Sunday, April 19, 2020

ZOOM! Slow Down, Your Info was Stolen

Welcome back, readers!  It has been about a month, but it is time for another CYBR 650 course post.  Just to recap, last month I gave you some information about those jerks capitalizing on the COVID-19 pandemic by sending Coronavirus spam and phishing messages and setting up bogus websites, all trying to steal your information.  That leads us to the related, but not new, topic of stolen account credentials.

tl;dr

Social distancing has changed the way we do business and interact with our friends and family.  Software designed to help bring us closer together while far apart is a bigger target than ever.  How can you keep your account secure, even if it is part of a breach?  A strong, complex password is the first step to keeping your account safe.

Working and Being with Family While Socially Distanced

If you are anything like me lately, you have been working from home and rely on collaboration and video conferencing software to interact with coworkers, friends, and family.  In this time of social distancing, we use software to “feel” close to those we need to interact with.  The video conferencing software provider Zoom recently suffered a breach where more than half a million account credentials were stolen.  On April 13, Forbes reported credentials for more than 530,000 Zoom accounts were being sold on an underground hacking forum.  These 530,000 accounts were purchased by Cyble, a group of cyber risk assessment experts.  The thing I find most shocking about their purchase is that they did it for next to nothing.  Basically, the account information was being sold extremely cheaply, for less than a penny each, or in some cases given away for free.  These accounts were stolen and then sold for less than $5,000.

Part of the problem with these credentials is the same as any other time an account has been stolen: people tend to reuse the same passwords for multiple accounts.  I won’t preach about the importance of creating a strong, complex password… I’ve already done that and you can read all about it here: http://cyberschopp.blogspot.com/2016/03/pesky-passwords.html.  Take a read, and then start changing your password 😊


Ensuring you have a strong password is a critical way to keep your accounts safe.  One other thing you should do is to check if the e-mail address used to register for accounts has been flagged as a stolen account.  The site haveibeenpwned.com can help you check that.  Checking my e-mail address, the site tells me that I have accounts on 11 breached sites.  Fortunately, I already knew this and changed the passwords associated with those breaches.  Some of the breaches my e-mail has been affected by are the 2013 Adobe breach, Collection #1 in 2019, and Lord of the Rings Online (don’t judge me).

Password Manager

One recommendation I did not give in 2016 when I jumped on my password soapbox is the use of a password manager.  A password manager keeps track of login information, including usernames and passwords, for sites and services you have accounts for.  Google Chrome has this built in, as well as the nicety of suggesting a complex password when creating a new account or changing your password on an existing account.  The advantage of this is the creation of an incredibly complex password that will make your account very secure.  The disadvantage is that the password is usually so complex and meaningless that remembering it would be next to impossible.  This is okay as long as you have access to your password manager, or are willing to change it often when you need to access the account from a different system.

Multi-factor Authentication

Another option for securing accounts is to use multi-factor authentication.  You are probably already using this to some extent, but let me break it down for you.  You log in to your bank account with your username and password.  Your bank website then prompts you to select either your e-mail or phone to receive a message with a one-time PIN to get into your account.  Since you have your phone right next to you, you select text message and wait for a moment.  Sure enough, you just got a text with a number you need to enter into the bank website.  Once you do, you now have access to all your monies!  That is multi-factor, using information from two or more devices to access one site.
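
Here is the bank's one-time PIN step from the walkthrough above, seen from the server side.  This is an added example, not code from this post or from any bank; the class name, the five-minute lifetime, and the three-guess limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed validity window for a PIN
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per PIN


class OneTimePinStore:
    """Second login step: issue a PIN after the password check, accept it once."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # username -> [salt, pin_digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, pin):
        return hashlib.sha256(salt + pin.encode()).digest()

    def issue(self, username):
        """Create a fresh 6-digit PIN; the caller delivers it by text or e-mail."""
        pin = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
        salt = secrets.token_bytes(16)
        # Only a salted digest is kept, and a new PIN replaces any older one.
        self._pending[username] = [salt, self._digest(salt, pin),
                                   self._clock() + PIN_TTL_SECONDS, MAX_ATTEMPTS]
        return pin

    def verify(self, username, submitted):
        """Return True only for the right PIN, in time, within the guess limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        salt, expected, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[username]
            return False
        entry[3] = attempts_left - 1  # count the guess before comparing
        if hmac.compare_digest(expected, self._digest(salt, submitted)):
            del self._pending[username]  # single use: a replayed PIN fails
            return True
        if entry[3] == 0:
            del self._pending[username]  # out of guesses, a new PIN is required
        return False
```

The expiry, the single-use delete, and the guess limit are what keep a short numeric PIN from being replayed or brute-forced by someone who already has the stolen password.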

Hopefully this hasn’t left you feeling hopeless.  The first step after finding out your information has been stolen is to change your password.  You should also really consider if you actually need that account.  If not, change the password to something complex and meaningless that you’ll never use again, then disable or delete the account.  This ensures that if the account information is stolen later, the credentials cannot be used on another site.

Be safe out there!


REFERENCES:
https://www.cyble.io/
https://www.forbes.com/sites/leemathews/2020/04/13/500000-hacked-zoom-accounts-given-away-for-free-on-the-dark-web/#7ef72e6758c5
https://haveibeenpwned.com/
