If you’ve been affected by a data breach, or otherwise had your information hacked or stolen, you’ve probably asked yourself, “What happens when my stolen information is made public?” At the FTC’s Identity Theft workshop this morning, our Office of Technology staff reported on research they did to find out.
First, they created a database of information about 100 fake consumers. To make the information realistic, they used popular names based on Census data, addresses from across the country, email addresses that used common email address naming conventions, phone numbers that corresponded to the addresses, and one of three types of payment information (an online payment service, a bitcoin wallet or a credit card).
They then posted the data on two different occasions on a website that hackers and others use to make stolen credentials public. The criminals were quick to pounce. After the second posting, it took only nine minutes before crooks tried to access the information.
In total, there were over 1,200 attempts to access the email, payment and credit card accounts. The identity thieves tried to use our fake consumers’ credit cards to pay for all sorts of things, including clothing, games, online dating memberships and pizza.
The research shows that identity thieves are actively looking for any consumer credentials they can find: if your account data becomes public, they will use it.
So what can you do to limit your risk? Well, in this study, two-factor authentication prevented thieves from gaining access to the accounts. Two-factor authentication is a process that requires both your password and an additional piece of information (such as a code sent to your phone). Because these thieves did not have access to the second factor, they were unable to access the accounts. It’s not a cure-all, but it can help.
For more tips, check out our article on Computer Security.