Threat actor: a person or group who acts with malicious intent.
I casually asked a friend two generations (in terms of age) above me what would happen if her sensitive personal information were leaked to the public.
Her response was, “I have nothing to hide, and I don’t think people can make use of my information much.”
This is the usual response we hear, and many innocently fall for it.
However, the new wave of hacking is no longer about breaking into the computer network. It is about using what the threat actor already knows about a person to gain control of, or access to, the victim's private accounts or computers. The primary motivation for this kind of attack is usually money.
Have you ever received an email or SMS that appears to come from someone you know, but is actually from a threat actor impersonating them?
I will give you an example. Let us say you have an email account with Email.me (not an actual company). From some data leak somewhere, the threat actor now knows your email address and phone number. That looks like a harmless pair of details.
Now, if I go to Email.me and click on “forgot password”, multi-factor authentication will kick in. There are several ways Email.me could authenticate you, but we will stick with a common one.
For the sake of this example, let us say that in order to reset the password, it sends a 6-digit code to the person’s mobile phone. Email.me may mask the phone number and reveal only the last 3 digits.
That is fine for the threat actor, who already has the whole phone number from the data leak and just needs to key it in.
But before the threat actor punches in the phone number and the system sends the victim the 6-digit code, the threat actor sends the victim the following spoofed SMS:
We noticed strange behaviour on your account. Please reply to this SMS with the 6-digit one-time pass we have sent you in order to verify your identity.
Then the threat actor keys in the number and the Email.me system sends the 6-digit one-time pass to the victim’s phone. If the victim is not careful, they will reply to the scam SMS with the legitimate 6-digit one-time pass, which is exactly what the threat actor needs to complete the password reset.
Many victims may not fall for this, but some will, and that success rate is good enough for the threat actor.
This is how a threat actor can make do with a data leak of just your email address and phone number. Imagine if the leak also contained other sensitive personal information such as your pension number, medicard number, bank account details or health records.
Therefore, do not assume it is fine for your personal and sensitive information to be available for public view. The least we can do is safeguard our data from the prying eyes of hackers and scammers.