How a Single Username Puts Your Security at Risk
In the theme song for the old television sitcom "Cheers," the Boston bar was the place where "everybody knows your name." To prove it, every time the character Norm walked into the establishment, everyone inside shouted out, "Norm!"
But the Internet isn't "Cheers." On the Internet, it's not always advisable to let everyone know your real name.
Instead, many Internet users create usernames that incorporate details unique to themselves, even if those details are only initials followed by a three-digit number.
While it may not be a person's official legal name, a username makes an individual user recognizable within online communities. A username can be just as much a part of a person's identity as the name on his or her birth certificate.
For those reasons, many individuals have only one online username, which they use all the time across multiple platforms and websites.
Yet using a single username is asking for lots of trouble.
"Having the same username everywhere will negatively impact the limited amount of anonymity there is on the Net," said Roel Schouwenberg, principal security researcher with anti-virus software maker Kaspersky Lab. "It will open people up to more directed attacks."
The exposure of a person's username may not sound very risky, but it can trigger a cascade of security failures, each of which opens the door to account hijacking, identity theft or financial damage.
How Snapchat provided a snapshot of online security risks
The user database of the photo-sharing mobile app Snapchat was breached this past December, and usernames and mobile-phone numbers of 4.6 million Snapchat members — a small fraction of the total number of users — were posted online.
No passwords or email addresses were taken from Snapchat. Nonetheless, security experts advised all Snapchat members — regardless of whether they were on the breach list — to change their usernames, as well as any passwords associated with those usernames on other websites.
That was because malicious hackers and online criminals knew many Snapchat members would have used the same usernames when signing up for other services — and when creating email addresses.
"Using a single unique username across different services makes someone very identifiable," Schouwenberg said.
Under the right circumstances, the compromise of a single username can lead to a domino effect across many platforms in which a malicious hacker, with all of a user's identity in hand, can attack every account that uses that name.
How usernames lead to email addresses
Most Internet users make attacks easy for identity thieves by creating email addresses based on their usernames, which helps criminals make connections between identities and passwords.
John K. Smith, for example, might have used the username jksmith456 for Snapchat. Odds are that John has an email address such as firstname.lastname@example.org or email@example.com, and that he used one of those to set up his Facebook and LinkedIn accounts.
An online criminal wouldn't know John's password right away from the Snapchat breach. But he would know that many people use obvious passwords, such as "password," "letmein" or "123456." He could use the 100 or 1,000 most common passwords to try to break into John's accounts.
But even if a criminal can't break into any of a user's accounts directly, there are still indirect ways to get in and take over.
Your information, all out in the open
If a username is based on a real name, a criminal can guess the user's real name and then use that to learn as much as possible about the person.
In the case of jksmith456, the criminal could run through common names beginning with "J." He could leverage the cellphone number leaked with the Snapchat username, cross-referencing the area code with potential J.K. Smiths, or even call the cellphone to see if a man or woman picks up.
Cellphone numbers can be almost as identifiable as Social Security numbers, Schouwenberg pointed out.
Most people plan to keep their mobile phone numbers for a long time; unlike a home address or land-line number, a cellphone number often doesn't change with a move across the state or country.
Once a person's username is known, it can be combined with other information to leverage account password-recovery options, said Charles McColgan, chief technology officer at TeleSign, a mobile-identity-protection firm in Marina del Rey, Calif.
A criminal could use social media and public records to figure out when John K. Smith was born, where he grew up, what his parents' names were, and where and when he went to high school.
After that, it would be easy for the criminal to answer many of John's password-recovery questions, such as "What was your mother's maiden name?"
The criminal takes over, and the risks spread
Having seized control of John's email account, the criminal could reset John's email password or, better yet, have copies of all John's email messages secretly forwarded to another email address while John unsuspectingly continues to use the account.
"Cybercriminals often will try accessing other websites and apps using the same information they've obtained to see if they can gain access, steal data, make purchases and much more," McColgan said.
The criminal could systematically hijack every account John had created using the compromised email address. It would be easy to take over those that used the same password. For the rest, password-recovery options could be leveraged.
"Since the attacker is going after a common username, the user's email address is probably already hacked," McColgan said. "Whether it's through a data breach or a targeted attack, any associated accounts using the same username can be compromised by password recovery once the trust anchor is compromised."
Once an account is hijacked, it can be used for fraud. John's friends may get emails saying that John was mugged in London and needs money wired to him immediately. John's Twitter feed may send out links to ads or malware.
John's email contacts, Facebook friends and LinkedIn connections would be at risk of becoming victims of cybercrime themselves as soon as the criminal used John's accounts to learn their names, email addresses, locations, telephone numbers and professions.
"That knowledge — the profile that can be created of a target — can then be used in a directed attack," Schouwenberg said. "This attack could then take place over the phone, or the phone number could be used to give a phishing message more credibility."
How to set up multiple usernames to protect yourself
So how can you maintain a unique Internet identity without risking your personally identifiable information, or that of your friends and acquaintances?
Robert Siciliano, security expert with BestIDTheftCompanys.com, said the first step toward better account security is to create a unique password for each account that shares a username.
John K. Smith may use "jksmith456" as his username for both Amazon and Netflix, for example, but he should make his passwords different for each, for example "sH4zB4t_b00ks!" and "sH4zB4t_m0v13z!"
The next step would be to use different usernames for different types of accounts — one name for gaming platforms, another name for social media sites, and yet another for online forums.
John could create the name "johnks123" for Facebook, Google+ and Twitter and the name "jk_th4_d35tr0y4" for gaming.
The final step would be to create a new email address for each new username, and for the accounts that use that username.
So while John might use "firstname.lastname@example.org" for Netflix and Amazon, he could use "email@example.com" for social media and "firstname.lastname@example.org" for gaming. Each email account would have a different password.
Any account that holds sensitive information, such as a banking or other financial account, should have a unique username and password. Ideally, each should have a unique email address as well.
Whenever possible, set up an account to use two-factor authentication. Each attempt to log in from an unfamiliar computer or device will result in a numerical code being texted to your cellphone.
The code must be used to log in to the account, and if an identity thief doesn't have your phone, he can't get in.
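The steps above amount to a set of checkable rules: a username shared by several accounts must not also share a password, a username should stay within one category of service, each username gets its own email address, and a financial account gets a username and address used nowhere else. The following script is an added example, not code from the article or from anyone quoted in it; it audits a small account inventory against those rules. The inventory, the site names, the email addresses, the category labels and the short common-password list are constructed for illustration (the usernames and the two Amazon/Netflix passwords are borrowed from the article's John K. Smith example), and passwords are compared by digest so the findings never carry one.

```python
"""Audit a personal account inventory for username, email and password reuse.

Added example (not the article's code). The inventory at the bottom is
constructed for illustration; site names, addresses and most passwords
are invented.
"""
from collections import defaultdict
from dataclasses import dataclass
from hashlib import sha256


@dataclass(frozen=True)
class Account:
    site: str
    category: str   # e.g. social, gaming, forums, shopping, financial
    username: str
    email: str
    password: str


# Categories that should get a username and email used nowhere else.
SENSITIVE_CATEGORIES = {"financial"}

# Passwords the article names as the ones attackers try first (constructed list).
COMMON_PASSWORDS = {"password", "letmein", "123456"}


def fingerprint(secret: str) -> str:
    """Compare passwords by digest so findings never contain a password."""
    return sha256(secret.encode("utf-8")).hexdigest()[:12]


def audit(accounts):
    """Return a sorted list of findings describing reuse across the inventory."""
    findings = []
    by_user = defaultdict(list)
    by_email = defaultdict(list)
    for acc in accounts:
        by_user[acc.username.lower()].append(acc)
        by_email[acc.email.lower()].append(acc)

    # Rule 1: accounts that share a username must not share a password.
    for user, accs in by_user.items():
        sites_by_pw = defaultdict(list)
        for acc in accs:
            sites_by_pw[fingerprint(acc.password)].append(acc.site)
        for sites in sites_by_pw.values():
            if len(sites) > 1:
                findings.append(f"shared username '{user}' reuses one password on: "
                                + ", ".join(sorted(sites)))

    # Rule 2: one username should stay within one category of service.
    for user, accs in by_user.items():
        cats = sorted({acc.category for acc in accs})
        if len(cats) > 1:
            findings.append(f"username '{user}' spans categories: " + ", ".join(cats))

    # Rule 3: each username gets its own email address, so one address
    # should not serve several usernames or several categories.
    for email, accs in by_email.items():
        users = sorted({acc.username.lower() for acc in accs})
        cats = sorted({acc.category for acc in accs})
        if len(users) > 1:
            findings.append(f"email '{email}' serves several usernames: " + ", ".join(users))
        if len(cats) > 1:
            findings.append(f"email '{email}' spans categories: " + ", ".join(cats))

    # Rule 4: sensitive accounts need a username and email used nowhere else.
    for acc in accounts:
        if acc.category not in SENSITIVE_CATEGORIES:
            continue
        same_user = sorted(o.site for o in by_user[acc.username.lower()] if o is not acc)
        same_email = sorted(o.site for o in by_email[acc.email.lower()] if o is not acc)
        if same_user:
            findings.append(f"{acc.category} account '{acc.site}' shares its username with: "
                            + ", ".join(same_user))
        if same_email:
            findings.append(f"{acc.category} account '{acc.site}' shares its email with: "
                            + ", ".join(same_email))

    # Rule 5: nothing on the common-password list.
    for acc in accounts:
        if acc.password.lower() in COMMON_PASSWORDS:
            findings.append(f"account '{acc.site}' uses a common password")

    return sorted(findings)


# Constructed inventory: one username spread across categories, one password
# reused under it, a bank account sharing both name and address, and a
# gaming identity set up the way the article recommends.
SAMPLE_INVENTORY = [
    Account("amazon",   "shopping",  "jksmith456",      "jk-shop@example.org",  "sH4zB4t_b00ks!"),
    Account("netflix",  "shopping",  "jksmith456",      "jk-shop@example.org",  "sH4zB4t_m0v13z!"),
    Account("snapchat", "social",    "jksmith456",      "jk-shop@example.org",  "sH4zB4t_b00ks!"),
    Account("forum",    "forums",    "jksmith456",      "jk-forum@example.org", "letmein"),
    Account("bank",     "financial", "jksmith456",      "jk-shop@example.org",  "c0rrect-horse-battery"),
    Account("steam",    "gaming",    "jk_th4_d35tr0y4", "jk-games@example.org", "Xq9!vm2#Lr7p"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

Run against the constructed inventory, the audit reports six findings: the password shared between Amazon and Snapchat under the common username, that username and its email address spanning several categories, the bank account sharing both its username and its address with other sites, and the forum account's common password; the gaming account, with its own name and address, produces none. A real inventory would normally come from a password-manager export, which is why the script compares digests rather than printing passwords.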
Keeping track of your credentials
If you take all of these steps, you'll have a lot of email addresses, and even more passwords, to manage. How can you keep track of them all?
"An easy solution is to use a password manager, like LastPass or 1Password, to help manage the unique credentials for each platform," McColgan said. "Depending on how you use them, they still may not solve the common-username issue if your email is breached."
To manage many email addresses, set up the least-used ones to automatically forward new messages to email addresses you use more frequently. You'll get the messages on time, and then can log in to the seldom-used email accounts to send replies.
Why you should take action now
Don't assume that these risks are abstract, or that this will never happen to you. In late 2013 alone, more than 200 million email addresses — many listed with real names, usernames and telephone numbers — were stolen from Adobe Systems and Target Corporation.
"Whenever databases get leaked online, we see activity from malicious actors to acquire these databases and try the credentials against other services," Schouwenberg said.
Being identifiable online more easily exposes a person to malicious actors of all kinds, not just identity thieves, and such a situation can be very hard to fix retroactively.
Once your information is in criminal hands, there's not a whole lot that can be done. The best remedies are prevention and vigilance.