Saturday, September 13, 2014

Give me your e-mail to tell you if you are being hacked!

History

A lot of accounts on public services have recently been hacked, exploited, publicly listed, and so on. With every single account breach, at least five services pop up saying “check if your account has been hacked” and asking you for your e-mail address or account username, almost never for your password. Here I will try to explain why you, dear user, should avoid using any of these services, even when the operator behind the service looks respectable, like the Bundesamt für Sicherheit in der Informationstechnik (BSI, the German Federal Office for Information Security), which also offers a “check whether your account exists in the hacker networks that we monitor” service.

Problem

This year started with a lot of account breaches at different public services (mainly e-mail services). One of them was announced by the very same German Federal Office for Information Security that so kindly offers you the free service of checking whether your account is subject to identity theft. Then came the eBay account breach. Then the iCloud celebrity account breach. Then the published list of Google account credentials. Probably many more in between. With every massively and hysterically announced account breach come a dozen sites telling you

You should immediately change your password!

and

Hey, gimme your e-mail, I will tell you if it is hacked!

while promising

I will not save your e-mail address anywhere, you can trust me!

While the first warning makes some sense, none of the others does!

For your own good and safe Internet browsing, never use a service that claims to tell you whether your account has been hacked or not!

Why? Here is the story of “Why?”

How the attacks work

Without pretending to be a thorough analysis, let me tell you how these attacks on user accounts work.

Online user identities are usually composed of three main components:

  • A service (Facebook, Google, Microsoft, eBay, Apple, etc.)
  • A Username / login
  • A Password

In order to “hack” your account, the attacker first has to focus on a service. This is the easiest part: follow the security reports of one or more monitoring organisations (Symantec, the SANS Institute, or any other) for a couple of months and watch which service comes up most often. Or just pick one.

OK, the attacker has identified the service to attack. Say it is Facebook. What next? Now he or she has to hack tens of millions of accounts. Brute-forcing both the login name and the password against the live service simply does not work: the number of combinations is astronomical, and the service throttles or locks the account long before the attacker gets anywhere. Nobody does this today. The attacker will look for other ways to obtain, be careful here, your login name! Exactly: your e-mail address. The very same e-mail address that other “friendly” services ask you to give them so they can check whether your account has been hacked or hijacked!

By giving your login name / e-mail address to a “let me check this for you” service, you simply fill the attacker's database with real, valid accounts that can later be used for password guessing!

Now, because you, dear user, have left your e-mail address with such a service, you are already a potential target. Please never give your e-mail address or login name to any service of this kind! Not even to the German Federal Office for Information Security. Even if the service looks trustworthy, using it does you no good at all; it only serves its owners, for whatever purposes they have.

We have slowly come to the last component of an online identity that an attacker has to crack to solve the puzzle: the password. Your precious “123456”. Again, passwords are (almost) never cracked by exhaustive brute force. Attackers use lists of the most widely used passwords, the so-called dictionary attack: simple words, no (or few) special characters, no (or few) capital letters, plus the usual variations such as a capital first letter, a digit or “!” appended at the end, or “a” written as “@”. Published analyses suggest that even the recent iCloud breach was committed using such dictionaries.

Next steps

OK, now what?

First and foremost, never give your account (e-mail address / login name) to a third party! The worst that can happen: you become a primary target for attacks when you were safe until now. The least that can happen: you are entered into a list for further “monitoring”, i.e. spam, hacking attempts and so on. Lists of valid e-mail addresses are traded (sold for real money!) over the Internet every day!

To stay secure online, never use a dictionary word as your password! Your password should not consist of a single word, nor of a word with a digit or “!” stuck on the end; crackers try those variations too. Most online services already have mechanisms that prevent you from using weak passwords. Take these “password strength” indicators seriously and never let your password fall into the “weak zone”. Treat them as a floor rather than a guarantee, though: a strength meter cannot know whether the word you typed is in an attacker's list, so avoid dictionary words even when the meter says “strong”.

Well, be careful and always think about your own Internet safety! And never, ever give your account at one service (say Google) to another service (say the German Federal Office for Information Security). For your Google account, trust only Google. For your Facebook account, trust only Facebook, and so on.

If you see a report of an account hack or security breach, never rush to any service other than the very one you use and that is responsible for your account. Most of the big players on the market already have tools in place for reviewing your account's recent activity; make sure you know them and know how to use them!
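As an added example (not code from the original post), the small Python script below simulates both halves of what the two sections above describe: a dictionary attack with the mangling rules a cracker applies to each word, run against a list of valid logins of exactly the kind a “let me check this for you” service collects, and the check a password-strength meter should perform, namely rejecting dictionary words and their usual variations. It also computes the size of an exhaustive brute-force search for comparison. The wordlist, the logins and the passwords are all constructed for the demo; the hashing uses salted PBKDF2 only so that each guess has a realistic cost.

```python
import hashlib
import os
import string

# Constructed stand-in for the real "most used passwords" lists crackers use.
COMMON_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "monkey",
    "dragon", "iloveyou", "sunshine", "princess", "football",
]

# Constructed victim accounts. The login names are exactly what a
# "check whether you are hacked" service would collect from its visitors.
SAMPLE_CREDENTIALS = {
    "alice@example.com": "Password123",
    "bob@example.com": "dr@g0n",
    "carol@example.com": "correct horse battery staple",
}


def mangle(word):
    """Yield the variations a cracker tries for each dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2014"):
        yield word + suffix
        yield word.capitalize() + suffix
    leet = (word.replace("a", "@").replace("o", "0").replace("e", "3")
                .replace("i", "1").replace("s", "$"))
    if leet != word:
        yield leet


def hash_password(password, salt):
    """Salted PBKDF2-SHA256. The iteration count is small to keep the demo fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 1000)


def make_user_db(credentials):
    """Build a login -> (salt, hash) table like the one a service would store."""
    db = {}
    for login, password in credentials.items():
        salt = os.urandom(16)
        db[login] = (salt, hash_password(password, salt))
    return db


def dictionary_attack(db, wordlist):
    """Try every mangled dictionary word against every login; return what falls."""
    cracked = {}
    for login, (salt, digest) in db.items():
        for word in wordlist:
            hit = next((c for c in mangle(word) if hash_password(c, salt) == digest), None)
            if hit is not None:
                cracked[login] = hit
                break
    return cracked


def is_dictionary_based(password, wordlist):
    """The check a strength meter should make: reject words and their usual variations."""
    lowered = password.lower()
    return any(c.lower() == lowered for word in wordlist for c in mangle(word))


def brute_force_keyspace(length, alphabet=string.ascii_letters + string.digits):
    """Number of candidates an exhaustive search would have to try."""
    return len(alphabet) ** length


if __name__ == "__main__":
    db = make_user_db(SAMPLE_CREDENTIALS)
    print("cracked:", dictionary_attack(db, COMMON_PASSWORDS))
    for pw in SAMPLE_CREDENTIALS.values():
        print(f"{pw!r}: dictionary-based = {is_dictionary_based(pw, COMMON_PASSWORDS)}")
    print("8-character alphanumeric keyspace:", brute_force_keyspace(8))
```

Two of the three constructed accounts fall to ten words and a handful of rules, while the multi-word passphrase survives; the keyspace figure (62^8 for eight alphanumeric characters) shows why an attacker with a list of valid logins reaches for a wordlist first.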

Google Account

If you use Google, navigate to the security section of your account. When you are logged in with your Google account on any Google service, click the little arrow next to your e-mail address and select “Account”:

Then navigate to Security:

This page has a “Recent activity” section that shows really useful information: the recent sign-ins to your account.

Microsoft Account (formerly Windows Live ID / Hotmail)

If you use Microsoft services, the “Recent activity” information is in a similar place. Log in with your Microsoft account on any Microsoft service (Hotmail/Outlook.com, OneDrive) and click on your name:

Under “Account settings” you will find “Recent Activity”:

Final notes

Again, never leave (enter, give away) your personal account information with anyone on the Internet!

Use strong passwords. It is not that important to change your password often! It is important to use a strong password and to check the account activity section regularly. Change your password only if you see suspicious activity in the recent activity list, or if you receive a legitimate message from your service provider telling you that you have to change it, like the e-mail all eBay users received in May 2014:

When you receive such an e-mail, first check its authenticity: look at the sender and Reply-To addresses in the message headers (the display name means nothing; the domain after the @ is what counts, and even the From address can be forged, so a matching domain is necessary but not sufficient), and look for official information on the sender's (in this case eBay's) public website. Never click a link directly from the e-mail; link text that reads ebay.com can point anywhere. Just navigate to the service as usual and change your password there.
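As an added example (not from the original post), here is a Python script that performs the header and link checks just described on a raw e-mail, using only the standard library. The message is constructed for the demo, modelled on a password-reset notice with a genuine-looking display name but a Reply-To, Return-Path and login link that point elsewhere; the “official domain” it compares against is an assumed input.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real eBay mail): the From address looks
# right, but the bounce/reply addresses and the reset link do not.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-ebay-security.example.net>
From: eBay <security@ebay.com>
Reply-To: support@mail-ebay-security.example.net
Subject: Please change your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://ebay.com.login-secure.example.net/reset">change your password</a>.</p>
<p>Help: <a href="https://www.ebay.com/help">eBay Help</a></p>
</body></html>
"""

HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def domain_of_address(header_value):
    """Strip the display name and return the domain after the @, lower-cased."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def same_org(domain, official):
    """True only for the official domain itself or a subdomain of it
    (so 'ebay.com.login-secure.example.net' does not pass)."""
    return domain == official or domain.endswith("." + official)


def check_sender_headers(msg, official_domain):
    """Compare From, Reply-To and Return-Path against the official domain."""
    findings = []
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value is None:
            continue
        domain = domain_of_address(value)
        if not same_org(domain, official_domain):
            findings.append(f"{header} domain {domain!r} is not under {official_domain!r}")
    return findings


def check_links(msg, official_domain):
    """Flag every href whose host is not the official domain or a subdomain of it."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    findings = []
    for url in HREF_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if not same_org(host, official_domain):
            findings.append(f"link to {host!r} is not under {official_domain!r}")
    return findings


def analyse(raw_message, official_domain):
    """Parse a raw e-mail and return the header and link findings separately."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return {
        "headers": check_sender_headers(msg, official_domain),
        "links": check_links(msg, official_domain),
    }


if __name__ == "__main__":
    report = analyse(RAW_MESSAGE, "ebay.com")
    for finding in report["headers"] + report["links"]:
        print("SUSPICIOUS:", finding)
```

On the sample message the From domain passes but the Reply-To, the Return-Path and the reset link are all flagged, which is exactly the pattern to look for. A clean report does not prove the mail is genuine, since From can be forged; it only means the obvious signs are absent, so the advice to navigate to the service yourself still stands.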

When you enter your account information (login and password), always check that you are on the provider's sign-in page by verifying the web page's SSL certificate! All the big players pay for an Extended Validation certificate, which turns the address bar / certificate path green and displays the company's name (EV stands for Extended Validation):

Others save a couple of hundred dollars and do not pay for Extended Validation, while still providing a trusted and encrypted connection to the site:

NEVER ENTER YOUR CREDENTIALS if the SSL connection is not verified or not trusted. And read the domain name in the address bar too: a valid certificate only proves you are talking to the domain shown there, and a phishing site can have a perfectly valid certificate for its own lookalike domain.
