InvestSMART

Paul's Insights: The danger of stolen data

There was a time when crooks made off with television sets or jewellery - items that were easy to cart off and hock around town. These days, they focus on far more transportable stuff, like details of our personal accounts. And it's an all too lucrative business.
By · 1 Apr 2019

Mention cyberattacks, and we often think of dodgy malware that infects entire computer systems. But for cyber-crims, malware is yesterday’s news. ‘Credential stuffing’ is the latest trend among cyber-thieves.

In mid-March the Australian Federal Police arrested a Sydney man who had allegedly made $300,000 selling account details including email addresses and usernames for subscribers of various websites.

The man is believed to have got hold of these details through a process known as credential stuffing.

In simple terms, credential stuffing involves a hacker feeding thousands or millions of stolen username and password combinations (obtained on the black market) into multiple websites to see if any of the details match a live account.

If the hackers are able to log in successfully, they can pull out personal information to sell on the dark web. Long story short, it can open the door to identity theft, or worse, having your bank account cleaned out.

There’s not much companies can do to combat credential stuffing – hackers aren’t trying to break through security systems, they’re just entering login details from other websites.

Consumers are vulnerable to these attacks because of our habit of using the same password across multiple sites. A 2018 US study found 52% of consumers use the same or very similar passwords for different sites and services.

How can you protect yourself from these attacks?

The most important step is to use distinctly different password and username combinations for all your online accounts. If one company you have an account with experiences a data breach, all of your accounts that share the same username/password combination could be in jeopardy.

If you have a lot of online accounts, which many of us do nowadays, consider a password manager to help you keep track of the details.

Where two-factor authentication is offered, take advantage of it. This is where you enter a password plus a code that your service provider sends via SMS. Plenty of banks are offering two-factor authentication, and it can provide additional protection in the event of a network attack.

It’s also worth paying attention to news of major data breaches. In February, Dunkin' Donuts in the US reported a credential stuffing attack. A few weeks earlier, social site Reddit was breached. If a company you have an account with experiences a data breach, waste no time in changing your passwords.


Paul Clitheroe is Chairman of InvestSMART, Chairman of the Australian Government Financial Literacy Board and chief commentator for Money Magazine.



Frequently Asked Questions about this Article…

Credential stuffing is a cyberattack method where hackers use stolen username and password combinations to access multiple websites. Investors should be concerned because successful attacks can lead to identity theft or financial loss if hackers gain access to sensitive accounts.

Unlike traditional malware attacks that infect systems, credential stuffing involves using stolen login details to access accounts. Hackers aren't breaking through security systems; they're exploiting reused passwords across different sites.

Using the same password across multiple sites is risky because if one site experiences a data breach, all accounts with the same login details are vulnerable to credential stuffing attacks, potentially leading to financial loss.

Investors can protect themselves by using unique passwords for each account, employing a password manager, and enabling two-factor authentication where available. These measures help safeguard against unauthorized access.

A password manager helps by securely storing and managing unique passwords for each account, reducing the risk of using the same password across multiple sites and thus mitigating the threat of credential stuffing.

Two-factor authentication adds an extra layer of security by requiring a password and a code sent via SMS. This makes it harder for hackers to access accounts, even if they have the password, providing additional protection for investors.

Staying informed about data breaches is crucial because it allows investors to take immediate action, such as changing passwords, to protect their accounts from potential credential stuffing attacks following a breach.

If a company experiences a data breach, investors should promptly change their passwords for that account and any other accounts using the same login details to prevent unauthorized access through credential stuffing.