Security All The Way Down [#27]

Source, one of the many blogs I follow, has recently had a themed content week focusing on security. For their main readership this means security for the newsroom, security for the journalist, but their articles are both fascinating and widely applicable. It may seem a bit ridiculous but the reality is: everyone is a target. Yes, a journalist is more likely to be specifically targeted, because they have access to unique and oftentimes damaging material, but literally every single person has something that is valuable to someone else.

Maybe it’s money in the form of online bank accounts, crypto wallets or card-verified e-commerce sites like Amazon. Maybe it’s social media accounts, valuable for gathering personal identifiers that can be sold en masse for identity theft purposes or even to be used as part of modern botnets, spreading viruses and further compromises. Maybe it’s compromising personal information, images you wouldn’t want widely distributed or conversations you’d rather pay to keep out of the public eye. Maybe it’s just the thrill of seeing how far you can go, what you can uncover.

It’s unlikely that you would be directly targeted, but it’s actually fairly likely that you will be targeted at some point. It’s happened to me. A few years ago I received a message from my bank querying a large-sum purchase made with a debit card that I hadn’t used in years. I freaked out a little, contacted them and had the transaction cancelled; once the bank had assured me that no further charges would occur I calmed down and started trying to piece together how the hell someone had managed to skim a card that had been out of circulation for years.

The answer, as is so often the case, was the combination of forgotten accounts, common passwords and third-party security breaches. Exactly which chain of interconnecting services led to this particular attempt at fraud is impossible to prove, but here’s my best guess. Back when I was heavily active on League of Legends they had a mass server breach, with hundreds of thousands of accounts compromised. The parties involved made off with data tables of passwords, account names and associated email addresses; no credit card details, but enough personal information to be seriously damaging. My account name was unique and the associated email address had a different password, so I figured I was safe. I was wrong. Someone, somewhere, managed to link my username to an old email account, which used that same password (Error #1). They accessed that email account without my knowing (Error #2 – set up two-step authentication!) and from there likely downloaded my entire email history (Error #3 – if you don’t need it right now, encrypt/archive it or delete it).

Within that database of emails were messages from an ancient PayPal account I hadn’t used in years (Error #4 – close accounts you no longer need). That PayPal account had a different password, but that doesn’t matter; whoever it was simply had a password reset request sent to my compromised email address and flipped it. That PayPal account was still connected to my old debit card, which I’d never closed down despite no longer using it (Error #5). They tried to use that account, with that card, to make a purchase when luckily a third party, my bank, flagged it as suspicious. As a result, the purchase was cancelled. Great, right? Problem solved, issue avoided, time for a cup of tea, right?

Wrong. I contacted PayPal and had the account closed, I went to my bank and terminated the card and figured the worst of it was over. Except, the email account was no longer accepting my leaked password. Four years later and, for some reason, the password happened to be flipped back to the original one; I’ve just managed to regain control, through sheer luck, but the ripple effects are still being discovered. That email account was the main personal ID for dozens of other online accounts, many of which have been deleted, taken over or banned. Some were used for spam, others for malicious “fun” and others just destroyed. I’ve spent the best part of the last two weeks going through that old email account, finding associated logins across the web and shutting them down or taking back control.

The whole ordeal has spanned years and is still ongoing. Now, on the one hand, I got lucky. Losing so many accounts didn’t impact me financially, it didn’t uncover any secrets that could have been used to blackmail me or hit me IRL (I’m too boring for anything like that) and I never really felt any negative impact from it. I’ve lost some memories and a decent chunk of my personal time, but that’s about it. But like I said, I got lucky.

So, whilst very interesting and a recommended read, going through Source’s recent articles on personal security has left me a little red-faced. For everything I supposedly “learned” I’m not much better today than I was four years ago in real terms. I’ve slowly been building a database of accounts I have, what they’re associated with and the personal details they contain. I’ve reset my passwords and made sure they’re all unique. Where possible I’ve closed accounts I no longer want or, at the least, removed any personal identifiers from them. But beyond that? Not much.
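One way to put an account inventory like that to work, as an added example that is not part of the original post: the chain above (leaked password reused on an email account, then password resets sent to that email) can be walked automatically. The inventory below is constructed; the password labels only need to be equal where the same password was reused, and the account names are placeholders.

```python
"""Blast-radius check over an account inventory (added example, constructed data).

Two links are modelled, matching the chain described in the post:
  1. another account reuses the breached account's password;
  2. another account's password can be reset via a fallen email account.
"""
from collections import deque

# Constructed inventory. "password" is a label standing in for the real secret
# (only equality matters); "recovery" names the account that receives resets.
INVENTORY = {
    "game-forum": {"password": "pw1", "recovery": "old-email"},
    "old-email":  {"password": "pw1", "recovery": None},       # reuse: Error #1
    "paypal-old": {"password": "pw2", "recovery": "old-email"}, # reset path: Error #4
    "shop":       {"password": "pw3", "recovery": "old-email"},
    "main-email": {"password": "pw4", "recovery": None},
    "bank":       {"password": "pw5", "recovery": "main-email"},
}


def blast_radius(inventory, breached):
    """Return {account: reason} for every account reachable from `breached`."""
    reached = {breached: "breached directly"}
    queue = deque([breached])
    while queue:
        cur = queue.popleft()
        pw = inventory[cur]["password"]
        for name, acct in inventory.items():
            if name in reached:
                continue
            if acct["password"] == pw:
                reached[name] = f"reuses password of {cur}"
            elif acct["recovery"] == cur:
                reached[name] = f"password reset via {cur}"
            else:
                continue
            queue.append(name)  # newly fallen account: follow its links too
    return reached


def reused_passwords(inventory):
    """Map each password label shared by more than one account to those accounts."""
    by_pw = {}
    for name, acct in inventory.items():
        by_pw.setdefault(acct["password"], []).append(name)
    return {pw: sorted(names) for pw, names in by_pw.items() if len(names) > 1}


if __name__ == "__main__":
    for name, why in blast_radius(INVENTORY, "game-forum").items():
        print(f"{name}: {why}")
```

Running it with "game-forum" as the breached service reaches the old email, the old PayPal account and the shop, but not the accounts anchored to the separate main email.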

Reading through A Guide to Practical Paranoia is like reading a checklist of ways I’m falling behind. It recommends using local password managers like KeePass rather than cloud-based services, but I still haven’t managed to even make that step. Tor and other end-to-end encryption are mentioned as good first steps, but all I have is WhatsApp… not sure that really counts. Don’t use out-of-the-box, popular options for data you care about, it says, which I agree with whilst writing on a WordPress blog running the vanilla theme.

Perhaps it’s time to start making inroads into my personal security again. The reason it hasn’t happened yet is because it’s hard, it’s boring and it can be pretty confusing to boot, but the alternative is harder and potentially actively damaging. In the meantime, though, I can definitely recommend giving the suggestions and ideas on Source a good read over:

A Guide to Practical Paranoia – Stephen Lovell (Source)
Why My Motto as a Security Journalist is “Assume Breach” – J. M. Porup (Source)