Credential Stuffing: What It Is and Why You Should Be Concerned

A recent credential stuffing attack on 23andMe.com left most people bemused, if they noticed it at all. A similarly muted response followed the leak of millions of user records on known hacker forums. What is a hacker going to do with your ancestral history? The answer may surprise you and should concern you if you are lax about password security.

Anatomy of a Credential Stuffing Attack

A credential stuffing attack occurs when a hacker takes stolen login data from the Dark Web, such as a username and password stolen from a previous attack, and uses it to try to gain access to other online accounts. In the simplest terms, it works like this:

  1. A criminal steals, buys or finds usernames and passwords online.
  2. The criminal attempts to access an account on a popular site using the stolen usernames and passwords. This can be done slowly, one set of credentials at a time. The attack on 23andMe.com, which led to the compromise of millions of credentials, may have been automated.
  3. Credentials that work, that is, username and password combinations that give the criminal access to the account, get marked as “working” or valid.
  4. The criminal creates a new database of working credentials and offers it for sale via the Dark Web or hacker forums.

If you are the target of a credential stuffing attack, a hacker now knows two things about you: You use the same credentials on multiple sites and you do not update your passwords frequently. The next criminal in line, who buys the stolen, working logins, may attempt to access shopping sites, your email accounts or your bank accounts.

Why Was 23andMe Targeted?

Criminals target sites like 23andMe because they are popular. In its second-quarter financial report, 23andMe.com reported more than 14 million users. For criminals hoping to validate stolen logins, a popular site is a good place to start. Criminals are not necessarily interested in hijacking someone’s 23andMe account, but they are interested in finding out if username and password combinations work. Hackers can then prove that they gained access to the accounts by posting some data that would only be available to the account holder; in the case of 23andMe, this was information about clients’ genetic history, which is only shared on an individual basis with registered users.

That proof increases the value of the records. Criminals assume that people who use the same username and password on more than one site likely use it on additional sites, which may include Amazon, eBay, Facebook or banking sites. Armed with working passwords, criminals can then attempt to hijack the accounts that they truly want. For the hacker who carries out a credential stuffing attack, the reward comes from selling data.

Most of the top websites in the United States have protections in place to prevent large-scale credential stuffing attacks, which makes the 23andMe.com attack unusual. It is possible that the site was targeted because it offered a combination of a large user base and vulnerability to automated attacks, allowing hackers to test millions of potential username and password combinations. The most-visited websites, and nearly all financial services sites, have safeguards in place to prevent hackers from testing more than a few credentials at a time.

If you are a high-value target, such as someone with a large bank balance, access to large volumes of personal data, access to corporate or public-sector infrastructure or the ability to authorize wire transfers, you are particularly vulnerable to a targeted credential stuffing attack. Criminals will mine databases of validated credentials looking for a few people, identified by their usernames or email addresses, that are high-reward targets. They will then attempt to use stolen credentials across several popular sites to find shared passwords. Because they only try a few credentials at a time, systems that block mass attacks fail.
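The gap described above, where a per-source limit stops mass testing but misses slow, targeted probing of one account, can be seen by running two detections over the same login log. This is an added example, not part of the original article; the log format, addresses, usernames and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   <UTC timestamp> <login_failed|login_ok> user=<name> ip=<address>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>login_failed|login_ok) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_events(lines):
    """Parse log lines into time-sorted (time, outcome, user, ip) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a login event
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"].lower(), m["ip"]))
    return sorted(events)


def _max_distinct(items, window):
    """Largest count of distinct values inside any sliding time window.

    items is a time-sorted list of (time, value) pairs.
    """
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, len({value for _, value in items[start:end + 1]}))
    return best


def mass_stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """Sources that failed logins for many different usernames in a short time."""
    by_ip = defaultdict(list)
    for ts, outcome, user, ip in events:
        if outcome == "login_failed":
            by_ip[ip].append((ts, user))
    return sorted(ip for ip, items in by_ip.items()
                  if _max_distinct(items, window) >= min_users)


def low_and_slow_accounts(events, window=timedelta(days=7), min_ips=3):
    """Accounts with failed logins from several different sources over days."""
    by_user = defaultdict(list)
    for ts, outcome, user, ip in events:
        if outcome == "login_failed":
            by_user[user].append((ts, ip))
    return sorted(user for user, items in by_user.items()
                  if _max_distinct(items, window) >= min_ips)


def sample_log():
    """Constructed sample data: documentation IP ranges, made-up accounts."""
    lines = []
    # One source testing eight different accounts in under a minute.
    for i in range(8):
        lines.append(
            f"2024-01-06T02:14:{i * 5:02d}Z login_failed "
            f"user=user{i:02d}@example.com ip=203.0.113.10"
        )
    # A legitimate user mistyping a password twice, then getting in.
    lines += [
        "2024-01-06T09:00:01Z login_failed user=bob@example.com ip=192.0.2.5",
        "2024-01-06T09:00:09Z login_failed user=bob@example.com ip=192.0.2.5",
        "2024-01-06T09:00:20Z login_ok user=bob@example.com ip=192.0.2.5",
    ]
    # One account probed once a day, each time from a different source.
    for day, host in ((7, 21), (8, 22), (9, 23)):
        lines.append(
            f"2024-01-{day:02d}T03:30:00Z login_failed "
            f"user=cfo@example.com ip=198.51.100.{host}"
        )
    lines.append("2024-01-10T03:31:00Z login_ok user=cfo@example.com ip=198.51.100.24")
    return lines


if __name__ == "__main__":
    events = parse_events(sample_log())
    print("Mass-testing sources:", mass_stuffing_sources(events))
    print("Slowly probed accounts:", low_and_slow_accounts(events))
```

The per-source view flags only the bulk tester; the account that was probed once a day shows up only when failures are grouped by username over a longer window.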

Should I Be Concerned, and What Should I Do?

Anyone who used 23andMe for a DNA test or opened an account on the site should change that password immediately. If you used the same password on other sites, it should also be changed immediately. The nature and extent of the 23andMe attack, including the number of logins compromised, remain unknown, which makes the potential threat to individuals unknown.

There are a number of additional steps you should take, whether impacted by 23andMe or not, to protect your online accounts from hijacking.

  1. Enable two-factor authentication. This is the strongest measure you can take against account hijacking. Even if criminals get your username and password, they will not be able to access the one-time code needed to complete a login. Two-factor authentication is a must for your email and financial logins, and you may want to avoid websites that do not provide it as an option.
  2. Sign up for account access notifications. Many of the web’s most popular sites, including Microsoft, Gmail and Disney properties, will send you an alert if your account is accessed from a new device. Always enable this notification when it is offered, as it will alert you if criminals attempt to access your accounts. If you receive an alert about activity that you do not recognize, immediately change that password and enable two-factor authentication.
  3. Close and delete accounts for services you no longer use. Some sites and service providers will offer to keep your account in a suspended state, hoping that you will return in the future. Reject this convenience and insist that all of your account data, including login information, be removed when you close your account. To ensure that this has been done, attempt to log in to the account with your canceled username and password. If the system does not recognize it, you can consider the account fully closed. Old accounts are a significant vulnerability, because you may not be aware that your credentials were stolen during a cyber attack.
  4. Never use the same password or username across multiple accounts. Avoid small variations as well, as a determined hacker could crack your code with a set of your usernames and passwords. As a hard rule, it should take a hacker more than 5 tries to guess your password, as many sites will suspend access to your account after 3 or 4 failed login attempts. Assume that criminals have stolen your credentials from multiple sites and avoid passwords with patterns; for example, if you use passwords such as Magnolia1, Magnolia2 and Magnolia3 on different sites, a criminal can very easily figure out that pattern and make an accurate guess about other passwords.
  5. Consider a password manager. Next to two-factor authentication, password managers are the best way to keep your logins safe, but the most robust options come with monthly fees. If you are a high-value target, the extra expense may be necessary. Businesses that use password managers should consider offering them for employees’ personal devices as a perk. While there may be a small amount of additional overhead, this will cost far less than the work hours lost by an employee who has to recover from a cyber attack. This also plugs a potential path for phishing and pretexting attacks.

The more difficult you make life for criminals, the more likely they are to leave you alone. Password protection should be your highest priority, as poor password hygiene opens the door to attacks that could devastate your finances or your business. If you need some practical advice for protecting your email, check out our free E-mail Safety Crash Course Elearning video. If you have larger cyber security needs, please contact us online or call us at 1-800-658-8311.

MoveIt Hack: What Businesses Should Know and Individuals Should Do

Dozens of global businesses may have been impacted by the MoveIt hack, a cyber attack on a third-party data-transfer provider that has potentially exposed the sensitive personal information of millions of people in the United States alone. Here is what businesses and individuals should know about the hack and how they should respond.

The MoveIt Hack Explained

MoveIt is a data-transfer tool developed by Progress Software that allows businesses to send large volumes of data across the Internet. In a typical MoveIt transfer, data are sent from one user’s account to a web server, then downloaded to another user’s account, completing the transfer.

A Russian hacker group known as Cl0p claims to have used a vulnerability in MoveIt to access the servers that stored the data, exfiltrating millions of records. Data were stolen from a broad range of organizations, including banks, broadcasters, the U.S. Department of Energy and the Oregon DMV, which alone reported approximately 3.5 million records exposed.

Cl0p has posted a growing list of potential targets on the Dark Web and is threatening to publish the data unless the impacted organizations pay a ransom.

It is important to understand what this attack is not and what it is. Though it has been reported as a ransomware attack by some media outlets, it is not a traditional ransomware attack where hackers lock up an organization’s systems and demand a payment to release them. Instead, Cl0p is holding the data it stole hostage and threatening to publish or sell it if impacted organizations do not pay. The MoveIt attack itself was limited to MoveIt servers and hackers did not gain direct access to other online systems of their victims. However, the data stolen in the attack may contain login credentials, personal information that can be used for identity theft, or information that criminals could use in the future to carry out phishing or pretexting attacks.

The exact nature of what was stolen will vary from organization to organization. In some cases, information about employees was compromised. In others, individual customer records, potentially including Social Security numbers, were stolen. What any organization lost depends on what they sent via MoveIt and what Cl0p was able to access. In remarks to reporters on June 15, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said, “As far as we know, the actors are only stealing information that is specifically being stored on the file transfer application at the precise time that the intrusion occurred.”

It is possible that Cl0p is overstating the data it actually has. Those who sent data via MoveIt should still have their data, as Cl0p was only able to steal the copies sitting on MoveIt servers.

How Should Businesses React to the MoveIt Attack?

If you use MoveIt, patch the software immediately. Only download the software directly from the Progress Software site. Be alert for additional updates on vulnerabilities and patches from Progress Software. Unpatched software may still be vulnerable to the exploits used by Cl0p.

Assess the potential damage from the MoveIt hack. The start date for the hack is unknown, but it is believed to have begun in late winter or early spring 2023. Examine the records for all MoveIt transfers since January 1, 2023, and the data that were transferred. Assume that these data have been stolen and could be sold to other hackers or published on the Dark Web. Do not assume that paying a ransom will protect your data. Criminals may take your money and sell the data anyway. You must assume that any sensitive information sent via MoveIt after January 1 has been compromised.

Change login credentials. All logins must be updated. This is a good time to consider adding two-factor authentication or a password manager if you do not currently have them.

Alert any potentially impacted clients or customers. Failure to disclose knowledge of a data breach can lead to lawsuits, government fines and possible sanctions on the organization or its senior leaders. If there is any doubt about data theft, assume the data were stolen and notify everyone who was potentially impacted. It is better to over-respond in this situation than to discover that you failed to notify victims.

Discuss phishing and pretexting risks with employees and reinforce protocols. Data stolen in this breach could include both business and personal emails for employees, which could provide fuel for pretexting attacks for the next 12 months. Cyber security employee training can help employees identify and respond to risks, but when the threat of an attack rises, organizations must instill extra vigilance through additional communications. Explain to employees what happened, how the stolen data can be used to commit acts of fraud or theft and how to respond if they receive an unusual or unexpected request from a co-worker or organizational leader.

Step up monitoring. IT and Accounting personnel should be on the lookout for new or unusual behavior. Pay particular attention to an increased number of login attempts, new remote login attempts or very small charges hitting bank accounts or debit/credit cards. These are all possible signs of criminals attempting to validate stolen credentials ahead of a larger attack.

How Should Individuals React to the MoveIt Hack?

Assume your personal data have been stolen. The MoveIt breach is just one of many ongoing data breaches. Most people should assume that their personal information, including passwords, phone number, email and address have been stolen and are available on the Dark Web. You will take a much more active and stronger approach to online security if you believe your personal information has been compromised than if you assume that it has not.

Freeze your credit. Unless you are applying for credit cards, a mortgage or a loan, freezing your credit is one of the best ways to prevent identity theft. You will need to reach out to each of the three credit-reporting agencies to do this, and to unfreeze your credit if you decide to apply for a loan in the future.

Use two-factor authentication on all sensitive logins. If two-factor authentication is available, you should take advantage of it and ensure that codes are sent to your smart phone rather than an email address that a criminal could compromise. If the sites you commonly use do not require two-factor authentication, consider using a password manager to gain an extra bit of security. The benefit of two-factor authentication is simple: Even if criminals steal your password, they cannot access your accounts without the two-factor authentication code.

Monitor your financial statements closely. Be on the lookout for very small charges, from one penny to just over one dollar, originating from unknown sources, as well as small charges that are quickly refunded to your account. Criminals use these small charges to validate stolen credit and debit cards before they carry out significant attacks. Some legitimate businesses that require access to your bank account will also use this method. When in doubt, contact your bank and ask about the transaction.

Be wary of emails about the MoveIt hack. Nearly every high-profile data breach is accompanied by a second wave of phishing attacks attempting to capitalize on it. You may receive official-looking emails from banks or service providers informing you of the breach and asking you to log in to verify your account or update your information. Never click on links in emails or text messages, even if you believe they are legitimate. Open a web browser, go to the verified website for the business and log in there.

Expect a wave of phishing and spam attacks. Any time a major data breach occurs, a rise in phishing and spam attacks follows as recently stolen email addresses and phone numbers get added to criminals’ databases. Be particularly mindful of attacks that spoof popular shopping sites or delivery services, such as Amazon, eBay or UPS. Follow the same rule for emails and texts about the MoveIt attack: do not click on links in emails or texts and log in directly to websites to verify any potential issues. Block any spam messages that you receive and block numbers that send spam or phishing texts.

Maintaining vigilance after a significant data breach can be challenging. Many people and organizations will be alert for a week or two, then assume that things are back to normal if no attacks occur. While there are no hard and fast data on the lag between when data are stolen and when criminals launch attacks, know that a fresh set of stolen data can circulate for up to two years online. High-value data, such as login credentials, may be used by criminals within a few hours to try to compromise additional systems.

Preventing fraud and theft online requires a consistent approach amid evolving threats. Protect Now offers in-depth seminars and online cyber security employee training that raises vigilance and empowers employees to recognize and stop cyber threats. To learn more, contact us online or call us at 1-800-658-8311.

Municipal IT Director Put on Leave Following Breach

Hackers Had Access for Months Before Launching Ransomware Attack

In another sign that accountability is rising in cyber security, the IT director of the Suffolk County Clerk’s Office in New York has been put on paid administrative leave. An investigation following a September ransomware attack found that hackers had been exploring and exploiting Suffolk County’s systems since December 19, 2021, and accused IT Director Peter Schlussler of acting in “an incredibly nonchalant manner” toward the county’s cyber security.

Schlussler disputed the investigation’s findings in an email to The New York Times, noting that his requests for stronger cyber security at the County Clerk’s office had been rejected by superiors. Suffolk County wound up taking all of its systems offline in September when the hack was finally discovered and, according to the Times, is still using workarounds for some online functions.

Suffolk County Hack Timeline Illustrates Common Tactics and Detection Failures

An examination of the Suffolk County hack reveals opportunities when the intrusion could have been detected, had the IT Director been following security protocols that most cyber security specialists recommend.

December 19, 2021: Criminals gain access to the County Clerk’s systems via a known flaw in a common piece of software. Investigators found that there was no centralized authority for the municipal systems run by Suffolk County. As a result, patches to fix the known vulnerability were not applied across all systems. Suffolk County Executive Steven C. Bellone cited the IT director’s failure to patch the vulnerability as a cause of the cyber attack.

January 2022: Hackers install Bitcoin mining software on the Suffolk County systems. Criminals install software like this for two reasons: To see if it will be detected and removed, and to see if the data it sends will be detected and removed. Organizations that fail to spot rogue software communicating with unknown parties will have their data stolen.

Many IT directors perform regular scans of all systems to look for new software installations, which can be a sign of a breach. This can be a challenging task in a large, decentralized environment, which is why cyber security professionals recommend centralized administration for users and software.

March 2022: Hackers install tools to run Suffolk County systems remotely. Criminals who do this have a high level of confidence in their ability to carry out significant attacks. These systems will be tested before the next phase of intrusion begins, offering an opportunity to detect the activity.

Every IT director and security professional should be scanning systems regularly for all known remote clients. Although New York investigators did not specify the kind of remote access tools used, many criminals use the same remote-access software that organizations use to keep their own remote employees connected. By itself, the presence of remote access software may not trigger concern, but the alarm should be raised if it is suddenly used more often, at unusual times of day or in unusual ways. Use a Virtual Private Network (VPN) secured with two-factor authentication (2FA) to enhance the security of remote access.

April 2022: Criminals create the first of several admin-level user accounts in the County Clerk’s systems. This is the boldest step yet, and at this point, the hacker is the IT director. With Admin-level access, criminals can install software, exfiltrate data and manipulate systems to cover their tracks.

There are a number of ways to alert IT staff when new accounts are created, and a number of ways to limit the access that new users have. Beyond these safeguards, user lists and access levels should be audited and verified on a regular basis, with any unrecognized accounts immediately flagged and suspended.
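The recurring audit described above, and the software-installation scan mentioned earlier in the timeline, both come down to comparing a current inventory against an approved baseline. The following is an added example, not from the original article or the investigation; the export format, host name, account names, software names and the list of privileged groups are all constructed assumptions.

```python
import csv
import io

# Assumption: groups that grant admin-level access in this environment.
PRIVILEGED_GROUPS = {"administrators", "domain admins"}

# Constructed snapshots in a hypothetical export format: kind,host,name,detail
#   kind=account  -> detail is a ';'-separated list of groups
#   kind=software -> detail is the installed version
BASELINE = """\
account,host-a,jsmith,users
account,host-a,itadmin,users;administrators
account,host-a,svc_backup,users
software,host-a,office-suite,16.0
software,host-a,backup-agent,4.2
"""

CURRENT = """\
account,host-a,jsmith,users
account,host-a,itadmin,users;administrators
account,host-a,svc_backup,users;administrators
account,host-a,helpdesk2,users;administrators
account,host-a,temp_intern,users
software,host-a,office-suite,16.0
software,host-a,backup-agent,4.2
software,host-a,remote-support-tool,9.1
software,host-a,coin-miner-example,1.0
"""

# Order in which findings are reported, most urgent first.
SEVERITY = {"NEW_ADMIN_ACCOUNT": 0, "PRIVILEGE_GAINED": 1,
            "NEW_ACCOUNT": 2, "NEW_SOFTWARE": 3}


def load_snapshot(text):
    """Return (accounts, software) dicts keyed by (host, name)."""
    accounts, software = {}, {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        kind, host, name, detail = (field.strip() for field in row)
        key = (host.lower(), name.lower())
        if kind == "account":
            accounts[key] = {g.strip().lower()
                             for g in detail.split(";") if g.strip()}
        elif kind == "software":
            software[key] = detail
    return accounts, software


def audit(baseline_text, current_text, privileged=PRIVILEGED_GROUPS):
    """Compare a current snapshot with the approved baseline.

    Returns (finding, host, name) tuples sorted by severity, then host, name.
    """
    base_accounts, base_software = load_snapshot(baseline_text)
    cur_accounts, cur_software = load_snapshot(current_text)
    findings = []

    for key, groups in cur_accounts.items():
        is_privileged = bool(groups & privileged)
        if key not in base_accounts:
            kind = "NEW_ADMIN_ACCOUNT" if is_privileged else "NEW_ACCOUNT"
            findings.append((kind, *key))
        elif is_privileged and not (base_accounts[key] & privileged):
            # An existing account that was quietly added to an admin group.
            findings.append(("PRIVILEGE_GAINED", *key))

    for key in cur_software:
        if key not in base_software:
            findings.append(("NEW_SOFTWARE", *key))

    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1], f[2]))


if __name__ == "__main__":
    for finding, host, name in audit(BASELINE, CURRENT):
        print(f"{finding:18} {host:8} {name}")
```

Running the comparison more often than the monthly cadence discussed later in this article shortens the window in which a new admin account or tool goes unnoticed.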

July 2022: Data exfiltration begins, including at least one file with the name, “Passwords.”

August 2022: Keyloggers are installed. Intrusions begin on systems connected to the County Clerk’s system. Hackers encrypt everything they can access as they prepare to launch a ransomware attack.

What should stand out about the Suffolk County attack is the patient, meticulous nature of the hackers. This was not a high-speed raid or a crime of immediate opportunity. Hackers got in, then slowly built up their presence and toolkit over time, starting with nuisance software and moving on to complete control and surveillance. At each step, the hackers stopped and waited to see if their activity would be detected. When it was not, they executed the next step of their takeover plan.

The month-by-month increase in activity correlates with what hackers know about most cyber security solutions: Scans run at least once a month. If 30 days pass and software or activity has not been detected, it is safe to escalate. Think of this like a burglar finding a series of unlocked doors in a home. After opening each door, the burglar looks around to make sure it is safe before opening the next door.

The Myth of “Opportunistic” Cyber Attacks

Far too many business owners and organizational leaders think a cyber attack occurs because someone lets their guard down for a moment. While these attacks do occur, they tend to be low-level financial attacks that scam a few hundred or a few thousand dollars. Real cyber criminals are as patient and methodical as the group that attacked Suffolk County, and the damage they cause can lead to millions of dollars in remedies and restitution. Large, distributed, heavily used networks like those found in municipal government offices are ripe targets for the troves of personal information they hold and the opportunities they offer for criminals to conceal their activities.

We see multiple points where the Suffolk County attack could have been stopped, but we also see the challenges faced by the IT director, which are common to both businesses and the private sector. Too many leaders do not understand the real nature of cyber attacks. Too many government and private-sector organizations see Virtual CISO services or Dark Web Monitoring as a needless expense. The irony here is that they wind up paying for these services after a breach, alongside any fines and costs associated with data loss and system repairs, when they could have prevented the intrusion in the first place.

There is also the question of accountability, and the decision to suspend the Suffolk County Clerk’s IT director. This follows Federal sanctions against the CEO of Drizly following the theft of customer data. In both of these cases, investigators uncovered events that should have been prevented by cyber security best practices and held the people responsible for overseeing cyber security accountable.

Here are 12 Ways to Contain a Hack for Yourself and Your Business

Do you have a business? If “yes,” you have to read this. Do you have personal information? “Yes,” you do. In both scenarios, you will find that hackers have you on their radar, and here are 12 ways that you can mitigate the damage caused by a hack.

Ways to Contain a Hack for Yourself and Your Business

  1. Work with a Professional – It is very possible for a small business to be hacked because staff often did not use professional techs in the first place. So, companies offering breach mitigation and security should be contacted ASAP. These IT professionals, also known as chief information security officers (or, if virtual, virtual chief information security officers), are experts in containment, and they can forensically determine the nature of a hack, remove any vulnerabilities, update hardware and software, and ensure that breaches like this won’t happen again.
  2. Temporarily Disconnect Every Device from the Internet – You want to remove all devices from the network temporarily to stop data from leaving the network and prevent hackers from communicating with the server. This could mean totally disconnecting internet connections and routers.
  3. Reset and Change All Passwords – You also want to make sure that you and all staff are changing and resetting passwords. The moment the network or device goes back online, the hacker will try the same passwords again, and they can get right in.
  4. Update Your Software – Start by scanning all of your software and hardware with an anti-virus program and remove anything malicious. Many vulnerabilities are caused by outdated anti-virus software. Updating this software with patches eliminates the threats.
  5. Get New Hardware – You should also consider getting new hardware, too. Old hardware can often not keep up with the requirements of new software.
  6. Back Up Your Data – You also have to make sure that you are backing up your data on a consistent basis.
  7. Manage Any and All Identities – You also should make sure that you are managing all identities and access to your accounts. Do this across the board. It could make your network very vulnerable.
  8. Start Using Conditional Access – On top of this, you should make sure you are using conditional access that is based on things like device and location.
  9. Use Multi-Factor Authentication – You should also use multi-factor authentication to keep your accounts safe, too.
  10. Invest in Security Awareness Training – Make sure your employees know what to do…and what not to do…in regard to network security. Providing good security awareness helps make your entire company safe.
  11. Patching – Create a system so you can always make sure that both your hardware and software are patched and updated regularly. This also makes sure that your data is safe.
  12. Align Your IT Security with Other Security – Finally, if you are in the IT industry, you might feel like you are constantly struggling to keep up with ever-changing technology, including security technology. The success of your business is based on keeping it safe and secure, and by keeping security in mind, it can have a direct and positive impact on your revenue.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Russian Hackers: 14 Ways to Protect Yourself and Your Business

What’s happening in the Ukraine is an example of the worst that humanity has to offer. Millions of people are being displaced, and thousands are being killed. Our collective governments are walking a fine line in order to help prevent loss of life there and here. In addition, Ukrainians, prior to dodging bombs and bullets, dealt with cyberattacks and Russian Hackers on a wide scale.

Unsurprisingly, the White House and CISA published a directive: “There is now evolving intelligence that Russia may be exploring options for potential cyberattacks.” To those in the security community, this is nothing new; we know this has been going on forever.

These attacks would be designed to cripple critical infrastructures wherever they are successful. That means going after the Internet itself, the electrical grid, water supplies, and the financial systems. All of this will have a significant impact on the supply chain, including the food supply.

If you haven’t already been, do these things NOW to Protect Yourself and Your Business from Russian

  1. Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
  2. Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
  3. Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
  4. Back up your data and ensure you have offline backups beyond the reach of malicious actors;
  5. Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
  6. Encrypt your data so it cannot be used if it is stolen;
  7. Provide security awareness training. Educate your employees to common tactics that Russian Hackers and other attackers will use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unusual crashes or operating very slowly; and
  8. Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents. Please encourage your IT and Security leadership to visit the websites of CISA and the FBI where they will find technical information and other useful resources.

9. Focus on bolstering America’s cybersecurity over the long term.

We encourage technology and software companies to:

  1. Build security into your products from the ground up — “bake it in, don’t bolt it on” — to protect both your intellectual property and your customers’ privacy.
  2. Develop software only on a system that is highly secure and accessible only to those actually working on a particular project. This will make it much harder for an intruder to jump from system to system and compromise a product or steal your intellectual property.
  3. Use modern tools to check for known and potential vulnerabilities. (Use Protect Now’s Hacked Email Checking Tool) Developers can fix most software vulnerabilities — if they know about them. There are automated tools that can review code and find most coding errors before software ships, and before a malicious actor takes advantage of them.
  4. Software developers are responsible for all code used in their products, including open source code. Most software is built using many different components and libraries, much of which is open source. Make sure developers know the provenance (i.e., origin) of components they are using and have a “software bill of materials” in case one of those components is later found to have a vulnerability so you can rapidly correct it.
  5. Implement the security practices mandated in the President’s Executive Order, Improving our Nation’s Cybersecurity. Pursuant to that EO, all software the U.S. government purchases is now required to meet security standards in how it is built and deployed. We encourage you to follow those practices more broadly.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Wi-Fi Hackers Snoop on Your Phone and Laptop: Here’s How They Do It

Wi-Fi is inherently flawed. Wi-Fi was born convenient, not secure. It is likely that you have heard about how dangerous it is to use an unsecured public Wi-Fi connection, and one reason is that a scammer can easily snoop. It is easier than you might think for a person to hack into your device when it is connected to a public Wi-Fi connection. In some cases they may be able to read your emails and messages, access your passwords, or even get personal information like your bank account number.

It’s possible that your router or any router you connect to has been hacked and you won’t know it. Using a known tactic called DNS (Domain Name Server) hacking or hijacking, skilled hackers (both black-hat and white-hat) can crack the security of a business or your home Wi-Fi, resulting in a breach. From there, if they are savvy, they can set up a spoofed website (like a bank or ecommerce site) and redirect you there. From here the goal is to collect login credentials or even monitor or spy on your transactions on any website.

Think about this too: you are sitting in a local coffee shop working on your laptop while connected to the shop’s Wi-Fi. Someone sitting near you could easily download a free wireless network analyzer, and with some inexpensive hardware and software (google “Wifi Pineapple”), they can see exactly what you are doing online…unless your device is protected. They can read emails that you are sending and receiving, and they can do the same with texts.

Using a Wi-Fi Hotspot Safely: Tips

Knowing what can happen when you connect to a public Wi-Fi spot, you want to know how to use one securely. Here are some ideas:

  • Don’t automatically connect to Wi-Fi networks. When initially connecting to a wireless network, we are often faced with a checkbox or option to “automatically connect” to the network in the future. Uncheck this and always manually connect. For example, if your home network is “Netgear” and you are somewhere and your device sees another network named “Netgear,” your device may connect to its namesake—which may not necessarily be as safe, potentially leaving your device vulnerable to anyone monitoring that new network.
  • When setting up a wireless router, there are a few different security protocol options. The basics: Wi-Fi Protected Access (WPA and WPA2) is a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP), which was introduced in 1997.
  • Confirm the network you are connecting to. Granted, this is easier said than done. There are rogue networks called “evil twins” that criminals set up; they are designed to lure you into connecting by spoofing the name of a legitimate network. For example, you may use what you see as “Starbucks Wi-Fi” to connect while you’re sipping your latte, but you may also see a listing for “FREE Starbucks Wi-Fi.” Or “ATT WIFI” might be real, but a hacker might have “Free ATT WIFI” as a fake network. Which one—if either—is for real? Such setups are designed to lure you in—and once connected, your data might get filtered through a criminal’s device. If you don’t know if a network is safe or not, feel free to ask.
  • This is a bit 101, but when you log into any website, make sure the connection is encrypted. The URL should start with HTTPS, not HTTP. Most sites today encrypt your session automatically.
  • Use a VPN when you connect to a public Wi-Fi connection. A VPN is a technology that creates a secure connection over an unsecured network. It’s important to use because a scammer can potentially “see” your login information on an unsecured network. For instance, when you log in to your bank account, the hacker may be able to record your information, and even take money from your account. VPN pricing ranges from free to a monthly or annual fee or a lifetime license.
  • If you are using a private network, make sure that you understand that they, too, are vulnerable. Anyone who has some knowledge can use these networks for evil. Always use a secure connection, and seriously, consider a VPN.


Holiday Hacking is Very Risky for You and Your Family

It’s the holidays once again, and each year, people flock to the internet to do online shopping. Hackers know this, and they set themselves up to steal your data.

Every year there is a big hack, and this year will likely be no different. Here are some tips to protect yourself shopping online now and in the future:

Do Business With Trusted Sites

There are zillions of websites that look perfectly legitimate, even using HTTPS in the URL. Many of these sites use perfect grammar, they incorporate an online “chat” feature where someone engages you immediately, and they even have a functional shopping cart. But they are in fact built specifically to scam you. You will generally stumble upon these sites in Google search when looking for a specific hard-to-find item.

To prevent being scammed, pay only by credit card, which lets you get a refund once you learn of the scam. Never wire money or use Zelle, PayPal, Venmo, etc. And search the name of the company and its URL to see if anybody else has been scammed. You might find references via the Better Business Bureau, “Scam detector” or other reputation-based sites, or various forums revolving around that specific product category.

Only Use Strong Passwords

You should have a different password for every site you use. Keep in mind that this password might be the only thing stopping someone from accessing your personal information including your address, credit card information, and more. The best passwords should contain upper and lower case letters, symbols, and numbers. Also, avoid choosing anything obvious like the name of your pet, and never, ever use the same password for more than one account.

Update All Device Software

All of us are probably guilty of not updating our software when it needs to be updated. However, there is one type of software you never, ever want to skip updating: your anti-virus software. Anti-virus software helps to prevent hackers from getting access to your accounts. Also make sure to update your operating system and other software on your devices.

Always Use Two-Step Verification When You Can

Many companies offer two-step verification for customers. If this is available, choose it! This adds one more layer of security that a hacker has to get through, and it’s quite difficult to do because not only do they need access to your account, but they also need access to your device. Most major retailers allow this, including Amazon and eBay.

Ignore Strange Looking Emails

Also, keep an eye out for strange looking emails. Many companies send holiday sales emails, for instance, and some hackers will take advantage of this. They will send an email that looks like it comes from a legitimate source, like Macy’s, but it’s actually a fake email that is coming from a weird email address and not Macys.com.

Watch Your Credit Card Statements

It is also important to watch your credit card statements, and if something looks strange, report it immediately. Consider getting notifications and alerts for any charges.

Keep Your Devices Locked

Another thing you can do is make sure all of your devices are locked. A device that is unlocked can easily expose your personal info to hackers, so keep those devices locked with a biometric option, like a fingerprint, or a strong password.

Don’t Use Unsafe Apps

If you are shopping from an app, make sure it’s a trusted one. You should only download apps from the Apple App Store, the Google Play Store, or Amazon App Store. Also, make sure that you are looking into what permissions you are giving these apps. For example, does an app need access to your contact list? No, it doesn’t.

When Shopping From Your Computer, Stay Safe

Even if you are shopping from a computer or mobile phone, you need to be connected to a safe and secure network. Don’t use public Wi-Fi unless you are also using a virtual private network, or a VPN.

It should be the responsibility of online retailers to ensure their sites are safe, but we all know that this just doesn’t always happen. So, make sure you are taking these extra steps to stop hacking.


How to Protect Your Email from Hackers

It is easier than you might think to secure your email from hackers. The number one thing you can do is set up two-step verification. Even if your username and password are compromised, bad guys will still need your mobile phone to access your account. And of course, never ever click on any links that come through your email unless you are positive they are coming from a trusted sender. Not clicking on those links is easier said than done, and even that is sometimes not enough.

Hackers have a saying – “Own the email, and you’ll own the person.” If you get hacked, the scammers will now have access to many, if not all, of the accounts that are associated with your email address.

How do they get access? Well, they send phishing emails, which look very much like real messages from a source you trust like UPS, PayPal, the IRS, your bank, a friend, your mom, etc.

Even people who seem smart or those who are in leadership positions can get tricked into clicking links in emails. Even John Podesta, who was Hillary Clinton’s campaign chairman, fell for a hack like this. He clicked on a link that seemed like it was from Google, but really it was a hacker…and that hacker got into his entire email account.

Don’t Let a Hacker Get Into Your Email Account

If you see a link and you want to or are supposed to click it, there are a few things you should do:

  • Hover your mouse over the URL to see if it looks strange. If the email says it’s coming from Chase Bank, but the URL looks like a bunch of nonsense, it’s probably not safe to click.
  • Many times, however, the URL can look very legitimate. So, you want to look for some other signs.
  • Look at the email for things like misspellings, grammar mistakes, or other odd things.
  • When in doubt, contact the sender via telephone.

Additional Tips

  • If you see some type of urgency in the email, such as your account being compromised or your account being suspended, don’t be so quick to click.
  • There might also be some good, unexpected news in the email that you want to click…but again, be smart and only click if you are absolutely sure.
  • Is the message telling you that you must re-set your password? Be careful here. It’s likely a scam.

Emails from UPS, the IRS, PayPal, a major retailer, or your bank could also be suspicious, so again, don’t click until you are totally sure the link is safe.

Tips for Protecting Your Account

Here are some final tips that you can use to protect your account:

  • Employers need to engage in security awareness training in the form of phishing simulation training.
  • Use strong passwords that are long and difficult to guess. They should be mixed with letters, numbers, and symbols.
  • Use two-factor authentication for all accounts, including your email account.
  • Don’t click on attachments unless you know exactly what they are.

When you really think about it, protecting your email account is one of the most important things that you can do to keep your information safe. Everything here is simple to do and understand, and it can make a big difference in your life, especially when you consider how easy it is to get hacked.


Is Two Factor Authentication a Good Thing to Use?

“TechWorld” has some interesting information, such as a story on a report from the National Institute of Standards and Technology. And while you may not see this as being “fun”, it is at a minimum interesting. I’m here to break it down for you.

In this report, the public was advised to stop using two factor authentication. However, other people suggest that this is the very best way to prevent identity theft. So, which is it? Let’s take a look.

When you get a message from someone, you surely want to make sure that they are who they say they are. In fact, many of us rely on tools like Caller ID. However, you might want to stop doing that, as caller ID can be faked. As hackers start using this more, they are finding ways to fake SMS, too, which means technically, they could be faking two-factor or two step authorization/verification which heavily relies on text messaging. So, it is very important to stay vigilant about protecting your information and being careful about what you respond to via text.

Why Authorization is Important

When it comes to the importance of authorization in transactions, it’s imperative that you are confident that you can access your info. We now know that it is very easy for a criminal, if they know what they are doing, to get into your accounts by using your password and username. But just a username and a password isn’t enough.

How Two-Factor Authentication Works

When you choose to use two-factor authentication, after entering your password online, you will receive a one-time use code by SMS, which you then use to fully log into your account. For this to work, the following must occur:

  • You must have a mobile device
  • You must know how to access the device (PIN or biometrics)
  • You must have a username and password to an online account
  • You must have the one-time use code, which will be sent to the device

Unless all four of these things are present, the account cannot be accessed. So, even if a hacker has your username and password, if you have two-factor authentication set up, they would also need your device to access the account. This makes it much more difficult to illegally access an account and helps your account to be much safer.

How Hackers are Being Smarter than Two-Factor Authentication

Though it is more difficult for a hacker to get into your account that has two-factor authentication, it is not impossible. Here are some ways that hackers are able to get around it:

Man in the Middle Attack:

  • The hacker gets access to your username and password
  • The hacker tries to log in and is denied because you have two-factor authentication set up.
  • The hacker contacts you via social media, email, or phone with some type of trick to get your one-time code.

Phone Cloning:

  • The hacker will go into a brick and mortar cell phone carrier store and pretend they are you. They get a new phone with your number.

Changing the Number

  • The hacker creates a fake website, and you enter your number into it. They then take your number and change it, and then they keep your original number. This sounds more complicated than it is.

There is a Lot of Confidence About SMS Two-Factor Authentication

When you use SMS two-factor authentication, you don’t have to worry if your password gets into the wrong hands. Remember, the criminal who has your password still needs your one-time code…and unless they have your phone, they can’t access it.

Companies that offer two-factor authentication give their customers more confidence, and there is an increased interest in the company’s products and services because transactions are more secure.

So, should you be nervous about SMS two-factor authentication? No, you don’t need to be. You really do have an extra level of protection, but remember, it isn’t totally foolproof. There are still ways that a hacker can access your accounts, though it is quite difficult.

You can have confidence in two things: first, that banks continue to come up with easy and friendly ways to keep all of us safe with an alternative to two-factor authentication, and second, that you are already a step ahead of hackers thanks to your new-found knowledge from reading this article.

One simple way to engage and activate two factor authentication for all critical websites is to simply do a Google search for “two factor” and then the name of the site. An example would be “two factor Amazon.” You’ll definitely find plenty of options to enable two factor authentication on every critical website you visit.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program.

Protecting Your Company and Yourself from COVID-19 Hackers

Many people are asking how they can not only protect themselves, but also their organizations, from all of these COVID-19 hacks that are currently popping up.

As with any other phishing scam, vigilance is extremely important. We are certainly going to have to keep on our toes for months, or even years, as this fallout from the pandemic could be around for a long time.

You have to be suspicious of each and every unsolicited email, phone call, or text, especially if someone is looking for account or contact details, or they ask you to share personal information. If you feel like information seekers are asking for too much, you should vet the email, dig deeper, do some web searches, and make sure it’s legitimate.

Don’t use any links or phone numbers within the email or based on the call until you do this. If you get a recorded message, make sure you don’t press any button when asked. If you do, you may be giving them some type of approval and you end up being a victim.

  • In response to ransomware, you should make sure that you are totally backing up your data on all of your devices.
  • For any online account you have, set up or turn on two-factor or multi-factor authentication when you can. This, at least, makes those accounts less likely to be breached, even if someone does get ahold of some of your information.

You might think this is a pain right now, but it definitely won’t be a pain if your information is breached and you start to lose money.

There are many organizations that are being forced to give their employees access to their networks from home…and in most cases, they never planned for that. This working from home increases the criminals’ attack surface. So, the network is probably more vulnerable, and in some cases, security policies and processes are even being bypassed to ensure all employees have access to it. This comes at a big risk, and with every employee who has access to the company network, there is an opportunity for a hacker to get inside.

Most cybercriminals who go for this type of hack want to get access so they can get sensitive information and turn it into cash. Other hackers want to go big time, and they will use the credentials that they are hacking in attacks like “password stuffing/spraying” to access multiple critical user accounts. With a larger “attack surface”, these companies are definitely at risk, and because staff are working from all over the place, any attempt to break into the network could go unnoticed until it is too late.

Corporate cybersecurity and IT teams are working hard, but they, too, are generally working from home. With even more workload and more remote information to go over, this also means that they don’t have the time to pay as close attention as they should. This makes things even more dangerous, so keep your eyes open.
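One way a stretched security team can keep “password stuffing/spraying” from going unnoticed is to let a script watch the login records. The following is an added example, not code from the original article: it flags any source address that fails logins against many different accounts within a short window and lists accounts that logged in successfully from that same source, so their passwords can be reset. The log format, the thresholds and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-03-04T09:00:05 198.51.100.23 alice FAIL
2024-03-04T09:00:20 198.51.100.23 alice FAIL
2024-03-04T09:00:41 198.51.100.23 alice OK
2024-03-04T09:02:00 203.0.113.50 alice FAIL
2024-03-04T09:02:03 203.0.113.50 bob FAIL
2024-03-04T09:02:07 203.0.113.50 carol OK
2024-03-04T09:02:11 203.0.113.50 dave FAIL
2024-03-04T09:02:15 203.0.113.50 erin FAIL
2024-03-04T09:02:19 203.0.113.50 frank FAIL
2024-03-04T09:30:00 192.0.2.9 bob FAIL
2024-03-04T11:30:00 192.0.2.9 carol FAIL
"""

def parse(log_text):
    """Yield (timestamp, ip, user, succeeded) from the assumed log format."""
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def find_spraying(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag sources that failed logins for >= min_users accounts in one window.

    Returns {ip: {"targeted": set_of_users, "review": set_of_users}} where
    "review" holds accounts that logged in successfully from a flagged source.
    """
    recent = defaultdict(deque)    # ip -> failures still inside the window
    successes = defaultdict(set)   # ip -> accounts that logged in from it
    flagged = {}
    for ts, ip, user, ok in sorted(parse(log_text)):
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()     # drop failures older than the window
        if ok:
            successes[ip].add(user)
            continue
        failures.append((ts, user))
        users = {u for _, u in failures}
        if len(users) >= min_users:
            flagged.setdefault(ip, {"targeted": set()})["targeted"] |= users
    for ip, entry in flagged.items():
        # A success may precede the moment the source crossed the threshold,
        # so every success from a flagged source is listed for review.
        entry["review"] = set(successes[ip])
    return flagged

if __name__ == "__main__":
    for ip, entry in find_spraying(SAMPLE_LOG).items():
        print(ip, "targeted", sorted(entry["targeted"]),
              "review", sorted(entry["review"]))
```

An employee who mistypes a password a few times from home is not flagged, because only one account is involved. A source that spreads its attempts over hours stays under this window and needs a longer baseline.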
