Techniques Cybercriminals Use to Steal Logins and How to Protect Our Online Accounts

Africa Information & Communication Technologies Alliance (AfICTA), a prominent private-sector body advocating for businesses in Africa, is deeply concerned with cybersecurity and data protection. AfICTA has therefore organised several webinars and sessions at events to raise awareness of cybersecurity and its effect on businesses and the digital economy in general. AfICTA, an alliance of ICT associations, companies, organisations and individuals in the ICT sector in Africa, counts cybersecurity professionals among its members. In the same vein of raising awareness of the severity of DNS abuse and cyber threats, Mr Kileo, an AfICTA board member and cybersecurity expert from Tanzania, has discussed what everyone needs in order to be more cyber vigilant. He also explains some of the techniques cybercriminals use to steal logins and how to protect our online identity.

The concept of a secret series of characters that lets a user access a file, computer or program was introduced into computing far earlier than most of us can remember. A password is a unique string of characters used to restrict access to computers and sensitive files.

One reason for the enduring popularity of passwords is that people know instinctively how they work. But there’s also a problem. Passwords are the Achilles’ heel of the digital lives of many people, especially as we live in an age when the average person has 100 login credentials to remember, with the number only trending upwards in recent years. It’s little wonder many people cut corners and security suffers as a result.

“Given that the password is often the only thing standing between a cybercriminal and your personal and financial data, crooks are more than eager to steal or decrypt them and sometimes disable protection of these logins,” says Yusuph Kileo, a cybersecurity and digital forensics expert.

Kileo urges internet users not to use as a password: their account name or any data that appears in their record; any word or name that appears in a dictionary; phrases and slang, with or without spaces; alphabetic, numeric or keyboard sequences; titles of books, movies, poems, essays, songs, CDs or musical compositions; or any personal information.

What can cybercriminals do with my password?

Passwords are the virtual keys to your digital world, providing access to your online banking, email and social media services, your Netflix and Uber accounts, and all the data hosted in your cloud storage. With working logins, a cybercriminal could steal your personal identity information and sell it to fellow criminals, or sell access to the account itself.

Dark web criminal sites do a brisk trade in these logins. Unscrupulous buyers could use access to get everything from free taxi rides and video streaming to discounted travel from hijacked Air Miles accounts or use them to unlock other accounts where you use the same login credentials.

How do cybercriminals steal passwords?

Familiarize yourself with these typical cybercrime techniques and you’ll be far better placed to manage the threat:

  1. Social engineering

Human beings are fallible and suggestible creatures. We’re also prone to make the wrong decisions when rushed. Cybercriminals exploit these weaknesses through social engineering, a psychological con trick designed to make us do something we shouldn’t. Shoulder surfing and phishing are the most famous examples.

Shoulder surfing.

Shoulder surfing is the name given to the technique identity thieves use to find out passwords, personal identification numbers, account numbers and more. It is the easiest way to get someone’s password: the cybercriminal simply looks over your shoulder as you enter it.

As lockdowns ease and many workers start heading back to the office, it’s worth remembering that some tried-and-tested eavesdropping techniques also pose a risk.

A more hi-tech version, a “man-in-the-middle” attack involving Wi-Fi eavesdropping, lets hackers sitting on a public Wi-Fi connection snoop on your password as you enter it while connected to the same hub. Both techniques have been around for years, but that doesn’t mean they’re not still a threat.

Phishing.

Here, hackers masquerade as legitimate entities such as friends, family or companies you’ve done business with. The email or text you receive will look authentic but includes a malicious link or attachment which, if clicked, will download malware or take you to a page asking you to fill in your personal details.

Scammers are even using phone calls to directly elicit log-ins and other personal information from their victims, often pretending to be tech support engineers. This is described as “vishing” (voice-based phishing).

“Of late, most people have fallen victim to vishing – one would receive a call from someone posing as bank personnel and start extracting information from an individual,” says Kileo.

He added that he receives many complaints from individuals asking his opinion after facing this kind of attack.

  2. Malware

Another popular way to get hold of your passwords is via malware. Phishing emails are a prime vector for this kind of attack, although you might fall victim by clicking on a malicious advert online (malvertising), or even by visiting a compromised website (drive-by-download).

Malware could even be hidden in a legitimate-looking mobile app, often found on third-party app stores.

There are many varieties of information-stealing malware out there, but some of the most common are designed to log your keystrokes or take screenshots of your device and send them back to the attackers.

  3. Guesswork

The average number of passwords a person has to manage increased by an estimated 25% year-on-year in 2020. As a consequence, many of us use easy-to-remember (and easy-to-guess) passwords and recycle them across multiple sites.

The most common password of 2021 was “123456”, followed by “123456789”. Coming in at number four was the one and only “password”. This makes it easier for cybercriminals to guess someone’s correct password.

And if you’re like most people and recycle the same password, or use a close derivative of it, across multiple accounts, then you’re making things even easier for attackers and putting yourself at additional risk of identity theft and fraud.

  4. Brute forcing

In a brute force attack, a program guesses the password by trying every single combination of characters until the password is found. It is the slowest method of password attack, but it can succeed against short, simple passwords. For example, the program might follow a sequence like:

• “aaaaa”
• “aaaab”
• “aaaac”

Cybercriminals also feed large volumes of previously breached username/password combinations into automated software. The tool then tries these across large numbers of sites, hoping to find a match. In this way, hackers can unlock several of your accounts with just one password. According to one estimate, there were 193 billion such attempts globally last year. One notable victim recently was the Canadian government.
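The two attacks described above leave different traces in a site’s authentication log: a brute-force run hammers one account from one source, while replay of breached credentials (commonly called credential stuffing) touches many distinct accounts from one source with only an attempt or two each. The following is an added example, not part of the original article or AfICTA’s material, showing how a defender might separate the two patterns. The log format, the constructed sample lines and the thresholds (8 failures on one account, or 6 distinct accounts, within 60 seconds) are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO timestamp, outcome, account, source IP.
SAMPLE_LOG = """\
2024-05-01T10:00:00 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:01 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:02 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:03 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:04 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:05 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:06 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:07 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:08 LOGIN_FAIL user=alice src=203.0.113.10
2024-05-01T10:00:20 LOGIN_FAIL user=bob src=198.51.100.7
2024-05-01T10:00:21 LOGIN_FAIL user=carol src=198.51.100.7
2024-05-01T10:00:22 LOGIN_FAIL user=dave src=198.51.100.7
2024-05-01T10:00:23 LOGIN_FAIL user=erin src=198.51.100.7
2024-05-01T10:00:24 LOGIN_FAIL user=frank src=198.51.100.7
2024-05-01T10:00:25 LOGIN_FAIL user=grace src=198.51.100.7
2024-05-01T10:00:26 LOGIN_FAIL user=heidi src=198.51.100.7
2024-05-01T10:00:27 LOGIN_OK user=heidi src=198.51.100.7
2024-05-01T10:05:00 LOGIN_FAIL user=alice src=192.0.2.5
2024-05-01T10:05:09 LOGIN_FAIL user=alice src=192.0.2.5
2024-05-01T10:05:15 LOGIN_OK user=alice src=192.0.2.5
"""

# Assumed log format; adapt the pattern to whatever the real service emits.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN_(?P<outcome>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "failed": m["outcome"] == "FAIL",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, window=timedelta(seconds=60), brute_min=8, stuffing_min_accounts=6):
    """Sliding-window heuristics over failed logins, grouped by source address.

    Returns sorted (kind, src, user, count) tuples; count is the largest value seen
    in any window. The thresholds are illustrative assumptions, not a standard.
    """
    fails_by_src = defaultdict(list)
    for e in events:
        if e["failed"]:
            fails_by_src[e["src"]].append(e)

    worst = {}  # (kind, src, user) -> highest count observed in any window
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        for i, start in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - start["ts"] <= window]
            per_user = defaultdict(int)
            for e in in_window:
                per_user[e["user"]] += 1
            # Brute force: many failures against a single account from one source.
            for user, n in per_user.items():
                if n >= brute_min:
                    key = ("brute_force", src, user)
                    worst[key] = max(worst.get(key, 0), n)
            # Credential stuffing: one source spraying many distinct accounts.
            if len(per_user) >= stuffing_min_accounts:
                key = ("credential_stuffing", src, "*")
                worst[key] = max(worst.get(key, 0), len(per_user))
    return sorted((k, s, u, n) for (k, s, u), n in worst.items())


def analyze(text):
    return detect(parse_log(text))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the brute-force source is flagged for nine failures on `alice`, the stuffing source is flagged for seven distinct accounts, and the legitimate user who mistyped twice before succeeding is not flagged. Note that the stuffing burst ends in a `LOGIN_OK`: a success immediately after such a spray is exactly the case where the reused password from a breach worked, and is worth alerting on separately.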

How to protect your login credentials

Kileo strongly calls on internet users to use only strong, unique passwords of at least eight characters, including a digit, punctuation and upper and lower case letters, on all their online accounts, especially banking, email and social media accounts. “One can choose a phrase or combination of words to make the password easier to remember, or maybe two words separated by non-letter, non-digit and non-printing characters,” he added.
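Kileo’s rules above (at least eight characters with a digit, punctuation and both letter cases; nothing taken from your account record, a dictionary, a keyboard sequence or the most-used passwords named earlier) can be turned into a check run before a password is accepted. Because the brute-forcing section explains why short, single-class passwords fall quickly, the check below also reports the size of the search space an exhaustive guesser would face. This is an added example, not the article’s or AfICTA’s code; the tiny word list, the keyboard rows, the sequence length of four and the assumed rate of 10^9 guesses per second are all illustrative assumptions.

```python
import math
import string

# The three passwords the article names as the most common of 2021.
COMMON_PASSWORDS = {"123456", "123456789", "password"}
# Constructed, deliberately tiny word list; a real deployment would load a full dictionary.
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine", "football"}
# Rows used to spot keyboard, alphabetic and numeric sequences (assumed layout: US QWERTY).
SEQUENCE_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", string.ascii_lowercase]


def has_sequence(pw, min_run=4):
    """True if pw contains min_run+ consecutive characters read forwards or backwards off a row."""
    low = pw.lower()
    for i in range(len(low) - min_run + 1):
        chunk = low[i:i + min_run]
        for row in SEQUENCE_ROWS:
            if chunk in row or chunk[::-1] in row:
                return True
    return False


def check_password(pw, account_name="", personal_info=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if account_name and account_name.lower() in low:
        problems.append("contains account name")
    for item in personal_info:  # e.g. names or dates from the user's record
        if item and item.lower() in low:
            problems.append(f"contains personal data ({item})")
    # "Password1!" is still a dictionary word once the decoration is stripped off the ends.
    core = low.strip(string.punctuation + string.digits)
    if low in DICTIONARY_WORDS or core in DICTIONARY_WORDS:
        problems.append("dictionary word")
    if has_sequence(pw):
        problems.append("keyboard, alphabetic or numeric sequence")
    return problems


def brute_force_keyspace(pw):
    """Number of candidates an exhaustive guesser must cover for a password of this
    length drawn from the character classes it actually uses."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # the 32 printable ASCII symbols
    return alphabet ** len(pw)


def years_to_exhaust(pw, guesses_per_second=10**9):
    """Worst-case time to try every candidate at an assumed (illustrative) guessing rate."""
    return brute_force_keyspace(pw) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["aaaaa", "123456", "Password1!", "Tembo#3!Mlima9"]:
        print(pw, check_password(pw) or "OK",
              f"keyspace=2^{math.log2(brute_force_keyspace(pw)):.0f}",
              f"{years_to_exhaust(pw):.2e} years")
```

The five-letter “aaaaa” from the brute-forcing example has a search space of 26^5, exhausted in well under a second at the assumed rate, while a fourteen-character mixed password pushes the space to 94^14. The keyspace figure is an upper bound on the attacker’s effort: a password that fails the dictionary or sequence checks will be found far sooner by guesswork than the raw number suggests, which is why the rule checks matter more than length alone.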

It is also advisable to change your passwords regularly, to avoid recycling them or making minor variations such as incrementing a digit, and to use different passwords on different machines. Avoid reusing your login credentials across multiple accounts and making other common password mistakes.

Switch on two-factor authentication (2FA) on all your accounts.

Use a password manager, which will store strong, unique passwords for every site and account, making log-ins simple and secure.

Never log on to an account if you’re on public Wi-Fi; if you do have to use such a network, use a VPN.

“The demise of the password has been predicted for over a decade. But password alternatives still often struggle to replace the password itself, meaning users must take matters into their own hands. Stay alert and keep your login data safe,” he concluded.
