Logic Evasion

Facts Security Part 3: How your PII can be used for Nefarious Purposes

August 25 2023
~1800 words, ~9-10 min read. ~300 word TLDR at the bottom =)

Introduction
Can the Data that I expose become Information, to the point where there is enough Information out there to become Facts about me that could negatively impact me if it were in the wrong hands?

Let's try to answer this question by using examples of digital attacks that have actually happened, threats that actually exist. This might give us hints on what needs to be secured, and inspire us to actually do something about it.

Email Account HACKED
Not wanting other people to access our personal accounts is a common belief to have. That's why we configure things like passwords, and we know that we don't want people to obtain both our account name and password because in some cases that is enough to gain access to our account. It's clear we want to avoid the Fact "XYZ is the password to my account ABC" being known and exposed. What outcomes are we trying to avoid by securing this Fact? To explore this, let's use the example of an Email Account.

Today, practically everyone who uses services on the Internet has an email account. Email accounts serve many functions. You can use one to communicate with people. You can use it to store Data and Information. You can use it to set up accounts with other services. The value of this communication, data storage, and account linkage will likely be subjective. However, it seems undeniable that email addresses are one of the fundamental tools the average Internet user relies on.

A bad actor with your email account credentials can potentially do many things:
-The obvious, they can access your account.
-They can change your password, taking away your access.
-They can read your emails, which may contain private Information that you don't want to reveal.
-They can impersonate you, using the account to email your contact list (or anyone else for that matter). The contacts might believe it is you and be tricked into doing something such as downloading malware, entering their Information in a fake URL, or sending money.
-They can blackmail you.
-They can download all of your emails, creating a copy of your Data that may exist on the Internet for a long time.
-They can delete anything and everything. There may be ways to recover from this; at best you temporarily lose access to your Data, and at worst your Data is lost forever.
-They can access other accounts that are linked to the email address.

Weighing these risks against your personal risk threshold can help you determine whether the Information in your email account is important to you. If you aren't concerned with any of the risks, just a password might be fine for your use case. If you have Information that you don't want to put at risk, consider adding extra security to that account such as Multi-Factor Authentication (MFA).

Here are some factors that may put your account(s) at greater risk:
-You only use a password to secure your account, allowing various automated authentication attacks to have potential success.
-You use a weak password, maybe even on a 'most common passwords' list.
-You use the same password across multiple accounts, and one of those services had a data breach which leaked your credentials.
-You got phished, for example clicking a fake link and entering your username and password.

SIM Swapping
An interesting method of stealing digital assets emerged in the form of 'SIM Swapping'. With MFA securing accounts, bad actors needed a way around it. MFA, or Multi-Factor Authentication, is an account configuration such that two or more factors are needed to access an account. Three common factors used are passwords, email addresses, and phone numbers, where an additional piece of Data is sent to the email address or phone number at login time to be used as an additional input. On top of this, many services have an 'I forgot my password' mechanism, which may utilize an email account or phone number to reset the password. This means that some accounts can always be accessed by whoever has control over the phone number associated with that account.

Those that had access to the vast amounts of stolen or exposed PII were able to utilize that to target high profile accounts, such as accounts that held large amounts of digital currency. With PII, they were able to convince (via hiring, bribing, or social engineering) the support workers of mobile carriers into transferring the victim's phone number to a new SIM card in the bad actor's possession. This gives them control over any accounts the victim may have where the password reset mechanism requires that phone number.

Due to how cryptocurrency works, a bad actor with access to your cryptocurrency account can move your assets out in such a way that makes it difficult to trace the final destination. In other words, it could be very difficult to catch the bad actor by following the assets, decreasing the chances of recovering those assets.

If these risks apply to you, then perhaps you would want to take extra security measures such as a separate private phone number nobody knows, or a different form of MFA such as a physical key. Your username could also be made hard to guess from public Information about you (e.g. your email address, your online handle).

Some factors that could make you the target of SIM Swapping:
-You openly talk about the digital assets you have in your accounts, such as on social media. Or, perhaps you are a well-known wealthy individual.
-Data that can lead to your account, such as email addresses, personal handles, phone number, etc., are public.
-The security of your valuable accounts can be bypassed by whoever has control of your phone number.
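The email-linkage and SIM-swapping risks above are really one question: which of my accounts fall if a single resource (a phone number, an email account) is taken over? The following is an added example, not code from the original post, that models a person's accounts as access paths (login factors and password-reset options) and computes that closure. The account names, factors and both configurations are constructed for illustration.

```python
"""Which accounts fall if one resource is lost? A personal account-dependency model."""
from itertools import chain

# Constructed sample of one person's accounts (hypothetical names). Each account
# maps to a list of access paths; a path is a set of resources that, held
# together, grant access. A password-reset option is just another path, and
# owning an account makes it a resource for other accounts (email linkage).
SMS_RESET_ACCOUNTS = {
    "email":  [{"email_password", "phone_number"}, {"phone_number"}],   # SMS MFA + SMS reset
    "crypto": [{"crypto_password", "phone_number"}, {"phone_number"}],  # SMS MFA + SMS reset
    "social": [{"social_password"}, {"email"}],                         # email reset
    "bank":   [{"bank_password", "hardware_key"}, {"email", "hardware_key"}],
}

# Same person after dropping SMS as a factor and binding login/recovery to a
# physical key plus offline recovery codes (the "physical key" option above).
HARDENED_ACCOUNTS = {
    "email":  [{"email_password", "hardware_key"}, {"recovery_codes"}],
    "crypto": [{"crypto_password", "hardware_key"}],
    "social": [{"social_password"}, {"email"}],
    "bank":   [{"bank_password", "hardware_key"}, {"email", "hardware_key"}],
}


def reachable(accounts, controlled):
    """Accounts an attacker holding the `controlled` resources can eventually access."""
    owned = set(controlled)
    changed = True
    while changed:  # fixed point: owning one account may unlock another
        changed = False
        for name, paths in accounts.items():
            if name not in owned and any(path <= owned for path in paths):
                owned.add(name)
                changed = True
    return owned & set(accounts)


def single_points_of_failure(accounts):
    """For each single resource, the accounts it alone is enough to take over."""
    resources = set(chain.from_iterable(chain.from_iterable(accounts.values())))
    resources -= set(accounts)  # accounts are derived, not primary resources
    spof = {r: sorted(reachable(accounts, {r})) for r in resources}
    return {r: hit for r, hit in spof.items() if hit}


if __name__ == "__main__":
    print("SIM swap, SMS resets:", sorted(reachable(SMS_RESET_ACCOUNTS, {"phone_number"})))
    print("SIM swap, hardened:  ", sorted(reachable(HARDENED_ACCOUNTS, {"phone_number"})))
    print("Single points of failure:", single_points_of_failure(SMS_RESET_ACCOUNTS))
```

With SMS resets in place, control of the phone number alone yields the email, crypto and social accounts (the bank survives only because its recovery also needs the hardware key); in the hardened configuration the phone number yields nothing.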

Identity Theft
Identity theft refers to cases where PII and other Information is collected and used by a bad actor for fraudulent purposes. Many Data points, such as name, social security number, credit card number, etc., are used depending on the type of fraudulent activity.

There have been past cases of massive data breaches that exposed the credit card Information of millions of people. This Data was stolen and used for malicious purposes such as fraudulent transactions and selling the stolen Data itself.

There have been cases of medical identity theft, where stolen personal Information was used to make fraudulent claims on medical services. This could have consequences such as mysterious medical bills, or fraudulently withdrawing limited prescribed medications.

There have been cases of tax identity theft. As recently as the COVID-19 pandemic, the social security numbers of deceased people and people in prison were used by bad actors to collect benefits.

Identity theft truly is a tough one in terms of what an individual can do. In some cases, the exposure of your PII is not even your fault, but the fault of the organization that stored your data. Thankfully, banks seem to be putting in the resources to mitigate fraudulent activity. As for medical and tax, you would need to closely watch (or have someone monitor) the changes and updates to your profiles. You would need to be on top of your own personal medical and tax identities, and have mechanisms set up such that you are sent an alert for any changes or updates.

DOXXING
Doxxing is the act of revealing private/personal Information about someone, usually with malicious intent. Information revealed could include things like full name, photo, age, gender, sexual orientation, home address, phone number, email address, workplace, family Information, etc.

The frightening thing about this is that this could be a group of bad actors targeting an individual. Bad actors would work together to expose the PII of the victim in order to commit malicious acts such as identity theft, cyberbullying, reputation damage, and even real life harassment.

I don't have much personal experience with online harassment. However, I don't doubt that people can become attached to their online personas to the extent that cyberbullying can cause emotional and psychological trauma. It seems inevitable that the future generation will have an affinity with smart phones early on in their lives, which is a catalyst for developing online personas. The question is how we are supposed to help solve this. Are we supposed to prevent the younger generation from developing so closely with smart devices, and reduce their exposure to socializing on the internet? Or are we supposed to now come up with new cures to online addictions and the mental damage linked to social media?

SWATTING
Swatting is an interesting case that shows how risks can lead to your door. Swatting involves a bad actor tricking an emergency service (such as the police) into responding to an address of the bad actor's choosing. They falsely report something that creates a risk of injury or even death. There have been cases where police ended up shooting the victim because the false report set up a situation where weapons were likely to be drawn. All it takes is knowing an address (and, of course, some reason why the victim was targeted).

Realistically, this is only something to worry about if you are the type of person who, for some reason or another, has enemies that would go this far to attack you. This is akin to pulling the fire alarm or reporting a false bomb threat, in that valuable resources are wasted for selfish and/or malicious reasons.

Conclusion
You know, it would be nice if there was a simple way to overhaul our digital security. In this day and age, we have so many separate accounts such as banking, government, medical, not to mention the plethora of social media accounts. This means that we have to assess what level of security we want to use for each one, as well as continue to be aware of and make updates to these accounts. It sometimes comes down to individual preference, or a difference in risk thresholds, that determines how many resources are invested into security. We could choose to manage and secure just one account that is used to authenticate into every other account. Or we could choose to manage and secure each individual account, assessing the adequate security for each based on its risks.

Whether we prioritize convenience, security, or a balance, there also looms the question of who should be responsible for all of this Data. Should the individual user be solely responsible for their own Data? Or do the organizations that require the collection and storage of this Data to use their services have a piece of the responsibility pie? Not to mention entities such as law enforcement and government having the ability to take this Data from organizations regardless of any user privacy protection promised by the organization...

TLDR, some Facts that we probably want to Secure if they apply to us
Email Accounts:
The Fact that your email account only requires the password XYZ and username ABC to access (aka no MFA).

The Fact that you have contacts in your email account that, if asked via email, would send money, download a file, or put their Information in a URL because they trust you.

The Fact that you have private Information in your email account, which if exposed can lead to situations you would want to avoid such as blackmail or leaking confidential Information.

The Fact that your email account is linked to your ABC-XYZ accounts, which can be accessed with only your email account.

The Fact that you can't afford to lose access to your email address, or have your Data potentially modified or deleted, or your linked accounts accessed.

SIM Swapping:
The Fact that you have a valuable account that can be accessed with your phone number and username, which is likely to have been public Information at some point in time.

Identity Theft:
The Fact that your PII has been exposed in a past data breach and/or that there may be enough public/exposed Information out there to make fraudulent claims under your name. This is coupled with the Fact that you have not taken any extra steps to secure your identity.

DOXXING:
The Fact that you have an online persona that you are personally attached to, to the extent that reputation damage and online harassment could affect you negatively.

The Fact that you have an online persona that you don't want associated with your real life identity, to the extent that if this Information were exposed it could affect you negatively.

SWATTING:
The Fact that you have negative relationships with people that are willing and able to take big risks to their own personal reputation to negatively impact you.