Security22.05.2022

What South Africans can do to protect themselves after huge data leaks — bad news from a hacker

Effective privacy legislation is the best solution for targeting the rise of scams following significant data leaks, Orange Cyberdefense South Africa managing director Dominic White told MyBroadband.

Even individuals who have gone to every length to protect their data are still at risk of being defrauded because of the loose governmental grip on consumer credit bureaus.

Everyone should do the basics — use strong passwords, change compromised passwords immediately, and not click on suspicious links in emails or WhatsApp messages.

However, these steps aren’t of much use if a con-man can weaponise your private data and trick you into giving them your passwords and PINs.

“Two-factor authentication notifications sent to a mobile app that requires you to approve as a user are a good start but only really work for a small percentage of the population,” White said.

Those affected by either the Experian or TransUnion data leaks could sign up for the companies’ respective identity protection programs.

TransUnion has offered those affected by the March data leak a year’s access to its TrueIdentity product, allowing them to monitor identity-related threats.

However, White doubts the effectiveness of credit data monitoring services like these since they do not provide enough details on who is looking at your records.

Attackers with access to a data leak could also avoid triggering a credit record check, unless they impersonate you to take out contracts or other credit in your name.

“[Whether companies] are using our search history to change our insurance premiums is as much unknown to us as if an attacker is looking at a leak to impersonate us,” White said.

The most common attack resulting from major data leaks is identity theft.

“[Identity theft] is a pretty dumb name, and we cyber people should be a bit ashamed that it remains in use,” said White.

He explained that attackers use leaked information to impersonate you — either to the institution that experienced the leak, or to third parties.

Targeting third parties is more likely as a recently-hit company like Dis-Chem, for example, will be on high alert for attackers using their leaked information right now.

However, Dis-Chem’s leak only seems to comprise marketing details — names, emails, cellphone numbers — which White said generally isn’t enough to impersonate you.

An attacker would have to combine the data from this leak with something else.

Instead of impersonating you to an institution, an attacker could reverse tack and use your leaked data to call you and pretend to be the institution.

This is called “vishing”.

A typical example of vishing involves a scammer pretending to call from a bank’s fraud department to trick you into disclosing your confidential banking information, like PINs and passwords.

The scammer can also pretend to be from your cellular operator and ask for a one-time PIN sent to your mobile device, claiming that it will stop a fraudulent transaction.

In reality, the PIN will allow them to execute a fraudulent transaction.

SARS eFiling phishing email

SARS eFiling phishing email

White said that data leaks like 2017’s “Master Deeds” incident that contain your ID Number, income level, and address are particularly dangerous.

Another issue South Africa must address is how easy it is for malicious actors to get a person’s credit record.

White said a major part of the problem is that the government doesn’t regulate consumer credit bureaus enough.

“I’d just need a name, R200, and a birthdate to do a credit lookup on someone,” White said.

Scams like vishing are exacerbated by detailed personal information leaks like the TransUnion hack, which included ID numbers, employer information, and vehicle financing information.

For example, an attacker used vishing to steal R100,000 from an unsuspecting couple. The attacker convinced the couple to divulge their credentials using detailed personal financial information, suspected to be from a credit bureau leak.

Con-men like these trick their victims into believing they are legitimate employees by using the wealth of private data they have at their disposal.

Rather than forcing South Africans to jump through hoops to try and protect themselves from impersonation attacks after a data leak or breach, White said there should be a more efficient approach.

“We’d probably have the most bang for our buck organising and putting pressure on legislators to not give credit bureaus a free pass in our privacy legislation,” White said.


Now read: Critical security flaws put millions of Android users’ privacy at risk

Show comments

Latest news

More news

Trending news

Sign up to the MyBroadband newsletter