The 5 Ways That Hackers Steal Passwords (That Your Accounting Firm Needs to Know About)
Cyberattacks are a fact of life these days. The methods of attacks are numerous, but many of them still centre around passwords. Find out what you should be on the lookout for.
For whatever reason, people still have a wrong picture of hackers in their mind. They imagine an unkempt nerd sitting in a dark room for hours on end. This is why the term ‘hacker’ doesn’t seem too threatening.
On the other hand, ‘cybercriminal’ sounds much more intimidating. It’s also a far more fitting term to describe those you need to protect yourself from. There are entire organisations of hackers who go above and beyond to breach businesses’ security measures.
Worse yet, their strategies keep evolving. Every year, we read about stories of sophisticated methods used to carry out these data breaches. However, most data breaches aren’t the results of anything sophisticated. More specifically, weak passwords are behind 81% of these breaches.
Luckily, this is also by far the most easily preventable risk, which you definitely want to prevent as it can cost your business untold damages. Just recently, this happened to Deloitte. But companies of all sizes are vulnerable, seeing as many smaller accounting firms have been a victim of data breaches.
The first step to prevention is to find out what you’re preventing against. For this reason, you’ll want to know the most common strategies that hackers use to steal passwords.
1. Brute force attacks
In a brute force attack, a bot bombards your account with thousands of password attempts per second until it gets in. It can take a typical brute force bot less than half a second to hack a 7-character password, but 74 million years to crack a 16-character one.
It’s all about your password’s length and complexity. If your password is ‘qwerty’ or ‘123456’, for example, you might want to replace it as soon as possible. Use a long combination of upper- and lower-case letters, numbers, and special characters. You’ll minimise the risk of falling victim to a brute force attack.
2. Phishing
Hackers have sent out billions of phishing emails to email account owners across the globe. Unless you’re careful, you can easily become the victim of an attack. Here’s how it works:
The target receives an email, supposedly from a well-known organisation. Its content creates a sense of urgency with the aim of getting the target to click on a link. For example, it could claim to be your bank asking you to log in and resolve an urgent issue. The link leads to a spoof login portal, which may be a convincing copy of the real one or a rough imitation. As you can imagine, the moment someone enters their login credentials, the attacker gets them.
There are all sorts of things that a hacker can do with that information. They can use it for their own gain or sell it to the highest bidder.
To protect against phishing, use a spam filter and set it to the highest level. In the rare event that a phishing email gets through, never click on any link because legitimate companies will never ask you to log into your account in this fashion.
3. Spidering
Spidering is similar to a brute force attack; the only difference is that it’s a bit more sophisticated. First of all, it doesn’t target personal passwords or information, but organisations.
While brute force bots try random passwords or count up or down, spiders research company terminology. It’s based on an educated guess that the systems will likely have business-related passwords.
This often turns out to be true, especially for Wi-Fi passwords. While businesses might pay close attention to account credentials, they often overlook Wi-Fi protection.
They probably wouldn’t if they knew that the person who infiltrates it can easily gain access to all the data in a company’s computer network.
And you’ve guessed it, the best way to protect against spidering is with strong passwords. In addition, make sure they’re not related to your business in any way to throw the spider off its scent.
4. Social Engineering
This one is nowhere near as exciting as elaborate cyberattacks. But that doesn’t make it any less effective. In fact, it can steal passwords with minimal effort.
Think of it as the real-world version of phishing. Instead of using software, the attacker will outright ask you for your password. If they target a company, they’ll pretend to be from the tech crew or an intern who forgot a password. Overly trusting people may not think twice and give out the password freely.
However, you don’t have to be trusting or gullible to fall for this. Expert social engineers are very stealthy and have a way of getting what they need from you without you even realising it. Because of this, it can be quite hard to protect yourself from them.
Obviously, a high dose of scepticism works. Unless you can confirm the identity of the person who’s asking for a password, don’t give out any information. It’s better to be paranoid than to give unauthorised persons access to your sensitive information.
5. Rainbow Table Attacks
Not all cyberattacks happen online. Rainbow tables are offline and they’re a powerful tool that can allow an attacker to steal a good number of complex passwords in rather short periods of time.
Let’s say that someone acquires a list of hashed passwords. Hashing is a one-way transformation, so the stored values look completely different from the original passwords. What an attacker would do here is put a series of plaintext guesses through the same hashing algorithm and compare each result against the stolen list until one matches.
But wouldn’t this take too long?
Unfortunately, no. This is where rainbow tables come in. A rainbow table contains precomputed hash values specific to an algorithm. This means that there’s no need to go through hundreds of thousands of guesses. The time needed to breach a password can be quite short.
This is one of the most powerful strategies available to attackers. However, rainbow tables are not very common, because they can take up an enormous amount of space. That doesn’t mean rainbow tables aren’t a threat. Once again, you can protect against them with – it’s getting to be a common theme – a strong password. This increases the time needed for an algorithm to find a match.
In reality, most people won’t bother to figure this out on their own unless the stakes are high. When in doubt, the best thing that you can do would be to seek expert help.
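To make the rainbow table idea concrete from the defender’s side, here is an added Python example (not code from the original article). It builds a tiny precomputed hash-to-password table from a constructed word list, shows that a plain, unsalted hash of a weak password is recovered instantly from that table, and then shows why storing passwords with a random per-user salt and a slow hash (PBKDF2 here) makes any precomputed table useless: the same password produces a different hash for every user, and none of them appear in the table. The word list, password and iteration count are constructed for illustration.

```python
"""Added example: why precomputed (rainbow-style) tables work against plain
hashes and fail against salted, slow password hashes. All inputs are constructed."""
import hashlib
import hmac
import os

# Constructed sample of plaintext guesses an attacker might precompute.
WORDLIST = ["123456", "qwerty", "Password1", "letmein", "audit2023"]

# Constructed work factor; real deployments should follow current guidance.
ITERATIONS = 200_000


def build_plain_table(words, algorithm="sha256"):
    """Precompute hash -> plaintext for an unsalted algorithm.

    This is the attacker's table: built once, reused against every stolen
    hash list that used the same unsalted algorithm."""
    return {hashlib.new(algorithm, w.encode()).hexdigest(): w for w in words}


def lookup(table, hex_digest):
    """Recover the plaintext instantly if the hash is in the precomputed table."""
    return table.get(hex_digest)


def hash_password_salted(password, salt=None, iterations=ITERATIONS):
    """Defender side: random per-user salt plus PBKDF2-HMAC-SHA256.

    The salt is stored next to the hash; it is not secret, but it guarantees
    that no precomputed table can be reused across users or systems."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    """Run both scenarios and return the outcomes as a dict."""
    table = build_plain_table(WORDLIST)

    # Scenario 1: a stolen unsalted SHA-256 hash of a weak password.
    stolen_plain_hash = hashlib.sha256(b"qwerty").hexdigest()
    recovered = lookup(table, stolen_plain_hash)

    # Scenario 2: the same weak password stored salted for two different users.
    salt_a, digest_a = hash_password_salted("qwerty")
    salt_b, digest_b = hash_password_salted("qwerty")

    return {
        "plain_lookup": recovered,                       # 'qwerty', found instantly
        "salted_hashes_differ": digest_a != digest_b,    # True: salts differ per user
        "salted_in_table": lookup(table, digest_a.hex()) is not None,  # False
        "verify_ok": verify_salted("qwerty", salt_a, digest_a),        # True
        "verify_wrong": verify_salted("qwertz", salt_a, digest_a),     # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Salting does not rescue a weak password from a targeted guessing run against one user, which is why the article’s advice about strong passwords still stands; what it removes is the attacker’s ability to crack a whole stolen list at once with a table built in advance, and the slow hash multiplies the cost of every remaining guess.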
Reassess Your Security Measures
Now that you know what to look out for, you might want to revisit the security systems that you have in place. In some cases, simply creating stronger passwords would suffice.
But the risk of a breach is too high to leave anything to chance. This is why you need to see if your security measures protect you from all of the above hacking methods. Again, these evolve on a regular basis, so you’ll have to reassess your systems every so often.
Currently, your safest bet is to go with the Zero Trust model. Never trust anyone’s word, and always verify their identity before giving out sensitive information. Aside from common sense, there are a few methods that you can do to reinforce this.
Make sure to switch to two-factor authentication. This adds another layer of security: an attacker who has obtained your password still can’t log in without the second factor. In addition, going with single-use passwords is a simple yet powerful way of increasing your security levels.
Do you have more questions about protecting your business from cyberattacks? Book a Cyber Security Consultation with us to know more.