Thu 25 January 2024:
Cyber-skulduggery is becoming the bane of modern life. Australia’s prime minister has called it a “scourge”, and he is correct. In 2022–23, nearly 94,000 cyber crimes were reported in Australia, up 23% on the previous year.
In the latest high-profile attack, around 15,000 customers of alcohol retailer Dan Murphy, Mexican restaurant chain Guzman y Gomez, Event Cinemas, and home shopping network TVSN had their login credentials and credit card details used fraudulently to buy goods and services in what is known as a “credential stuffing” attack.
So what is credential stuffing – and how can you reduce the risk of it happening to you?
Re-using the same login details
Credential stuffing is a type of cyber attack where hackers use stolen usernames and passwords to gain unauthorised access to other online accounts.
In other words, they steal a set of login details for one site, and try it on another site to see if it works there too.
This is possible because many people use the same username and password combination across multiple websites.
It is common for people to use the same password for multiple accounts (even though this is very risky).
Some even use the same password for all their accounts. This means if one account is compromised, hackers can potentially access many (or all) their other accounts with the same credentials.
‘Brute force’ attacks
Hackers purchase job lots of login credentials (obtained from earlier data breaches) on the “dark web”.
They then use automated tools called “bots” to perform credential stuffing attacks. These tools can also be purchased on the dark web.
Bots are programs that perform tasks on the internet much faster and more efficiently than humans can.
In what is colourfully termed a “brute force” attack, hackers use bots to test millions of username and password combinations on different websites until they find a match. It’s easier and quicker than many people realise.
It is happening more often because the barrier to entry for would-be cybercriminals has never been lower. The dark web is readily accessible and the resources needed to launch attacks are available to anyone with cryptocurrency to spend and the will to cross over to the dark side.
How can you protect yourself from credential stuffing?
The best way is to never reuse passwords across multiple sites or apps. Always use a unique and strong password for each online account.
Choose a password or pass phrase that is at least 12 characters long, is complex, and hard to guess. It should include a mix of uppercase and lowercase letters, numbers, and symbols. Don’t use pet names, birthdays or anything else that can be found on social media.
You can use a password manager to generate unique passwords for all your accounts and store them securely. These use strong encryption and are generally regarded as pretty safe.
Another way to protect yourself from credential stuffing is to enable two-factor authentication (2FA) for your online accounts.
Two-factor authentication is a security feature that requires you to enter a code or use a device in addition to your password when you log in.
This adds an extra layer of protection in case your password is stolen. You can use an app, a text message, or a hardware device (such as a little “key” you plug into a computer) to receive your two-factor authentication code.
Monitor your online accounts regularly to look for any suspicious activity. You can also check if your email or password has been exposed in a data breach by using the website Have I Been Pwned.
You may be surprised by what you see. If you do discover your login details on there, use this as a timely warning to change your passwords as soon as possible.
Eternal vigilance
In today’s world of rising cyber crime, your best defence against credential stuffing and other forms of hacking is vigilance. Be proactive, not complacent about online security.
Use unique passwords and a password manager, enable two-factor authentication, monitor your accounts, and check breach notification sites (like Have I Been Pwned).
Remember, the recent attacks on Dan Murphy, Guzman y Gomez and others show how readily our online lives can be disrupted. Don’t let your credentials become another statistic. As you are reading this, the criminals are thinking up new ways to exploit our vulnerabilities.
By adopting good digital hygiene and effective security measures, we can take back control of our online identities.
Author:
David Tuffley
Senior Lecturer in Applied Ethics & CyberSecurity, Griffith University
David is a Senior Lecturer in Applied Ethics and CyberSecurity at Griffith University’s School of Information & Communication Technology in Brisbane/Gold Coast.
David is a high-profile academic who appears regularly on local, national and international media (newspaper, radio and TV) commenting on the social impact of technology. Since 2005, his global audience reach will be in excess of a hundred million. David’s articles published in The Conversation and republished in newspapers like the Washington Post and Chicago Tribune have reached over 2.25 million readers. His work has been translated into German, Chinese, Indonesian and Japanese.
Among several other high-profile events, David was a guest panelist in the 2017 World Science Festival, and guest speaker at the 2019 Festival (see Ockham’s Razor link below).
David spends a month each year since 2016 at Humboldt University in Berlin, the high technology capital of eastern Europe, and San Jose/San Francisco where he studies innovation culture.
David’s formal qualifications include a PhD (Software Engineering), M Phil (Information Systems), Graduate Certificate in Higher Education (Griffith University), Bachelor of Arts (Psychology, English Literature, Anthropology) (Queensland).
David writes on a broad range of topics; from Comparative Religion, Anthropology, Psychology, Ancient and Modern History, Linguistics, Rhetoric, Philosophy, Architectural History, Environments and Ecosystems.
With over 60 titles in print and eBook and millions of verified downloads, David is a non-fiction author of international significance. Beyond the English-speaking world, his work has been translated into Chinese, German and Japanese.
David is Director and Founder of Altiora Publications. Established in 1994, Altiora is one of the oldest book-sellers on the Web, pre-dating Amazon. Altiora’s Software Engineering project management titles have been selling continuously since 1994. Altiora offers its titles at reasonable rates for both print and eBook versions to make them accessible to low-income readers for whom the high price of books is a barrier.
See http://www.altiorapublications.com/
See author Bio at Amazon: https://www.amazon.com/author/davidtuffley
______________________________________________________________
FOLLOW INDEPENDENT PRESS:
WhatsApp CHANNEL
https://whatsapp.com/channel/0029VaAtNxX8fewmiFmN7N22
TWITTER (CLICK HERE)
https://twitter.com/IpIndependent
FACEBOOK (CLICK HERE)
https://web.facebook.com/ipindependent
Think your friends would be interested? Share this story!