12

What's the worst that can happen, the hackers will pay my bills for me?

Assume that this isn't a malicious hacker out to disconnect my electricity. What kind of concerns are there for my finances, property, and personal data?

Xander
Bigbio2002
  • As per @WhereAreYouSyntax's answer, think of your account as a Facebook account. Except you can't lie about or otherwise hide any personal info. Most hackers out there will tell you that a successful attack starts with information gathering, and making all of that information easily available is like **begging** to be attacked. – KnightOfNi Nov 06 '14 at 23:37
  • (4) One of the things the Georgia DMV wants as "proof of residence" for the address on one's driver's license is a utility bill. I can get PDFs of my bills from my utility accounts. Changing the name on a PDF is trivial, and effectively undetectable on a printed copy. – Bob Brown Nov 07 '14 at 03:35
  • (4) Misery starts with **Identity Theft** and can linger for years afterwards with all sorts of results from basic embarrassment to hellish background checks that deny quality of life. Enabling identity theft is as simple as using garbage universal passwords. – Fiasco Labs Nov 07 '14 at 04:50
  • Aside from what everybody else already said, **why** would you assume `this isn't a malicious hacker out to disconnect my electricity`? That's some great pranks right there! – AviD Nov 09 '14 at 11:06

5 Answers

23

The most significant potential risk that I see is that profile information on these sorts of sites could potentially be quite useful for pivoting into identity theft. If there is stored financial information visible (like the last four digits of your credit card number, for instance) this has been shown to be useful in helping attackers own additional accounts you have elsewhere that they want, but don't have credentials for.

Beyond that, it's hard to say what someone might do, but the risk is probably low, and you'll have to gauge for yourself whether it's acceptable or not.

Xander
17

"assume that this isn't a malicious hacker"

right...

If you are okay with your name, account number, home address and account details being sold or used as part of a social engineering attack on you, then there is no more need to protect it than your Facebook account.

However, most people think this is enough of a reason to not set their password to "password".

6

To expand further on these answers, only you can say if it's "worth it." The heart of this question has to do with risk analysis. Best practice would typically state that for any account like this you should have a randomly generated password stored in a password manager. Typically most find the amount of work necessary to do this is much smaller in relation to the risk that they incur by using a weak password. The important thing of course is if you do use a weak password, do not reuse it with the same username or email combination somewhere else.

Consider, as others have mentioned, that information which could potentially put you at risk of damage could be in there. Things such as your mailing address, last four of your social security number, your last four of your credit card, and possibly bank information could all be in there. Remember also that some sites do a less than stellar job masking data; your entire social security number or credit card could potentially be accessible somewhere within your profile on the site.

theterribletrivium
3

They would get access to any information contained on your account there, including:

  1. home address
  2. e-mail address
  3. bank or credit card information (hopefully not the entire thing, right?)
  4. statements (which would probably allow them to impersonate you on the phone with said company)

In addition to the information, they may be able to over-pay and trigger a refund, which they may then be able to re-direct to a different (Swiss/untraceable) bank account.

As for what more they could do with the information... I think the other answers here cover that sufficiently.

Also, many people may not be malicious hackers, but quite a few may want to take advantage if and when an opportunity presents itself. How many Facebook accounts get posts from a person who forgot to log off of a computer that isn't theirs? Are those people who take advantage of an opportunity hackers? No, but they can do damage given the information regardless.

user2813274
1

Besides the data typically useful for identity theft and social engineering scams, note that the bills will often contain data on how much of which you used, which helps analyze your lifestyle.

Just one example. Suppose you have an electricity company billing differently for different times of the day and it's obvious from the bills that you spend very little electricity during usual working hours - great, it means that there's likely no one home at that time. Not something very useful alone, but it can be used as an additional data point.

Everything about how, what and when you consume (and pay for) can be used to analyze your lifestyle both for good and evil purposes.

sharptooth