The New Sos – Save Our Systems, Subscriptions & Sensitive Information!
In our previous blog, we spoke about the different types of scams that happen in the online universe. We also looked at a couple of examples that discussed the devastating effects of successful phishing and cyber attacks on individuals as well as small and large companies. We at Portman Tech (an IT company in the heart of London) therefore ask clients to consider cyber-safety while setting up shop, and ask everyone to always be alert and aware of such fraud in the market.
In today’s digital era, the Internet (and Information Technology) has become an integral part of our lives, where AI is the new buzzword, offering countless opportunities and conveniences! However, the more you rely on technology, the more you are susceptible to such risks. Worldwide data in fact confirms that internet fraud and identity theft are on a substantial rise, emphasising the critical need for everyone to prioritise internet safety. One crucial aspect of protecting ourselves online is the proper use of passwords. Let’s explore the significance of passwords in internet safety, using two real-life examples of internet fraud incidents.
Example 1: The Social Media Impersonation Scam
In a recent incident, an unsuspecting individual fell victim to a social media impersonation scam. A fraudster created a fake profile mimicking the victim’s identity on a popular social networking platform. This imposter then proceeded to deceive the victim’s friends and family, soliciting money by leveraging the trust associated with the victim’s name. The scam was only uncovered when a concerned friend contacted the victim directly, exposing the fraudulent activity.
While it may seem that this scam was solely the result of the victim’s social media platform being compromised, the truth is that a weak password significantly contributed to the success of the scam. In this case, the victim had been using a simple, easily guessable password, such as their pet’s name followed by their birth year. By choosing such a predictable password, the victim inadvertently provided the fraudster with a gateway into their personal information and online account.
Example 2: The Phishing Attack on Online Banking
Another prevalent type of internet fraud is phishing attacks. In a recent high-profile incident, a large number of customers of a prominent bank received emails claiming to be from the bank’s official website. The emails prompted recipients to click on a link and enter their banking credentials to resolve an alleged security issue. Unfortunately, many customers fell for the trap, providing their sensitive information directly to the fraudsters.
Once again, weak passwords played a significant role in enabling this type of internet fraud. Many victims had chosen passwords that were easily cracked, such as using their birthdate or a simple combination of numbers. By relying on such easily discoverable passwords, these individuals unknowingly exposed their accounts to potential hackers, leading to substantial financial losses and identity theft.
The next question would be – how to ensure our passwords are strong enough? To combat the rising tide of cybercrime, it is crucial to understand what constitutes a strong password! Let us first talk about its length (number of characters) …
- Increased Complexity: Longer passwords inherently have more characters, making them more complex and harder to crack. Brute-force attacks, where hackers systematically try all possible combinations of characters, become significantly more time-consuming and resource-intensive with longer passwords. This complexity acts as a deterrent, forcing attackers to invest more effort and time into breaking the password, reducing the likelihood of success.
- Resistance to Dictionary Attacks: Many hackers employ dictionary attacks, where they use automated tools that systematically test common words and phrases as passwords. Longer passwords that do not contain dictionary words are more resistant to such attacks. A longer password provides a larger search space for the attacker, making it increasingly difficult to guess through automated methods.
- Mitigation of Rainbow Table Attacks: Rainbow tables are precomputed databases containing the hash values of commonly used passwords. When an attacker obtains a hashed version of a password, they can use a rainbow table to quickly find the corresponding plaintext password. However, longer passwords increase the complexity of generating and storing these tables, making them less effective against passwords of sufficient length.
- Enhanced Protection against Guessing: Short passwords are more vulnerable to guessing attacks, where hackers attempt to guess the password based on personal information about the user, such as their name, birthdate, or common words associated with them. Longer passwords that do not contain easily guessable elements or personal information significantly reduce the likelihood of successful guessing attacks.
- Defense against Rainbow Table Attacks: While not as prevalent as before, rainbow table attacks can still be a threat if the attacker gains access to hashed passwords from a data breach. A longer password that is not easily guessed or found in a precomputed rainbow table makes it more challenging for attackers to reverse-engineer the original password.
Portman Tech firmly believes that longer passwords provide an additional layer of defense against various hacking techniques. However, it is important to note that length alone is not sufficient for a strong password. A combination of length and complexity, including a mix of uppercase and lowercase letters, numbers, and special characters, is essential for optimal security. Additionally, it is crucial to use unique passwords for each online account, as reusing passwords across multiple accounts increases the risk of a single data breach compromising multiple accounts.
