New Research Points Blame at Old Techniques as Cause for Data Breaches
A new study out shows that most large data breaches are being made using tactics that came around in the mid 2000s. While many technical attacks have grown in sophistication in recent years the most common forms of data breaches have remained relatively the same.
- Phishing attacks – Sending fake emails to users asking for usernames and passwords
- Keylogging – installing hidden software to monitor keys pressed by a user
Despite the raised awareness around these, however people continue to fall for them at an astonishing rate.
The study “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials” done in collaboration by Google, UC Berkeley and the International Computer Science Institute. The research conducted over a year from March 2016 found 1.9 billion compromised usernames and passwords on underground forums as a result of massive data breaches. Phishing kits potentially compromised 12.4 million victims and off-the-shelf key loggers hit as many as 788,000 victims.
The newer and evolving phishing kits collect not only usernames and passwords, but phone numbers and geolocation information, which is then used to spoof a user’s location. Services providers are constantly chasing new ways to detect suspicious activity on their platforms, such as Google’s Gmail alerting users when a login attempt is made from a foreign location, or prompting users with obscure security questions. This cat and mouse game continues as attackers increasingly find ways to mimic legitimate users, and providers develop techniques to catch them out.
We could all try a little harder with our passwords….
While many people use weak passwords as shown, it has also been highlighted that users often aren’t aware that their account has been breached, or ignore it. The wider implication comes with the fact that the same credentials are more often than not used across many accounts, creating issues once a breach publically surfaces.
It’s not all doom and gloom however!
Preventative measures can be taken to mitigate the risks of breaches to individuals with some easy to implement techniques.
- 2 Factor Authentication – This requires a user to enter a second password or number combination sent to them via an app or SMS text message when logging into an account for the first time on a new device. If a malicious attempt is made to access the account the notification is sent to you, and swift action can then be taken to lock the attacker out.
- Password Managers – These software platforms allow for the safe holding of multiple passwords for a user. Using one difficult master password to access the encrypted list, you can then easily double click on an account to copy the password to then past it into the webpage you are trying to login to. The benefit of this is that you don’t need to remember multiple passwords, just one master password. Therefore storing different and complex passwords for each account is easy!
Being proactive in keeping an eye out for suspicious events and mail can save you a lot of trouble, at the end of the day you may have the most fortified castle in the world, but if you hand the keys to the kingdom over willingly those defences are worth very little.