Last month I raised the issue of identify theft and online security. The timing could not have been better – or worse, depending upon your point of view – because the day the article came out, the Internet was shaken with the discovery of the “Heartbleed” security flaw. Heartbleed is a serious issue and poses very real, and ongoing, risks to all businesses… but especially to smaller businesses. And it’s a stark reminder of just how careful you need to be to project your identity information when online.
But just what the heck is heartbleed and why should you even care? And what should you do about it?
Without going into all the technical details, heartbleed is really just a tiny little bug in a tiny little bit of software. Unfortunately, that software is used by two thirds of the Internet web sites to encrypt information sent from a web browser to a web site.
While the heartbleed bug was made in December 2012, it was only reported in April 2014. That means for the past two years everything you’ve typed into many web sites you’ve visited may have been visible to snoopers: your passwords, personal information in sign-up forms, bank accounts, lists of friends, love letters, photos of cats… the lot. The reason why I stress “may have” is that it is not known if criminal groups knew of this bug and were using it for identity theft. There is no hard evidence that this is the case, but as we know, cybercriminals are pretty good at hiding their activities. What we do now know is that the American NSA knew of it, and exploited it to gather intelligence.
Regardless of who knew about heartbleed, and when, it’s mere existence represents a clear and present danger to every internet user and small businesses.
The good news is that all of the major websites – from Yahoo and Google, to DropBox and many banking services – affected by heartbleed were able to patch their services within days of the discovery.
However many web sites run by small businesses were still unpatched weeks later, simply because small businesses do not always have the technical resources to jump on a security issue at a moment’s notice. If your business has a website, even one hosted by another company, you should get it checked. A quick way to do this yourself is via this online tool: https://lastpass.com/heartbleed/.
The reality is that by the time you read this article, almost all of the websites will have been fixed. So does that mean you can relax? Absolutely not.
Because if hackers have had access to your personal records in the past, they still have them! This is why it is so massively, outrageously important for you to change all of your passwords. If you’ve not done this yet, do it today. Yes, it’s a pain in the neck, but that pain is a hell of a lot less than finding your bank account empty. I’m not fooling here. I have hundred of passwords and it took me more than a day to change them all. It was worth it.
While you are changing your passwords, you should also ensure that every site you log into has a different password. If you use the same password over and over again, hackers only need to find one vulnerable web site and they have access to everything. By having a different password for every site you visit on the internet, you can be sure that if a hacker manages to steal information from one web site, they cannot then use it to access all your other information.
And it is information that hackers are seeking. The more information they can learn about you, the easier it is for them to steal your identity. For example, in Canada it is known that the government’s tax records database was breached due to the heartbleed bug. But why would hackers do that? Surely they would only target your bank account? Wrong!
As discussed last month, identity theft is the number one growth industry of criminal gangs. For these gangs, simply breaking into your bank account and robbing you is nowhere near as lucrative as taking out credit cards and loans in your name — buying things and leaving you with a bill that may not show up for months. We’ve seen gangs buy cars using stolen identities, then reselling them ‘as new.’ It’s almost the perfect crime. We’ve even seen stolen identities used to rent properties (which are then used by drug dealers), which not only left the poor identity theft victim with a huge rental bill, but also put them on the rental blacklist and had them under investigation by police! (In fairness, the cops are pretty damn good at realizing when someone has been victimized in this way… but even so, it must have been very stressful!) In short, these gangs are not simply after your cash, they are after your credit!
So, it’s up to you to minimise the ability of criminals to learn about you. Online, the best prevention is to ensure you use different passwords and make sure your passwords are complex enough to avoid being easily found.
However, it is not humanly possible to remember every password you are likely to use, so my recommendation is to use a ‘password locker’ – a software package that stores all of your passwords in a single, heavily encrypted file.
There are many password lockers (also called password managers) available – some are free and others require a small annual fee. The password locker I use is called KeepAss (great name, I know) which is a free, open source (and thus peer-reviewed to ensure there are no backdoors or NSA traps!) application. However, KeePass is a bit of a cow to install and use, and during ‘the grandmother test’ resulted in a lot of confusion. Unless you are a geek, you may wish to consider some of the other well-respected commercial password lockers, such as:
- LastPass – https://lastpass.com
- DashLane – https://www.dashlane.com
- RoboForm – http://www.roboform.com
- PasswordBox – https://www.passwordbox.com
To summarize: Heartbleed was a serious threat that most likely has been fixed on every website you will visit… but the damage may have been done. The best way to protect yourself as a consumer and as a small business is to change all your passwords. While doing this, get serious about password management and ensure that every web site is given a unique password. Use a password locker to keep track of all your passwords. If your business runs a website, check to see if it is still vulnerable to the heartbleed bug.