Hackers are gathering personal information from the online accounts of children as young as six or seven years old and sitting on the info until it becomes useful to them, cyber security experts say. Major hacks have targeted toy companies like V-Tech, Ars Technica, and Sanrio Digital (Hello Kitty), compromising millions of accounts. Luckily help is on the way, as companies will soon be using a more secure alternative to protect your child’s online information.
In December 2015, V-Tech acknowledged that data thieves had compromised 11.2 million accounts from its learning software app store, Learning Lodge. More than half the accounts belonged to kids. That same month a security researcher alerted Sanrio Digital, owner of Hello Kitty, that its 3.3 million Hello Kitty fan site accounts had been vulnerable for almost a month, although the company says no data was stolen. This September, a hacker contacted Ars Technica and hacker-detection site Have I Been Pwned? with the stolen credentials of 2.2 million accounts from i-Dressup, a fashion-oriented online social hangout, along with a friendly reminder that the other 3.3 million accounts were there for the taking.
Major hacks that target credit card numbers, passwords, or other personal info of adults are so commonplace now that people know the routine. Change your password. Get a new credit card. But when hackers go after the accounts of kids, it gives one pause. What would hackers want with a 10-year-old’s Hello Kitty account?
“Any account is worth something, and as they age they can be worth more.” So says Ori Eisen, CEO of Trusona Cybersecurity as we rattle off a list of recent cyber attacks on children. “While most consumers are concerned about getting their credit card data stolen, what’s far more dangerous is hackers reaching into your social media to gather more personal and less easily changed information—photos, addresses, etc.”
Children’s games, electronic toys, and social media accounts are especially vulnerable because kids tend to be careless with their personal data.
“Teens are a prime target simply because as soon as they have an email address of their own, they tend to be very lax with where they use it,” says Eisen, who prior to founding Trusona was director of fraud prevention at both American Express and VeriSign.
From a malicious hacker’s point of view, the problem is that there’s not much immediate use for a kid’s information. You can’t take out a loan with it, you can’t open a credit card with it, you can’t break open a bank account. As a result, attackers have started taking the long view. If they steal information when it’s easy—when victims are seven, ten, fifteen years old—they can sit on that personal data until the victim is 18, when those social security numbers, birth dates, past addresses, email addresses, legal names, and photographs shoot up in value. “As they near college age and start working,” says Eisen, “the personal identifiable information matures to a point of being useful as the credit bureaus begin to establish a credit file on that particular person.”
Eisen said that hackers don’t mind sitting on the information because they know eventually, people will let their guard down. There’s an added advantage if they wait. Companies with breaches that are made public usually double down on security and monitoring while they wait for the hacked data to surface. When nothing surfaces in the immediate aftermath, security usually eases up and it’s easier to sell the data.
“The specific marketplaces on the Dark Web (part of the internet hidden from common search engines like Google) are always in flux, given that authorities are constantly on the lookout and shut them down whenever possible,” Eisen says. “However, since the start of the Tor browser and the advent of the Silk Road, the Dark Web has been like a Medusa character. Whenever one marketplace falls, it is replaced by others.”
Next page: The good news is that passwords will soon be a thing of the past…
Eisen says that because they’re so easily compromised, passwords will soon be a thing of the past. Experts have come up with a safer alternative which uses a dynamic log-in authentication to keep online accounts secure.
The website’s log-in process randomly generates a sequence of bytes every few moments and sends it over as a “question,” and the device, which had previously been given the formula to figure it out, sends back the correct “answer.” Because they’re both in sync, the correct answers are always in time with the questions. Log-in credentials are used once and immediately become stale, unlike a user name/password. It’s more complicated to design, but Eisen says it’s overdue to become the new standard.
“The sheer number and magnitude of password breaches have caused a shift in mindset,” he says. “The ‘No Passwords’ revolution has begun.”
The development can’t come soon enough for parents who opt for electronic learning toys for their children.