In December 2015, V-Tech acknowledged that data thieves had compromised 11.2 million accounts from its learning software app store, Learning Lodge. More than half the accounts belonged to kids. That same month a security researcher alerted Sanrio Digital, owner of Hello Kitty, that its 3.3 million Hello Kitty fan site accounts had been vulnerable for almost a month, although the company says no data was stolen. This September, a hacker contacted Ars Technica and hacker-detection site Have I Been Pwned? with the stolen credentials of 2.2 million accounts from i-Dressup, a fashion-oriented online social hangout, along with a friendly reminder that the other 3.3 million accounts were there for the taking.
Major hacks that target credit card numbers, passwords, or other personal info of adults are so commonplace now that people know the routine. Change your password. Get a new credit card. But when hackers go after the accounts of kids, it gives one pause. What would hackers want with a 10-year-old’s Hello Kitty account?
“Any account is worth something, and as they age they can be worth more.” So says Ori Eisen, CEO of Trusona Cybersecurity, as we rattle off a list of recent cyber attacks on children. “While most consumers are concerned about getting their credit card data stolen, what’s far more dangerous is hackers reaching into your social media to gather more personal and less easily changed information—photos, addresses, etc.”
Who has personal information floating around mostly unguarded? Children. Their games, electronic toys, and social media accounts are especially vulnerable, and kids are careless with their personal details. “Teens are a prime target simply because as soon as they have an email address of their own, they tend to be very lax with where they use it,” says Eisen, who prior to founding Trusona was director of fraud prevention at both American Express and VeriSign.
From a malicious hacker’s point of view, the problem is that there’s not much immediate use for a kid’s information. You can’t take out a loan with it, you can’t open a credit card with it, you can’t break open a bank account. As a result, attackers have started taking the long view. If they steal information when it’s easy—when victims are seven, ten, fifteen years old—they can sit on that personal data until the victim is 18, when those social security numbers, birth dates, past addresses, email addresses, legal names, and photographs shoot up in value. “As they near college age and start working,” says Eisen, “the personal identifiable information matures to a point of being useful as the credit bureaus begin to establish a credit file on that particular person.”
The other advantage to sitting on hacked data is that people eventually let their guard down. Most of the time, Eisen says, the info isn’t sold immediately because, if a breach is made public, the hacked company is expected to double down on monitoring for the stolen data to surface. Once that period passes, the attacker has more leeway to sell the data.
“The specific marketplaces on the Dark Web (part of the internet hidden from common search engines like Google) are always in flux, given that authorities are constantly on the lookout and shut them down whenever possible,” Eisen says. “However, since the start of the Tor browser and the advent of the Silk Road, the Dark Web has been like a Medusa character. Whenever one marketplace falls, it is replaced by others.”
It’s usually word of mouth or a specialized Dark Web search engine that finds them. Listings for stolen personal information look like Craigslist posts. According to Eisen, most note where the data comes from, and many mention how the information’s value will increase in the coming years. “Data stolen from children’s programs is absolutely infiltrating the many marketplaces that sell personal data of all kinds,” Eisen says.
However, data isn’t always sold. Sometimes the easiest or most lucrative route is to ransom it back to the company it was stolen from, as companies will pay to keep news of the hacks out of the headlines. Kids’ programs are especially vulnerable, according to Eisen, because they make the log-in process easy for children without regard for making it more secure. “The key reason online security is so weak is that nearly every company trusts user name/password combinations to protect user information,” he says, “despite seeing breach after breach releasing static passwords that fraudsters can use many times over.”
How can we do better? The password rules for kids are the same as they are for adults. Using the same username and password over and over again lets a hacker run amok with any account sharing that password. It’s like handing over a master key. But maintaining a set of unique, complicated passwords is a chore even most adults won’t deal with.
The more secure alternative is dynamic log-in authentication, which syncs the user’s device with the website. The website’s log-in process randomly generates a sequence of bytes every few moments and sends it over as a “question,” and the device, which had previously been given the formula to figure it out, sends back the correct “answer.” Because they’re both in sync, the correct answers are always in time with the questions. Log-in credentials are used once and immediately become stale, unlike a user name/password. It’s more complicated to design, but Eisen says it’s overdue to become the new standard.
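The question-and-answer exchange described above, sketched as an added example (not code from the article or from any vendor it mentions). It assumes the "formula" is an HMAC-SHA256 over the server's random bytes with a key given to the device at enrolment; the class, function and user names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a "question" stays valid (assumed value)

def device_answer(shared_key, challenge):
    """The device's 'formula': a keyed MAC over the server's random bytes."""
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()

class LoginServer:
    def __init__(self):
        self.device_keys = {}  # user -> key provisioned at enrolment
        self.pending = {}      # user -> (challenge, expiry time)

    def enroll(self, user):
        key = secrets.token_bytes(32)
        self.device_keys[user] = key
        return key  # handed to the device once, over a trusted channel

    def issue_challenge(self, user, now=None):
        now = time.time() if now is None else now
        challenge = secrets.token_bytes(16)  # the random "question"
        self.pending[user] = (challenge, now + CHALLENGE_TTL)
        return challenge

    def verify(self, user, answer, now=None):
        now = time.time() if now is None else now
        # pop() makes each challenge single-use, even when the answer is wrong
        challenge, expires = self.pending.pop(user, (None, 0.0))
        key = self.device_keys.get(user)
        if challenge is None or key is None or now > expires:
            return False
        return hmac.compare_digest(device_answer(key, challenge), answer)

def demo():
    server = LoginServer()
    key = server.enroll("kid42")  # constructed sample user
    a1 = device_answer(key, server.issue_challenge("kid42", now=1000.0))
    results = {"fresh": server.verify("kid42", a1, now=1005.0)}
    # A captured answer is useless: its challenge has already been consumed
    results["replayed"] = server.verify("kid42", a1, now=1006.0)
    server.issue_challenge("kid42", now=2000.0)
    # ...and it does not match any later challenge either
    results["stale_answer"] = server.verify("kid42", a1, now=2001.0)
    c3 = server.issue_challenge("kid42", now=3000.0)
    late = 3000.0 + CHALLENGE_TTL + 1
    results["expired"] = server.verify("kid42", device_answer(key, c3), now=late)
    return results
```

Unlike a breached password database, a log of past answers gives an attacker nothing to reuse; the secret that matters is the per-device key, which never crosses the wire during log-in.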
“The sheer number and magnitude of password breaches have caused a shift in mindset,” he says. “The ‘No Passwords’ revolution has begun.”