A Helping Hand
The pandemic has given us all more data. Here’s how you can secure it.
Ever since the pandemic began and we’ve all had to cope with the associated lockdowns, bored internet users have been signing up for online services in droves to stay productive, entertained and fed. According to recent research, the average adult now manages passwords for 100 online services, up from around 75 just a year ago.
The problem is that, as a security measure, passwords are broken. They are one of the oldest and most widespread digital mechanisms we have, but they’re no longer sufficient to protect our personal data. The characteristics of a good password (long, unique, with a variety of character types) make it almost impossible for humans to keep track of them all in our heads, so most users choose passwords that are easy to remember and therefore easy to crack.
Meanwhile, as computing power has increased exponentially, it has become trivial for hackers to not only crack a huge proportion of passwords, but to acquire massive password databases in order to conduct a wide range of attacks against individuals and organisations.
Hackers stay hacking
These attacks are aimed directly at end users and often rely on a lack of education or awareness on the part of the target, but they range from the simple to the incredibly sophisticated.
Phishing is a technique where attackers attempt to trick victims into handing over credentials and/or personal details via fraudulent messages, commonly delivered by email, SMS, online or over the phone.
Unlike phishing, which generally relies on messages sent en masse in the expectation that some small proportion of the recipients will fall for the fraud, spear-phishing relies on messages that are specifically crafted for the recipient using information about them captured in advance. This makes spear-phishing attacks harder to detect and avoid.
These attacks require an attacker eavesdropping on the communications between a victim and the server they’re connecting to (hence “man in the middle”) and capturing sensitive data as it’s being transmitted. One common example is malicious public wi-fi networks that collect the traffic from any victims connected to them.
This form of malware captures the input from a computer keyboard and sends it all to a remote server for processing by the attacker. Of course, any passwords typed by the victim will be captured and can then be used for malicious purposes.
The proliferation of connected services means that there are now more targets for hackers to attack where they can harvest millions of credentials at once if the service doesn’t implement security best practices. Over the course of 2020, 1120 breaches were reported that compromised — wait for it — 20 BILLION records. End users have no visibility or control over these attacks but are still often the ultimate victims.
These attacks involve automated login attempts with pairs of credentials: an attacker writes a script that cycles through millions of previously harvested username/password pairs in the hope of finding a re-used password that grants elevated access to a server or network.
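Because each guess in such an attack is a separate, valid-looking login request, it is usually spotted from the pattern rather than from any single event: one source address failing against many different usernames in a short window. The following detector is an added example for this article (not code from the original page); the log format and the addresses (from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). One source address
# (203.0.113.5) tries many different usernames in quick succession, the classic
# credential-stuffing signature; 198.51.100.7 is a single user who mistypes
# their own password twice and then succeeds.
SAMPLE_LOG = """\
2021-03-02T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-03-02T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2021-03-02T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2021-03-02T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2021-03-02T10:00:04Z src=203.0.113.5 user=erin result=SUCCESS
2021-03-02T10:00:05Z src=203.0.113.5 user=frank result=FAIL
2021-03-02T10:00:10Z src=198.51.100.7 user=grace result=FAIL
2021-03-02T10:00:25Z src=198.51.100.7 user=grace result=FAIL
2021-03-02T10:00:40Z src=198.51.100.7 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, src, user, result), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"]


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_failures=5, min_distinct_users=4):
    """Flag source addresses whose failed logins inside a sliding time window
    span many distinct usernames. A single user retrying their own password is
    not flagged: the distinct-user threshold separates the two cases."""
    failures = defaultdict(list)  # src -> list of (timestamp, user)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, user, result = parsed
        if result == "FAIL":
            failures[src].append((ts, user))

    flagged = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it fits inside `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            users = {u for _, u in in_window}
            if len(in_window) >= min_failures and len(users) >= min_distinct_users:
                flagged[src] = {"failures": len(in_window), "distinct_users": len(users)}
                break
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {src}: {stats}")
```

Note the lone `SUCCESS` for `erin` in the middle of the flagged burst: once a source is flagged, any account that authenticated from it during the window is the one to reset and review, since that is exactly the re-used password the attacker was looking for.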
These attacks are where hackers gain access to databases by finding and leveraging vulnerabilities in an organisation’s infrastructure through a wide variety of techniques, some of which may involve attacks on users to gain privileged access to key resources.
The weakest link in an organisation’s defences is often the people who work there. Social engineering attacks use social and psychological techniques to extract credentials and other key details from employees.
Sometimes, attackers are gifted with data from organisations who accidentally publish or fail to adequately protect sensitive resources.
Digital self-defence 101
Despite the depressing array of weapons hackers have at their disposal to attack us and the services we use, there are options available to protect ourselves:
Multi-factor authentication (also often referred to as 2-factor authentication or 2FA) is a mechanism that requires the user to provide at least two authenticating factors, typically something you know (your password) and something you have or are (an external account, device, biometric feature, etc). This makes it harder for attackers to gain access to your accounts: even if they manage to acquire your password, they can’t immediately log in without the second factor in their possession.
Most major services offer some form of MFA, either using codes sent via email/SMS or, more securely, using industry-standard protocols for one-time codes generated by mobile and/or desktop apps.
Choosing weak passwords and re-using passwords across multiple services are the most common — and critical — mistakes users make. Businesses are put at even greater risk by this practice, as any employee who reuses a personal password for their work accounts multiplies the risk of compromise for the entire organisation.
[Image: security word cloud of the 100 worst passwords of 2020]
Password managers mitigate this risk by generating strong, unique passwords for every service that you don’t have to remember, as the manager fills in most forms for you. Some managers offer additional features like auditing your passwords to identify weak or duplicated ones, sharing passwords securely and scanning for any online password dumps containing your credentials.
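To make the three manager features concrete (generation, auditing and breach scanning), here is an added example written for this article; it is not code from the original page or from any password manager product. The breached-hash set is constructed from a handful of well-known weak passwords, and the prefix lookup imitates the k-anonymity approach real breach-check services use, where only the first five hex characters of the password’s SHA-1 hash ever leave the device.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a list of breached passwords. Real services publish
# SHA-1 hashes of leaked passwords; here we hash a few obviously weak strings.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
BREACH_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper() for p in COMMON_PASSWORDS}


def generate_password(length=20, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG (`secrets`, never `random`) and
    require at least one character of each class so site complexity rules pass."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random password of `length` over `alphabet`."""
    return length * math.log2(len(alphabet))


def audit_vault(vault, min_length=12):
    """Report weak and reused passwords in a {service: password} mapping, the
    kind of check a manager's audit feature performs over the whole vault."""
    findings = {"weak": [], "reused": []}
    seen = {}
    for service, pw in vault.items():
        if len(pw) < min_length or pw.lower() in COMMON_PASSWORDS:
            findings["weak"].append(service)
        seen.setdefault(pw, []).append(service)
    for services in seen.values():
        if len(services) > 1:
            findings["reused"].append(sorted(services))
    return findings


def breached_by_prefix(password, dump=BREACH_HASHES, prefix_len=5):
    """k-anonymity style lookup: only the first `prefix_len` hex characters of
    the SHA-1 are sent, the 'server' returns every suffix sharing that prefix,
    and the final match is completed locally. True if the password is in the dump."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:prefix_len], digest[prefix_len:]
    # what a breach-check server would return for this prefix query
    candidates = {h[prefix_len:] for h in dump if h.startswith(prefix)}
    return suffix in candidates


if __name__ == "__main__":
    new_pw = generate_password()
    print(f"generated {len(new_pw)} chars, ~{entropy_bits(len(new_pw)):.0f} bits")
    demo_vault = {"email": "password", "bank": "Tr0ub4dor&3xyz!", "shop": "Tr0ub4dor&3xyz!"}
    print("audit:", audit_vault(demo_vault))
    print("'letmein' breached:", breached_by_prefix("letmein"))
```

The audit shows why re-use is the more dangerous of the two mistakes: a strong password shared between `bank` and `shop` is only as safe as the weaker of the two sites that store it, which is exactly what the credential-stuffing scripts described earlier exploit.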
Simply using the internet can leak useful data to attackers about your location and about what you’re sending and receiving online.
A VPN (or Virtual Private Network) protects your internet connection and data by creating an encrypted “tunnel” between your device and the services you access. In addition to location masking and defending against network eavesdropping, VPNs can also enable users to access blocked content.
With service breaches occurring on a daily basis, early warning of leaked credentials allows users to make changes before their accounts can be compromised. The major credit agencies all offer some form of identity monitoring service that scans the internet for leaked details that may expose your identity to criminals.
The Protective Registration service from CIFAS, on the other hand, is intended for people who may have already suffered identity fraud or be at high risk of doing so. This service flags the user in a national database, which then triggers additional checks by member organisations. This may slow down applications slightly but otherwise has no negative impact, and it prevents fraudsters from using stolen identities freely.
These are authentication schemes that rely on some biological feature of the user (fingerprint, iris pattern or facial profile). There are pros and cons to all approaches and their effectiveness can be highly dependent on the implementation of the provider.
These are physical devices that can provide authentication by USB or NFC. They provide a highly secure option for sensitive scenarios but may often be considered as overkill for casual consumers.
The battle against hackers is never-ending and it’s important to note that security is a multi-layered concept; there’s no magic bullet that can protect you against all attacks all the time, but by using some of the available tools and changing our data hygiene habits, we can take important steps to become safer online citizens.