Recently, yet another cybersecurity threat seemed to materialize and disseminate scores of sensitive information almost overnight. Accounts affected ranged from Google to Yahoo. Initially, experts feared that hundreds of millions of sensitive account numbers and passwords had been compromised.
Fortunately, reports of this most-recent cyber invasion appear to have been a bit inflated. As it turns out, a majority of the information was inaccurate and obtained from less-secure third-party sites. Many of the passwords were incorrect and the account numbers turned out to be obsolete. In fact, one of the email providers—Mail.ru, based in Russia—confirmed that only 0.018% of the email-password combinations were accurate and current.
Additionally, it wasn’t the large-scale attack as previously thought—it was a compilation of smaller data stashes from less-secure sites, made to look by a particularly savvy hacker like he had scored big time. The hacker—known in an online forum as “The Collector”—created a database from smaller compilations of hacked information to garner attention and get social media brownie points in return for offering up the stolen information.
Despite the fact that this latest cyber-security scare turned out not to be “the heist of all heists,” there is still an important lesson to be learned here: the speed and effectiveness with which the young Russian hacker spread the news of his corruption and the widespread response he received serves to remind us of what exactly can go wrong in those potential worst-case scenarios. If the hacker had gotten his hands on accurate data as the result of a large-scale attack, and the account information had been current—the speed with which he could have spread financial destruction would have been impressive. He could have breached massive amounts of clients’ personal information, at least temporarily.
The appropriate response here is not to simply look the other way regarding this seemingly bogus attack. A responsible approach to this type of situation is to take preemptive action against system vulnerabilities. Business users should make sure employees:
- Update operating systems when requested.
- Download security fixes when they become available.
- Keep away from spammy, phishing emails.
- Don’t visit suspicious websites or corrupt downloads.
Additionally, all business users should protect sensitive password and account information by regularly updating and changing their online credentials—and never use the same information across multiple sites.
Perhaps most importantly, business users should take advantage of a website’s 2-factor (2FA) and multi-factor authentication options for even more enhanced password security. A multi-factor authentication process is based on three categories:
- The Knowledge Factor: Like traditional single-factor authentication protocols, the knowledge factor represents only information a user “knows” like user ID and password information. This is considered the most easily hacked password type.
- The Possession Factor: The possession factor refers to something the user physically possesses, such as a hardware device, credit card security code, or single-use passcode. Used in conjunction with the knowledge factor, the combination can provide two-factor authentication, which is considered more secure than the typical user ID and password combination.
- The Inherence Factor: This is typically derived from user biometric information, such as a thumbprint or retina scans. This is considered the most secure of the three factors, and when used in combination with the above two factors, can provide a high level of security.
Though these types of authentication require more steps than a single-factor authentication process, the problems this type of enhanced validation can save you and your business down the road is well worth the extra effort.
Phoenix Technology is the trusted choice when it comes to keeping our clients’ ahead of the latest information technology tips, tricks, and news. Contact us at (360) 433 or send us an email at -firstname.lastname@example.org for more information.