How to recover from common hack attacks

Some nasty stuff has gone down and you find yourself in trouble. Perhaps an online scammer has stolen your credit card information. Perhaps your business has been hacked. Maybe you’re getting huge unexplainable Internet bills.

Here, we take a look at some of the more common issues and your responsibilities and recourses when they happen.

Credit card theft and online banking breaches

It’s by far the most common issue that regular users have to deal with: the theft of credit card and net banking details.

Online stores that have been hacked, scams, spyware and social engineering can result in your credit card or Internet banking information ending up in the hands of a bad guy.

Thankfully, consumers are well protected against credit card issues — in general, you are not liable for anything bought with your credit card without your permission, so long as you report the fraud within a reasonable time frame (75 or 90 days is common).

You do typically have to go through a process to get a chargeback on any fraudulent purchases made on your credit card, and it’s a process that can take some time: up to 120 days or more in some cases.

Typically, you’ll have to produce a signed report on the fraudulent charges — which can be tedious, but banks deal with this commonly enough that the process is relatively streamlined.

Along with the chargeback for the purchase, you should be returned any interest accrued related to the false charges, and you’ll need to keep meeting your monthly payments until the refund is resolved.

Chargebacks can even be sought where it’s somebody you know who has stolen your credit card details, so long as you didn’t authorise their use of the card. There are, however, some cases where your claims might be disputed or denied.

If it’s found that you didn’t take proper care with your credit card details, or did something silly like keep your PIN attached to the credit card, you might be denied a refund.

But in general, most refunds are handled pretty smoothly, and the worst part is having to get a replacement card and updating all your automatic billing and payment services.

Likewise, if your Internet banking account is compromised, as long as you notify the bank that it has been breached and any purchases or transfers were not made by you, you won’t suffer losses. The bank will cover it — assuming, once again, that you took reasonable care with your net banking details.

Excess data usage charges due to virus/hack

It’s not uncommon, especially on mobile networks where your usage is limited and excess data charges can be extreme, to get charged far more than you expected.

In some (most) cases, it’s because you or someone else in your house went nuts. But sometimes, it’s because you’ve been infected with a virus that’s hijacking your Internet connection and sending a lot of data without your knowledge.

In some cases, you might have neighbours hijacking your Wi-Fi — which is known as theft of service, and is a misdemeanour.

Unfortunately, most telcos are rather unsympathetic to such claims, and will generally expect you to pay for the data regardless. The only thing they’re required by law to do is to send you spend management alerts at 50%, 85% and 100% of your usage quota if you’re on a plan that has excess charges.

They do have mechanisms to deal with bill shock, and they will often advise you as best they can about how to properly monitor your bandwidth usage and perhaps organise a payment plan, but in general, you’re going to be stuck with the bill.

You don’t have a lot of recourse, unless you can somehow prove that the ISP’s usage monitor is incorrect — which isn’t likely.

Your best defense is being proactive: monitor your usage, make sure you’re on plans that don’t have unlimited charges, take heed of usage warnings and be careful about protecting yourself against malware.

Monitoring net usage

If you think you may have been hacked or have a virus sucking up your bandwidth, one thing you should do is monitor your net usage.

There are a number of apps that can help with this: we currently like NetWorx, which provides diagnostics on what is using your PC’s Internet connection and how it’s being used, and can cut it off when it reaches a certain threshold.

Local PC monitors like NetWorx can’t help you with service theft, however; for that, you need a monitor at your router to see all the data going in and out, rather than just one device.

Some routers do have such monitors, as well as SNMP (Simple Network Management Protocol) support, but many consumer ones don’t.

You can get a router that supports it, or you can upgrade your router with an open source firmware like DD-WRT and use an SNMP tool to manage it — but that’s really not for the faint of heart.
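
As an added illustration (not part of the original article), the sketch below shows what router-level monitoring adds over a per-PC monitor: it totals traffic from successive readings of the router's SNMP interface counters, checks the total against the 50%, 85% and 100% alert points, and reports traffic that no monitored device accounts for. The readings, quota, device names and function names are all constructed for the example; it assumes the counter values have already been collected with an SNMP tool.

```python
# Added example. Readings are constructed, not real router output.
COUNTER32_MOD = 2 ** 32            # IF-MIB ifInOctets/ifOutOctets are 32-bit counters
ALERT_LEVELS = (0.50, 0.85, 1.00)  # the alert points named in the article


def counter_delta(prev, curr, modulus=COUNTER32_MOD):
    """Bytes between two readings, allowing for one counter wrap.

    Limitation: more than one wrap between polls, or a router reboot
    (counters reset to zero), gives a wrong figure, so poll often.
    """
    return (curr - prev) % modulus


def total_bytes(samples):
    """Sum traffic over successive (in_octets, out_octets) readings."""
    total = 0
    for (p_in, p_out), (c_in, c_out) in zip(samples, samples[1:]):
        total += counter_delta(p_in, c_in) + counter_delta(p_out, c_out)
    return total


def alerts_crossed(used, quota):
    """Return the alert levels that usage has already reached."""
    return [level for level in ALERT_LEVELS if used >= level * quota]


def unaccounted(router_bytes, device_bytes, tolerance=0.05):
    """Traffic the router carried that no monitored device reported."""
    gap = router_bytes - sum(device_bytes.values())
    return gap if gap > tolerance * router_bytes else 0


# Constructed WAN-interface readings; the inbound counter wraps before the third.
SAMPLES = [(4_000_000_000, 100_000_000),
           (4_200_000_000, 150_000_000),
           (105_032_704, 200_000_000)]
# Constructed per-device totals, as a local monitor on each machine might report.
DEVICES = {"desktop": 300_000_000, "phone": 50_000_000}

if __name__ == "__main__":
    used = total_bytes(SAMPLES)
    print("router total:", used)
    print("alerts reached:", alerts_crossed(used, quota=550_000_000))
    print("unaccounted bytes:", unaccounted(used, DEVICES))
```

A non-zero unaccounted figure means some device you are not monitoring is using the connection, which is the case a local monitor alone cannot reveal.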

Stolen customer or user data

From the other side of the equation, if you run a business that stores customer data, you can be liable for the theft of that data and any damage that results.

Legally, this is an area in flux, and is managed largely by the Office of the Australian Information Commissioner (OAIC).

The Privacy Act requires that companies take “reasonable steps” to protect the information they have from misuse, and a 2014 amendment added strong notification requirements; if your company suffers a data breach, you are required (at your own cost) to notify the OAIC and all affected parties.

You may even be required to take out ads in newspapers and publish breach details on your website.

Of course, the cost of notifications can be dwarfed by civil liabilities that can occur if the stolen data is used for identity theft or other criminal acts.

A major credit card information theft can cost a company millions in compensation, which is why cyber insurance is becoming a lot more common.

Cyber insurance protects a company against legal costs and expenses associated with a data breach, and many of the major insurers now offer it as an option for businesses big and small.

Recovering your identity

If you’re the victim of identity theft, there are two services you can contact to help you scrub any black marks off your name.

The first is the Attorney General’s office, which can issue a Commonwealth Victims’ Certificate that you can use to re-establish your credentials with government agencies.

You can also contact IDCARE, a group dedicated to helping victims of identity theft get their credentials and credit ratings back in order.

Item not received

So you ordered something online and it never arrived, or what did arrive was completely different from what you ordered. What’s your recourse?

Online credit-card purchases are actually covered by the same zero-liability chargeback system that covers credit card theft.

If you don’t receive goods you have paid for, then you should first try to get a refund from the seller. If that fails, then you should notify your credit card issuer and provide a report.

As long as you notify the issuer within 75 days, Amex, Visa and Mastercard will all reverse the charges if they determine you’re telling the truth.

If the vendor disputes your claim, then it may take some time to resolve — but if you’re telling the truth, you should get your money back. This applies even if the company you paid for the product has gone out of business.

PayPal offers a similar system to the credit cards, called Buyer Protection, and claims can be lodged on the PayPal site. It covers charges up to $20,000 and you have 180 days to file a dispute claim.

PayPal purchases that draw from a credit card account can also be resolved using the credit card chargeback system.

EFTPOS, post, Internet banking and BPAY transfers are a different matter — these are immediate transfers made by the bank rather than a credit card issuer.

Generally, you should avoid making EFTPOS or BPAY transfers to untrusted online sellers — your bank may offer chargebacks the same way they do credit cards, but there’s no guarantee.

You should at least read the fine print on the service’s conditions of use.