The password is often the only thing that stands between a cybercriminal and the user’s personal and financial data, which is why they are currently one of the main targets of their criminal practices.
These keys are the Achilles heel of many people’s digital lives, especially since today the average user has to remember a hundred access credentials, and the number has only increased in recent years.
The cybersecurity company ESET has compiled which are the five most widespread techniques that cybercriminals use to get hold of people’s access passwords to their accounts.
PHISHING AND SOCIAL ENGINEERING
The most widely used attack technique takes advantage of the human tendency to make wrong decisions, especially when they decide in a hurry. Cybercriminals take advantage of these weaknesses through social engineering, a psychological scam trick designed to get people to do something they shouldn’t.
Phishing is one of the most famous examples. In this case, the criminals pose as legitimate entities, such as friends, family, companies with which the user has done business, etc.
These emails or texts will appear authentic, but include a malicious link or attachment that, if clicked, will download ‘malware’ or take you to a page providing personal data.
MALWARE
Another popular way to get passwords is through ‘malware’ or malicious program. Phishing emails are a prime vector for this type of attack, although you can also fall victim to clicking on a malicious ad (‘malvertising’), or even visiting a compromised website (‘drive-by- download ‘).
As ESET has highlighted, ‘malware’ can even hide in a legitimate-looking mobile application, which is often found in third-party app stores.
There are several varieties of ‘malware’ to steal information, but some of the most common are designed to record the keys that the user presses on the keyboard or to take screenshots of the device and send them to the attackers.
BRUTE FORCE
The average number of passwords a person has to manage is estimated to have increased 25 percent year-on-year in 2020. Many people use easy-to-remember passwords and reuse them across multiple sites, but this may open the door to so-called force techniques. gross.
One of the most common attacks is credential checking. In this case, attackers inject large volumes of previously stolen username and password combinations into automated ‘software’.
The tool then tests them across a large number of sites, hoping to find a match. In this way, criminals can unlock multiple accounts with a single password.
By one estimate, there were 193 billion attempted attacks of this type around the world last year. One of the most notable victims recently has been the Canadian government.
Another brute force technique is random password testing. In this case, hackers use automated ‘software’ to test a list of commonly used passwords against an account.
Riddles
Although cybercriminals have automated tools to force password deduction, sometimes they are not even necessary: even simple guesswork – as opposed to the more systematic approach used in brute force attacks – can achieve the goal.
The most common password for 2020 was ‘123456’, followed by ‘123456789’. In fourth place is the very word ‘password’, password in English.
‘TO LOOK OVER THE SHOULDER’
Although there are many ways to steal a password virtually, it is worth remembering that there are still ways of knowing a password in the physical world that pose a risk.
This is the case of what is known in English as ‘shoulder surfing’, simply called ‘looking over the shoulder’ in Spanish. This not only affects the credit card pin, and ESET has conducted experiments showing how easily a Snapchat password can be guessed using this system.
PROTECTION MEASURES
To help protect Internet users, ESET has shared a series of recommendations so that users do not end up suffering theft of their passwords.
Some of these tips are recurring, such as using only strong and unique passwords or phrases across all accounts, especially banking, email, and social media accounts. This includes avoiding reusing credentials.
Another recommendation is to enable two-factor authentication (2FA) or use a password manager, which will store strong and unique passwords for each site and account. It is also important to change your password immediately if a provider reports data theft.
Users should be aware of and use only HTTPS sites to log in, do not click or open attachments in unsolicited emails, and download only apps from official stores.
It is also advisable to use cybersecurity ‘software’, always use updated operating systems and applications, be careful with possible ‘peepers’ in public spaces and never connect to accounts from public WiFi networks, in which the use of VPN tools is recommended.
.