How Your Account Got Hacked
An overview of common password theft techniques
My password is “lantzolot2016”. That should get you into just about everything except my bank account. I figured that should be a little more secure, so that password is “L4ntz0l0t”.
As ridiculous as it sounds, many people today make it just that easy for attackers to gain access to their accounts. And it doesn’t always take a super genius to do it either.
Here are 5 ways your account got hacked:
And if you do nothing else with this post, at least read the Closing Tips.
Social Engineering
Social engineering is by far one of the most effective ways of obtaining a password. As humans, we have a certain inclination to trust, and social engineering exploits that.
Here are a few examples of how it works:
- You’ve just met someone and have a short conversation about where you’re from, your family, your pets, etc. Nothing about the conversation strikes you as being particularly different. What you might have missed, though, is some of the things you let slip. Many times, we create accounts and set up recovery questions for them without giving much thought to how accessible the answers to those questions may be. Recovery questions like “What’s the name of your first pet?” or “What’s the first car you owned?” really do come up quite frequently in conversation, even with strangers.
- Another social engineering technique comes into play when an account has already been compromised. With access to a Twitter, Facebook, or email account, a hacker has the perfect mask. Sure you may be careful around strangers, and you’d never divulge any sensitive information to them, but how about a friend? Let’s say you got a Facebook message from someone close to you asking to borrow your Netflix account. Many people would happily oblige.
- Another approach to social engineering is exploiting the human nature of curiosity. So many people are willing to blindly click a link if they think what’s on the other end will be interesting or amusing. Don’t take the bait! This is closely tied to phishing, which we'll cover next.
Phishing
Phishing is probably the most common form of attack currently. The idea is that the attacker tries to fool you into believing they are a legitimate organization.
Oftentimes, malicious hackers will create websites with misspelled versions of, or names really similar to, popular sites like facebook.com or youtube.com. The idea here is that they can make the page look almost identical to the true site, and even ask the user to log in.
These attacks don’t just apply to phony websites either. You may receive emails, texts, or phone calls that try very hard to make you believe they are legitimate.
My tips for avoiding phishing attacks:
- Always double check your address bar when visiting a new site, especially if it's asking for any information from you.
- Always check the email address of the sender of an email that asks for any information. If you are suspicious of an email, you should search the sender online to see if any other people have reported issues with it.
- Treat any unsolicited phone call as if it is illegitimate. Providing any personal information can be very dangerous.
For a little more information on phishing, read Sam Tripp's post on avoiding the trap here.
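The address-bar check above can be turned into a small helper. This is an added example, not code from the original post; it assumes a short, constructed list of sites the user holds accounts on, and flags a host as a lookalike when it is within two keystrokes of a real name or uses the real name as a subdomain of something else.

```python
from urllib.parse import urlsplit

# Constructed list of sites the user actually has accounts on (assumption).
KNOWN_SITES = ["facebook.com", "youtube.com", "netflix.com"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host; good enough for .com-style names (assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str) -> str:
    """Return 'known', 'lookalike' or 'unrelated' for the host in url."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in KNOWN_SITES:
        return "known"
    for site in KNOWN_SITES:
        # Brand used as a subdomain of some other domain, e.g. facebook.com.login-xyz.net
        if host.startswith(site + "."):
            return "lookalike"
        # A misspelling within a couple of keystrokes of the real name, e.g. faceb00k.com
        if edit_distance(domain, site) <= 2:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for u in ["https://www.facebook.com/login", "http://faceb00k.com/login",
              "https://facebook.com.secure-login.example/", "https://example.org/"]:
        print(u, "->", classify_url(u))
```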
Massive Theft
This sort of attack is something that should truly frighten us. There have been a lot of incidents in recent years of large corporations failing to secure the passwords of hundreds of thousands, if not millions of users. Whether the attack came from someone who found a clever loophole in the system, someone who tricked someone in their IT department to give them access to sensitive information, or even a disgruntled employee, this is an enormous problem in our world today.
Here's what you need to know.
- A chain is only as strong as its weakest link. What I mean by this is that not all organizations pay equal attention to security. Having many accounts that use the same password is like knocking over a row of dominoes. Once one falls, they all fall.
- I know it can be a challenge to keep them all straight. I recommend picking a theme for your passwords to remember them better (for example: pirates. You could create passwords like “Gangplank!23”, “land.lubbers.&”, or “shiver!me!timbers”).
- If a company announces a security breach, take them seriously. They’re probably losing a lot of business by saying they were hacked, so you know they’re not kidding around. Change ALL of your passwords. It’s a lot of work, but it’s essential.
- Sometimes an organization may have been hacked and simply doesn’t know it. In this case, your password may be compromised and you have no way of realizing it. Because of this, I recommend that you occasionally change your passwords, at least every six months or a year.
Keylogging
Keylogging is a tried and true method of password theft. The idea is that the hacker uses malicious software/hardware to check what keys are being pressed on your keyboard.
Keyloggers come in 3 major flavors:
- Malware: This is traditionally the most common. You managed to get a virus from some download or sketchy website and now everything you type is being monitored.
- Browser-based keylogging: This technically falls under malware, but it's gaining a lot of usage and I think it deserves special attention. This is a type of keylogging software that specifically attaches to your internet browser as an addon, extension, or plug-in.
- Hardware: This is significantly less common, but also highly effective. Some malicious hackers may have a USB device they could plug in that grabs keystrokes even without installing software. This is especially dangerous when using public computers where you aren't sure what all is plugged into the back.
My best tip for avoidance is regular virus scans (try scheduling them to run at night while you're asleep; this way they won't slow you down during the day). Remember: password changes won't help you until the keylogging software/hardware has been removed; the attacker will see the new password too!
Brute Force
Brute force attacks are another golden oldie. They're pretty simple and guaranteed to work. You just have to keep guessing until you get it.
With the modern standard of things locking you out after so many failed attempts, I hesitate to even mention this one. Still, it does have some usage today, especially if the hacker has a method of bypassing the lockout.
You should also be aware of a very similar attack known as a dictionary attack. This is a brute force attack that goes word by word through a dictionary (plus common variations of each word) trying to catch simple passwords. Keep your passwords complex.
Closing Tips
- Pick a secure password.
- Don't use the same password for any two accounts.
- Don't use a really super similar password for any two accounts.
- Change your passwords at least every 6 months to a year.
- Be conscious of the information you're giving out.
- Seek out the true identity of the person you're giving information to.
- Don't write your password on a sticky note and attach it to your keyboard; it's not as clever as you think.