When it comes to protecting your digital identity, it can be difficult to know what you’re defending against. Attacker objectives, victims, and techniques vary significantly, and this uncertainty has only grown as malicious actors take advantage of the COVID-19 chaos to steal any data they can get their hands on. That said, the one certainty is that internet credential theft and misuse is involved in nearly 81% of hacker-related breaches, making it one of the most common attacks in the world.
About the author
Nic Sarginson is Senior Solutions Engineer for UKI and RSA at Yubico
The keys to the castle
Once a cybercriminal has someone’s authentication credentials, they have the tools to unlock their victim’s entire digital identity. So, if the potential damage is that significant, why are these credentials so easy to steal?
Attackers try common passwords with specific or common usernames, and this can be surprisingly successful. Unfortunately, most people struggle with creating or remembering strong passwords. As a result, people often choose weak passwords and rarely change them. In fact, recent research found that one out of every 142 passwords is ‘123456’ and indeed 23.5 million breached accounts have used ‘123456’ as their password.
Password Reuse Abuse (Credential Stuffing)
Attackers regularly take credentials stolen from one site and try them on another, as it’s very common for people to use the same username and password combination, or a variant, across multiple sites. In fact, more than 44 million Microsoft account holders have been found to use recycled passwords! This problem is exacerbated by the large volume of stolen credentials available for sale on the dark web.
Man in the Middle (MitM) attacks
Sometimes, attackers have access to the network path between their victim’s computer and the site they are accessing. This can enable the attacker to view what sites someone is accessing and steal their data if the connection is not encrypted or if the victim believes the malicious system or site is legitimate.
Phishing
Phishing typically uses some pretext to convince a person to reveal their credentials directly, or to visit some site that does the same. Attackers do this via SMS, email, telephone, instant message, social networks, dating sites, physical mail, or by any other means available.
Account Recovery Exploitation
Unfortunately, account recovery flows can be much weaker than the primary authentication channel. For example, it’s common for companies deploying strong two-factor authentication (2FA) solutions as their primary method to leave SMS as a backup. Alternatively, companies may simply allow help desk personnel to reset credentials or set temporary bypass codes with just a phone call and little to no identity verification requirements.
Defending your domain
Once you recognise these credential theft methods, you can start to identify how bad actors can easily access your digital identity. Here are some simple steps you can start implementing today to stop these methods of credential theft:
Properly manage your passwords
It’s important to be as diligent as possible in creating the strongest passwords and securely managing them. Ideally, strong passwords should be randomly generated. At a minimum, avoid using information about yourself or your friends and family, such as birthdays, sports teams, pet names, etc. Never reuse passwords between sites. Yes, this means that you will need a different password for each account you have. As a best practice, use a password manager to generate and store passwords securely.
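The advice above (random generation, no personal details, no reuse) can be checked mechanically, which is essentially what a password manager does for you. The following is an added example, not code from the original article or from Yubico: it generates passwords and passphrases from the operating system's secure random source and reports the weaknesses named in the text. The small common-password set stands in for a real breached-password list and is a constructed placeholder.

```python
import secrets
import string

# Constructed stand-in for a breached/common-password list such as the '123456'
# entries cited in the article; a real check would use a far larger list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "123456789"}


def generate_password(length=20,
                      alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Random password drawn with the `secrets` module (CSPRNG), as a manager would."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count=5, sep="-"):
    """Random passphrase from a caller-supplied wordlist; easier to type than a
    random string while still being randomly chosen."""
    if len(words) < 2:
        raise ValueError("wordlist too small")
    return sep.join(secrets.choice(words) for _ in range(count))


def password_problems(candidate, personal_facts=(), previously_used=()):
    """Return the reasons a candidate password is weak; an empty list means
    none of the checks fired. `personal_facts` holds things like pet names and
    birth years; `previously_used` holds passwords already used elsewhere."""
    problems = []
    lowered = candidate.lower()
    if candidate in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    for fact in personal_facts:
        if fact and fact.lower() in lowered:
            problems.append(f"contains personal information: {fact!r}")
    if candidate in previously_used:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase(["river", "copper", "lantern", "orbit", "velvet", "maple"]))
    print(password_problems("Rex1985!", personal_facts=["Rex", "1985"]))
```

The point of the `personal_facts` check is that a password built from a pet's name and a birth year fails even if it looks complex; the point of `previously_used` is that a strong password stops being strong the moment it is shared between sites, which is exactly what credential stuffing exploits.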
Use two-factor authentication (2FA)
Even the strongest usernames and passwords are open to compromise. To limit the damage, always enable 2FA where possible so that another form of identity, beyond a username and password, is required to access your account. Whatever you do, do not rely on SMS codes as your second form of authentication: the National Institute of Standards and Technology (NIST) has recently discouraged their use as a second factor. While some services require using SMS to initially set up 2FA, you can choose to disable SMS after setting up other factors, such as security keys.
Verify before clicking
To protect against email phishing, ensure that an email is legitimate by asking yourself: Do you recognise the email address? Are there spelling errors in the email? Does the link or attachment make sense? When it comes to websites and links, check for HTTPS before entering any sensitive information: HTTPS means your connection to the page is encrypted, so it cannot be read or altered in transit. HTTPS will be listed in the URL itself and the browser bar will also display a small lock next to it. Note that HTTPS on its own does not prove the site is the genuine one, since anyone can obtain a certificate for a domain they control, so also check that the domain name is exactly the one you expect. Additionally, your bank is not going to send you an email with a password reset link in it; always use your official mobile banking app or make sure you go directly to the bank website.
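The "does the link make sense" question can be made concrete. The following is an added example (not code from the original article or from Yubico) that takes a link and the domain it claims to belong to, and warns about the patterns that most often disguise a phishing destination: a non-HTTPS scheme, a hostname that merely contains the expected domain rather than being it or one of its subdomains, a user@ prefix in front of the real host, and a raw IP address. The domain names used are constructed placeholders.

```python
import re
from urllib.parse import urlparse


def hostname_matches(host, expected_domain):
    """True only if host IS expected_domain or a subdomain of it, compared
    label by label. A plain substring test would accept
    'mybank.example.evil.example', which is the classic lookalike trick."""
    host = host.lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_link(url, expected_domain):
    """Return a list of warnings for a link that claims to lead to expected_domain.
    An empty list means none of the checks fired (not a guarantee of safety)."""
    warnings = []
    parsed = urlparse(url)

    if parsed.scheme != "https":
        warnings.append("not HTTPS: the connection would not be encrypted")

    host = parsed.hostname or ""  # urlparse already lowercases the hostname
    if not host:
        warnings.append("no hostname in link")
    elif not hostname_matches(host, expected_domain):
        warnings.append(
            f"hostname {host!r} is not {expected_domain!r} or a subdomain of it"
        )

    # https://mybank.example@203.0.113.7/ actually goes to 203.0.113.7;
    # the part before '@' is a username, not the destination.
    if parsed.username is not None:
        warnings.append("link contains a user@ prefix that disguises the real host")

    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("hostname is a raw IP address, not a named site")

    return warnings


if __name__ == "__main__":
    # Constructed links: one genuine-looking, three shaped like phishing lures.
    for link in [
        "https://online.mybank.example/login",
        "https://mybank.example.evil.example/login",
        "http://mybank.example/reset",
        "https://mybank.example@203.0.113.7/login",
    ]:
        print(link, "->", check_link(link, "mybank.example") or "no warnings")
```

The check is intentionally conservative: a link passing it still deserves the bank-app-or-type-the-address-yourself habit from the text, because a registrable lookalike such as mybank-example.example fails the hostname test but a compromised genuine subdomain would not.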
Be cautious of networks
Public Wi-Fi doesn’t qualify as a secure network, and therefore gives hackers a greater opportunity to steal information or carry out attacks such as the man-in-the-middle interception described above. If you must use public Wi-Fi, stick to sites that don’t deal with sensitive information. When possible, always avoid public Wi-Fi and use other solutions such as a secured personal hotspot or a VPN. A VPN will make it difficult for third parties to determine your identity or location. However, with the world adapting to working from home, record numbers of people are using a VPN to access the corporate network, putting those VPN services under strain. You can also secure VPN access with MFA to ensure both your personal and corporate details are protected.
Don’t divulge sensitive information
Any piece of information can make a hacker’s job easier. This may seem obvious, but in the age of social media, don’t put any information you wouldn’t give to a stranger on your public profiles. With COVID-19 meaning more people are working from home, there is a greater temptation to fill out that Facebook chain post that asks where you were born and what your first pet was! Indeed, the National Cyber Security Centre has recently launched a new campaign to protect against such threats.
Develop your digital routine
Arming yourself with the right tools is a great first step in protecting your digital identity, but it’s also important to stay educated on the latest developments. Major data breaches are always covered in the news, so this is often a good place to keep a pulse on any attacks that could have compromised your personal information.
If you think you’re a target or have already been compromised, prioritise changing all of your passwords. Then, make sure to incorporate the necessary security measures into your daily digital routine to make sure your identity is adequately protected.