- Complexity: Passwords with multiple characters significantly increase the complexity, making them harder to crack through brute-force attacks or automated software. For instance, a password like “P@$$W0rd!” is exponentially more secure than the simple word “password”.
- Randomness: Multi-character passwords can incorporate random combinations of letters, numbers, and symbols, making them more challenging to guess based on personal information or common patterns. For example, “J6n!@4WqL” is far more secure than “iloveyou123”.
- Diverse Accounts: Using unique passwords for each online account is crucial. By employing multi-character passwords, users can easily create and remember distinct combinations for every account, minimizing the potential damage in case of a data breach.
In an increasingly interconnected world, safeguarding our online presence has become paramount. Passwords play a pivotal role in internet safety, as demonstrated by the real-life examples of social media impersonation scams and phishing attacks. And yet, fraudsters are finding new and unique ways to get past the door, frisk through your e-wallets, maybe peek into your bank accounts and also help themselves on the way out.
To avoid such situations, companies in London and other parts of the world, that adhere to advanced technologies, secure their transactions via multifactor authentication; so, you would not just need a password, but maybe an OTP generated on-the-spot & sent to your registered phone/email id, retina scans, biometrics, or even facial/voice recognition to gain access to your systems.
IT engineers are constantly working on new technology that can be used to safeguard our systems. Now-a-days, the two-factor security keys (hardware security keys) are being used by corporates to grant access to their mainframes, or their accounts. These dongles make it more difficult for hackers to sneak into your accounts or devices. To use a hardware security key, you will need to be physically in possession of the instrument, and after entering your credentials and your password, you will need the key to work its magic. Some well-known Hardware Security Keys are:
- YubiKey Series – YubiKey 5 NFC, YubiKey C Bio, YubiKey 5 Nano
- Google’s Titan Security Key
- Apple Passkeys
- CryptoTrust OnlyKey
- Kensington VeriMark fingerprint key
Given below are some of the benefits of using these security keys:
- Strong Authentication: Hardware security keys use public-key cryptography, which provides robust authentication. Each key contains a unique private key that is securely stored within the hardware device. When used for authentication, the key creates a digital signature that cannot be easily replicated or forged. This makes it extremely difficult for attackers to compromise an account without physical possession of the key.
- Protection against Phishing: One of the major advantages of hardware security keys is their resistance to phishing attacks. Phishing involves tricking users into entering their credentials on fake websites that resemble legitimate ones. However, hardware keys rely on a challenge-response mechanism. The website sends a challenge to the key, which then signs the challenge with the private key and sends back the signed response. This process ensures that even if users unwittingly enter their credentials on a phishing website, the key will not respond to the illegitimate request, thus preventing the compromise of their account.
- Physical Possession Requirement: Hardware security keys are physical devices that users possess and carry with them. This physical possession requirement adds an extra layer of security since an attacker would need to physically steal or clone the key to gain access to an account. Compared to software-based authentication methods, hardware keys significantly reduce the risk of remote attacks and account takeovers.
- Protection against Password-Based Attacks: Hardware security keys eliminate the vulnerabilities associated with password-based authentication methods. They are not susceptible to common password-related attacks like brute-force attacks, dictionary attacks, or credential stuffing. Even if an attacker somehow obtains a user’s password, they will still need physical possession of the hardware key to access the account.
- Standards and Industry Support: Hardware security keys adhere to open standards such as Universal 2nd Factor (U2F) and Web Authentication (WebAuthn). These standards are supported by major browsers and platforms, including Google, Microsoft, Mozilla, and others. The widespread adoption and support from the industry ensure compatibility and interoperability across various websites and services.
It’s true that hardware security keys are an additional cost, need to be physically carried around, have limited compatibility and can get lost or easily stolen. Yet, the advantages mentioned above clearly outweigh these challenges and offer robust protection.
We at Portman Tech however believe that no security measure is entirely foolproof; users (individuals, small or big business owners) must still exercise caution and follow best practices, such as creating strong passwords, keeping their hardware keys secure, using unique keys for different accounts, and regularly updating firmware when necessary. For any additional details on IT Managed Services, or assistance with any of your digital requirements, simply pick up the phone and speak with one of our expert consultants!