Have you been pwned?

Back in the day, I used to play a computer game called Counter-Strike.

I was never great at it, but the people that are can make a lot of money.

This year alone there are eight Counter-Strike tournaments with prize pools over $500,000, the biggest of which has a $1.5 million prize pool.

Like I said, I wasn’t great at it, but I played enough to become familiar with the culture.

In competitive computer gaming, or esports (electronic sports) as it’s now called, people tend to talk in modified language.

If you’re good, you’re 1337. Can you work out what that means? It’s actually pronounced leet. And it means elite.

If you get beaten badly, you’ve been pwned. This comes from the word “owned”. And is usually pronounced with an o instead of a p.

Pwned started out as a typo, given how close the letters p and o are on the keyboard, and then became its own thing.

Pwned is probably the biggest word to make the crossover from esports to other internet cultures. And it’s become synonymous with getting hacked.

If you’ve been hacked, you’ve literally been owned by the hacker.

How I got pwned

The reason I’m bringing it up is because I was pwned two weekends ago.

That Sunday one of my login combinations was posted in a data dump on pastebin.com, along with thousands of others. And within 24 hours I had fraudulent charges on my Zipcar account.

Here’s how it happened.

I have a Monzo card that I use for most of my spending, and you get instant notifications on your phone whenever money comes in or out.

And over the course of Monday afternoon I had numerous £5 deposits and refunds from Zipcar and then £9 that didn’t get refunded instantly, as you can see below.

Shortly after that £9 charge, I got a notification on my Zipcar app to say I’d successfully hired a car in Vauxhall.

I tried to log into my Zipcar app and it said my account had been locked due to numerous incorrect login attempts.

I rang up Zipcar and it confirmed it was looking into my account and would refund me the money that had come out.

After a day, Zipcar emailed to say it had investigated and confirmed I was not at fault and that I could now reset my password and use my account as normal.

Given my interest in tech and cybersecurity, its explanation didn’t really satisfy me and I asked if it could provide more information.

I asked if it was possible my Zipcar card had been skimmed.

That weekend was the first time I’d ever used Zipcar and it seemed like too big a coincidence that the next day my account was hacked.

When you join Zipcar it sends you a card with an RFID chip in it, like an Oyster card, and you use this to unlock the car.

It would be very easy for a hacker to put a card skimmer in the car and clone users’ Zipcar cards.

But then you still wouldn’t be able to use the card without making a reservation using the original user’s account. So card skimming alone would not work.

Zipcar came back to say that my card hadn’t been skimmed. My login details had been posted online in a “paste” along with 1,014 others.

A paste is basically a copy and paste of a database or other information store that is posted online. Usually on to pastebin.com. People use them for all sorts of leaks.

These weren’t my Zipcar login details, they were likely from when Ticketmaster was hacked. But as I used the same password for both sites, the hackers could use the information to get into my Zipcar account.

Zipcar even told me the website its fraud team had used to investigate my account.

When I checked the website, it showed that my email address was linked to a number of data breaches. And, most importantly, a “paste” on Sunday afternoon.

It didn’t explain why the hackers locked out my account by trying too many wrong password combinations, if they had my password, but it did explain enough.

The name of the website it used, and many other companies now use, to investigate login breaches is: Have I Been Pwned? (haveibeenpwned.com).

Now do you see why I was talking about where the term “being pwned” comes from earlier?

I had never actually come across this site before Zipcar told me about it, but after looking into it, it seems legit. It’s partnering with 1Password and is being integrated into Firefox.

If you’re reading this now, I’d encourage you to use it to check your own email address on the site and see if you’ve been pwned. If you have, don’t use the password associated with the hacked account again.

I had almost the same thing happen to me with eBay a few months ago. A false listing for a Remington hair trimmer appeared in my seller account. eBay cancelled the listing, returned the listing fees and told me to change my password.

What’s the solution?

As I’ve said before, you can be as careful as you like with your own data, but if the companies you’re dealing with aren’t, you can get hacked all the same.

One good way to stop these mass data breaches from happening in the first place is to stop using centralised databases.

This is one of the many use cases for crypto. It’s not all about cryptocurrency. It’s also about creating new, better systems.

Using a decentralised database would mean that when a server is hacked, the hacker still won’t get access to individual user records. There will be no central record to hack.

With a new large-scale hack happening every few weeks, the decentralisation of databases is something that needs to happen, and soon.

Coin Telegraph has a good concise explanation of how decentralised databases work here. Have a read if you want to know more.

The results of our cybersecurity survey

A few weeks ago I asked you to take part in a quick survey on cybercrime. So, given the subject of today’s essay, I thought this would be a good time to reveal the results.

279 people participated in the survey, and here is what we found.

Have you been a victim of cybercrime?

Yes: 46%

No: 53%

Have you taken steps to protect yourself from fraud and ID theft?

Yes: 81%

No: 19%

Do you see cybercrime getting better or worse over the next ten years?

Better: 4%

Worse: 96%

The fact that almost half of the people who took part had been victims of cybercrime is pretty telling.

And it’s easy to see why 96% of you believe this will be a growing problem over the next ten years.

So, aside from decentralising our databases with crypto technology, what can be done?

That’s the question some of my colleagues at Southbank Investment Research have been thinking about a lot recently.

They have started a new project related to cybersecurity. How to tackle it and how to make money from the companies leading the charge.

It’s fair to say these companies will be in massive demand in the coming months and years.

I can’t say much more about it yet. But I’ll let you know more about it as it all comes together.

Until next time,

Harry Hamburg
Editor, Exponential Investor



© 2019 Southbank Investment Research Ltd. Registered in England and Wales No 9539630. VAT No GB629 7287 94.
Registered Office: 2nd Floor, Crowne House, 56-58 Southwark Street, London, SE1 1UN.
