As with any major crisis, hackers see opportunity in today’s devastating pandemic.
A thirst for information means people let their guard down. In confusion, lies get through more easily. Through expediency, we become less careful of threats we usually would search for.
This is why it isn’t surprising to hear of hackers of all stripes – from petty cyber criminals to well-organised nation states – trying to get into other people’s computers during this crisis.
Yet, some of the easiest ways that people get hacked – through their Zoom accounts or their e-mails – are often down to low-tech reasons.
Old passwords are a prime example. Thousands of Zoom passwords were shared on the Dark Web early this year as the video conference tool became popular for keeping in touch during worldwide lockdowns, according to cyber security firm IntSights.
This was not because hackers somehow breached Zoom’s security or hacked into thousands of user accounts. Instead, most of the accounts were likely compromised because their owners had reused passwords from other sites, and those sites had been breached earlier.
For example, if you had an account on Yahoo, which suffered a massive breach in 2013, there’s a good chance that password has been exposed and it’s easy for a hacker to use it to try logging in to other related services that are tied to your name.
In a report last month, IntSights detailed how hackers took old stolen passwords and incorporated them into automated scripts to try logging in to various online services, such as Zoom.
Called credential stuffing, this is an easy way for cyber criminals to get into user accounts without trying to find a loophole in a software program, said Etay Maor, chief security officer of the New York-based cyber security firm that specialises in providing intelligence on the Dark Web.
“It’s easier to find a login through credential stuffing than to find an exploit,” he told Techgoondu in a phone interview last week. “Even if you have the vulnerability, you still need to know how to use it.”
He said that discussions on the Dark Web were often collaborative, with hackers working in concert to pull off some hacking efforts.
Sometimes, they share credentials online to make it easier for others to hack into victims’ accounts, he added.
Though the security for Zoom was not compromised, he noted, users’ weak passwords often let in hackers, who could turn up uninvited to a virtual meeting or worse, listen in to conversations and use the information for elaborate phishing attempts later on.
In simple terms, you should not be using the same password for different online services. No, not even complicated-looking passwords that mix upper- and lower-case letters, numerals and punctuation marks.
That’s because once one account is compromised, it is easy for a hacker to use that password to log in to your other accounts, say, on Zoom, Amazon or Google.
This issue will take a while to resolve as well. Fifty-three per cent of 2,000 consumers surveyed this year in the United States say they reuse their passwords on multiple online services.
In this group, 63 per cent say they use the same password on three to 10 sites, while 10 per cent say they use it on more than 10 sites, according to security firm SecureAuth.
Clearly, passwords are an issue that technology firms wish to overcome. Of late, there has been a move towards trusted devices and users, rather than passwords, which can be easily stolen.
For example, the Singapore government’s SingPass login system now lets you in with a digital app on your phone, which acts as a two-factor authentication (2FA) token. Banks in the country are also moving towards that.
While 2FA may not be applicable in all systems – some do not require the same level of security – you should certainly have that turned on for your main e-mail account.
That’s the one that you use to reset the passwords on other accounts, from Amazon to Zoom. If a hacker gets into this e-mail account, he can trigger a reset of all your other services and lock you out, so harden it.
Website owners can also make it harder for hackers to log in with stolen passwords. A Captcha challenge, for example, would stump many automated scripts used by hackers.
Yes, it’s a little more troublesome for users but if the service is an important one, the added security is worth the trouble.
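What the credential-stuffing pattern described above looks like in a site’s own login logs, and how a Captcha gate can key off it, as an added example that is not code from IntSights, Zoom or Techgoondu. The log format, the addresses and the thresholds are assumptions made for illustration.

```python
# Added example (not IntSights', Zoom's or Techgoondu's code): flag stuffing
# sources in an assumed login-log format and decide who gets a CAPTCHA.
import re
from collections import defaultdict
# Constructed sample lines, "time ip username result". 203.0.113.7 walks many
# accounts with mostly failures (the stuffing signature); 198.51.100.4 is one
# person mistyping their own password. Thresholds below are illustrative.
SAMPLE_LOG = """\
09:00:01 203.0.113.7 alice FAIL
09:00:02 203.0.113.7 bob FAIL
09:00:02 203.0.113.7 carol FAIL
09:00:03 203.0.113.7 dave OK
09:00:04 203.0.113.7 erin FAIL
09:00:05 203.0.113.7 frank FAIL
09:00:06 198.51.100.4 alice FAIL
09:00:09 198.51.100.4 alice FAIL
09:00:15 198.51.100.4 alice OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Return (ip, user, succeeded) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(2), m.group(3), m.group(4) == "OK"))
    return events

def stuffing_sources(events, min_users=5, min_fail_ratio=0.7):
    """Map suspicious source IPs to the accounts they got into. A stuffing
    script tries one leaked password per account across many accounts, so one
    IP shows many distinct usernames and a high failure rate; its few successes
    are the accounts whose reused password worked and need a reset."""
    stats = defaultdict(lambda: {"users": set(), "fails": 0, "hits": []})
    for ip, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        if ok:
            s["hits"].append(user)
        else:
            s["fails"] += 1
    return {ip: sorted(s["hits"]) for ip, s in stats.items()
            if len(s["users"]) >= min_users
            and s["fails"] / (s["fails"] + len(s["hits"])) >= min_fail_ratio}

def should_challenge(events, ip, max_failures=3):
    """Serve a CAPTCHA to a stuffing-like source or one with many failures."""
    failures = sum(1 for src, _, ok in events if src == ip and not ok)
    return ip in stuffing_sources(events) or failures > max_failures
```

A person who mistypes their own password twice is left alone, while the source that walked six different accounts is challenged and the one account it entered is surfaced for a forced reset.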
You can’t get rid of passwords altogether, unfortunately. Even the SingPass login, which only needs to scan your fingerprint once it is set up on your phone, requires you to log in with your password the first time round.
But that doesn’t mean that the old way of forcing users to change their passwords all the time is useful.
About half of users reuse the same password with a minor change when forced to do so at their workplace, according to a study by security outfit HYPR in 2019.
So, the key is making sure you have strong passwords that are unique for each service you log on to. Plus, having 2FA turned on for the most important services you use.
How do you remember all these passwords? Well, some savvy users rely on password managers, even though they can also be compromised, like any security measure.
Other users might write down all their passwords in a notebook, which should be safe from hacking, but what happens when you travel? You can’t log in. Worse, what if you lose the notebook?
Whatever you do, do not save your passwords in an unencrypted text file on your phone or PC, because if that device is compromised, the passwords are stolen along with it.
It’s true there are no failsafe methods for being absolutely safe in cyberspace. However, it pays to reduce risk by understanding threats that change constantly.
Right now, it’s best to make sure your online accounts are using unique passwords. If not, it’s a good time to go change them to make yourself a less easy target.