The Saga of My Narrow Escape, and How You Can Protect Yourself
A hotel hacker attacked me during my recent vacation trip. For my bottom line recommendations, you can skip the details and go right to the conclusions:
- Protect your identity: see the last section of this post, How To Protect Your Identity From Hackers.
- Protecting websites, the subject of next week’s blog.
Want some meat on the bones? My down-and-dirty personal experience? Read on!
I managed to keep my body, my bank account and my websites intact. However, the experience scared me and taught me several lessons:
- Hotel networks and front desks are riskier than I realized.
- It’s rational to be paranoid about attack by a hotel hacker!
- HTTPS websites don’t just protect the visitor: they also protect the website owner.
A Hotel Hacker As a Rodent
I thought I was adequately protecting myself from the hotel hacker and other nefarious individuals. But I wasn’t.
My best analogy is: Have you ever found mouse poop in your house? From a mouse who entered by unknown means? You soon learn that a mouse can enter through an unbelievably narrow opening. If the weather is cold, or dry, all it takes is a single gap in your home’s perimeter, and bang! You’ve got a mouse colony.
Similarly, hackers surround us in the Internet world. They can rush through any gap in our security and, if not quickly stopped, cause untold damage.
I hope that this post about my personal experience makes the threat more real to you. And that what I learned will help you discover and block any gaps in your own personal security!
Today’s installment focuses on identity protection. And the next blog post discusses what’s involved in protecting a website.
A Pleasant Vacation With An Unhappy Sequel
In the summer Nola and I usually visit Santa Fe, New Mexico for not quite two weeks. There we enjoy opera, food, fine art and folk arts.
This year we decided to drive rather than fly. We allotted 30 days for what would be a 4,300-mile journey in our comfortable “road car” (Buick Avenir).
When we take a road trip we see and do as much as we can along the way. And most of this route we had never driven before. We timed our stops to include three performances: HMS Pinafore in Denver; the Grand Ole Opry in Nashville; and Iolanthe in Wooster, Ohio.
But we had time for much more fun! In Colorado we visited the Rocky Mountain National Park, the Denver Botanical Garden, the Garden of the Gods park and the Cheyenne Mountain Zoo. Passing through Texas we visited Cadillac Ranch, an outdoor art installation. In Kentucky, Mammoth Cave park. And in Ohio, the Toledo Museum of Art. As well as a ton of non-chain restaurants with unbeatable local flavors.
Attacked By Hackers
We returned to Michigan August 10. By then I had already received three e-mails notifying me that someone was trying to break into my website maui114.net. My security software had intercepted them and temporarily locked them out. Then I started receiving similar messages about artchester.net.
When I looked at the failed login reports, I was alarmed to see that the unknown assailant had gone to my secret login page and used my secret username. Both of these are unguessable, being long strings of alphanumerics. Apparently the spy had not intercepted my password, because they made repetitive tries to log in. Therefore, I think that they did not manage to get into either account.
As if this wasn’t enough, on August 19 American Express sent me an alert. Someone in Turkey had attempted to post an $800 charge to my credit card! So not only had many of my website credentials been compromised, they also nabbed my credit card!
All this was a double wake-up call. I thought I had been conducting my business securely. Obviously not! And since I had not experienced intrusions like this for some years, I suspected that these simultaneous hacks were somehow related.
Evidence of Sophisticated Hackers
When I studied the records I learned more information.
When I looked at the Amex charges I found a ringer – an early August charge of $8.11 from a pet care company in Las Vegas. This was apparently a test charge by a hacker, to verify that the account number was valid. The charge entry had no phone number, but included a website link for the company.
I clicked the link and was shocked to see the address line quickly cycle through a half-dozen completely unrelated web addresses. Then my browser displayed a full-page notice advising me to download an update for my Adobe Flash player.
I actually downloaded the file but did not open it. Dumb me. That was a “phishing” page intended to make me install malware (malicious software) on my computer. The multiple address switches apparently represented an attempt to evade tracing, and represented various legitimate websites that the hacker had taken over.
There was additional information from the WordPress report detailing failed logins. It listed the Internet address from which each attempted login occurred. Most IP addresses were used exactly two times. The addresses were registered in Turkey, UK, US, Vietnam, Romania, Philippines and Iran.
Art’s Analysis: I’m the Victim of a Hotel Hacker
I have a hypothesis for what happened to me. A hypothesis that seems to fit the data trail that I found.
During our month on the road, Nola and I stayed in 10 hotels in 7 different chains, located in 9 different states. Each offered insecure wi-fi, or service with very minimal security.
I believe that one (or more) of the many hotels where I stayed has a hacker on their staff. The hotel hacker kept a copy of my credit card information when I checked in. He or she also listened in on the hotel’s insecure wi-fi network, collecting as much information from me as possible.
The hotel hacker was committing low-tech theft. It didn’t require much expertise to collect the data from me. Moreover, the hotel hacker took little personal risk. I believe that he or she sold the information anonymously to a group of other hackers. I might assume the hackers are based in Turkey based on the repeated appearance of Turkey in my data; however, that could be purposeful misdirection.
The foreign hackers have a range of resources. They have taken control of a number of web addresses, presumably without the domain owner’s knowledge. They control computers located in different countries, so they can’t be blocked by a country filter. And they have a cooperating business in Turkey which can post charges to credit cards.
How Did the Hotel Hacker Get So Much Information?
What accounts for the website login information the hotel hacker captured? During the trip, I had not yet protected maui114.net and artchester.net with security certificates. For that reason, by eavesdropping on the hotel’s wi-fi, the hotel hacker could see everything that I saw on my computer screen.
When I signed into a website to manage it, my secret sign-in page address was visible, and my secret username was visible from a pull-down menu while I was managing the account. My password was not visible because it was stored in my browser. Apparently the hotel hacker was not sophisticated enough to record and decode the password information.
I also did some work on honokeana.net, one of the other websites I manage. However, that website was already protected by https: security. For that reason, only the domain name would have been visible to the hotel hacker. Everything else was encrypted and not visible to him. That explains why the login report for honokeana.net does not show any spurious logins.
Locking the Barn Door After the Horse…
What did I do, belatedly, to improve my security?
- As soon as possible I changed all the secret information on the web accounts.
- I added https: security to maui114.net and artchester.net, the domains that didn’t already have it.
- I had American Express block the fraudulent charges, cancel my existing card and send me a new one.
- Next, I performed a complete scan of my computer for malware.
- I scanned all the websites for malware, using a WordPress plugin and using GoDaddy’s scan service. However, I was disheartened to discover two dozen examples of suspected malware in the data bases! The scanning programs removed that malware for me.
How To Protect Your Identity From Hackers
- Updated 12/7/18: Freeze your credit with all five credit reporting services (Equifax, Experian, TransUnion, Innovis, PRBC). Thanks to a new law, you no longer have to be hacked to get this service for free. Do this for everyone in your household, especially your kids. No, they’re probably not going to apply for credit cards on their own. But a hacker can commit identity theft and start running up debts that they owe!
- Sign up for “fraud alerts” on each of your credit cards. I suggest that you have the credit company send you both text and e-mail when any of the following occur: purchases over a limit that you choose (e.g., $300); all foreign transactions; cash withdrawal; balance within $500 of spending limit; irregular account activity. If you receive a notice for a transaction that you don’t recognize, immediately phone your credit card company.
- Activate “two factor authentication” for all your financial accounts. With this established, the bank will verify you with something that you “know” (your password) and something that you “own” (your cellphone, receiving a PIN code).
- Install the “HTTPS Everywhere” extension in its compatible browsers. Those browsers are Chrome, Firefox, Opera and Firefox for Android. Then try to use one of those browsers for all financial transactions. That will ensure that you have no security gaps during sign-on to a secure website. Alas, Safari browsers have no similar protection.
An Important Addition on 12/7/2018:
- Cellphone fraud protection: Cellphone providers maintain their own credit records. You need to take additional steps to protect against fraud involving your phone accounts. The January 2019 issue of Consumer Reports magazine, which just arrived, has a brief article on page 38. There’s a longer discussion on the CR website. Here are the steps you need to take:
(1) Place a Security Freeze on your cellphone credit records at the National Consumer Telecom & Utilities Exchange. This should stop a hacker from opening a new cellphone account in your name and running up charges against your credit.
(2) Set up a PIN or passcode for your cellphone account with your service provider. This should stop a hacker from “porting” your cellphone number to his own phone, which could allow him to break into your bank accounts.
(3) If you also have a landline phone, AT&T suggests adding a PIC freeze, or Primary InterExchange Carrier Freeze, to your account. This requires you to call your telephone company. Make sure that the phone rep understands what a PIC freeze is – I spoke with a rep who thought I wanted to suspend my phone service!
Yes, There’s More…
- Use “strong” passwords, and never use the same password twice. Yes, that means you need a way to remember them all. But don’t use a “wallet” app to store them, because what if someone hacks that app? Keep a written log in your home. If that’s impractical, put them in an encrypted file on your computer: for example, a Word document protected with a password.
- Don’t bank with a smartphone. OK, I know that some readers cannot live without mobile banking. But at least, don’t use insecure wi-fi for financial transactions using a mobile device.
- Keep all your devices up to date. Activate auto-updates for your computer, tablet and smartphone. Delete any apps that no longer work or that you are no longer using. Out of date apps may have security gaps that offer a window into your private affairs!
- Install, keep updated and regularly use anti-malware software on your computer.
- Don’t put personal information, financial data or passwords on your portable devices. They are less secure than computers, and more easily lost or stolen.
- Beware of links that you see in e-mail and that appear on your computer screen. More details follow.
Don’t Click Risky Web Links
- Never, ever click on a link unless you are positive it’s genuine. How can you tell? Roll your cursor over the link and read the address it’s linked to. If it leads to a business, make sure it starts with https:, and that the business name is not subtly mis-spelled (e.g. fidelitty.com instead of fidelity.com). For a quick course in decoding a web address, see “Appendix 1: How To Decode a URL (Web Address) To Find the Domain” in the blog 9 Dangerous Emails.
- If a link arrives in an e-mail or pops up unexpectedly in your browser, don’t click on it! Many phishing messages look genuine, from a company that you know. However, they take you to dangerous addresses. If a message makes you want to check one of your accounts, type the correct web address directly into your browser address line.
- Never get suckered into believing that your bank or the Internal Revenue Service will send you an e-mail requesting personal information or passwords. They simply will not do it!
- If your e-mail program flags an incoming message as spam, be especially cautious.
- If you goof and an e-mail or a website downloads a file onto your computer that you didn’t specifically ask for, don’t open it! Trash it, and empty the trash.
- And finally, always use common sense. I promise you: There is no terminally ill grandmother in Nigeria who will give you a million dollars with which to do good. There is no lottery that selected your e-mail address out of the billions, to give you a big prize. There is no company that will pay you handsomely to work out of your home, or to help them transfer large sums of money. Fuggetaboutit!
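As an added example (not code from the original post), here is a small Python checker that applies the advice above: it decodes a URL to its domain the way the “Don’t Click Risky Web Links” section describes, checks that the scheme is https, flags near-miss spellings of trusted domains (fidelitty.com vs fidelity.com), and reports what an eavesdropper on open hotel wi-fi could see, which is the hostname alone for https but the full path and query for plain http, as in the maui114.net login-page story. The trusted-domain list, the sample login path and the two-letter edit-distance threshold are assumptions made for the example.

```python
"""Decode a link before clicking: real domain, https or not, lookalike spelling,
and what an on-path eavesdropper would see.  Added example, not the post's code."""
from urllib.parse import urlsplit

# Constructed list of domains the reader actually logs in to (assumption).
TRUSTED = {"fidelity.com", "americanexpress.com", "maui114.net"}

def registrable_domain(host: str) -> str:
    """Crude last-two-labels rule, good enough for .com/.net-style hosts.
    (A production checker would consult the Public Suffix List instead.)"""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the typosquat sweet spot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_link(url: str) -> dict:
    """Return the facts a cautious reader wants before clicking a link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()      # ignores port and any user@ prefix
    domain = registrable_domain(host)
    is_https = parts.scheme == "https"
    # Plain http exposes the whole request; https exposes only the host name
    # (via DNS and the TLS handshake), which is why the encrypted site's
    # secret login page stayed secret in the story above.
    query = f"?{parts.query}" if parts.query else ""
    visible = host if is_https else f"{host}{parts.path}{query}"
    lookalike = None
    if domain not in TRUSTED:
        # Flag a domain that is within two edits of one we trust (threshold is an assumption).
        lookalike = next((t for t in sorted(TRUSTED) if edit_distance(domain, t) <= 2), None)
    return {
        "domain": domain,
        "https": is_https,
        "trusted": domain in TRUSTED,
        "lookalike_of": lookalike,
        "visible_to_eavesdropper": visible,
    }

if __name__ == "__main__":
    for link in ("https://www.fidelity.com/", "https://fidelitty.com/login",
                 "http://maui114.net/secret-login-page-example?user=art"):
        print(link, "->", assess_link(link))
```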