How Attackers Compromise Your Accounts And How To Defend Yourself
Even the most technologically savvy people can have their online accounts compromised, and the attack vectors involved are often not that complicated. As with many aspects of life, education mitigates the problem: understanding how these attack vectors work is one of the best things you can do to keep it from happening to you.
The Password Problem
Yup, you knew this was coming. Weak, reused passwords make you a prime target for some serious online trouble. If you haven’t already read my series on LastPass, go check it out, ASAP.
Keyloggers
All the encryption software in the world does no good if the endpoints (i.e., the computers of the people who are communicating) are compromised. An insidious manifestation of this is the keylogger.
A keylogger is a piece of malware that runs in the background and surreptitiously records all your keystrokes. Often, the intent is to capture and transmit sensitive information (e.g., credit card numbers, sensitive online account passwords, etc.) to a remote attacker.
Infection by a keylogger can be the result of numerous factors, primarily:
- Running outdated and unpatched software
- Downloading compromised versions of popular software from unofficial third parties
- Using a system that is not properly secured or is not running a quality, up-to-date anti-malware program
If you can address the above issues, you will have gone a long way to ensuring that you don’t become infected with this particularly pernicious piece of malware. So, always keep your systems and software up-to-date, always buy/download quality software from official sources, and make sure you are running a good anti-malware application that is active and updated with the latest definitions.
Social Engineering
One of the most common ways that attackers access your accounts, as previously discussed, is through social engineering. There are various attack vectors that use this approach, but they all take advantage of human beings’ innate tendency to trust other people and to respond to requests for help.
Here are a few common scenarios:
- You receive an email from your financial institution that directs you to an illicit facsimile of your institution’s site, which captures your credentials
- You receive a message on a social network site from a user that claims to represent the company, and they ask you to send them your account credentials for authentication purposes
- You visit a site that promises to give you some kind of valuable reward in exchange for your account credentials (e.g., free Steam games)
The only solution to this problem is end-user education on attacker tactics, combined with cautious and responsible computer use. To start, always type the URL of a sensitive site in directly, or at the very least do this once and then create a bookmark. If you train yourself never to follow such links in emails, you won’t have to worry as much about how to identify a fake message.
Never give your account credentials to someone that requests them. Always make sure that you’re the initiating party if you ever have an issue with your account.
Finally, if you come across an offer online that appears too good to be true, it probably is ;-).
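One way to turn the "check where the link really goes" advice into something you can run is below. This is an added example, not code from the original article or from How-To Geek; the trusted domain bank.example.com and the sample links are constructed. It extracts the hostname the browser would actually connect to (which defeats the `user@host` trick and the trusted-name-as-subdomain trick) and flags the common phishing shapes: a lookalike domain that embeds the real name, a raw IP address, a punycode (internationalised) hostname, plain http, and anchor text that shows a different address than the href.

```python
"""Decide whether a link really points at the institution it claims to.

Added example (not from the original article). The trusted domain
bank.example.com is hypothetical and the sample links are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical: the domain you bookmarked after typing it in yourself.
TRUSTED_DOMAINS = frozenset({"bank.example.com"})


def link_host(url):
    """Return the lowercase host the browser would connect to, or None
    for non-http(s) links (javascript:, mailto:, data: ...)."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # .hostname drops userinfo and port, so
    # https://bank.example.com@evil.net/ resolves to evil.net, not the bank.
    return (parts.hostname or "").lower().rstrip(".")


def same_site(host, trusted):
    """True only if host is the trusted domain or a genuine subdomain of it."""
    return host == trusted or host.endswith("." + trusted)


def is_ip_literal(host):
    """True for an IPv4/IPv6 literal used in place of a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_link(href, shown_text=None, trusted_domains=TRUSTED_DOMAINS):
    """Return (verdict, host, reason); verdict is 'ok' or 'suspicious'."""
    host = link_host(href)
    if host is None:
        return ("suspicious", None, "not an http(s) link")
    # Emails often display one URL while the href goes somewhere else.
    if shown_text and "." in shown_text:
        shown = shown_text.strip()
        if "://" not in shown:
            shown = "https://" + shown
        shown_host = link_host(shown)
        if shown_host and shown_host != host:
            return ("suspicious", host, f"link text shows {shown_host}")
    if any(same_site(host, t) for t in trusted_domains):
        if urlsplit(href.strip()).scheme.lower() != "https":
            return ("suspicious", host, "trusted domain but not https")
        return ("ok", host, "")
    if is_ip_literal(host):
        return ("suspicious", host, "raw IP address instead of a domain")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", host, "internationalised (punycode) hostname")
    for t in trusted_domains:
        # bank.example.com.evil.net, bank-example.com, login-bank.net, ...
        if t in host or t.replace(".", "-") in host or t.split(".")[0] in host:
            return ("suspicious", host, "trusted name embedded in another domain")
    return ("suspicious", host, "unknown domain")


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing email.
    samples = [
        ("https://bank.example.com/login", None),
        ("https://secure.bank.example.com/", None),
        ("http://bank.example.com/", None),
        ("https://bank.example.com.evil.net/login", None),
        ("https://bank.example.com@evil.net/login", None),
        ("https://bank-example.com/login", None),
        ("https://192.0.2.10/login", None),
        ("https://xn--bnk-example-com.net/", None),
        ("https://evil.net/reset", "https://bank.example.com/reset"),
        ("javascript:alert(1)", None),
    ]
    for href, text in samples:
        print(f"{href:45} -> {classify_link(href, text)}")
```

The check is deliberately conservative: anything that is not the bookmarked domain or one of its subdomains comes back "suspicious", with the reason telling you which trick it looks like. That is the same discipline as typing the address yourself, just written down.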
Security Questions
Unfortunately, security questions are still a common practice with many companies and services. This is unfortunate because the selection of questions you have to choose from is usually weak (i.e., the answers are very easy to guess or to look up).
Your best bet is to simply use fake answers that are completely unrelated to the questions. Of course, this means you will need to keep track of the nonsense answers yourself, for example in the same password manager that stores the account’s password.
Password Reset Email
For each service you use, there is most likely a security function that lets you designate an email address for password resets. To increase your security, make sure you have a separate, secret email account that you use exclusively for this purpose, and, like all your other accounts, protect it with a long, complicated, random password (and two-factor authentication where it is offered).
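As a concrete version of the two pieces of advice above (nonsense answers to security questions, and a long random password on the reset mailbox), here is a small generator built on Python's `secrets` module, which draws from the operating system's random source rather than the predictable `random` module. It is an added example, not code from the original article or How-To Geek; the 32-word list is constructed for the demo and far too small for real use, which the entropy figure makes obvious.

```python
"""Generate nonsense security-question answers and random passwords.

Added example, not from the original article. Uses `secrets` (OS randomness),
never `random`, for anything an attacker might try to guess.
"""
import math
import secrets
import string

# Constructed 32-word list for the demo only. A real generator should use a
# large published list (thousands of words) so each word adds far more entropy.
WORDS = (
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bronze", "cinder", "delta", "falcon", "glacier",
)

# 94 printable ASCII characters; trim this if a site rejects some symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size, length):
    """Bits of entropy in `length` independent uniform draws from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def nonsense_answer(n_words=4, words=WORDS):
    """An answer with no connection to the question, e.g. 'kelp orbit dune velvet'."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def random_password(length=20, alphabet=PASSWORD_ALPHABET):
    """A uniformly random password; 20 chars of the 94-char set is about 131 bits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def answers_for(questions, n_words=4):
    """Map each security question to an unrelated random answer.

    Store the returned mapping in your password manager alongside the account;
    nothing here is meant to be memorised.
    """
    return {q: nonsense_answer(n_words) for q in questions}


if __name__ == "__main__":
    # Constructed sample questions of the weak, look-up-able kind.
    questions = ["What is your mother's maiden name?", "What was your first pet's name?"]
    for q, a in answers_for(questions).items():
        print(f"{q}\n  -> {a}")
    print(f"answer entropy: {entropy_bits(len(WORDS), 4):.1f} bits (demo list is too small)")
    print(f"reset-mailbox password: {random_password()}")
    print(f"password entropy: {entropy_bits(len(PASSWORD_ALPHABET), 20):.1f} bits")
```

With the demo list, four words give only 20 bits, which is why a real word list needs thousands of entries; the 20-character password from the full printable set is around 131 bits and is what the reset mailbox should get.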
Two-Factor Authentication
Lastly, many online services now offer two-factor authentication. Exactly how it is implemented differs from service to service, and while it may be a pain to set up on a new device, once you get it going you will probably not notice much of a difference in day-to-day use, and you will be much more secure.
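To show what a two-factor code actually is, here is the time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP from RFC 4226) that authenticator apps implement. This is an added example, not code from the original article or How-To Geek. The shared secret is the ASCII string used for the RFC 6238 test vectors, so the output can be checked against the RFC; the base32 form is what a service puts in the enrolment QR code. Verification accepts a code from the adjacent time steps to tolerate clock skew and compares in constant time.

```python
"""TOTP (RFC 6238) / HOTP (RFC 4226) one-time codes, as authenticator apps compute them.

Added example, not from the original article. The secret below is the
RFC 6238 SHA-1 test-vector key, not a real account secret.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 / RFC 4226 test-vector secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                   # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, at=None, step=30, digits=6, t0=0, digestmod=hashlib.sha1):
    """TOTP: HOTP with the counter set to the number of time steps since t0."""
    at = time.time() if at is None else at
    return hotp(key, int((at - t0) // step), digits, digestmod)


def verify_totp(key, code, at=None, window=1, step=30, digits=6):
    """Accept the code for the current step and `window` steps either side,
    so a slightly skewed phone clock still works; compare in constant time."""
    at = time.time() if at is None else at
    current = int(at // step)
    code = code.replace(" ", "")
    return any(
        hmac.compare_digest(hotp(key, c, digits), code)
        for c in range(current - window, current + window + 1)
    )


def key_from_base32(text):
    """Decode the base32 secret shown at enrolment (spaces, case and padding tolerated)."""
    compact = text.replace(" ", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


if __name__ == "__main__":
    print("HOTP counter 0 :", hotp(TEST_SECRET, 0))               # RFC 4226: 755224
    print("TOTP at T=59   :", totp(TEST_SECRET, at=59, digits=8))  # RFC 6238: 94287082
    print("TOTP right now :", totp(TEST_SECRET))
    print("verify 287082 at T=59:", verify_totp(TEST_SECRET, "287082", at=59))  # True
```

The code changes every 30 seconds because the counter is the current step number, and a server that keeps a window of one step accepts the previous and next codes as well. A real deployment also records the last accepted step per account so a captured code cannot be replayed within that window; that bookkeeping is left out here.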
Source: How-To Geek