Don’t Fear the Reaper

By: (Security+)

Publication: The Community Banker , Fall 2014

Are you familiar with the term harvesting? User credentials can be gathered in bulk from sites that, in all likelihood, have weak security. This gathering process has been named harvesting, and it has become a prominent issue in the security world.

We all remember the Target breach of 2013 when 40 million credit card numbers and 70 million addresses, phone numbers, and other personally identifiable information were stolen by Eastern European hackers. I personally barely missed the breach window, buying a pair of socks two days after the attack was discovered and addressed. Phew! Some other large-scale events you may know less about include the theft of tens of millions of records from Adobe Systems, 360 million records from multiple companies found for sale on the black market, and an identity theft service in Vietnam with 200 million personal records including Social Security numbers, credit card data, and bank account information. All of these breaches have occurred in the last year! A helpful U.S. firm, Hold Security, uncovered each of these incidents.

Their most recent find in early August was one of the largest data harvesting breaches known to date. After seven months of research, Hold Security discovered the full extent of the most recent hack: 1.2 billion unique Internet user names and passwords have been harvested by Russian criminals. The 1.2 billion credential pairs belong to over 540 million different email addresses from more than 420 thousand websites.

Breached Sites                      420,000
Total Credential Pairs              4,500,000,000
Unique Credential Pairs             1,200,000,000
Unique Email Addresses              540,000,000
World Population (for reference)    7,185,600,000

The harvesters began by purchasing user data on the black market. Then they began using botnets to perform SQL injection against the sites that the users of these zombie machines visited. Vulnerable sites were tracked so the harvesters could return later and exploit them.

Their extreme success in this harvest highlights the sad truth that most people use the same password for multiple services. I’m guilty of that. You’re likely guilty of that. Using the same password on multiple sites means that with the discovery of one password, a criminal can hold the keys to much or all of your online existence. While companies that rely on usernames and passwords need to be more proactive about their vulnerabilities (and this applies to companies of all sizes), individuals need to practice safe internet usage themselves. In the case of stolen credentials you’re looking at more than just the possibility of financial mischief; your primary concern should be identity theft.

Here are some tips to help keep your information as secure as possible:

  • Don’t make it about you. A lot can be found out about you through social media. Avoid using birthdays, anniversaries, pets, and other things that may identify you in your passwords.
  • Don’t use dictionary words. Many sites are now requiring that you do not use dictionary words. This can make picking a password pretty difficult, but to make it a little easier, try using only the first few letters of a word instead of the full word itself. You can test the strength of your password at https://howsecureismypassword.net. (Do not test your actual password, just something similar to it. They could be stealing your credentials; they’re not, but they could.)
  • Use multi-factor authentication. This isn’t an option on every site, but when it’s available you should opt to use it. While methods may vary, typical multi-factor authentication requires you to provide your password and additionally provide a time-sensitive second code sent to you by email or text.
  • Lock them up. Don’t leave your passwords lying around in the physical world or the virtual world. One of the best ways to keep them safe is to store them in some form of secure password vault, like LastPass.
  • Mix it up. Using different passwords for different sites/systems is the best practice to limit the damage from attacks like the Russian 1.2 billion password harvest. Using the same password on multiple sites leaves you fully susceptible to having all your accounts compromised when the weakest of those sites is compromised.
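To make the tips above concrete, here is an added example (not from the article, and not code from any product it mentions) written in Python. It checks a candidate password against the “don’t make it about you” and “don’t use dictionary words” tips, and it scans a password-vault export for the reuse that the “mix it up” tip warns against, reporting only site names rather than the passwords themselves. The word list, the personal details and the vault contents are constructed sample data, and the 12-character minimum is an assumed policy, not a figure from the article.

```python
import hashlib
from collections import defaultdict

# Constructed sample word list (a real check would load a full dictionary).
SMALL_DICTIONARY = {"password", "welcome", "banker", "summer", "dragon"}

# Assumed policy minimum; the article gives no specific length.
MIN_LENGTH = 12


def password_findings(password, personal_terms, dictionary=SMALL_DICTIONARY):
    """Return a list of hygiene problems found in `password`.

    personal_terms: things that identify the user (pet names, birth years,
    anniversaries) that should never appear in the password.
    """
    findings = []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        findings.append(f"too short (fewer than {MIN_LENGTH} characters)")

    # "Don't make it about you": flag any personal detail that appears verbatim.
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in lower:
            findings.append(f"contains personal identifier '{term}'")

    # "Don't use dictionary words": flag whole words embedded in the password.
    for word in sorted(dictionary):
        if word in lower:
            findings.append(f"contains dictionary word '{word}'")

    return findings


def find_reused_passwords(vault):
    """Group sites in `vault` ({site: password}) that share a password.

    Sites are grouped by a SHA-256 fingerprint of the password so the report
    can be shown or logged without ever containing the passwords themselves.
    Returns a sorted list of sorted site-name lists, one per reused password.
    """
    groups = defaultdict(list)
    for site, password in vault.items():
        fingerprint = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[fingerprint].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed examples of the user's personal details and vault contents.
    personal = ["Fluffy", "1984"]
    for candidate in ["Fluffy1984!", "Welcome2Banking!", "Tr3e-H0use-Lamp-97"]:
        print(candidate, "->", password_findings(candidate, personal) or "no findings")

    sample_vault = {
        "bank": "Fluffy1984!",
        "email": "Fluffy1984!",
        "forum": "Fluffy1984!",
        "shop": "Tr3e-H0use-Lamp-97",
    }
    for sites in find_reused_passwords(sample_vault):
        print("same password used on:", ", ".join(sites))
```

Run as a script it prints the findings for each sample password and then lists the three sites that share one password; in the constructed vault a single leak from the forum would open the bank and email accounts as well, which is exactly the exposure the “mix it up” tip describes.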

There are many methods available to help you secure your passwords. Pick a few of your favorites and stick to them. Of course, the most effective method to use when protecting your credentials from the reapers is to use a different password on each site and change your passwords often.