Paul's Insights: The danger of stolen data

There was a time when crooks made off with television sets or jewellery - items that were easy to cart off and hock around town. These days, they focus on far more transportable stuff, like details of our personal accounts. And it's an all too lucrative business.

By Paul Clitheroe · 1 Apr 2019

By Paul Clitheroe ·
1 Apr 2019

Comments

Mention cyberattacks, and we often think of dodgy malware that infects entire computer systems. But for cyber-crims, malware is yesterday’s news. ‘Credential stuffing’ is the latest trend among cyber-thieves.

In mid-March the Australian Federal Police arrested a Sydney man who had allegedly made $300,000 selling account details including email addresses and usernames for subscribers of various websites.

The man is believed to have got hold of these details through a process known as credential stuffing.

In simple terms, credential stuffing involves a hacker feeding thousands or millions of stolen username and password combinations (obtained on the black market) into multiple websites to see if any of the details match a live account.

If the hackers are able to log in successfully, they can pull out personal information to sell on the dark web. Long story short, it can open the door to identity theft, or worse, having your bank account cleaned out.

There’s not much companies can do to combat credential stuffing – hackers aren’t trying to break through security systems, they’re just entering login details from other websites.

Consumers are vulnerable to these attacks because of our habit of using the same password across multiple sites. A 2018 US study found 52% of consumers use the same or very similar passwords for different sites and services.

How can you protect yourself from these attacks?

The most important step is to use distinctly different password and username combinations for all your online accounts. If one company you have an account with experiences a data breach, all of your accounts that share the same username/password combination could be in jeopardy.

If you have a lot of online accounts, which many of us do nowadays, consider a password manager to help you keep track of the details.

Where two factor authentication is offered, take advantage of it. This is where you enter a password plus a code that your service provider sends via SMS. Plenty of banks are offering two factor authentication, and it can provide additional protection in the event of a network attack.

It’s also worth paying attention to news of major data breaches. In February, Dunkin Donuts in the US reported a credential stuffing attack. A few weeks earlier social site Reddit was breached. If a company you have an account with experiences a data breach, do not waste time in changing your passwords.

Paul Clitheroe is Chairman of InvestSMART, Chairman of the Australian Government Financial Literacy Board and chief commentator for Money Magazine.

Go to Google News, then click "Follow" button to add us.

Share this article and show your support

Frequently Asked Questions about this Article…

What is credential stuffing and why should investors be concerned?

Credential stuffing is a cyberattack method where hackers use stolen username and password combinations to access multiple websites. Investors should be concerned because successful attacks can lead to identity theft or financial loss if hackers gain access to sensitive accounts.

How does credential stuffing differ from traditional malware attacks?

Unlike traditional malware attacks that infect systems, credential stuffing involves using stolen login details to access accounts. Hackers aren't breaking through security systems; they're exploiting reused passwords across different sites.

Why is using the same password across multiple sites risky for investors?

Using the same password across multiple sites is risky because if one site experiences a data breach, all accounts with the same login details are vulnerable to credential stuffing attacks, potentially leading to financial loss.

What steps can investors take to protect themselves from credential stuffing attacks?

Investors can protect themselves by using unique passwords for each account, employing a password manager, and enabling two-factor authentication where available. These measures help safeguard against unauthorized access.

How can a password manager help in preventing credential stuffing?

A password manager helps by securely storing and managing unique passwords for each account, reducing the risk of using the same password across multiple sites and thus mitigating the threat of credential stuffing.

What is two-factor authentication and how does it enhance security for investors?

Two-factor authentication adds an extra layer of security by requiring a password and a code sent via SMS. This makes it harder for hackers to access accounts, even if they have the password, providing additional protection for investors.

Why is it important for investors to stay informed about data breaches?

Staying informed about data breaches is crucial because it allows investors to take immediate action, such as changing passwords, to protect their accounts from potential credential stuffing attacks following a breach.

What should investors do if a company they have an account with experiences a data breach?

If a company experiences a data breach, investors should promptly change their passwords for that account and any other accounts using the same login details to prevent unauthorized access through credential stuffing.