There is often only a password between a cybercriminal and a user’s personal and financial data, which is why passwords are currently one of the main targets of criminal activity.
These keys are the Achilles heel of many people’s digital lives, especially as the average user today has to remember around a hundred access credentials, a number that has increased in recent years.
ESET, a cyber security company, has compiled five widespread techniques that cybercriminals use to obtain passwords and break into users’ accounts.
Phishing and Social Engineering
The most widely used attack technique exploits the human tendency to make poor decisions, especially hasty ones. Cybercriminals take advantage of this weakness through social engineering, a psychological manipulation technique designed to get people to do something they should not.
Phishing is one of the most popular examples. Here the perpetrators pose as legitimate entities, such as friends, family members or companies the user does business with.
These emails or text messages may look genuine, but they contain malicious links that, if clicked, take the user to a page that downloads malware or asks them to hand over personal data.
Another popular way to obtain passwords is through malware. Phishing emails are the primary vector for this type of attack, but a user can also be infected by clicking on a malicious advert (‘malvertising’) or simply by visiting a compromised website (‘drive-by download’).
As ESET points out, malware can even hide inside a seemingly legitimate mobile application, often one found in third-party app stores.
There are many types of information-stealing malware, but among the most common are keyloggers, which are designed to record the keys a user presses or take screenshots of the device and send them to the attackers.
The average number of passwords a person has to manage is estimated to have increased by 25 percent per year up to 2020. Many people use passwords that are easy to remember and reuse them across many platforms, but this opens the door to so-called brute-force techniques.
One of the most common attacks is credential stuffing. In this case, the attackers feed large volumes of previously stolen username and password pairs into automated software.
The tool tests them against a large number of sites, hoping to find a match. In this way, criminals can gain access to multiple accounts protected by the same password.
An estimated 193 billion attack attempts took place worldwide last year. Notable among the recent victims is the Canadian government.
Another brute-force technique is password spraying. In this case, attackers use automated software to try a list of commonly used passwords against an account.
Although cybercriminals have automated tools for cracking passwords, sometimes they are not even necessary: simple guesswork, as opposed to the systematic approach used in brute-force attacks, can also hit the target.
The most common password of 2020 was ‘123456’, followed by ‘123456789’. In fourth place was the English word ‘password’ itself.
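A defender-side illustration of the credential stuffing, password spraying and brute-force patterns described above, written for this edit rather than taken from ESET: it groups failed logins per source IP over a constructed authentication log and picks out the successful login the attacker was hoping for. The log format, the sample lines and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (made up for this example): "<ts> <OK|FAIL> user=<u> src=<ip>"
SAMPLE_LOG = """\
1700000000 FAIL user=alice src=198.51.100.7
1700000001 FAIL user=bob src=198.51.100.7
1700000002 FAIL user=carol src=198.51.100.7
1700000003 OK user=dave src=198.51.100.7
1700000004 FAIL user=erin src=198.51.100.7
1700000010 FAIL user=alice src=203.0.113.9
1700000011 FAIL user=alice src=203.0.113.9
1700000012 FAIL user=alice src=203.0.113.9
1700000013 FAIL user=alice src=203.0.113.9
1700000020 FAIL user=grace src=192.0.2.5
1700000060 OK user=grace src=192.0.2.5
"""
LINE_RE = re.compile(r"^(\d+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (ts, result, user, src) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m[1]), m[2], m[3], m[4]

def classify_sources(log, min_failures=4, min_accounts=4):
    """Label each source IP by the shape of its failed logins.

    Few failures per account spread over many accounts is the signature of
    credential stuffing or password spraying; many failures against one
    account is classic brute force.  Returns {src: label}.
    """
    fails = defaultdict(lambda: defaultdict(int))
    for _, result, user, src in parse(log):
        if result == "FAIL":
            fails[src][user] += 1
    labels = {}
    for src, per_user in fails.items():
        if sum(per_user.values()) < min_failures:
            labels[src] = "normal"
        elif len(per_user) >= min_accounts:
            labels[src] = "credential stuffing / password spraying"
        else:
            labels[src] = "brute force"
    return labels

def likely_compromised(log):
    """Accounts that logged in successfully from a flagged source: the
    'match' the attacker was hoping for, and the first passwords to reset."""
    flagged = {s for s, l in classify_sources(log).items() if l != "normal"}
    return sorted({u for _, r, u, s in parse(log) if r == "OK" and s in flagged})
```

Thresholds this low are only sensible for a toy log; a real deployment would tune them per window and per service.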
‘Shoulder surfing’
While there are many ways to steal a password online, it is worth remembering that in the physical world a password can simply be watched and learned as it is typed.
This is called ‘shoulder surfing’ in English and ‘looking over the shoulder’ in Spanish. It affects not only credit card PINs: ESET has run tests showing how easy it is to obtain a Snapchat password this way.
To protect Internet users, ESET has also shared a series of recommendations to help them avoid having their passwords stolen.
Some of these tips are familiar, such as using only strong and unique passwords or passphrases for every account, especially bank, email and social media accounts. This includes never reusing credentials.
Another suggestion is to enable two-factor authentication (2FA) and to use a password manager, which stores a strong, unique password for each site and account. If a provider reports a data breach, it is also important to change the affected password immediately.
Users should only log in on HTTPS sites, never click on or open links in unsolicited emails, and only download apps from official stores.
ESET also recommends using security software, keeping operating systems and applications up to date, being wary of onlookers in public places, not logging into accounts over public Wi-Fi networks, and using a VPN.