Back in January 2021 you may have seen this eye-catching headline: "Hackers are targeting security researchers". As it turned out, threat actors in North Korea were luring pen testers and other vulnerability professionals into a trap that installed a backdoor on the unsuspecting researchers' systems. Google's Threat Analysis Group discovered the campaign, a relatively sophisticated scheme built on fake social media profiles, websites, and test beds. The episode also makes a point worth repeating: even skilled cyber pros fall victim to cybercrime. Given the most common forms of attack against both individuals and businesses, it may be time to update the advice we give and follow. Here are three areas that need immediate attention.
Passwords and Passphrases
Still telling people to change their password every 30 to 45 days? Still requiring a 7- or 8-character password in the upper/lower/symbol/number format? You, my friend, may be part of the reason passwords are a hot commodity in identity marketplaces. All that complexity drives users, including other leaders and peers, into bad cyber habits. One in particular: the vast majority of people reuse the same password across multiple accounts at work and at home, so a single breached site hands an attacker the credentials for the rest.
The current generation of brute-force tools, given a stolen copy of the password hash, can exhaust the traditional 8-character format in a matter of seconds or minutes. Adopt a minimum 13-character, easy-to-remember passphrase using only upper- and lower-case letters and the time to brute-force it is measured in millennia (16, by one published estimate). Two caveats a practitioner should add: that figure assumes the attacker has to search the whole space, and a verbatim song title or famous movie quote sits in the phrase lists cracking tools try first, so a passphrase should be a phrase of your own (a lyric with a word swapped, a sentence nobody else would write) rather than one anyone can look up.
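To put numbers on the comparison above, here is an added worked example (not from the article) that computes the search space for each policy, the worst-case time to exhaust it at two assumed offline guess rates, and checks a candidate phrase against a small constructed wordlist to show why a verbatim famous quote gets none of that benefit. The alphabet sizes, guess rates and wordlist are assumptions chosen for the example.

```python
import math

# Assumptions for this example (not figures from the article): alphabet size
# and length for the two policies discussed in the text.
POLICIES = {
    "8 chars, upper/lower/digit/symbol": (95, 8),
    "13 chars, letters only": (52, 13),
}

# Illustrative offline guess rates (assumed): a fast unsalted hash on a GPU rig
# versus a deliberately slow, salted password hash at a high cost factor.
GUESS_RATES = {
    "fast unsalted hash on a GPU rig": 1e12,
    "slow salted hash (bcrypt, high cost)": 1e5,
}

# Constructed stand-in for the multi-gigabyte phrase lists crackers actually use.
CONSTRUCTED_WORDLIST = {
    "maytheforcebewithyou",
    "iwillbeback",
    "bohemianrhapsody",
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an attacker must try in the worst case."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent entropy, assuming every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to run through the whole space at the given rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def format_duration(seconds: float) -> str:
    """Human-readable duration, largest whole unit first."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def normalize_phrase(phrase: str) -> str:
    """Crackers strip case, spaces and punctuation before matching phrase lists."""
    return "".join(ch for ch in phrase.lower() if ch.isalnum())


def is_dictionary_hit(phrase: str, wordlist=CONSTRUCTED_WORDLIST) -> bool:
    """True if the phrase falls to a dictionary attack regardless of its length."""
    return normalize_phrase(phrase) in wordlist


def compare_policies(guesses_per_second: float) -> dict:
    """Map each policy name to the worst-case time to exhaust it at the given rate."""
    return {
        name: seconds_to_exhaust(alphabet, length, guesses_per_second)
        for name, (alphabet, length) in POLICIES.items()
    }


if __name__ == "__main__":
    for rate_name, rate in GUESS_RATES.items():
        print(f"\nAt {rate:.0e} guesses/s ({rate_name}):")
        for policy, secs in compare_policies(rate).items():
            alphabet, length = POLICIES[policy]
            print(f"  {policy:36s} {entropy_bits(alphabet, length):5.1f} bits  {format_duration(secs)}")
    for candidate in ("May the Force be with you!", "purple kettle sings at dawn"):
        verdict = "in wordlist, cracked instantly" if is_dictionary_hit(candidate) else "not in wordlist"
        print(f"{candidate!r}: {verdict}")
```

The letters-only 13-character space is more than a million times larger than the 8-character complex one, which is the whole argument for passphrases; the wordlist check is the reminder that the arithmetic only applies to phrases an attacker cannot simply look up.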
Multi-Factor Authentication (MFA) with SMS
MFA has been widely deployed long enough that threat actors have learned to defeat its weakest form, the code delivered by text message. Lose your phone or suffer a SIM swap attack and say good-bye to the benefits of MFA: the attacker now receives your codes, and you are one intercepted text plus one stolen password away from your account information becoming the attacker's. A researcher at one cybersecurity vendor has documented as many as 50 different ways to get around MFA. An authentication app on your device (Google and Microsoft both offer one) closes the SIM-swap route, because the code is computed from a secret stored on the device rather than sent over the carrier network, although a real-time phishing page that relays the code can still beat it. A number of vendors also offer password managers and security tokens; a hardware token that authenticates the site directly is the phishing-resistant option, and all of them make it more difficult to get into an account with stolen credentials alone.
Phone Numbers as Authenticators/Identifiers
The less effective cousin of MFA is using a mobile number on its own to log in to or recover an account. A legacy of the time before MFA, using a mobile number or other contact phone number to verify your right to access an online account is especially risky today, because carriers recycle numbers. A study from Princeton University put it this way: "We sampled 259 phone numbers available to new subscribers at two major carriers, and found that 171 of them were tied to existing accounts at popular websites, potentially allowing those accounts to be hijacked."
Thanks to data breaches and data brokers selling phone numbers, there are plenty of phone numbers for sale that can be matched to the accounts they unlock. The fix is easy: update the phone number on your existing accounts as soon as you get a new number, before the old one is handed to a new subscriber. That way the new owner of your old number cannot go rummaging around your dating apps or other sensitive accounts. This applies to business accounts as well.
Let's not forget, too, that we in the security community, along with our friends and families, are not immune to phishing, whether it arrives by email, text message, or a look-alike website. The law of averages tells us that eventually even the most eagle-eyed among us will click a link we shouldn't, just as the 241,342 people who reported phishing to the FBI in 2020 did.
There is a virtually fool-proof way to avoid the consequences of an unsolicited link: do not click it. If you did not initiate the contact or transaction, ignore it. If you think it could be real, verify it out of band: go to the site yourself, call the contact center, or use a direct-dial number you already have, never a number or link supplied in the message itself. Teach your friends and family to do the same. You may miss out on pics from someone's Google Photos album, but you will avoid being part of the $1.8+B in annual business and individual losses to phishing schemes.
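Before deciding whether a message even merits an out-of-band check, it helps to look at where its link actually goes. The following is an added example (not from the article) of a small link inspector: it compares the domain shown in the message text with the one in the href, flags user-info tricks, punycode hosts and look-alike spellings of domains you already trust, and says whether the link can be opened without a phone call first. The trusted domains, confusable map and sample links are all constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Domains this user already knows and holds accounts with (constructed for the example).
TRUSTED_DOMAINS = {"example-bank.com", "photos.google.com"}

# A few ASCII look-alike substitutions seen in phishing domains (paypa1, g00gle).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

# Something that looks like a domain or URL inside the visible message text.
URL_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}(?:/\S*)?", re.I)

# Constructed IDN sample; the punycode is generated here rather than typed by hand.
IDN_HREF = "https://" + "exámple-bank.com".encode("idna").decode("ascii") + "/login"

# Constructed (display text, href) pairs as they might appear in a phishing email.
CONSTRUCTED_LINKS = [
    ("https://example-bank.com/verify", "https://example-bank.com.evil.example/verify"),
    ("example-bank.com", "https://example-bank.com@203.0.113.5/login"),
    ("Log in", "https://examp1e-bank.com/login"),
    ("Log in", IDN_HREF),
    ("Open album", "https://photos.google.com/share/abc"),
]


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def shown_host(text: str) -> Optional[str]:
    """Domain the reader sees in the link text, if the text contains one."""
    match = URL_RE.search(text)
    return host_of(match.group(0)) if match else None


def unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so homograph hosts show their real characters."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def is_same_or_subdomain(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def inspect_link(text: str, href: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return what the link really points at and why it should or should not be opened."""
    parsed = urlparse(href if "://" in href else "http://" + href)
    actual = (parsed.hostname or "").lower()
    shown = shown_host(text)
    findings = []
    if parsed.username is not None:      # https://bank.com@203.0.113.5/ actually goes to the IP
        findings.append("credentials-in-url")
    if shown and not is_same_or_subdomain(actual, shown):
        findings.append("text-href-mismatch")
    decoded = unicode_host(actual)
    if decoded != actual:
        findings.append("idn-punycode")
    trusted_hit = any(is_same_or_subdomain(actual, d) for d in trusted)
    if not trusted_hit and any(is_same_or_subdomain(actual.translate(CONFUSABLES), d) for d in trusted):
        findings.append("lookalike-of-trusted")
    return {
        "actual_host": decoded,
        "shown_host": shown,
        "trusted": trusted_hit,
        "findings": findings,
        "safe_to_open": trusted_hit and not findings,
    }


if __name__ == "__main__":
    for text, href in CONSTRUCTED_LINKS:
        report = inspect_link(text, href)
        verdict = "open" if report["safe_to_open"] else "verify out of band first"
        print(f"{text!r} -> {report['actual_host']}: {report['findings'] or 'clean'} ({verdict})")
```

Only the last sample link, a real share from a domain already on the trusted list, comes back as safe to open; everything else is exactly the kind of message the advice above says to verify through a channel you already have.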
Remember, even skilled cyber pros can fall victim to cybercrime.
James Everett Lee