific type of vulnerability Art describes, where someone eavesdrops on your unprotected Internet conversation is not — as far as I know and understand — the case with a pure cell data conversation. In other words, if you don’t connect your cell phone to a local Wi-Fi network but instead just use its cell data connection, you are pretty much safe from someone trying to listen to your conversation. If someone knows differently, please correct me. But that is a far higher level of trust than using a public Wi-Fi network. That means that if you are in your local Starbucks or McDonalds location and have access to their public Wi-Fi network, think twice about using it … you are going to be far safer if you just stay on your cell network directly, if you don’t need high speed or high volume for your Internet connection.
And finally, there is a solution which could have protected Art on his trip even if he had persisted in using public Wi-Fi networks — VPN (Virtual Private Networks). This is a way of encrypting all of your Internet conversation so no one can eavesdrop on any part of it even if your desired website you wanted to contact is operating in a fully unencrypted mode. BUT — this only protects against eavesdropping, it doesn’t protect you against your own mistakes, such as clicking a button that will then install malware on your computer.
There is no perfect solution to security, other than to be vigilant. Remember the analogy of being in a big city, and operate accordingly. When in a dangerous or semi-dangerous place, you must keep your eyes swiveling and remain aware of where you are and who is near you, and you must remain suspicious of the motives of everyone until they are proven safe.