Late last month, I was hacked. Specifically, a few of my accounts were hacked, most notable being my everyday Google account and my “@DougH” Twitter handle, which I have had for nearly ten years. No matter what is taken (or not), while I got everything back and lost not much more than a month of frustration, it was an interesting experience and I learned a few things, among them:
Lots of People Have Your Personal Info
One of the things you do when you have a known breach of your personal data is to file a police report. In my case nothing (no money or assets, that is) was stolen, so the local police were not that enthusiastic. When I asked them to file a report anyway so I would have something on the record, the officer mentioned something that I agree is very likely true: many people have your personal information, as it is so easy to get: your address, phone number, social security number and even more. Rather than lie awake at night in fright, I realize this is the plight of most of us, and the proper response is:
- Don’t be paranoid about people having your personal data; assume they do. Watch all your financial accounts very closely; many companies (American Express does a great job of this) will alert you to unusual activity, but regularly comb financial account activity on your own. Besides, there are plenty of other benefits to knowing the state of all your accounts.
- Don’t be afraid to change your accounts: move things around if you think a credit card or other account is compromised: change passwords regularly, etc. etc.
- Use the credit bureaus: they are such a pain in the butt in a good way: when I filed a fraud alert with Experian (which alerted the other bureaus by default), every time I performed a legitimate new transaction (opening a new car lease, for example), the bank had to call me to verify that everything was in order. I’ll take that inconvenience (in fact, I gave up on a retail credit account I didn’t really need) knowing that if someone tried to open a fraudulent account in my name, the same stops are in place.
Customer Support for Online Services is Gravely Lacking
Here is my real point of concern from my experience. First: I appreciate that it is not super-easy or instantaneous to get your account back if you don’t have access to a password or other information: however, it should still be more difficult for someone to steal your account than it is for you to prove that you are you and get it back. While Twitter is only so important, and Google only somewhat more so depending on what you keep linked to your account, it is disruptive, upsetting and potentially catastrophic to lose control of your accounts to some other person.
In the case of my phone provider, getting control of my phone number back was pretty easy- but so, apparently, was the process for the hacker to get my number in the first place. There must have been some breakdown in protocol where the hacker was not required to use my “secret code” (which I don’t even write down) to get access and switch my phone number. That should not happen, but it did. The provider called a family member to confirm this was a valid action (a good policy), but when the family member failed to answer they went ahead and handed over my life in the form of a phone number anyway (not such a good policy). The hacker had the number for two or three hours, but that was enough to change account passwords and phone numbers.
In the case of Google, the account recovery process resulted in Google asking me (by email, as no actual people were evident in my contacts with either company) to fill out the same account recovery form with the same questions (and answers) – repeatedly. My experiences with Twitter were similar. While I don’t know exactly what triggered the final recovery of the accounts, I did have friends inquiring with contacts they knew, but I had no way of knowing exactly who or what finally got things moving- and I don’t know what that means for most people who simply get stuck in the robotic “customer support” loop.
By the way, The Daily Dot was kind enough to include me in a story on the difficulties of recovering accounts from social media platforms and Internet services.
So, a month later, I have my accounts back. The process of confirming identity should be thorough, but it should not take nearly that long.
Definitely Activate Two-Factor Security. However…
One thing most people asked once I got hacked was “did you have two-factor security on? You gotta have two factor security!”
Truth is, I couldn’t remember at first, but I obviously had not turned on two-step authorization features for Google and Twitter. I was just lazy, but the truth is it is worth the hassle.
That said- the real answer to the question, unfortunately, is it didn’t matter. In two-factor, the second factor is normally your phone- and if a hacker gets your phone number, you’re screwed anyway. So don’t relax just because you have two-factor security turned on (you smug reptile), you still need to be on guard.
Perhaps if that second factor were something less transferable- a corneal implant or a simple tattoo on the inside of one’s eyelid, maybe- it would be more effective, but I suppose that would just encourage the growth of rings of eyelid or eyeball thieves.
Another fun link- in a recent This Week in Google podcast, panelist Gina Trapani describes (about 44 minutes in) more or less exactly what happened to me; so either it’s more common than we want to admit or there is a concentrated identity theft crime spree.
So, big fun in Internet-land over the last month- between that and end-of-school (forever: my son graduated) activities, I’ve stayed away from writing here. I’m just glad it is over with.