Prevention Is Easier Than Recovery

Fiserv SecureNow Blog, 2023 Q1

Simple efforts to secure online accounts make a big difference

When it comes to online security preparedness, many adopt the adage “out of sight, out of mind.” The issue might get our attention if we see a news report about a major retailer obligated to disclose a significant breach of accountholder passwords. Or a post from a neighbor about their frustration in recovering stolen reward points earmarked for a vacation.

Then we might be influenced to switch out some numbers on new passwords we create. Otherwise, we tend to shrug it off, wondering what a criminal could possibly accomplish with access to our “Slushee City” account.

The answer is quite a lot, actually. (Feel free to pass these tips along to your customers, clients or members.)

Innovative Hacking

Human behavior is rooted in routine. As such, people tend to use the same password across multiple services. Because cybercrime is a thriving enterprise, criminals continue to develop innovative ways to bypass ever-increasing security measures of organizations while exploiting the patterns of human behavior. According to a recent study from Hive Systems, an eight-character password can be cracked in as little as 12 minutes (that includes those with numbers and special characters).

Common Attacks

  • Brute force – This traditional hacking method exploits easily guessable passwords. It has evolved from trying basic passwords such as “password” and “1234567” to any word recognized by a common dictionary. As computers become more sophisticated, brute force attacks will become easier for cybercriminals to execute.
  • Credential stuffing – Once a password is obtained through a brute force attack, it can be used on other websites. Because the tendency to reuse the same password persists, credential stuffing remains one of the easiest ways for a criminal to gain access to a new account. It often starts with a large-scale breach of passwords that are sold to others who use botnets to automatically enter them into other websites until they are matched to an existing account.
  • Drive-by download – This cyberattack is an unauthorized (or unintentionally authorized) download of malicious software onto a mobile device or computer. It happens when a user visits a compromised website or performs an otherwise innocuous action (like clicking on an “x” that is disguised as a close button on a pop-up ad). Once the attack software is installed, a hacker can gain access to a person’s operating system, spy on network activity, or destroy data and render devices inoperable.
  • SMS OTP vulnerabilities – Businesses are replacing username/password access to accounts with Short Message Service One Time Password (SMS OTP). While these practices are more secure than traditional methods, they are not without their faults.
  • SIM swap – Hackers fraudulently convince a person’s cellular provider to move that person’s phone number onto a SIM (subscriber identity module) card in their possession, so that calls and SMS one-time passwords are delivered to the attacker instead. This works by exploiting weaknesses in the provider’s identity verification procedures and undermines SMS-based two-factor authentication.
  • Social Engineering – Commonly known as phishing, this scheme involves manipulating someone into divulging confidential information under false pretenses. Often, the deception comes disguised as a verification request from a seemingly legitimate source (recognizable branding and “official” language). An urgent or threatening tone is designed to encourage fast action.
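The credential-stuffing pattern described above leaves a recognizable trace in login logs: one source trying many different usernames with a low hit rate. As an added defender's example (not from the original article), this small Python heuristic flags such sources and lists the accounts they got into; the log format, thresholds and sample lines are constructed for the example.

```python
"""Flag credential-stuffing sources in web authentication logs.

A stuffing botnet tries many different usernames from one source, mostly
failing; a user who forgot a password retries one username. This heuristic
separates the two. Log format and thresholds are assumptions for this example.
"""
from collections import defaultdict

# Constructed sample log lines: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2023-03-01T10:00:01 203.0.113.5 alice FAIL
2023-03-01T10:00:02 203.0.113.5 bob FAIL
2023-03-01T10:00:02 203.0.113.5 carol FAIL
2023-03-01T10:00:03 203.0.113.5 dave OK
2023-03-01T10:00:03 203.0.113.5 erin FAIL
2023-03-01T10:00:04 203.0.113.5 frank FAIL
2023-03-01T10:00:05 198.51.100.7 alice FAIL
2023-03-01T10:00:09 198.51.100.7 alice FAIL
2023-03-01T10:00:15 198.51.100.7 alice OK
"""


def find_stuffing_sources(log_text, min_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for sources whose behaviour looks like stuffing.

    Flag a source that tries at least `min_users` distinct usernames with a
    success ratio of at most `max_success_ratio` (leaked lists are mostly dead
    credentials; a legitimate user spreads retries over a single name).
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        if result == "OK":
            stats["ok"].add(user)
    flagged = {}
    for ip, stats in per_ip.items():
        ratio = len(stats["ok"]) / stats["attempts"]
        if len(stats["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = {"distinct_users": len(stats["users"]),
                           "attempts": stats["attempts"],
                           "successes": len(stats["ok"]),
                           # accounts the source got into: force a reset on these
                           "compromised": sorted(stats["ok"])}
    return flagged
```

Run over the constructed sample, it flags 203.0.113.5 (six usernames tried, one success on "dave") and leaves the single-user retries from 198.51.100.7 alone.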

How to Prevent Hacking

Despite the increased sophistication of hacking, the truth is that user error remains the weakest link in the security chain. The good news is that if we are the problem, then we are also the solution. Simple efforts can thwart these most common opportunistic attacks.

  • If it doesn’t look right – If you receive a credentials request from a recognizable company you do business with, consider whether you have engaged in any recent transactions that might warrant that action. Take a closer look at the sender’s email address. Are there letters transposed or a series of digits that seem unprofessional? If the feeling of being penalized for not taking action persists, call the customer service number from an official document (statement or previous correspondence) or the company’s official website.
  • 20 characters of gibberish – Some people think that avoiding obvious password choices is enough. But changing one noun to another or adding a different numeral to a previous password is not sufficient. Length and complexity are game changers. A password made up of 12 characters and containing one uppercase letter and a symbol would take a computer 34,000 years to crack. If you are afraid you will never remember a complex password, use a password manager as a centralized store that generates and remembers unique, strong passwords for you.
  • Confirm, confirm, confirm – For a long time, security questions were considered an acceptable authentication measure. Not anymore. Multi-factor authentication (MFA) is currently the best defense against most password-related attacks. But many users still opt out of the practice if they are given the option. Hopefully, users will feel empowered to take responsibility for their security as education about password protection changes misperceptions.

For financial institutions and businesses that want to protect their customers from harm, learn more about the right tools to provide ongoing protection.