Passwords in data breaches and cybersecurity
5th December 2018
It’s obvious that passwords are an essential part of protecting your online information. Yet one of the key gripes of modern digital life is having to create a password for everything. However, love them or hate them, an effective password helps keep your data, your money and your business safe.
A key report has revealed that 81% of hacking-related data breaches are down to exploitation of stolen or weak passwords.
Be password aware
Last week I received an email out of the blue, apparently from an ‘IT help desk.’ It solemnly informed me that I was using an old security setting and that I needed to update it to avoid a ‘service interruption.’ They even helpfully provided a link, asking me to click it within 12 hours. Distracted by getting ready for the day, and tempted by the chance to tick off a simple IT maintenance job, it would have been easy to click the link. Luckily I spotted the strange email address behind the help desk alias. Most telling was the spelling error in the subject line: “passworld reminder.”
This was obviously a scam to get into my email and all the logins and portals to which that might offer entry. It’s a variation of a very common scam email sent to thousands of people every day. Sadly many do click the link and fall victim to criminals accessing their online information.
Spotlight on password breaches
Government statistics have shown that only 35% of people in the UK are following official advice on using strong passwords made up of three random words. Weak passwords are leaving people and businesses vulnerable to identity theft and fraud.
We are now used to news headlines coming thick and fast about the latest set of passwords to be compromised. Each case serves to show the destructive potential of these data breaches.
● Password exposure: Earlier this year 333 million Twitter users were urged to change their password after some became exposed during an internal process. Twitter said the number was substantial and that they were exposed for “several months.”
● Fraudulent emails: A computer hacker is facing jail for single-handedly scamming Just Eat customers with a ‘phishing’ email and harvesting their personal information such as name, address and payment card details. He then sold on the details of 9,627 people, many of whom lost large amounts of money to other online fraudsters.
● Sextortion emails naming your password: Recently this alarming scam has been affecting thousands of people around the world. Victims have been receiving emails from scammers in which the person’s password is included in the message. The scammers claim to know what the victims have been watching online, especially their visits to adult websites, and threaten to release the information to their social media contacts unless they pay a ransom. For one undercover reporter the ransom demanded was just under £3,000. Even where victims had no history of visiting such websites, the inclusion of the password has often alarmed them into paying the ransom. Apparently at least half a million dollars has been paid out to the scammers so far.
For customers, password breaches can mean exposure of personal information and criminal access to payment card or bank details. For businesses, small or large, these losses are often compounded by significant reputational damage. Whether the cyber-attacks target individuals or cyber criminals try to grab large sets of passwords from businesses, the effects can be devastating.
Stealing your password
Scammers will try all sorts of ways to access your password. Some of the most common methods include:
● Phishing emails – emails which pretend to be from a legitimate source such as your bank or other company with which you deal, with the aim of eliciting your personal information.
● Fake websites – these can be ‘mirrors’ of legitimate websites where the URL (web address) may seem the same but in fact differs slightly. The aim is to harvest your personal details when you enter them.
● Phishing phone-calls – typically someone claiming to be from your broadband company will call and tell you that your internet service is in danger of being cut off unless you follow their instructions. They aim to get you to your keyboard so that you enter your passwords and they can get access to the personal information on your device.
Did you know that “Fullz” is a slang term on the dark web for a full set of harvested customer details offered for sale, which would allow whoever purchases them to defraud the individual’s bank accounts and credit cards?
What passwords should you use?
It’s always advisable to be highly vigilant when asked for your password. However, cybercriminals will also try to hack online accounts and guess passwords, especially on stolen laptops and devices. So it’s recommended you choose a difficult password when setting up an account.
The urban myths about the most popular passwords are true – as crazy as it sounds, ‘1234’ and ‘password’ are actually very commonly used as passwords.
Setting difficult passwords needs to be taken seriously. Businesses should include effective password-setting in their induction and on-boarding of new staff so that they do not inadvertently leave company data and accounts exposed.
There are a number of best practice password rules to follow when setting up passwords:
● don’t use the same password everywhere – have different passwords for different accounts
● don’t use local street, pet or your child’s names or dates of birth
● don’t use the business name or any variation of it
● don’t stick post-it notes on screens with the password written on them – again, this is surprisingly common
● do make them over 8 characters long
● do include a variety of characters, e.g. a mixture of lower and upper case, numbers and punctuation.
How to keep your password safe
Sometimes companies offer security questions when logging in, from the infamous ‘mother’s middle name’ to ‘your favourite holiday.’ For businesses setting up ICT systems for their customers to use, it’s advisable to enable two-factor authentication that adds another ID check to login attempts – this will help “harden” accounts and reduce hacking.
One woman told me she was alarmed to have her pension website ask her the name of the person she first kissed! Not exactly information you want to share with strangers so keep the questions sensible.
In fact, the UK Information Commissioner’s Office has recently issued guidance on the use of encryption and passwords by organisations in connection with the General Data Protection Regulation (GDPR), rules which all UK businesses must follow. In relation to passwords, the ICO’s recommendations include:
● not to store passwords in plaintext – use a suitable hashing algorithm (or other mechanism)
● ensure that login pages are protected with HTTPS or an equivalent level of protection
● not to prevent users from pasting passwords – while often seen as a security measure, preventing pasting of passwords impedes people from using password managers effectively.
● using “password blacklisting” to prevent users from setting a common, weak password.
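The password rules listed under “What passwords should you use?” (length, mixed character types, no business name, nothing common) and the ICO points above (no plaintext storage, a blacklist of weak passwords) fit together in a small piece of server-side code. The example below is added here to illustrate both; it is not code from the original post or from 360ict. It uses only the Python standard library, a tiny constructed blacklist standing in for a real breached-password list, and PBKDF2-HMAC-SHA256 with a random per-user salt as the “suitable hashing algorithm”. The business-name check is a deliberately simple substring test; password reuse across sites cannot be checked from one system and is left to the user.

```python
import hashlib
import hmac
import os
import string
from typing import List

# Constructed blacklist. The post names '1234' and 'password'; a real deployment
# would load a large list of known-breached passwords instead of these few.
COMMON_PASSWORDS = {"password", "1234", "123456", "qwerty", "letmein"}

# OWASP's published 2023 figure for PBKDF2-HMAC-SHA256. Raise it as hardware improves.
PBKDF2_ITERATIONS = 600_000


def check_password_policy(candidate: str, business_name: str = "") -> List[str]:
    """Return the rules from the post that the candidate breaks (empty list = acceptable)."""
    failures = []
    if len(candidate) <= 8:
        failures.append("must be over 8 characters long")
    if not any(c.islower() for c in candidate):
        failures.append("needs a lower-case letter")
    if not any(c.isupper() for c in candidate):
        failures.append("needs an upper-case letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("needs a number")
    if not any(c in string.punctuation for c in candidate):
        failures.append("needs punctuation")

    lowered = candidate.lower()
    # "Password blacklisting": reject well-known weak choices regardless of case.
    if lowered in COMMON_PASSWORDS:
        failures.append("is on the common-password blacklist")

    # Crude check for "the business name or any variation of it": compare with
    # spaces removed and case ignored, so "360 ICT" also catches "360ict-Rocks".
    name = business_name.replace(" ", "").lower()
    if name and name in lowered.replace(" ", ""):
        failures.append("contains the business name")
    return failures


def hash_password(password: str) -> str:
    """Hash a password for storage: random 16-byte salt + PBKDF2-HMAC-SHA256.

    The returned string records the algorithm, iteration count and salt so that
    the parameters can be raised later without breaking existing accounts.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ["password", "360ict-Rocks2018!", "Tr3e-Kettle!Lamp"]:
        print(pw, "->", check_password_policy(pw, "360 ICT") or "OK")
    record = hash_password("Tr3e-Kettle!Lamp")
    print(record)
    print(verify_password("Tr3e-Kettle!Lamp", record), verify_password("wrong", record))
```

Only the policy failures are shown to the user; the stored record never contains the password itself, and the salt means two users who pick the same password still get different records.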
Has my password been hacked?
Hackers are constantly breaking into innocent websites to harvest passwords which can then get sold on to various types of cyber criminals. If you suspect the worst has happened and your password is breached, change it immediately and don’t use the old one ever again.
You can find out if your password has been discovered by visiting a trusted data breach monitoring website such as HaveIBeenPwned.com (pwned = slang in the gaming world suggesting you’ve been ‘owned’).
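For readers who want to see how a check like the HaveIBeenPwned one can be made without ever sending the password anywhere, here is an added example (not code from the original post or from the HaveIBeenPwned service itself). It uses the publicly documented k-anonymity design of the Pwned Passwords range API: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every known suffix for that prefix with a count. The response body below is constructed for the example, with made-up counts, so it runs offline; `check_online` shows the real request but is not exercised here.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex of the password into 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """Only the prefix is ever placed in the URL; the password and full hash stay local."""
    prefix, _ = sha1_prefix_suffix(password)
    return RANGE_API + prefix


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real service) into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in breaches (0 = not in the range)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def check_online(password: str) -> int:
    """Real lookup: fetch the range for the prefix and look for our suffix locally."""
    req = urllib.request.Request(range_url(password), headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return breach_count(password, body)


# Constructed sample response for the prefix of "password": two invented
# suffixes plus the real suffix of "password", all with made-up counts.
_, _PASSWORD_SUFFIX = sha1_prefix_suffix("password")
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PASSWORD_SUFFIX}:123456",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
])


if __name__ == "__main__":
    print(range_url("password"))
    print("password seen", breach_count("password", SAMPLE_RANGE_BODY), "times (sample data)")
    print("Tr3e-Kettle!Lamp seen", breach_count("Tr3e-Kettle!Lamp", SAMPLE_RANGE_BODY), "times")
```

A site that wants to follow the ICO’s blacklisting advice can run the same suffix comparison at sign-up, so that a password already present in known breaches is refused before it is ever stored.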
How small businesses can stay safe online
At 360ict we specialise in keeping small businesses safe online. It’s not only large businesses that are targeted by cybercriminals. In fact, SMEs are often singled out because their cyber security may be weaker than that of larger firms with more resources, time and skill. Yet smaller companies have the same requirements, responsibilities and obligations with regard to data protection, including keeping your own and your customers’ data safe.
Over the years 360ict has shared its expertise with many businesses who have benefitted from increased cyber security as a result. Let 360ict help you with your risk management, cyber and data security.
To arrange your on-site review or talk to our IT support team about your options, call 0208 663 4000 today or Contact Us.