on 14-05-2019 05:47 PM - last edited on 15-05-2019 10:59 AM by Meghan
Just another day for John
It’s Monday morning and everything is going smoothly. I made breakfast for my kids, dropped them off at school on time and the barista didn’t burn my coffee – a great start to the day. I get to my desk and look through my emails and I notice there are quite a few spam messages in my inbox. One of them says I won a free toaster, and another is an Indian prince claiming to be my uncle, the usual silly scams. I’m pretty savvy when it comes to security and have never had a breach. My firm uses some of the best firewall and virus protection software available. In addition, I even have a strong password that no-one will ever guess, and I use it across all my accounts so that everything is secure.
After a day full of meetings, I return to my desk and decide to check LinkedIn. I like to keep up with industry news, and a lot of my business comes from the connections I make through the website.
Little did I know that somewhere in the world, Elliot, a member of an organised group of hackers, was searching the Dark Web, where stolen data can be bought and sold. Elliot stumbles across 117 million leaked LinkedIn usernames and passwords for 2 bitcoin ($16,853). How interesting. His team quickly purchases the data, as 2 bitcoin is nothing compared with the money those credentials could bring in. Elliot and his team get to work downloading the data and selecting their victims.
Two weeks later
It wasn’t a good morning. The kids were dropped off late, one of my daughters left their lunch at home and the traffic was abysmal. To make things worse, the petrol prices had gone up another 2 cents – great. I get into the office and my mobile starts ringing almost as soon as I sit down. It’s my mother.
“Hi Mum, how are you?”
“Yes, good. I transferred the money you needed for your car repair. Here I was thinking that the days of you asking me for money were over! Also, when did you change banks?”
I frowned. I didn’t recall asking her for any money, and what car repair or new bank account was she talking about?
“I never asked you for money.”
“Yes, you did, last night on Facebook!”
I start to wonder if my mother has finally gone crazy. Suddenly my desk phone rings; it's one of my most loyal clients.
“John, why am I getting emails from you with dodgy links, and why have you been asking me for money that I don’t owe you? Have you been hacked?”
I quickly access my work email and see to my horror that last night over 100 emails were sent to my clients from my email address, some asking for money, others with suspicious links that I was too scared to click. But I never sent these emails! What’s happening?
Next, I log in to my LinkedIn account and see that someone has been posting advertisements from my account, some of them extremely inappropriate for someone who considers himself a professional. I scramble to delete them all, but most have already attracted scathing comments.
I don’t understand what is going on. My heart races and I sink into my seat; I wouldn’t be surprised if this day marks the end of my career.
Unbeknownst to me, over the past two weeks Elliot and his team had been executing what they considered the perfect crime. The technique is known as credential stuffing: the group fed the leaked LinkedIn username and password pairs into automated tools that replayed them against other websites, and because I used the same password for every account, my social channels and my work email opened on the first attempt. From there they could impersonate me and destroy my professional reputation. Having a strong password is great, but using it for everything isn’t.
Two hours later
My IT supplier confirms that the majority of my accounts have been compromised and advises me to change all my passwords and use a password manager so I don’t have to remember them all. I post a statement on my website announcing that I have been hacked and instruct my clients not to click on or engage with any material they have received from me. I spend the next three weeks ringing my clients and family to explain what has happened, but it’s too late. My reputation is ruined.
As far-fetched as it may seem, what happened to John has happened to ordinary people before. It is vital that individuals protect themselves and their personal information by using strong passwords that are unique to each account. Because John used the same password for everything, a single leaked username and password pair was enough for Elliot to log in to all of John’s accounts, impersonate him and harvest further information.
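The pattern described above, one source replaying a leaked list against many different accounts with mostly failed logins, is also what credential stuffing looks like from the defender's side. The following detector is an added example, not code from the original post: it parses a constructed, invented authentication log format (`src=… user=… result=OK|FAIL`, an assumption; real systems log differently) and flags any source address that tries many distinct usernames with a high failure ratio, while ignoring a normal user who mistyped once and a brute-force attempt against a single account. The thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed, constructed log format; adapt the regex to your own auth logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct usernames tried
    successes: set = field(default_factory=set)  # usernames that actually logged in


def parse_line(line):
    """Return the fields of one auth log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarise(lines):
    """Aggregate attempts per source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def detect_stuffing(lines, min_users=10, min_fail_ratio=0.8):
    """Flag sources that look like credential stuffing: many distinct usernames,
    mostly failing. Returns {ip: summary}; 'compromised' lists the accounts
    where a leaked password was still valid and should be reset first."""
    flagged = {}
    for ip, s in summarise(lines).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(s.successes),
            }
    return flagged


def sample_log():
    """Constructed sample data (TEST-NET addresses), not a real log."""
    lines = [
        # a legitimate user who mistypes once, then succeeds
        "2019-05-13T08:00:01Z src=198.51.100.7 user=john@example.com result=FAIL",
        "2019-05-13T08:00:09Z src=198.51.100.7 user=john@example.com result=OK",
    ]
    # brute force against one account: many failures, but only one username
    for i in range(25):
        lines.append(f"2019-05-13T09:{i:02d}:00Z src=198.51.100.9 user=bob@example.com result=FAIL")
    # credential stuffing: one source walks a leaked list; a few reused passwords still work
    for i in range(40):
        result = "OK" if i in (3, 17) else "FAIL"
        lines.append(f"2019-05-13T22:{i:02d}:00Z src=203.0.113.5 user=user{i:02d}@example.com result={result}")
    return lines


if __name__ == "__main__":
    for ip, info in detect_stuffing(sample_log()).items():
        print(ip, info)
```

The single-account brute force is deliberately not flagged here: it needs a different rule (failures per account, not per source), and lumping the two together hides the distinguishing signal of stuffing, which is breadth across accounts rather than depth on one.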
Realistically, you will not be able to create and remember a strong, unique password for every account, so consider a password manager. You then only need to create and remember one strong password, for the manager itself. Change that master password immediately if you ever suspect it has been exposed; rotating it every six months is a reasonable habit, but a unique and strong master password matters far more than the rotation schedule.
When you change your password, change the whole thing rather than just the number at the end. Attackers know that bumping a trailing digit is common practice, and the rule sets used by password-cracking tools try exactly those variations of a leaked password first.
When creating a password, choose two easily remembered words separated by two symbols and a number, e.g. “Alpaca7!@housE”. To make it easier to remember, you could use the names of objects around you.
For more information on strong passwords click here.