Why everyone’s accounts are so easy to hack

When it comes to cybersecurity, the number of breaches happening daily is almost impossible to count. In fact, just this past week the public was made aware of several major breaches, including the Government of Canada and Amazon’s Alexa—two terrifying examples of how no one is safe. And the way they were compromised was easier than one might think.

Cyberattacks are often complex, representing a confluence of information gathered at different times from countless sources, brought together once all of the so-called blanks have finally been filled in for the cybercriminals to exploit. Social media sites, for example, have been hacked in the past, exposing personal records such as usernames and passwords. The same has happened to hundreds of other online services, with all of that data ending up on the Dark Web. In fact, earlier this year, billions of login credentials—9,050,064,764, to be exact—belonging to over 750 million users were found, aggregated from an assortment of breaches. This gold mine of data is being used by criminals in various ways to gain access to all manner of accounts. “Credential stuffing,” for example, is when hackers take credentials from a breached account and try them against a different service, such as entering stolen Yahoo credentials into Disney+. Whenever account holders reuse their credentials, this method of attack works.

Now, pair all of that information—usernames, passwords and more—with everything else that we, as a global society, share every day through social media, forums, and so on. Think about the picture that information paints. Now, back to the Government of Canada example, the CRA breach. If I were a cybercriminal looking to access records within the CRA, what information would I need? First, I would potentially use AI to sift through all of the information about you that is available from every site that has failed to adequately protect your records, looking for commonalities such as repeated passwords, usernames, and so on. Chances are, if you have used the same username and password more than twice, you have used them a lot.

Next, to find additional data, such as your banking or financial details, I would comb through your Alexa account information, which is undoubtedly available on the Dark Web due to the exploitation of some simple Internet of Things (IoT) software. This would give me your banking information, credit card numbers and, again, your username and password.

So now that I have that information, the final step would be to pass the “security questions” test that so many organizations use to verify identity. But these common questions are often laughable at best, especially given how much information we all share online all the time.

Let me ask you this. If I were to comb through your Facebook history, could I find out your date of birth? How about your pet’s name? Or what brand of car you drive? Would it be really difficult to find out what city you were born in? Your postal code? What your maiden name is? Every one of these answers can be found in minutes—from simple searches through profile information, to the most basic of genealogy sites and public searches. In 20 minutes, criminals could very likely find out everything they need to answer standard questions.

To prove that point, I tried it with a few friends. The outcome? Between LinkedIn and Facebook alone, the longest it took me to find their published date of birth, pet’s name, car brand, birthplace, postal code and maiden name was six minutes—less than the time it takes me to make a pot of coffee. And, to be clear, this goes far beyond personal data. That same data can also be used to infiltrate a work environment—raising the proverbial stakes to an entirely new level.

What’s the solution? Firstly, everyone needs to start re-evaluating what they share with the world. Is social media a fun way to stay connected? Absolutely. But, is sharing every detail of your life worth the consequences of what could (and most likely will) happen? Set your account to private, and unpublish your date of birth, birthplace and all the rest—you’ll sleep better at night knowing that you did.

The next step is to always use different passwords and usernames, and make sure they are impossible to guess. One of the best examples I’ve heard of late on how to do this came from a good friend of mine. His solution is to choose specific names and phrases as passwords, but then he translates them to Scottish Gaelic. In any case, create a unique username and password combination for each site, and remember to change your passwords regularly.

Technology also comes into play. Things like multi-factor authentication can go a long way toward keeping others out of your accounts, and the prompts it generates give you real-time notice when something weird or out-of-place happens.

In all, cybersecurity is just a part of life. A username and password paired with security questions such as your mother’s maiden name, your date of birth, postal code or the city where you were born offers little to no defence in an age when the majority of that data is public knowledge.

Something simple we’ve done for some organizations is to run a basic credential scan or assessment. This can quantify the exposure that organizations may face when their employees reuse their work credentials in their social accounts.
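One privacy-preserving way to run the kind of credential exposure check described above, as an added example (not Bluink’s tooling or the author’s code): each password is hashed locally and only the first five hex characters of the SHA-1 are sent to a range service, which returns every known suffix in that bucket, so the full hash never leaves the client. The breach corpus, the breach counts and the sample credentials below are all constructed stand-ins for a real service such as a Pwned-Passwords-style API; the check is meant to run at password-set time, when the plaintext is momentarily available, never against stored passwords.

```python
from __future__ import annotations
import hashlib

# Constructed corpus standing in for a breach-derived password set.
# Keys are upper-case hex SHA-1 digests, values are constructed breach counts;
# a real corpus holds hundreds of millions of entries.
_CONSTRUCTED_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper(): count
    for p, count in [("password", 3861493), ("Winter2020!", 1207), ("letmein", 95214)]
}


def range_query(prefix: str) -> dict[str, int]:
    """Server side of a k-anonymity lookup: given the first 5 hex characters
    of a SHA-1, return every known 35-character suffix in that bucket with its
    breach count. The server never sees the full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return {h[5:]: c for h, c in _CONSTRUCTED_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the 5-char prefix, and match the
    remaining suffix locally. Returns 0 when the password is not in the corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)


def assess(credentials: dict[str, str]) -> list[str]:
    """Return the usernames whose password appears in the breach corpus,
    in the order the credentials were supplied."""
    return [user for user, pw in credentials.items() if breach_count(pw) > 0]


def reuse_groups(credentials: dict[str, str]) -> list[list[str]]:
    """Group accounts that share an identical password, comparing hashes only,
    so that reuse across accounts is visible without keeping plaintext around."""
    by_hash: dict[str, list[str]] = {}
    for user, pw in credentials.items():
        by_hash.setdefault(hashlib.sha1(pw.encode()).hexdigest(), []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample: two employees, one of whom reuses a breached password.
    sample = {"alice": "Winter2020!", "bob": "uniqueAndLong-9x7!q", "carol": "Winter2020!"}
    print("exposed:", assess(sample))          # exposed: ['alice', 'carol']
    print("reused:", reuse_groups(sample))     # reused: [['alice', 'carol']]
```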

Tonight, before you post anything to your favourite social site, look through your accounts and ask yourself the aforementioned security questions. Then, if your account, your family members’ accounts, or anyone else’s account gives away any of those answers, change the questions to something no one else can answer. Next, turn on two-factor authentication and change all your passwords (if you’re interested, I know a guy who translates English to Gaelic).

Be smart. Be diligent. Be safe.

Steve Borza

President at Bluink Ltd

4 years

Perhaps it's time to change it up with Password-Free login to critical accounts? eID-Me is ready to go today! Giddy Up GOC!

Ian Rapin

Modern Sales Leader | Channel Expert | Start Up Builder | Cloud & Security Executive

4 years

Well-made points, Bill... you can train an entire organization, but it only takes one user’s credentials to be compromised or one user to be socially engineered into bypassing MFA (e.g. the Twitter hack)... that’s why security keys are growing in use and are so critical right now. Protect your users and don’t assume they will know how to protect themselves or your organization.

David Bingham

Senior Software Engineering Manager for SurveyMonkey Analysis at Momentive-AI

4 years

Unfortunately, those easily-defeated security questions appear to be here to stay. The Scots-Gaelic translation idea is interesting. Another suggestion to mitigate the risk that some nefarious actor (or Bill!) will mine the answers from your Internet Footprint is to use some other association for the standard question-answer pairs. Consider the standard question: "What is your mother's maiden name?" You can develop another association for that - for example, assume that any family-relationship question is being asked not of YOU, but some other family member. Better yet - store the answers in a secure password manager app, so you don't need to remember them, and then you can have completely vague answers. No AI analysis of your public info will determine that the answer to your "mother's maiden name" question is "Cumquat!"
