Beware of KRACK
KRACK Attack? Is that the name of a new video game, dance craze, or rock band? Unfortunately, it's none of those things – it's the acronym for a new path identity thieves have to steal your personal information.
KRACK stands for Key Reinstallation AttaCK. It's a recently discovered systemic vulnerability in wireless devices that could potentially be exploited by criminals. At least this time the vulnerability was discovered preemptively, before thieves could take advantage of it on a larger scale. Device manufacturers are rushing to create patches, but not all are available yet for installation – and some wireless accessible devices may never have a patch.
While this doesn't represent a large-scale immediate threat to your identity and finances, the KRACK vulnerability should be dealt with quickly to the extent that you can. We suggest using the occasion as an opportunity to review your overall data security practices.
Be Sure to Patch Every KRACK
So what, exactly, is KRACK vulnerability? Simply put, it's a method thieves can use to attack the WPA2 security protocol used by most Wi-Fi devices to encrypt messages. (You probably selected WPA2 as an option when you set up your wireless router and haven't thought about it since then.)
Essentially, this security flaw allows criminals to access your unencrypted files in transit without having to go through a password. They can either steal personal information included in those files, or inject malware or ransomware into them.
To exploit this vulnerability, the hacker's device needs to be within physical range of the Wi-Fi network – thus the risk within your home network is generally not as great as that of public Wi-Fi sources and hotspots. If you needed another reason to be very careful of using unsecured Wi-Fi sources away from home, you now have one.
While the KRACK vulnerability is not an identity threat on the epic scale of the Equifax or Yahoo hacks, it exposes just how vulnerable we are to new styles of data breaches. Instead of affecting a particular vendor or data collection method, KRACK affects a security aspect of most wireless devices. Therefore, it requires installing patches on every wireless device that you have – routers, laptops, smartphones, televisions, and even watches and appliances.
Start with your router, since it serves as the hub for all the wireless traffic in your home. Next, move backward one step to all computers and mobile devices (including your phone), since these devices are where you are likely to store and transmit personal information that thieves will find useful.
Finally, address the other devices in your home that connect to the Internet via your wireless system – such as Smart TVs and smartwatches, gaming stations, lifestyle assistants such as Amazon Echo, appliances, and wireless security systems. Items with video output should move up the priority list for obvious reasons.
Any device that stores or provides access to identifying information, especially your Social Security Number, should be patched as soon as the patch is available. Check with the maker of each device or corresponding software for details on how to obtain the needed patch.
For any device that hasn't been patched, your best defense is to avoid using Wi-Fi whenever possible. With sufficient data packages, you can disable Wi-Fi and use your cellular network instead. If you must use Wi-Fi on unpatched devices, try to use only secure websites (sites containing "https" in the address) – generally good advice even if your devices have been properly patched.
Time for a Security Check-Up
As it is currently, the KRACK vulnerability is limited. However, it opens a new method of attack for hackers to create more destructive hacks in the future. This latest peril — combined with the recent Equifax data breach — shows why an overall review of your security protocols is both wise and timely.
So ask yourself: Have you kept up your anti-virus programs and installed all security updates? How long has it been since you changed your passwords? Do you use the same password for everything (and is it "1234" or your dog's name)? Do you check your bank account, credit card statements, and credit reports regularly? Do you shred all unwanted documents that contain personal information? With today's busy lifestyles, it's easy to slip into bad habits, or skip good ones.
If it helps, make a schedule for all the things you need to do to keep your accounts secure – and add installing KRACK security patches in all your devices to this month's schedule.
Patching the KRACK vulnerability is just one more item for your personal data security "to do" list. However, if you use simple passwords and never change them, never update your anti-virus software, never check your credit card accounts, and transmit personal information on unsecure Wi-Fi systems, the KRACK attack is probably low on this list. Are you keeping your identity and personal information as secure as you should?
If you are careless with your personal information, and never check your accounts or your credit report, you can't expect credit freezes and an identity theft protection service to protect you fully – they merely limit the scale of damage.
Whether or not you employ an outside identity monitoring service, make sure to protect yourself against a KRACK attack in two simple ways: check with your device and software makers for free patches; and install them at the earliest opportunity. And don't forget to review your overall security plan, taking care of the basics first.
If you would like to prevent identity theft, check out our credit monitoring service.
Photo ©iStockphoto.com/Ali Kerem Yücel