Following news that a Russian crime ring has gathered the largest known collection of stolen Internet credentials, the limitations of passwords are now a critical issue, said Symantec Malaysia Principal Consultant David Rajoo during an interview with Computerworld Malaysia.
Photo - David Rajoo, Principal Consultant, Symantec Malaysia.
What are the confirmed details of this latest hack?
On 5th August, a report by Hold Security claimed that a Russian cybercrime group stole more than 4.5 billion records, obtaining 1.2 billion unique username and password combinations (also known as credentials) from 420,000 websites. This cybercrime ring goes by the name "CyberVor" gang and the word "vor" means thief in Russian.
The breaches reportedly affect a huge variety of entities ranging from Fortune 500 firms to very small sites. The affected sites weren't identified, as many of them are still vulnerable to attack. Based on the number of records and credentials stolen, this incident is being considered as the largest reported data breach to date.
The group allegedly managed to obtain these details by using botnets to probe websites for vulnerabilities. The report states that when one of the botnet's infected computers visits a website, the attackers force the computer to carry out an SQL injection attack on the site to see if it contains vulnerabilities. If the site is vulnerable, then the attackers take note of the website and return at a later time to steal information from the site's database.
The attackers have reportedly not sold many of the stolen details online and have instead used the information to send spam messages on social networks. Still, this information could be of great value to other cybercriminals. If people reused their passwords on other services, then attackers could use the information to compromise other accounts and obtain further sensitive information about the victim.
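The probing described above looks for sites that build SQL statements out of raw request input. The following added example (not code from the article or from Symantec) shows, with a constructed in-memory SQLite table and a hypothetical `users` schema, why a concatenated query gives back the whole table to a crafted input while the same lookup done with a bound parameter treats that input as an ordinary, non-matching username. The fix that closes this class of hole is the second function: the SQL text never changes, only the bound value does.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed sample data so the example runs offline; not real records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # Defective pattern: user input is spliced into the SQL text, so it can
    # change the query's meaning. This is what an injection probe tests for.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # Hardened pattern: the query text is fixed and the value is bound by the
    # driver, so input is always data and never SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# A classic tautology string used here only to show the difference in handling.
PROBE = "x' OR '1'='1"


def demo() -> dict:
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PROBE)),
        "parameterized_rows": len(lookup_parameterized(conn, PROBE)),
        "normal_rows": len(lookup_parameterized(conn, "alice")),
    }


if __name__ == "__main__":
    print(demo())  # {'vulnerable_rows': 2, 'parameterized_rows': 0, 'normal_rows': 1}
```

A web application review that greps for string-built SQL (`+`, `%`, f-strings feeding `execute`) and replaces each with bound parameters removes the exposure regardless of which inputs the attacker's botnet happens to try.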
What do Malaysian businesses need to do about this; and could you also offer some advice for Malaysian internet users?
Enterprises are affected by the potential security vulnerabilities on their websites and FTP servers that may have allowed for the attacks, which led to the unauthorised access to their databases. We advise businesses to safeguard their online information from attackers in the following ways:
- Always use strong passwords and never reuse them across other websites.
- Enable two-factor authentication on websites that provide it. Symantec's Validation and ID Protection (VIP) Service lets enterprises implement both two-factor and risk-based token-less authentication.
- Consider using a password manager, such as Norton Identity Safe, which securely stores different passwords for online services.
Malaysian digital citizens may be affected by the potential theft of login credentials associated with a number of websites, as well as malware that may have been installed on their systems.
Symantec recommends consumers take the steps outlined below now to protect their most sensitive password-protected information:
a) Pay special attention to your email credentials: A lot of users fail to recognise that their email account can be a front door to their entire digital life. Think about how many times you may have reset your password on some other site and the recovery link is sent to your email account. In addition, avoid opening emails from unknown senders and clicking on suspicious email attachments; exercise caution when clicking on enticing links sent through email, instant messages, or posted on social networks; and do not share confidential information when replying to an email.
b) Change passwords on important sites: It's a good idea to immediately change passwords for sites that hold a lot of personal information, financial details, and other private data. Cyber criminals who have your credentials could try to use them to access more information on these accounts. This is particularly true if you have used the same password on multiple sites. Attackers will often try to use stolen credentials on multiple sites.
c) Create stronger passwords: When changing your password, make sure that your new password is a minimum of eight characters long, and that it doesn't contain your real name, username, or any other personally identifying information. The best passwords include a combination of uppercase and lowercase letters, numbers, and special characters.
d) Don't re-use passwords: Once hackers have your account information and credentials, they'll try to use it to gain access to all your accounts. This is why it's important to create a unique password for each account. If you vary your passwords across multiple logins, they won't be able to access other sites with the same information.
e) Enable two-factor authentication: Many websites now offer two-factor (or two-step) authentication, which adds an extra layer of security to your account by requiring you to enter your password, plus a code that you will receive on your mobile device via text message or a token generator to log in to the site. This may add complexity to the login process, but it significantly improves the security of your account. If nothing else, use this for your most important accounts.
Are there better authentication processes on the horizon that would offer more resistance to hackers?
There's an urgent need for corporations to consider password-less authentication, as passwords are insecure and become hard to use on mobile phones. Mobile just may be the agent of change for both enterprises and consumers.
The rapid proliferation of smartphones has also helped to boost the popularity of 'two-factor authentication'. Once users log in with their password, they check an email, SMS message, or mobile app for their second temporary authentication code. This means that even if a user's password is compromised, an attacker would still need to gain access to the second authentication method to break into the targeted account.
As the shift to mobile is increasing in Asia, is the day of the password really numbered?
It is possible to imagine a future without passwords and the rise of seamless and transparent two-factor authentication. Researchers are continuously looking at new ways to revolutionise the system.
For example, last year, Google suggested that a tattoo or ingested pill could authenticate a user. The user would only need to touch their device - or even their car or front door - to unlock it.
As more users go mobile and they move critical data and applications into the cloud to achieve cost savings, flexibility, and scalability, enterprises must emphasise security more than ever.
The stakes keep getting higher. Data breaches and malware are on the rise, and the cost of a single breach can run into the millions, not to mention the impact on commercial and financial outcomes and brand reputation. At the same time, there is a growing desire for a simpler, smarter user experience when it comes to authentication.
Symantec Validation and ID Protection Service is a viable option. It's an industry-leading cloud-based two-factor authentication solution that provides all the cost and scalability benefits of a managed service, delivers robust security, and offers the right options for a user-friendly experience. It provides a proven way to prevent unauthorised access to critical data and applications that's easy to implement, cost-effective, and smart.