“Many people use the same username and password combinations across multiple online platforms… It only takes one of these to be breached for your details to be exposed.”
Maloney said hackers were having a field day given the sheer amount of Australian login information available for purchase. There are some 24.6 billion username and password combinations circulating on dark web marketplaces, according to recent research from software provider Digital Shadows.
“The dark web and various hacking communities provide a marketplace for stolen login credentials obtained from data breaches; from here, cyber criminals can easily purchase or acquire these stolen credentials, and gain access to other accounts using these details,” Maloney said.
“The compromise of a single set of credentials can have a cascading effect, jeopardising the security of numerous accounts and platforms linked to the affected user.”
Nigel Phair, professor of cybersecurity at Monash University, said the rise in credential stuffing attacks was due to the sheer scale of breaches targeting high-profile companies, affecting millions of Australians.
Tens of millions of Australians have been caught up in recent breaches including customers of Optus, HWL Ebsworth, Latitude Financial, Medibank, DP World and Dymocks, in what’s being dubbed a “new normal” of consistent attacks.
“This is a direct consequence of those cyberattacks. This is what happens with the data that is taken,” Phair said.
“Once personal data, logins and passwords have been taken in a data breach, that information could be available for cybercriminals to access easily, instantly, and forever.”
Garrett O’Hara, senior director at Mimecast, said attackers were looking for where they can easily make the most money.
With the huge number of breaches that have happened in recent years – combined with many people who still use the same password for many accounts – attackers now have both a massive availability of username and password combos and huge computer power to automate credential stuffing many sites, he said.
“Compared to the effort involved in novel or sophisticated breaches, credential stuffing is technically very simple, making it available to more attackers,” O’Hara said.
“It’s preventable – we don’t need to see these stories hit the news.
“We need a population that is better aware of the dangers of reusing passwords. For obvious reasons we would never use the same key to access every building we enter: home, office, garage, safe. The same thinking should apply to our online passwords.”
O’Hara said consumers should use a password manager, turn on multifactor authentication and check websites such as haveibeenpwned.com to see if they have been caught up in previous data breaches.
One person who claimed to have direct knowledge of The Iconic cyber incident said the people responsible did not execute the data breaches themselves; instead, their own suppliers carried out the breaches and then on-sold the accounts to them.
The person, speaking anonymously to protect their identity, said the hackers used scripts to automatically input the purchased logins into websites. The scripts then categorise whether the login was successful, and what data is linked to the account, including credit card information, for example.
“I can let you know right now that The Iconic isn’t the only store that is being targeted,” the person said.
“There are heaps of others and unfortunately a majority of them don’t bother letting their customers know that their information has been compromised.
“What they did was not morally and legally right,” they said of the hackers.
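The pattern the source describes, a script feeding purchased logins into a site and sorting the hits from the misses, leaves a recognisable trace in a site's authentication logs. The following is an added example, not code from the article or from any company it names, of how a defender can flag that trace; the log format and the sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the article): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice@example.com FAIL
2024-01-10T09:00:02 203.0.113.7 bob@example.com FAIL
2024-01-10T09:00:02 203.0.113.7 carol@example.com OK
2024-01-10T09:00:03 203.0.113.7 dave@example.com FAIL
2024-01-10T09:00:03 203.0.113.7 erin@example.com FAIL
2024-01-10T09:00:04 203.0.113.7 frank@example.com FAIL
2024-01-10T09:00:04 203.0.113.7 grace@example.com OK
2024-01-10T09:01:00 198.51.100.20 alice@example.com FAIL
2024-01-10T09:01:30 198.51.100.20 alice@example.com OK
"""

def parse(log):
    """Yield (ts, ip, user, ok) tuples; skip malformed lines instead of crashing."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        yield datetime.fromisoformat(ts), ip, user, outcome == "OK"

def stuffing_suspects(log, window_s=300, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs whose traffic looks like credential stuffing: many
    distinct usernames tried once each, mostly failing, in a short window.
    One user failing many times is brute force or a typo, not stuffing."""
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(),
                                  "fails": 0, "total": 0, "times": []})
    for ts, ip, user, ok in parse(log):
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        s["times"].append(ts)
        if ok:
            s["ok_users"].add(user)   # accounts to reset if this IP is flagged
        else:
            s["fails"] += 1
    suspects = {}
    for ip, s in per_ip.items():
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio and span <= window_s:
            suspects[ip] = {"distinct_users": len(s["users"]),
                            "fail_ratio": round(ratio, 2),
                            "compromised": sorted(s["ok_users"])}
    return suspects
```

The thresholds are starting points to tune against a site's own traffic; the useful output is the "compromised" list, the accounts that accepted a reused password and need a forced reset and a customer notification.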
Ted Dunstone is the CEO of biometric consulting firm Biometix. He said the credential stuffing attacks impacting The Iconic, Dan Murphy’s and others show how much personal data is in circulation.
“The frequency and sophistication of credential stuffing assaults are certain to rise. This poses a serious danger not just to individual users, but also to businesses where the damage is not only financial but loss of customer confidence,” he said.
“The real advance will be the removal of the passwords completely.”
Some of the world’s largest tech firms, including Apple and Google, have begun rolling out passkey technology that allows authentication via fingerprint ID, facial ID or a PIN entered via a smartphone. It’s a development being viewed by many in the technology industry as the beginning of the end for passwords.
The technology is still in its early stages, but it can prevent hackers from stealing login information, because the biometric check happens on the user’s own device and the biometric data is never sent to the website.
“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier and faster than the passwords and legacy multifactor authentication methods used today,” said Alex Simons, corporate vice-president of Microsoft’s Identity Program Management.
“By working together as a community across platforms, we can at last achieve this vision and make significant progress toward eliminating passwords.”