Is it possible to detect security breaches as a user before they're announced?

You can't detect it with 100% certainty because not everyone who steals your data wants to phish you, or sell it. But for those who do want to phish you - and that's a large portion of them - there are some tricks you can apply.

In most places, you cannot provide fake details. You need to enter your name, physical address, credit card information, social security number, etc. You don't really have much control over the real details.

However, what you do have control over is your email address. You can always provide a dummy email account to anyone, for any reason, even if the rest of your details are required to be legitimate.

Roving Email Address Method

Let's call this REAM. I like REAM.

Here's what I do: I buy a few domains and create unlimited amounts of email addresses, then use a different email address for each website on which I have an account. I also use Gmail, Yahoo, etc.

Buy 2-3 reasonable domain names, and give the accounts reasonable, unique names like [email protected], [email protected], etc. You can also use free email providers, but having to repeatedly enter your phone number might cause you some issues.

It's a lot of work, but it pays off in the long run. When you're asked for your email address at a retailer, give them one of those emails, and use it ONLY for them. Make sure you use each email address only once. Carry a list of email addresses in your wallet.

Now why would we want to detect phishing, instead of sending it to the spam folder? Because a phishing attempt on these emails may indicate a breach.

I've found that, with astounding regularity, without even providing my email address to additional companies beyond the first one, that I get phished on a regular basis on each account. In fact, I've seen dozens of such breaches.

Here's a small list of some notable phishing attacks I've found:

  1. OPM (2011, undisclosed until 2015)
  2. IRS (2015, undisclosed until late 2015)
  3. IRS (2016. Repeat of 2015? Undisclosed until recently)
  4. Pizza Hut (early 2015, breach still undisclosed)
  5. Target (2013?)

In most of the emails, the attackers usually have bad English. In some, they do not. They'll also google a location near the provided address, and say they have a job opportunity, etc.

In some cases, I will even get phone calls from them in the same area code as me! It's actually very easy to get a burner phone at Wal-Mart and have it set to the same area code as your victim. If you're clever enough, and they're in the same country, then you can quickly lead them down the path of the damned.

In nearly every case, they try to get me to click on an infected website. I will go there anyway (on a dummy+virtual machine, obviously) because I am a masochistic security researcher who revels in reverse-engineering malware, and making attackers suffer. Suffer mortals as your pathetic magic betrays you! You may not want to visit them, however.

The Multiple Phone Number Method

Some like to try and use multiple phone numbers. I would not do this. It's neither reliable, nor effective because:

  1. Phone numbers can be enumerated very easily, and auto-dialed/texted.
  2. It costs a lot of money to have multiple phone numbers.
  3. You'll likely get calls from people who knew the person who knew the previous owner.

Therefore, REAM is a much better way than this.

The Plus Email Address Method

I guess we can call this PEAM.

Others have suggested the plus email address method. Gmail supports this. For example, if your email address is [email protected], it's recommended to use [email protected] instead. Google will apparently discard the plus side of the email address.

Using this method could be good for a lot of reasons. However, very few - if any - of those reasons would apply to actual skilled phishers. I would not recommend using this method because it may only work against run-of-the-mill spammers, not actual skilled phishers. Here's why:

  1. Phishers are more intelligent than the average spammer. They are targeting you personally. If you respond, they will build a profile on you, or maybe they already have a profile built on you based on stolen data sets.
  2. Spammers are willy-nilly sending spam to everyone they can. Your plus addressing still gets delivered to your inbox. And you just know you want those lengthening pills... so you end up buying them anyway, and they don't work, and all the women laugh at you. [sobbing uncontrollably] Ahem...

  3. This method can be easily circumvented with code. I'll demonstrate:

    List<String> possiblyIntelligentTargetList = new List<String>();

foreach (string email in emailAddressCollection)
{
    // We might've found a plus-size individual
    if (email.Contains("+"))
    {
        // Ignore the plus email address
        string realEmailAddress = email.Split("+")[0] + "@" + email.Split("@")[1];

        // Phish user's actual email address.
        PhishUser(realEmailAddress);

        // Add their provided email to a new list so we can analyze later
        possiblyIntelligentTargetList.Add(email);
    }
    else
    {
        PhishUser(email);
    }
}

    Of course, this could be made much better, but this is a rough example of how easy it would be do to this. It only took me like 0.05 miliseconds to write this.

