It’s not a matter of if, but when (Part I)

I received a letter from American Express yesterday.  It was nothing out of the ordinary as they send me crap all the time, but this was different.  The letter informed me that my information changed via a third party service sometime in January 2016.  Red flag.  The letter didn’t tell me that this was an ordinary or extraordinary action and in the 22 years I’ve had this card I’ve never had anything changed via a third party.  Red flag.  Upon calling them, I was informed of a potential breach in a third party system that American Express uses to update their credit files.  The letter was auto-generated and was a result of a changed file.  My question “Why did I get a letter it’s changed as I’ve never received this before?” went unanswered.

This event triggered me to write about it, because I’ve yet to talk to someone that completely understands the extent of their threat exposure.  So here is a short list of items that I’m sure everyone has an account with or a device in their possession:

  • Mobile Devices:  mobile phones, wifi doorbells, wifi cameras, wifi baby monitors
  • WiFi Vehicles:  OnStar, Hyundai Assist, Ford Sync
  • Medical Devices:  pacemakers, defibrillators, insulin pumps
  • Social Engineering:  email, text messages, phone calls
  • Service Providers:  mobile phone companies, cable, phone, electric, gas, water

Every single one of the above items (it’s not an exhaustive list) has a component that can be breached and used to take advantage of unsuspecting people.  I’ve been in this industry for years and still see threat deltas that I’ve never seen before.  The potential that hundreds of thousands of people are even less aware is very real and the news tends to support that theory.  Here are some scenarios that may or may not fit:

  • Get a new WiFi router for your home and just plug it in and it works.  No changing of the default password, no wireless security (open), no update to the default factory settings that allow for internal device browsing, etc.
  • Get a new Android phone and start to build out your profile, download apps, etc.  You get a prompt to enter your credentials for Google Play and blindly enter them because you think it’s for an app.  You don’t notice that you’re never prompted for a username/password when downloading apps through official channels (since it uses your Google account automatically).
  • Connect your personal mobile device to a hotspot for internet access without reviewing the entire list of available networks.  Most places of business will display their wifi network name so you don’t connect to something malicious.  Ex – a wifi network will NEVER show up as “ad-hoc”; the ones that do are malicious in almost every case.

There are literally hundreds of thousands of articles and resources available if you want to learn more about protecting yourself.  I’m going to list a few of the easier-to-understand resources in my next post.  Keep yourself safe online and the horror stories you see online will never be about you.