Protect your identity from growing digital clutter

When it comes to protecting your digital identity, it can be hard to know what you're defending against. Attackers' targets, victims, and techniques vary widely, and this uncertainty has only grown as malicious actors take advantage of the COVID-19 chaos to steal whatever information they can get their hands on. That said, the one certainty is that online credential theft and misuse is involved in nearly 81% of hacker-related breaches, making it one of the most common attacks in the world.

About the author: Nic Sarginson is a Senior Solutions Engineer for UKI and RSA at Yubico.

The keys to the castle

Once a cybercriminal has someone's credentials, they have the tools to unlock their victim's full digital identity. So if the potential damage is so great, why are these credentials so easy to steal?

Weak passwords
Attackers try common passwords with specific or common usernames, and can be surprisingly successful. Unfortunately, most people find it difficult to create or remember strong passwords. As a result, people often choose weak passwords and rarely change them. In fact, recent research revealed that one in 142 passwords is "123456" and that 23.5 million hacked accounts have used "123456" as their password.

Password reuse abuse (credential stuffing)
Attackers regularly take credentials stolen from one site and try them on another, since it is very common for people to use the same username and password combination, or a variant, on multiple sites. In fact, over 44 million Microsoft account holders use recycled passwords! This problem is compounded by the sheer volume of stolen credentials available for sale on the dark web.

Man-in-the-middle (MitM) attacks
Sometimes attackers gain access to the network path between their victim's computer and the site they are accessing. This can allow the attacker to see what sites someone is accessing and steal their data if the connection is not encrypted or if the victim believes the malicious site or system is legitimate.

Identity fraud
Phishing typically uses a pretext to convince someone to directly reveal their credentials or visit a site that does the same thing. Attackers do this via SMS, email, phone, instant messaging, social media, dating sites, physical mail, or any other available means.

Account recovery operation
Unfortunately, account recovery flows can be much weaker than the main authentication channel. For example, it is common for companies to implement strong two-factor authentication (2FA) solutions as the primary method while leaving SMS in place behind it as a fallback. Alternatively, companies can simply allow help desk staff to reset credentials or set temporary referral codes with a simple phone call and with little or no identity verification requirements.

Defend your domain

Once you've recognized these methods of credential theft, you can begin to identify how bad actors can easily gain access to your digital identity. Here are some simple steps you can start taking today to stop these methods of credential theft:

Manage your passwords correctly
It's important to be as diligent as possible about creating the strongest passwords and managing them securely. Ideally, strong passwords should be randomly generated. At the very least, avoid using information about yourself or your friends and family, such as birthdays, sports teams, animal names, etc. Never reuse passwords between sites. Yes, that means you'll need a different password for each account you have. As a best practice, use a password manager to securely generate and store passwords.

Use two-factor authentication (2FA)
Even the most secure usernames and passwords are subject to compromise. To avoid this, always enable 2FA whenever possible to ensure another form of identity, beyond a username and password, is required to access your account. Whatever you do, don't activate SMS codes as a second form of authentication. The National Institute of Standards and Technology (NIST) recently deemed them very ineffective. While some services require the use of SMS to initially set up 2FA, you can choose to turn SMS off after setting up other factors, such as security keys.

Check before you click
To protect yourself against email phishing, make sure an email is legitimate by asking yourself: Do you recognize the email address? Are there misspellings in the email? Does the link or attachment make sense? When it comes to websites and links, check for HTTPS security, which indicates that the web page you are on is safe and can be trusted before entering any sensitive information. HTTPS will appear in the URL and the bar will also show a small padlock that says "secure" next to it. Also, your bank will not send you an email with a password reset link. Always use your official mobile banking app or make sure you go directly to the bank's website.

Beware of networks
Public Wi-Fi does not qualify as a secure network and therefore gives hackers a greater advantage in stealing information or driving malicious attacks. If you must use public Wi-Fi, stick to sites that don't handle sensitive information. When possible, always avoid public Wi-Fi networks and use other solutions, such as a secure personal hotspot or VPN solution. A VPN will make it difficult for third parties to determine your identity or location. However, as the world adjusts to working from home, a record number of people are using a VPN to access the corporate network, putting them to the test. You can also secure VPN access with MFA to make sure your personal and business information is protected.

Don't reveal sensitive information

Any information can make a hacker's job easier. It may seem obvious, but in the age of social media, don't put any information on your public profiles that you wouldn't give to a stranger. With COVID-19 meaning more people are working from home, there's a greater temptation to fill out that Facebook channel post that includes revealing your birthplace and first pet. In fact, the National Cyber Security Centre recently launched a new campaign to protect against such threats.
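
The password rules given under "Manage your passwords correctly" (no common passwords, no personal details, no reuse or near-variants across sites, random generation) can be checked mechanically against an exported credential list. The Python below is an added example, not part of the original article; the sample vault, the short common-password set, the personal terms and all function names are constructed for illustration.

```python
import re
import secrets
import string
from collections import defaultdict

COMMON = {"123456", "password", "qwerty", "111111", "letmein"}  # constructed stand-in list

SAMPLE_VAULT = {  # constructed sample export: site -> password (placeholder sites)
    "mail.example": "123456",
    "shop.example": "Rover2019!",
    "forum.example": "Rover2019!",
    "bank.example": "rover1",
    "cloud.example": "q7#Vz!pT2m@Lw9_xR4cE",
}
PERSONAL_TERMS = ["rover", "1987"]  # constructed: a pet name and a birth year

def stem(password):
    """Lower-case and drop trailing digits/symbols so 'Rover2019!' and 'rover1' match."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def audit(vault, personal_terms):
    """Return {site: sorted findings} for every entry that breaks one of the rules."""
    findings = defaultdict(set)
    exact, stems = defaultdict(set), defaultdict(set)
    for site, pw in vault.items():
        exact[pw].add(site)
        if stem(pw):                      # all-digit passwords have no stem
            stems[stem(pw)].add(site)
        if pw.lower() in COMMON:
            findings[site].add("common password")
        if any(term.lower() in pw.lower() for term in personal_terms):
            findings[site].add("contains personal information")
    for sites in exact.values():
        if len(sites) > 1:                # same password on several sites
            for site in sites:
                findings[site].add("reused on another site")
    for sites in stems.values():
        if len({vault[s] for s in sites}) > 1:   # different passwords, same base
            for site in sites:
                findings[site].add("variant of another password")
    return {site: sorted(found) for site, found in findings.items()}

def generate(length=20):  # random replacement drawn from the OS CSPRNG
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for site, found in sorted(audit(SAMPLE_VAULT, PERSONAL_TERMS).items()):
        print(f"{site}: {', '.join(found)}; suggested replacement: {generate()}")
```

Entries with no findings, such as the randomly generated one in the sample, are left out of the report.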

Develop your digital routine

Arming yourself with the right tools is an important first step in protecting your digital identity, but it's also important to stay on top of the latest developments. Major data breaches are always covered in the news, so this is often a good place to keep track of attacks that could have compromised your personal information. If you think you are a target or have already been compromised, make it a priority to change all your passwords. Next, be sure to build the necessary security measures into your daily digital routine to ensure your identity is properly protected.