What type of activities do you participate in online? Most people bank, check in with their friends and family on multiple social media sites, shop, participate in forums … the list goes on.
But just how safe are your accounts? How safe is your identity?
I don't normally go into underlying details and minutiae when discussing an issue as I'm going to here, but I couldn't help myself. With mounting security breaches, hundreds of millions of users across the nation and the globe are now much more vulnerable to cyberthreats such as cyber-ransom and fraud. In fact, in early June, not only were multiple social media accounts belonging to Mark Zuckerberg hacked, but so was North Korea's version of Facebook, called "Best Korea's Social Network."
If you are scared, good; you should be. If you aren’t scared, then feel free to continue using “password” as your password for all of your online accounts, and keep reading because even though some hackers might simply spam your Facebook account, others have the ability to get away with much more than just thinning out your Friends list. For instance, one single stolen password ended up costing Bangladesh’s Central Bank $81 million after the new-age robbers were able to hack into the bank’s secure messaging system earlier this year.
Fortunately, we can learn from others’ mistakes, as well as learning from the enemy. So let’s take a look at the ways in which your password can be stolen.
Know Thy Enemy
There are three main ways that cybercriminals can gain access to your password. First, it is important to understand “encryption” and how it works. When you create a username and password for your online account, the company stores that data in their server and is responsible for keeping your account information secure. Companies generally do this by encrypting your account information, which can be done by using one or both of the following encryption methods:
1. Hashing
- Definition: This type of encrypting uses a complex algorithm to condense the password into a code, based on the letters, numbers or symbols used and the combinations of them. Think of cryptograms, but in reverse. Cracking this code would be like trying to find one particular grain of sand in a desert.
- Example: If your password is Love2Swim, the algorithm changes it into a code such as 34F12g and stores that code instead. The idea behind it is that a person (or computer) must figure out the meaning of each symbol. This information is generally kept on a master key.
2. Symmetric and Asymmetric Encryption
- Definition: Like hashing, Symmetric and Asymmetric Encryption use an algorithm for security, but that's about where the similarities to hashing end. Both Symmetric and Asymmetric Encryption algorithms use keys to encrypt and then decrypt traffic, but the passwords themselves are stored on the server unencrypted. Symmetric Encryption uses the same key to encrypt and then decrypt the password, whereas Asymmetric Encryption algorithms use one key to encrypt and a different key to decrypt.
- Symmetric and Asymmetric Encryption in Use: Symmetric encryption algorithms need all the hosts participating in the encryption to have been pre-configured with a secret key through external means. It is fast and easy compared to Asymmetric Encryption's ability to establish a secure connection even through an insecure medium, like the internet. To do this, public keys, which encrypt the data, are exchanged, and then private keys, which never get shared, are able to decrypt it.
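To make the three ideas above concrete (the one-way hashing of a stored password, a symmetric cipher where one shared key both encrypts and decrypts, and an asymmetric cipher where the public key encrypts and only the private key decrypts), here is a small added example. It is not code from the article or from CloudWyze; it uses only the Python standard library. The PBKDF2 iteration count is an assumed value, the symmetric cipher is an illustrative SHA-256 counter-mode keystream rather than a vetted library cipher, and the RSA keys use deliberately tiny primes so the arithmetic is readable.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# ---- 1. Hashing: one-way, used to store passwords -------------------------
# PBKDF2-HMAC-SHA256 from the standard library. The iteration count makes
# each guess deliberately slow (assumed value; tune it for your hardware).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm, iterations, salt and digest.

    A fresh random salt means two users with the same password get
    different records, so one cracked record does not expose the other.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the hash with the stored salt and compare in constant time.

    Nothing here turns the record back into the password; the server can
    only test whether a submitted password produces the same digest.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record
        return False


# ---- 2. Symmetric encryption: the same key encrypts and decrypts ----------
# Illustrative stream cipher: SHA-256 in counter mode produces a keystream
# that is XORed with the data. It shows the shared-key idea only; it has no
# integrity protection, so use a vetted library cipher (e.g. AES-GCM) for real data.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # never reuse a nonce with the same key
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ s for p, s in zip(plaintext, stream))


def symmetric_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


# ---- 3. Asymmetric encryption: public key encrypts, private key decrypts --
# Textbook RSA with tiny primes so the numbers are visible. Real keys are
# thousands of bits long and use padding; this is for understanding only.
def rsa_keypair(p: int = 61, q: int = 53, e: int = 17) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)  # (public key, private key)


def rsa_encrypt(public_key: Tuple[int, int], message: int) -> int:
    e, n = public_key
    return pow(message, e, n)


def rsa_decrypt(private_key: Tuple[int, int], ciphertext: int) -> int:
    d, n = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    record = hash_password("Love2Swim")  # constructed sample password
    print("stored record:", record)
    print("login with Love2Swim:", verify_password("Love2Swim", record))
    print("login with love2swim:", verify_password("love2swim", record))

    shared_key = os.urandom(32)  # both sides must already hold this key
    blob = symmetric_encrypt(shared_key, b"Love2Swim")
    print("symmetric round trip:", symmetric_decrypt(shared_key, blob))

    public_key, private_key = rsa_keypair()
    c = rsa_encrypt(public_key, 65)
    print("rsa: 65 ->", c, "->", rsa_decrypt(private_key, c))
```

The contrast worth noticing is in what a breached server hands over: a table of hashed records can only be checked against guesses, one slow PBKDF2 call at a time, whereas anything encrypted is fully recoverable the moment the key travels with it.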
With all of this encrypting and then decrypting going on, you might be feeling a bit of relief. While it is true that it can be difficult for a cybercriminal to get your account information, it is imperative to remember that it is not impossible.
In case you are not aware of the LinkedIn breach of 2012, here are the key points: More than 117 million accounts were stolen, including such information as usernames and passwords. Those hackers started to sell the pilfered data in May 2016. The Myspace, Tumblr and Fling breaches exposed an additional 465 million accounts. Keeping that in mind, here are the three main ways hackers are able to get access to your accounts:
- Partial Server Breach. Hackers get ahold of your username and encrypted password, but did not get the master key. They must then figure out a way to reverse engineer the codes used. The more complex the algorithm, the more difficult it is to figure out. There is software that can help, but it could take hours or even years to turn the raw data into usable information. This was what happened in both the Ashley Madison and the Adobe security breaches.
- Full Server Breach. A full server breach is just what it sounds like. Hackers have full access to all the files on that server, which includes not only usernames and encrypted passwords, but also the master key with which to unlock it. Fortunately, this type of breach does not happen very often and when it does, it usually happens to small businesses and websites. As long as the company finds out quickly and reports it quickly, you are safe.
- Your Bad Password. This is usually how hackers get you – and it is your fault. Fortunately, it is also something that you can fix. Cybercriminals can easily find your email by a quick Google search of your name. From there, they try to crack your password by using common passwords and algorithms. If they figure it out, and you use the same username and password for everything, they can drain your bank account before you even realize it.
We can all agree that being hacked because you used a bad password is embarrassing. Fortunately, though, passwords can be changed. In our next article we will teach you all about what makes a weak password and how to come up with a strong one. We will take you from a password grasshopper to a password master.
Shaun Olsen is the CEO and president of CloudWyze. CloudWyze was created to help businesses focus and perform at their optimal level by crafting and executing custom technology plans for businesses of every type and size. To learn more about CloudWyze, visit www.CloudWyze.com. Shaun can be reached at [email protected] or (910) 795-1000.