Another day, another breach headline.
However, a recent breach involving T-Mobile servers begs a closer look – even for those of us desensitized to this kind of news.
Hackers claimed to have obtained data of 100 million T-Mobile customers from its servers, selling some of this data on the underground web for 6 bitcoin, or $280,000, according to WIRED.
Seems pretty par for the (cybersecurity) course, right?
Not quite. The breach not only contained names, phone numbers and physical addresses, but “social security numbers, driver's license information, and IMEI numbers, unique identifiers tied to each mobile device,” reported WIRED.
Personal data, like your phone number and address, is publicly searchable. And other data is most likely already on the dark web (your driver’s license information, for example). Those IMEI (International Mobile Equipment Identity) numbers, though, are not your typical hacker pull. And when you put all these pieces together, this unique data mix is prime bounty for bad actors.
Smishing, or SMS-based phishing, uses those phone numbers and IMEI data to create believable-looking mobile messages that convince you to click. SIM-swap attacks, also using IMEI numbers, involve the hacker contacting your wireless carrier and rerouting your phone number to a new SIM card. If your phone number is linked to your bank, work or social media accounts, just to name a few, that information is now exposed.
In the face of these evolving attacks -- from smishing to SIM-swaps -- here are steps you can take right now to ensure you’re protected the next time a major breach occurs.
Use app-based authentication
Multi-factor authentication (MFA) uses multiple data points to prove that users are who they say they are: to log in, you supply biometrics (like a fingerprint) or a code sent to an authentication app on your smartphone. If hackers don’t have the required authentication information, they can’t get a foothold in an account.
LastPass’ enhanced Authenticator app provides consumers and businesses with the extra layer of security they need in this volatile mobile cybersecurity landscape, including:
- Biometric-protected push notifications for both password manager and single sign-on applications connected through LastPass
- Third-party one-time passcodes to access sites that require secondary authentication
- Account back-up and recovery for third-party passcodes to streamline Authenticator set-up on a new device or restore if data is lost
- Never reuse your passwords: This includes never reusing your master password. Using the same password for multiple accounts means that if a hacker ever got hold of just one password, that one password would open several doors to your personal data. Use a unique password for every online presence you have.
- Use strong, complex passwords: An easy-to-remember (weak) password translates into an easy-to-crack password for hackers online. Always create strong, complex passwords for each of your accounts.
- Update your passwords: Keep hackers out of your personal data by regularly updating your credentials. Hackers may want to continuously access your account after a breach -- resetting your password can shut the door on compromised data in the future.