Database of 26 Million Stolen Passwords Discovered

Cyber Security, Data Security, Ophtek, Password Security, Two Factor Authentication, Updates, , , ,
22
Jun 2021

Passwords are one of the most common security measures, but they’re still considered a risk. And 26 million stolen passwords have just been found.

We all use passwords on a regular basis throughout our working day. Logging on to remote servers and online platforms all require a set of login credentials. And, on the whole, they provide an adequate level of security. But security which is considered only adequate will always remain a tempting prospect to hackers. Login credentials will typically consist of only two pieces of information: username and password. Naturally, with only two data values required – which can be entered from any keyboard – login credentials represent some major security concerns.

That’s why the discovery of this database, containing 26 million sources of information, is considered a major alert.

What’s in the Database?

Coming in at a huge 1.2TB, the database – which was discovered by NordLocker – contains the following:

  • 26 million login credentials
  • 2 billion browser cookies
  • 1.1 million email addresses
  • 6.6 million various files including Word, PDF and image files

These numbers are, of course, huge. And it’s a safe bet that some serious data has been compromised along the way. It has also been revealed that the malware made a point of creating an image file by taking a screenshot via active webcams on infected devices. This, again, is troubling as it underlines the danger contained within the malware for compromising personal data.

The actual malware behind these data harvests is currently unknown. It is believed, however, that its method of attack is fairly standard. Upon infection, the malware will connect to a remote server where it can transmit any stolen data. The compromised data, as NordLocker found, was being hosted on a cloud-based hosting service and has now been taken down. But it’s likely that this database has already been traded and is out in the digital wild.

How Do You Protect Yourself?

Attacks such as this are sadly commonplace in the modern age, but there is a lot that you can do to protect your organization’s data:

  • Use Two-Factor Authentication: The combination of a username and password may seem strong, but it can be made even stronger by two-factor authentication. This additional layer of security requires the use of a unique piece of data transmitted to a device separate from your IT network.
  • Install All Updates: The attack in question could easily have been caused by a vulnerability put in place by outdated technology. Both software and hardware require regular updates to patch any issues that may be discovered post-launch. And it’s your responsibility to install these as soon as possible to close any potential back door attacks.
  • Regularly Monitor Network Activity: If significant amounts of data are being stolen and transmitted to a remote server, this activity will be associated with a rise in outgoing network activity. Therefore, it pays to keep a close eye on any spikes in traffic to minimize the impact of any breach.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

SMS Authentication Isn’t as Secure as You Thought

Ophtek, Security Threats, SMS Authentication, Two Factor Authentication, , ,
10
Mar 2020

SMS is one of the most popular ways to confirm two-factor authorization. Accordingly, it’s been adopted by countless organizations. But is it secure?

Two-factor authorization is one of the simplest ways to maximize security. Instead of, for example, simply entering a username and password, two-factor authorization requires a little more. So, once the correct login details have been processed, a further level of confirmation is requested. One of the most popular ways to achieve this is through SMS. Users are sent a unique code which must then be entered into the system they wish to access. It’s one of the surest ways to confirm a genuine login.

However, the discovery of a vulnerability in SIM security has left security experts questioning the safety of SMS authentication.

The Problems with SIM Cards

The ease and simplicity of SMS authentication has made it a popular choice with IT experts and PC users. But a study by Princeton University has shone new light on the dangers of SMS authentication. It’s all down to a form of hacking known as a SIM-swap attack. A strain of social engineering, SIM-swap attacks involve deceiving phone carriers into swapping existing phone numbers over to new SIM cards.

With a new SIM card in their possession, the perpetrator is in the perfect position to hijack accounts and sail through two-factor authorization with ease. One of the most worrying aspects of the study was that some major phone carriers were involved. AT&T, Verizon, US Mobile, Tracfone and T-Mobile all failed to prevent SIM-swap attacks taking place. But how did this happen?