With the above code snippet, the plus side of the email address is discarded. Now how will you know where the breach came from? Because of this, I would recommend that you get REAMed.

Trawling the "Deep Web"

bmargulies brings up an interesting, and very good point: your data may sometimes appear on the Deep Web. However, this information is usually for sale.

While yes, it may be possible to detect a breach before it's announced by visiting the Deep Web or using an Identity Protection Service that does, this method has it's drawbacks as well. Here are a few problems I see with looking on the Deep Web:

  1. While some Identity Protection services are excellent, they may cost a fair bit of money. Identity protection services may be provided for free, but they usually come after the breach announcement, and the protection only lasts for a limited time, usually around 1-2 years.
  2. You usually have to buy this information from attackers, unless they released it for the Lulz.
  3. The breached data simply may not appear on the Deep Web at all.

As you can see, there are a lot of pros and cons of every single method here. No method is perfect. It's impossible to get 100% perfection.

REAM also detects individual breaches

This method doesn't just detect breaches to companies. It detects breaches to individuals. You may find that, after giving someone your email address, they send you phishing attacks several months later. It may come from them, or it may come from someone else who hacked them.

Now that my data has been stolen, what do I do?

If you have a strong suspicion that your sensitive information has been stolen, you should do the following:

  1. Shut down and replace all credit and debit cards associated with the aforementioned email address.
  2. Put a freeze on your credit so they can't do anything with the details.
  3. Inform the company/individual that they've likely been hacked, so they can take the appropriate steps.
  4. Read about Virtual Credit Cards in the answer provided by emory for the bonus question below.

For the main question, I recommend Mark Buffalo's answer.

For the bonus question, my credit card company provides me a virtual credit card service they call ShopSafe. Other credit card companies provide their own virtual credit card services that will have different names and different details. Here are the ShopSafe features.

I can create a virtual credit card at will in a matter of seconds using their web portal. I can choose the credit limit and expiration date. Any charges against this virtual credit card will show up on my regular credit card bill as if they were against my regular credit card. I can query for charges against specific virtual credit cards.

When I need to provide credit card information, I create a virtual credit card with a chosen credit limit and expiration date. If I am buying a $100 item in October, the credit limit is $100 and the card expires in November. If the site is breached, most likely my credit card info is stale. This covers the majority of use cases.

Another use case is my transit pass. I have a transit pass that allows me to ride buses and metros. I have provided the transit agency with a virtual credit card. Every time my transit pass drops below $20, they auto-reload it (by charging my virtual credit card).

I gave the transit agency a virtual credit card with a $500 limit and 12 months until expiry because I want the card to auto-reload by itself. (When I am running for a train, I don't want to spend time adding money to the transit pass.)

ShopSafe records the first merchant to charge against a virtual credit card. Subsequent charges made by other merchants will be automatically rejected. If the transit agency is breached, my virtual credit card will not be expired and it will have credit left, but nonetheless the hackers will not be able to make charges against it. No one but the transit agency can charge against that virtual credit card.

Without a Virtual Credit Card If you do not have virtual credit cards, then you might make all purchases with the same credit card number. If a site gets breached (and even if you know about it) you will probably choose not to cancel the card because it would disrupt everything else. Instead you would probably rely on your credit card's fraud guarantees. As hackers put bogus charges on your card, you dispute them. The credit card company is exposed to financial risk.

So virtual credit cards are mostly a benefit to your credit card company. If they do not make it available to you, their heads are full of rocks.


Facebook scrapes popular pastebin type sites where hackers post stolen login info and checks for their users' account info. You could do the same (for your various email addresses or credit card numbers), though it'd be a lot of work!

To do this, we monitor a selection of different 'paste' sites for stolen credentials and watch for reports of large scale data breaches. We collect the stolen credentials that have been publicly posted and check them to see if the stolen email and password combination matches the same email and password being used on Facebook

https://www.facebook.com/notes/protect-the-graph/keeping-passwords-secure/1519937431579736

Tags:

Account Security

Recent Posts