Your Digital Identity Could Sabotage You And Others Around You.
Picture this: Yasmin H., a senior executive for a Fortune 500 company, is a progressive thought leader and is very active in the social media space. She frequently posts online content, articles, and materials to her many followers, covering industry insights and inspirational messages for aspiring leaders. She also shares aspects of her personal life through her personal Instagram account. Using LinkedIn, Instagram, and Twitter, she takes great pride in building her personal and professional brand.
In the public domain, one can see she is very well educated, financially comfortable, enjoys personal vacations, occupies a high-visibility role at work, is engaged to be married to Simon K. (SVP of sales for a pharma company), lives in a very sought-after part of a major metropolitan city, enjoys fine dining, and has an active, healthy lifestyle. Each year she gets a flood of birthday well wishes and congratulatory messages for her work anniversaries. Yasmin is rising to the peak of her personal and professional life.
Just a few days ago, Yasmin learned that her digital identity had been compromised and used to gain unauthorized access to her workplace, where a very well-orchestrated company data breach took place.
What The “H**K!”, And How Did This Happen?!
Threat Actors are constantly crawling and sniffing the internet, looking for information that will afford them an entry point into a company network. Once they are in, the follow-on cyberattacks typically ensue: a data breach, a ransomware attack, or the wiping out or destruction of parts or all of a company’s critical infrastructure systems. What Threat Actors look for is the Personally Identifiable Information (PII) of individuals, from both a personal and a professional perspective. PII can also be referred to as a digital identity, as it contains information that may connect to a number of accounts and online profiles and be used to gain access to a network.
Threat Actors can effortlessly find profiles and digital identities of internet users. They are able to use popular social media sites like LinkedIn, Facebook, Twitter, Instagram, etc., to gather their information. An individual’s digital identity may be found on one or more social media sites, ranging from full name, home or work address, mobile number, and email to Date of Birth. It’s all online.
In the case of Yasmin, a Threat Actor accessed and exploited her digital identity from her LinkedIn account, where she had provided her executive title, the name of the Fortune 500 company, her email address, and her personal mobile number. The cyberattack began with a Whaling Attack (spear-phishing email): emails carrying Remote Access Trojan (RAT) malware were sent to Yasmin’s corporate email account. Once activated, the RAT allowed the Threat Actor to establish remote access to Yasmin’s corporate laptop (local machine), where deep-level surveillance was carried out on files/folders, keystrokes (keylogging), emails, calendar schedules, camera, microphone, etc.
The RAT malware was a particularly sophisticated strain that allowed the Threat Actor to obtain Yasmin’s password credentials, bypass the corporate Multi-Factor Authentication (MFA) service, and move around with unfettered access not only on her local machine but also on the company’s enterprise network. After gaining unauthorized access to several critical system applications, the Threat Actor finally got into the database that contained millions of customer accounts and profile data, whereupon the data breach took place.
Your Self-Assumed Digital Obligation Is Your Biggest Risk & Threat.
Yasmin ended up becoming a key piece of the puzzle in the cyberattack and data breach, all because the Threat Actor was able to work with and exploit the information she had innocently shared with the world. But Yasmin is not alone. Everyone does it! Hundreds of millions of people openly share their personal information across multiple social media sites. People don’t think twice about sharing their full names, DoBs, addresses (work, school, and home), email addresses, telephone numbers (work and mobile), locations, vacations, (selfie) pics, videos, tags of family members and friends, their moods and opinions, their likes/preferences, and their desires.
From a security perspective, it’s fascinating to see why Yasmin and others like her feel obligated, even comfortable, to share so much personal information. The footprint across the internet of shared digital identities is colossal. There appears to be a behaviour of self-assumed, subliminal, digital obligation to expose so much personal and sensitive data. Fact is, we are not obligated. You don’t have to post your personal information online.
Switch from Digital Identity to Anonymous Identity - Immediately!
With the escalating and unprecedented rates of cyberattacks and data breaches, our personal information has either been compromised (very likely scenario) or will very soon be compromised (also a very likely scenario). It's a pretty grim situation to comprehend. Individual consumers are just sitting ducks in the cybersecurity and threat landscape.
So can we protect ourselves, one might ask? It turns out we can! We strongly advise you to switch your mindset from offering your single digital footprint to creating anonymous identities. This is about the smartest and safest move anyone can (and should) make. The less information there is about you in the public domain, the lower your chance of falling victim to a cyberthreat. The following are some of the most important things you can consider doing immediately to potentially evade Threat Actors:
Your Full Name -
Wherever possible, simply don’t use your full (legal) name. There is no obligation. Instead, create a pseudonym, or even consider using your first name with a random letter for your last name. Unless it’s a government or court order requirement, no one needs to know your full legal name. Unknown to many, the full name is just as valuable to Threat Actors to identify a target.
Sharing your location, such as the address of your home, business, school, or a place you’re visiting, either by pin-dropping or by adding it to your profile, presents a number of risks. Many of today’s smart devices and mobile app services have default settings that track your location, and some of them share it publicly and/or make it available to 3rd party data companies. You should consider changing the default settings on your devices either to track you only when you are using their app services, or to turn off location tracking services altogether. Also, don’t voluntarily offer your address or location in the online public domain. If you are not legally required to share your location or address, then simply don’t. There is no obligation to do so.
Date of Birth (DoB) -
It is very surprising to see people post or share their DoB online! What’s particularly concerning is that users most often share this sensitive data together with other sensitive data, such as their full name and address. Being in possession of someone’s full name, address and DoB will enable a Threat Actor to easily impersonate that victim for a variety of personal and/or professional attacks. For Threat Actors, gathering this data has become very simple, as most mainstream social network sites (LinkedIn, Facebook profiles, Twitter, Instagram, and online community message boards) and past company data breaches expose individuals’ online identities and other sensitive data.
It is highly recommended that you either (a) don’t offer your DoB on any site or platform, or (b) create an anonymous DoB, unless you are dealing with a government agency, a financial institution or a medical service. Unless there is high value being provided by the service provider and you accept the risks, no one needs to collect your DoB along with your other sensitive data.
Many online accounts and service providers rely on email addresses for users to sign up and sign in, and Threat Actors find email addresses very useful to exploit to gain unauthorized access. If a corporate email address is known to a Threat Actor, they can attempt all forms of password exploits (brute force, password spraying, etc.) to gain unauthorized access to that email account. Once in, all sorts of cyberattack nightmares can begin. A personal email address known to a Threat Actor is just as useful, as email accounts are the gateway to many services, such as financial, medical, and government services and other online accounts, where the sabotage begins. Gaining unauthorized access to an email account also enables the Threat Actor to carry out password resets, account takeovers and impersonation attacks. In addition, most email addresses contain either the complete name of the person or variants of the name, providing the Threat Actor with more information on the victim.
For your personal use of email accounts and addresses, you should strongly consider creating multiple anonymous email addresses for the various groups of online services you use. For example, one anonymous email address for social media, one for online financial services, another for billing and utilities, etc. This way, should one (anonymous) email account become compromised, it is isolated from all the other services you use. You will also be able to quickly switch out the compromised email account for a newly created anonymous email address. For corporate email addresses, we recommend using other identifying values that don’t include the employee’s full name, for example - James25.firstname.lastname@example.org.
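The two properties this advice relies on (no address reveals the owner's name or DoB, and no address is shared between service groups) can be checked mechanically. The script below is an added example, not part of the original article; the function names, the made-up person and the reserved mail.example domain are assumptions chosen for illustration.

```python
import re
import secrets
from collections import defaultdict

def leaks(address, full_name, birth_year):
    """Return name/DoB fragments visible in the local part of an address."""
    local = re.sub(r"[^a-z0-9]", "", address.split("@", 1)[0].lower())
    tokens = [t for t in re.findall(r"[a-z]+", full_name.lower()) if len(t) >= 3]
    found = [t for t in tokens if t in local]
    year = str(birth_year)
    if year in local:
        found.append(year)
    elif local.endswith(year[2:]):      # e.g. a trailing "85" for 1985
        found.append(year[2:])
    return found

def audit(accounts, full_name, birth_year):
    """accounts maps a service group to the address registered with it."""
    by_address = defaultdict(list)
    for group, address in accounts.items():
        by_address[address.lower()].append(group)
    return {
        "leaky": {g: f for g, a in accounts.items()
                  if (f := leaks(a, full_name, birth_year))},
        "reused": {a: g for a, g in by_address.items() if len(g) > 1},
    }

def new_alias(domain, full_name, birth_year):
    """Random local part, regenerated until it carries no identifying fragment."""
    while True:
        alias = f"u{secrets.token_hex(5)}@{domain}"
        if not leaks(alias, full_name, birth_year):
            return alias

# Constructed sample data: a made-up person and the reserved .example domain.
NAME, BORN = "Alex Rivera", 1985
ACCOUNTS = {
    "social media": "alex.rivera85@mail.example",
    "financial": "alex.rivera85@mail.example",
    "billing and utilities": "u3f9a1c07de@mail.example",
}

if __name__ == "__main__":
    report = audit(ACCOUNTS, NAME, BORN)
    print("identifying fragments:", report["leaky"])
    print("shared across groups:", report["reused"])
    print("replacement alias:", new_alias("mail.example", NAME, BORN))
```

An address listed under "reused" is the one whose compromise would reach several service groups at once, so it is the first candidate for replacement.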
Mobile Numbers -
Many companies, service providers and social media sites enable their users to register a mobile number as a second security factor (2FA/MFA) to protect access to their accounts and services. In addition, many users openly add their mobile numbers to their publicly visible online profiles across various social media sites. Recently, the cybersecurity landscape has seen a spike in Threat Actors compromising mobile numbers so they can hijack the second security factor. This can be done through mobile spyware, number porting or even SIM-Swap Attacks. All of these mobile-based attacks allow the Threat Actor to take complete control and ownership of all incoming and outgoing calls and text messages, and ultimately to sabotage the second security factors (passcodes) in order to gain unauthorized access to the victim’s account(s).
To evade this type of attack, you should strongly consider not adding your mobile number to online public profiles, and removing it where it is already listed. It is surprising to see how many executives and professionals list their mobile numbers on their LinkedIn profiles, alongside their full names and email addresses.
Anonymous Identity Is The Best Identity
Threat Actors are always in search of information to exploit, and it’s not hard to find online. Despite companies having up-to-date security systems and many abiding by industry and regulatory compliance standards, it’s simply not enough. Threat Actors will get whatever they want. If as users we voluntarily provide our Personally Identifiable Information (PII), then we assume a certain degree of responsibility. Rather than expecting organizations, online service providers, online accounts and social media sites to maintain the integrity of our data, we suggest you proactively protect yourself by becoming anonymous. The less that is known about you, the better off you will be.
Going anonymous means there is an unreliable and inaccurate identification about you, which cannot be trusted. While Threat Actors look for trusted digital identities to compromise, they should not be able to get too far if your anonymous identity is in fact unreliable, untrusted and incomplete. Going with anonymous identities could be the best identity.
Had Yasmin H. and her company adopted anonymous identity policies and procedures, perhaps the Threat Actor may not have been that successful in using her information for exploiting and ultimately conducting a company data breach. Further, who knows if her fiancé, Simon K., is currently being targeted...
About IAmI Authentications -
IAmI Authentications (“IAmI”) is an identity & access management company that has reinvented Two-Factor Authentication (2FA). For the first time, users can now detect, identify and prevent Threat Actors from exploiting their login credentials to gain unauthorized access to networks and critical system applications. Additionally, IAmI empowers customers to safeguard access to their accounts and services, and prevent fraud - all in real time.
Using its proprietary solutions and applications, IAmI offers a bespoke, fully integrated, white-labeled, cross-platform, encrypted tokenization, cloud security, SaaS platform for clients in all industries. For more information, please visit www.useiami.com