After a year-long study, the Princeton researchers were able to determine that deceiving a call center operator was relatively simple. To activate the SIM-swap process, all the researchers had to do was pass a single security challenge. Perversely, to reach this stage, the researchers had to deliberately submit an incorrect PIN. Once asked to confirm personal information, the researchers would plead ignorance to these requests. The next step, by the phone carriers, would be to request details about the last two calls made by that number.

You may think that his information is difficult to obtain, but it’s a lot easier than you would imagine. Social engineering can be used to trick victims into making phone calls quite easily, particularly when financial matters are mentioned. And it was with this information that the researchers were able to initiate the SIM-swap process.

How Can You Secure Two-Factor Authorization?

The results of the Princeton study are worrying and highlight a lack of security on the part of phone carriers. T-Mobile has since confirmed that they have eliminated call logs from their authorization process. But the fact remains that SIM cards have been highlighted as a weak link. And it’s recommended that your organization drops SMS authorization. The preferred method of two-factor authorization is with an authentication app. These apps generate unique two-factor codes on a phone, but remain inaccessible by the SIM card.

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

What is Two Factor Authentication and Should You Use It?

Office IT, Security, ,
07
Dec 2014

Two_Locks_Two_Factor_Authentication

We use the Internet for almost everything from email to banking. Lets review how two factor authentication works and how it can protect you.

How does one ensure that their accounts are being kept safe at any point without risk of theft?

The truth is, the world is full of hackers trying to steal your personal information and money.  They’ll go as far as to phish your information without you knowing it. However, one good way to lock down access to your accounts is by using two-factor authentication, also known as 2FA. It’s highly likely that you’ve already used 2FA without even realizing it.

High profile companies such as Google and Twitter, along with many more, have adopted this security measure. Does this make any sense to you? If not, don’t worry as we’ll elaborate more on this.

What is it?

Let’s begin by understanding what single factor authentication is. When you log into an account with just a password, this is considered to be a single factor.

However, two factor authentication is used to verify the identity of the person who they say they are logging in as with the help of an additional factor.
This additional factor can be a piece of information such as:

  • An extra password, pin or pattern
  • Something physical such as a phone, ATM card or fob
  • Biometrics, such as voice, fingerprint or iris scanning

The additional factor forms part of the two factor verification during authentication, even if there’s no evidence of the person accessing the system being the rightful owner of the account.

Once the two factors have been successful verified, this would grant access to a computer system or website.

Example of Two Factor Authentication

An example of how Zoho Uses 2 Factor Authentication

An example of how Zoho uses 2 Factor Authentication

A common example is when you use an ATM machine. For this to work, you’ll obviously need an ATM card, which is one factor, and a pin as a second factor.  This makes it somewhat secure, where one will not work without the other. Say if your ATM card (without long-strip) was lost or stolen, it wouldn’t be any good to whoever gained possession of it without knowing the pin. The opposite is also true, in the case of someone else knowing the pin without having the card. They would be unable to access your account.

Should you use two factor authentication?

In principle, yes. It adds an extra layer to dissuade hackers from gaining entry into your accounts.  Although it isn’t necessary to use it on all of your internet accounts, enabling it on your main email account if it’s supported by your email provider and any financial accounts such as banks or credit cards is a good line of defense.

There are, of course, some downsides to two factor authentication:

  • 2FA logins can take a little longer to work out to login, as the additional step can seem like an inconvenience when using something like a mobile or a fob key to generate a code.
  • If any device, such as a fob or a phone is lost, you’re stuck having to find a way to log in and you’ll need to contact the company’s support.
  • If a hacker gained access to your main email account, which is listed within your contact details in another important account, they can receive the account recovery email. They can then reset it causing them to bypass the 2FA of the account they’re targeting.
  • A good way to prevent this is by having a smarter recovery option, such as an SMS sent to a cell phone to request any account actions.

Final Verdict

All in all, it is better to have 2FA enabled on your accounts than no additional step at all, especially if it means dissuading unauthorized access to your accounts. As 2FA has become more commonplace, it is likely that new developments in security will pave the way for more practical two factor authentication methods. It is fast becoming a necessity for both personal and business use.

For more information on using two factor authentication to protect your business and personal accounts, contact your local IT professionals.

Read More