Earlier today, The Times reported that hackers are trading email addresses and passwords belonging to thousands of British politicians, ambassadors and other top officials online. The newspaper conducted an investigation, which found two massive lists of stolen credentials were put up for sale or traded on Russian-speaking hacking sites, which included the log-in details of 1,000 British MPs and parliamentary staff, 7,000 police employees and over 1,000 Foreign Office officials. IT security experts commented below.
Ryan Wilk, Vice President at NuData Security:
“Data in the wrong hands can have a huge impact. Email addresses and password information, combined with other data on the consumer from other breaches and social media, builds a more complete profile. In the hands of fraudsters and criminal organisations, these valuable identity sets are usually sold to other cybercriminals and used for myriad criminal activities, both on the Internet and in the physical world. Using these real identities, and sometimes fake identities with valid credentials, they’ll take over accounts, apply for loans and much more. Every hack has a snowball effect that far outlasts the initial breach.
All personal information is valuable to fraudsters. Names, physical and email addresses, passwords, the content of emails – everything that can be used to compile an identity will be used. We must change the current equation of “breach = fraud” by changing how we think about online identity verification. We need to protect all consumer data, but more importantly, we need to make it valueless.
The technology exists right now that prevents fraudsters with stolen valid credentials from accessing accounts because they can’t replicate the real users’ behaviour.
Analysing user behaviour with passive biometrics is completely invisible to real customers and fraudsters alike. It has the added benefit of providing valid users with a great experience without the extra friction that often comes with other consumer identification techniques. When fraudsters try to use stolen consumer data or login credentials, they will find the data is useless. The balance of power will return to consumer protection when more companies implement such techniques and technology.”
Graeme Newman, Chief Innovation Officer at CFC Underwriting:
“This desire for profits will continue to support the growth of cybercrime in the years to come. As long as they take the proper precautions, like configuring their anonymous access browser and using a proxy to further hide their location, hackers and criminals will continue to be able to buy and sell the fruits of their questionable labour.
“The Dark Web is a playground for criminals, as today’s news has shown, but it’s big business for cyber criminals and is fuelling an underground economy. From our own research, we found that account login details are sold from $35 to $1000 according to their balance, while US social security numbers with 800+ credit ratings are sold for up to $100. We can only guess how much the email addresses and passwords of these MPs have been sold for.”
Mark James, Security Specialist at ESET:
“With so many breaches happening so frequently, we can be forgiven for briefly glancing over the news when we read of another one happening to another large, well-known company. The problem of course is not always the current hack or breach, it’s the fact that this small amount of data could be the next piece of the jigsaw in your online profile.
Once that profile is large enough to be useful, it may be offered for sale on the web. This data could then be used to access other accounts if you reuse passwords, or if it’s access to email accounts then they now have an excellent base to start a targeted phishing attack that would seem to come from someone you know or already do business with.
We encounter spam and phishing attacks on a daily basis and most end up in the bin; but if we recognise the sender, then the level of trust is elevated and that could now mean being one step away from being a victim.
As always, try where possible to never use the same password twice, use a pass-phrase rather than a password, and make it unique – password managers are a good way to protect your digital logins.”
Andrew Clarke, EMEA Director at One Identity:
“So every organisation makes efforts to secure the authentication credentials of the users – and often forces regular changes on them to ensure that the passwords don’t get stale. Occasionally the password change forces a totally different character sequence – but occasionally the user can get away with just appending a character to an existing password to make the change but to aid memory. Passwords are used for everyday website accesses – whether it be social media sites or shopping sites. Human behaviour often results in the same password being used time and time again. So, if one of these sites gets compromised – then every other site where the same password is used is subject to being compromised. Users are encouraged to create strong passwords – but the challenge is always having one that is memorable. Rather than the usual 12345 or QWERTY sequence, the user could take a phrase that they can remember such as “Always look on the bright side of life” – ALOTBSOL – a sequence that is not subject to a standard dictionary attack.
One way in which businesses and government organisations can overcome the password reuse issue is by introducing Multi-factor Authentication (MFA). To access a system, the user has to not only provide the password but also the second factor – which may be for example a code that has been sent via SMS to a trusted device. We see this working very effectively with Apple devices for example, where it is easy to switch on Two-factor authentication and if a request from a new location occurs, the trusted device.
Sometimes, it takes time to change to MFA, so if passwords are the only authentication used within the business, then a Password Manager tool would help on a number of fronts. Firstly, it would help reinforce organisational policies and data security standards – the business could ensure that sensible choices for a password are taken – and if a password is tried unsuccessfully then the system access is actually locked out. Associated with such a tool is a series of profile questions that empower the user to reset their own passwords by asking personalised questions to which the user has predetermined the answers. Many organisations that take the step to implement this control are able to realise their return-on-investment very quickly as it is simple to set up and simple to use – and as well as improving security, cuts down on administrative overhead.”
Pete Turner, Consumer Security Expert at Avast:
“It’s highly concerning that sensitive email and password data for so many public officials in the UK is being sold online and it illustrates the importance of changing your password if a website you use has been hacked. This data is believed to have come from the LinkedIn and MySpace hacks several years back, so anyone who used those services at that time and has not since changed their password, should do so immediately. This means any of their password information that may be included in this database will be rendered unusable to the hackers.
For those who suspect they have been affected by this breach, or indeed any data breach we are aware of which has compromised login information, I would strongly advise that your first course of action is to change your password on your online accounts. If you use the same username and password combination for more than one website, then this is especially important as the hackers would then have access to your other accounts that share this information.
It’s important to use different passwords for all your accounts and make them as complex as possible. I know it’s hard to remember different, complex passwords but you can use a password manager to help with this. A password manager tool helps create strong passwords for all of your accounts and securely stores them behind a master password. This way, all you have to do is remember one secure password to access your password manager tool, which should then auto-fill your passwords when accessing your accounts.
It’s also a good idea to take advantage of two-factor authentication that is now regularly offered by online providers. This provides an extra layer of security for online accounts as it requires you to enter a second piece of information, such as a single-use code generated at login, along with your username and password. This code is typically sent to a mobile number or email address associated with your account and can be generated on a mobile device. If you’re not the one trying to log in to your account, two-factor authentication can also serve as a warning system when someone else is trying to break in.
Finally, as we never know when a hack has happened – and typically we find out one or two years after the breach has taken place – it’s good security practice to change your passwords on a regular basis, such as every three or six months. This way, if a hack has occurred and your login details are stolen, they cannot be used by hackers because you have already changed them prior to the database being circulated amongst other cybercriminals.”