Our past few missives here have focused on computer security solutions. What’s the point of all of this? Out of fear of losing sight of the forest for the trees, let’s try to tie all of that together. How do the bad guys really try to pull off their nefarious schemes, and how do the tools we talk about stop them?
The fact of the matter is that the World Wide Web actually assists in making scams easy. The so-called dark web is where bad actors lurk and trade in information on potential targets. (The dark web also facilitates numerous crimes such as drug and sex trafficking, but that is the subject of another column.) On the dark web there are databases for sale; these contain the results of past data breaches.
Luckily, for the good netizens of the world, it’s easy to check whether you have been the victim of a past hack or data breach, and you don’t even have to delve into the dark web itself to check. Simply enter your email address into the website haveibeenpwned.com and it will tell you whether your address was victimized.
One might think that’s an odd URL, but it’s basically “have I been pwned dot com.” “Pwn” is one of the oldest slang terms on the internet and is derived from misspelling “own.” If you don’t get it, don’t worry about it; only true nerds find this amusing.
Haveibeenpwned.com will tell you the types of violations to which you were subjected, if any. Those involving personal information such as date of birth, employers, geographic location and social media profiles are concerning. But the most concerning is when a password has been compromised.
Oftentimes, when a bad actor gets hold of your login information, he or she will try it against a variety of websites to see whether it still works. Once one of them accepts it, it is basically off to the races for the criminal. Sometimes they will take you for everything you’ve got in the account. Other times, they will play a waiting game, conducting a small transaction to make sure it works, then waiting until the account becomes more valuable before cashing in.
What is one to do upon finding they might be in such a database? In many if not most cases, changing your email address, or even using a different one, is not practical. So you have to change the password. And if you are one of those folks, and there are many, who use the same password on multiple sites, you have to change all of your passwords.
This is where password management software comes in handy. Virtually all password management programs have a feature to generate a random password, and of course, saving the new password is a core feature of such software. Many password management programs also will review your passwords and let you know if you are reusing a password.
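The reuse review and random generation described above, as an added example (not from this column or from any particular password manager). The vault entries, site names and function names are constructed for illustration, and each site is assumed to appear once.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site, username, password); not real credentials.
VAULT = [
    ("bank.example", "pat@example.com", "Sunshine2019!"),
    ("shop.example", "pat@example.com", "Sunshine2019!"),
    ("mail.example", "pat@example.com", "k3#Vq9z!Lm2@xW7p"),
    ("forum.example", "pat", "Sunshine2019!"),
]

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

def find_reuse(vault):
    """Group sites by password digest; return only groups of 2+ sites."""
    groups = defaultdict(list)
    for site, _user, password in vault:
        # Digest is the grouping key, so the report never carries plaintext.
        digest = hashlib.sha256(password.encode()).hexdigest()
        groups[digest].append(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]

def generate_password(length=20):
    """Random password from the OS CSPRNG containing every character class."""
    kinds = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(kind(c) for c in pw) for kind in kinds):
            return pw

def rotate_reused(vault):
    """Return a new vault with every reused password replaced by a unique one."""
    reused_sites = {site for group in find_reuse(vault) for site in group}
    used = {pw for site, _user, pw in vault if site not in reused_sites}
    rotated = []
    for site, user, password in vault:
        if site in reused_sites:
            password = generate_password()
            while password in used:  # guard against an unlikely collision
                password = generate_password()
        used.add(password)
        rotated.append((site, user, password))
    return rotated

if __name__ == "__main__":
    for group in find_reuse(VAULT):
        print("Same password used on:", ", ".join(group))
    print("Reused groups after rotation:", find_reuse(rotate_reused(VAULT)))
```

Every site that shared the exposed password gets a fresh one, including the first site where it was used, since the old password has to be treated as known to whoever holds the breach data.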
In the scenario described above, the use of multifactor authentication will cut the bad actors off at the knees. As we have talked about here before, MFA prevents logins to a website from a new device without a secondary authentication method, such as a text to your cellphone. This prevents someone from logging in to your account, even if they have your password. If a website supports MFA, you should enable it. And if a website does not support MFA, especially a financial institution’s website, it might be time for you to find a new institution.
John Agsalud is an IT expert with more than 25 years of information technology experience in Hawaii and around the world. He can be reached at jagsalud@live.com.