How Users Can Prevent Cyber-Attacks on Their Everyday Applications
Co-authored by Patrick Morin
During the past year, we have learned that hackers aren’t taking a break while in quarantine; rather, they are taking advantage of it.
According to IdentityForce[1] there have been scores of data breaches since we went into quarantine in March of 2020, dozens[2] of those were reported as occurring in just the first few months of 2021.
We have seen a trend emerge where companies whose applications are being used more often in remote work environments, such as Spotify, Zoom and Facebook are being targeted by malicious actors at a much higher rate than before.
Spotify, one of the world’s largest music streaming services, reported an attack in April 2020 where it is estimated that 300,000 of its user accounts were compromised. In the same month, as Zoom began to gain popularity in a remote environment, it reported that nearly 500,000 accounts and a large number of lobby key passwords were compromised and sold on the Dark Web. This allowed for hackers to gain the ability to join in on zoom sessions and potentially gain access to more secure and private information regarding the wide range of companies using the application.
In April of this year, Facebook reported that over 533 million accounts had been compromised and sold online in a breach that had occurred in 2019. This number is so large it accounts for almost 7% of the world’s population.
This increased focus is not limited to big tech companies. Home Chef, a home meal delivery service, which saw a large uptick in its customer base during the pandemic, reported having over eight million accounts compromised in a data beach, proving that every bit of user data, no matter how insignificant it may seem, is becoming more attractive to hackers for its selling potential on the Dark Web.
What do each of these attack have in common? In most cases, internal and external passwords were found to be weak, old and/or reused. Specifically, in the case of Zoom, some user passwords dated all the way back to 2013.
Many of the accounts compromised in breaches mentioned above were owned by the same people and exposed due to a Credential Stuffing Attack. This type of attack occurs when hackers use an already compromised list of account names, emails, and passwords and try them on another service. Many hackers find success with this type of attack because users simply repeat the same password across multiple services.
Just like IT departments vigilantly teach its users that they are the first line of defense for security at their work, this also holds true in your personal life. Length with a combination of letters, numbers, and special characters is a very well-known set of rules for password making. However, some people find it hard to make passwords, especially unique passwords, for each service they use. This is where passphrases come in handy, as they are considered more secure, easier to remember, and can even be fun to make. A passphrase is a string of words that can be used instead of one single word to help people formulate stronger passwords. For example, Password123, is not a secure password, but 0Tter$ @RE Cut3! is easy to remember and it fits all of the complexity rules required to create a secure account.
Additionally, users can add multi-factor authentication (MFA) to several popular services in use today. With MFA enabled, a user is required to provide two or more verification factors to gain access. This way, even if your password has been compromised, there is still a line of defense the hacker must go through giving the user and the service time to react and block the malicious activity. One of the most common MFA factors that users encounter are one-time passwords (OTP) that users can receive via text, email or some sort of mobile app (like Google’s or Microsoft’s Authenticator apps).
While a password’s strength and complexity is key to its effect on security, even the strongest password becomes weaker once it is used again for an account on a different service. Therefore, it is imperative to use unique passwords across applications. However, remembering all of your passwords can be tiresome. Thankfully, modern problems have modern solutions. Users have access to a range of password management systems that can be used as a method of keeping track of each unique password created across services. Most password management systems even help the user generate secure, unique passwords for each service. Further, they allow the user to manage these passwords across devices. Once a password management system is established, each password managed by the system can be accessed by authenticating to the password management system itself, which should be protected with a separate, unique password, allowing the user to only have to remember one password.
Overall, the process of creating and remembering secure, unique passwords can seem as though it is creating more work for yourself; however, it pales in comparison to the amount of effort needed when your personal and/or financial information has been compromised. Establishing personal password standards and applying them in practice is an effective way to avoid being compromised.
[1] https://www.identityforce.com/blog/2020-data-breaches
[2] https://www.identityforce.com/blog/2021-data-breaches
Disclaimer of Liability: This publication is intended to provide general information to our clients and friends. It does not constitute accounting, tax, investment, or legal advice; nor is it intended to convey a thorough treatment of the subject matter.
