Simple efforts to secure online accounts make a big difference
When it comes to online security preparedness, many adopt the adage “out of sight, out of mind.” The issue might get our attention if we see a news report about a major retailer obligated to disclose a significant breach of accountholder passwords. Or a post from a neighbor about their frustration in recovering stolen reward points earmarked for a vacation.
Then we might be influenced to switch out some numbers on new passwords we create. Otherwise, we tend to shrug it off, wondering what a criminal could possibly accomplish with access to our “Slushee City” account.
The answer is quite a lot, actually. (Feel free to pass these tips along to your customers, clients or members.)
Human behavior is rooted in routine. As such, people tend to use the same password across multiple services. Because cybercrime is a thriving enterprise, criminals continue to develop innovative ways to bypass ever-increasing security measures of organizations while exploiting the patterns of human behavior. According to a recent study from Hive Systems, an eight-character password can be cracked in as little as 12 minutes (that includes those with numbers and special characters).
- Brute force – This traditional hacking method exploits easily guessable passwords. It has evolved from trying basic passwords such as “password” and “1234567” to any word recognized by a common dictionary. As computers become more sophisticated, brute force attacks will become easier for cybercriminals to execute.
- Credential stuffing – Once a password is obtained through a brute force attack, it can be used on other websites. Because the tendency to reuse the same password persists, credential stuffing remains one of the easiest ways for a criminal to gain access to a new account. It often starts with a large-scale breach of passwords that are sold to others who use botnets to automatically enter them into other websites until they are matched to an existing account.
- Drive-by download – This cyberattack is an unauthorized (or unintentionally authorized) download of malicious software onto a mobile device or computer. It happens when a user visits a compromised website or performs an otherwise innocuous action (like clicking on an “x” that is disguised as a close button on a pop-up ad). Once the attack software is installed, a hacker can gain access to a person’s operating system, spy on network activity, or destroy data and render devices inoperable.
- SMS OTP vulnerabilities – Businesses are replacing username/password access to accounts with Short Message Service One Time Password (SMS OTP). While these practices are more secure than traditional methods, they are not without their faults.
- SIM Swap – Hackers are able to fraudulently convince a person’s cellular provider to transfer the contents of the SIM (subscriber identity module) card of a mobile device to one in their possession. This can be done by exploiting a weakness in two-factor authentication and verification procedures.
- Social Engineering – Commonly known as phishing, this scheme involves manipulating someone into divulging confidential information under false pretenses. Often, the deception comes disguised as a verification request from a seemingly legitimate source (recognizable branding and “official” language). An urgent or threatening tone is designed to encourage fast action.