4 min read | August 26, 2020 | Bill Dunnion
Why Everyone’s Accounts Are So Easy To Hack
When it comes to cybersecurity, the number of breaches happening daily are almost impossible to count. In fact, just this past week the public was made aware of several major breaches, including the Government of Canada and Amazon’s Alexa—two terrifying examples of how no one is safe. And the way they were compromised was easier than one might think.
Cyberattacks are often complex, representing a confluence of information gathered at different times from countless sources, brought together once all of the so-called blanks have finally been filled in for the cybercriminals to exploit. Social media sites, for example, have been hacked in the past, exposing personal records such as usernames and passwords. The same has happened to hundreds of other online services, resulting in all the same data being exposed on the Dark Web. In fact, earlier this year, billions of login credentials—9,050,064,764, to be exact—from over 750 million users were found from an assortment of breaches. This gold mine of data is being used by criminals in various ways to gain access to all manner of accounts. “Credential stuffing,” for example, is when hackers take credentials from a breached account and trying using them in a different account, such as inputting stolen Yahoo information into Disney+. When account holders reuse their credentials, this method of attack works.
Now, pair all of that information—usernames, passwords and more—with everything else that we, as a global society, share every day through social media, forums, and so on. Think about the picture that information paints.
Now, back to the CRA example. If I were a cybercriminal looking to access records within the CRA, what information would I need? First, I would potentially use AI to sift through all of the information about you that is available from every site that has failed to adequately protect your records—calculating commonalities such as repeated passwords, usernames, and so on. Chances are, if you have used the same username and password more than twice, it’s been used a lot.
Next, to find additional data, such as your banking or financial details, I would comb through your Alexa account information, which is undoubtedly available on the Dark Web due to the exploitation of some simple Internet of Things (IoT) software. This would give me your banking information, credit card numbers and, again, your username and password.
So now that I have that information, the last and final step would be to pass the “security questions” test that so many organizations use for security authorization. But these common questions are often laughable at best, especially knowing how much information we all share online all the time.
Let me ask you this. If I were to comb through your Facebook history, could I find out your date of birth? How about your pet’s name? Or what brand of car you drive? Would it be really difficult to find out what city you were born in? Your postal code? What your maiden name is? Every one of these answers can be found in minutes—from simple searches through profile information, to the most basic of genealogy sites and public searches. In 20 minutes, criminals could very likely find out everything they need to answer standard questions.
To prove that point, I tried it with a few friends. The outcome? Between LinkedIn and Facebook alone, the longest it took me to find their published date of birth, pet’s name, car brand, birthplace, postal code and maiden name was six minutes—less than the time it takes me to make a pot of coffee in my coffee maker. And, to be clear, this goes far further than just personal data. That same data can also be used to infiltrate a work environment as well, raising the proverbial stakes to an entirely new level.
What’s the solution? Firstly, everyone needs to start re-evaluating what they share with the world. Is social media a fun way to stay connected? Absolutely. But, is sharing every detail of your life worth the consequences of what could (and most likely will) happen? Set your account to private, and unpublish your date of birth, birthplace and all the rest—you’ll sleep better at night knowing that you did.
The next step is to always use different passwords and usernames, and make sure they are impossible to guess. One of the best examples I’ve heard of late on how to do this came from a good friend of mine. His solution is to choose specific names and phrases as passwords, but then he translates them to Scottish Gaelic. In any case, create a unique username and password combination for each site, and remember to change your passwords regularly.
Technology also comes into play. Things like multi-factor authentication can go a long way toward ensuring no one is trying to get into your accounts, giving you the advantage of real-time knowledge if something weird or out-of-place happens.
In all, cybersecurity is just a part of life. A username and password paired with security questions such as your mother’s maiden name, your date of birth, postal code or the city where you were born offers little to no defence in an age when the majority of that data is public knowledge.
Something simple we’ve done for some organizations is to run a basic credential scan or assessment. This can quantify the exposure that organizations may face when their employees reuse their work credentials in their social accounts.
Tonight, before you post anything to your favourite social site, look through your accounts and ask yourself the aforementioned security questions. Then, if your account, your family members’ accounts, or anyone else’s account gives away any of those answers, change the questions to something no one else can answer. Next, turn on two-factor authentication and change all your passwords (if you’re interested, I know a guy who translates English to Gaelic 😉)
Be smart. Be diligent. Be safe.
May 26, 2023
Meet the Experts - Kevin de Snayer
In today’s edition of Meet the Experts, we have an interview with Kevin de Snayer, Director of Cyber Solutions, ITCS, Calian.
May 10, 2023 | Oscar Morales
Stronger Together—RSA 2023
The theme for RSA this year was stronger together, sending a message that, as an industry, we must have a united front to beat the bad actors that target our organizations.
April 27, 2023
Cyber Resiliency in Healthcare
What preventative actions can wealthy countries, such as Ireland and Canada, take collectively to improve cyber resiliency?