Account Hijacking: How It Happens and What Can You Do to Prevent It

Account Hijacking

Account hijacking is a serious problem. In effect, it's a form of identity theft, and the consequences could be devastating. If your social media profile is compromised, for example, crooks can get in touch with your friends and send them malicious links or files. The same goes for your email, although with it, they can also change the passwords for the rest of your accounts and leave you locked out. If they break into your bank account or an account that has your social security number, the consequences could be even more serious.

How do cybercrooks manage to get access to your accounts?

There are several ways, and below are the most common ones.

Password guessing. If you've locked your account with an easy-to-guess password, you've unwittingly rolled out the red carpet for the criminals. Resourceful crooks who have set their sights on ruining your online life can learn quite a lot about you if they're determined enough. They can check out your Facebook profile, for example, and see that you have a dog called "Fido." If you've used this as a password (or as the answer to your security question), they can get in easily.

Guessing a password by hand is a lot of manual labor, and hackers don't like manual labor. That's why they've developed automated tools that can try common (and not so common) passwords at rates of millions of guesses per second. These tools have evolved quite a bit over the last few years, and they now "know" that you tend to capitalize the first letter of your password. They also know that when a website tells you to add a special character to your password, you just put an exclamation mark at the end.
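The mangling rules described above (capitalized first letter, a digit or year at the end, an exclamation mark, "leet" substitutions) are easy to undo mechanically, which is exactly why cracking tools undo them. The following is an added example, not code from the article or from Cyclonis, showing how a sign-up form could apply the same normalization before accepting a password, so that "Fido1!" is recognized as the dictionary word "fido". The word list and the 12-character minimum are constructed assumptions; a real check would use a breach-derived list of millions of entries.

```python
import re
from typing import Optional

# Constructed toy wordlist standing in for the breach-derived dictionaries
# that cracking tools ship with; a real check would use millions of entries.
COMMON_WORDS = {"password", "fido", "summer", "welcome", "qwerty", "letmein"}

# Character substitutions that cracking rule sets undo as a matter of course.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# Trailing digits, years and "!" are the first things the rule sets strip.
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*?.]+$")

MIN_LENGTH = 12  # hypothetical policy value, not a figure from the article


def normalize(password: str) -> str:
    """Undo the predictable mangling: lower-case the capitalized first letter,
    drop trailing digits/special characters, and reverse leet substitutions,
    yielding the base word a rule-based cracker would try first."""
    base = password.lower()
    base = TRAILING_JUNK.sub("", base)
    return base.translate(LEET)


def weakness(password: str) -> Optional[str]:
    """Return a human-readable reason the password is predictable, or None."""
    if password.lower() in COMMON_WORDS:
        return "common word"
    base = normalize(password)
    if base in COMMON_WORDS:
        return f"common word {base!r} with predictable mangling"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


if __name__ == "__main__":
    for candidate in ["Fido1!", "P@ssw0rd!", "Summer2018", "correct horse battery staple"]:
        print(f"{candidate!r}: {weakness(candidate) or 'no rule fired'}")
```

The point of the check is that it reasons the way the attacker's tool does: a password is only as strong as what is left after the predictable decorations are removed.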

Insecure password storage. When you sign up for an account, the service provider must store your password in order to make authentication possible. It can't (or, more precisely, shouldn't) just put your password in an Excel spreadsheet, though.

Vendors should hash your password. Hashing applies a one-way cryptographic function that turns your password into an unintelligible string of characters. Before hashing it, however, the service provider should salt it. Salting means adding a unique, random string to the end of your password, which ensures that identical passwords don't produce the same hash value, so cracking one hash doesn't expose every account that used the same password. Finally, the service provider needs to store your salted and hashed password in a database that is not easily accessible.

Unfortunately, not all vendors take the necessary measures, and sometimes, it's trivially easy for crooks to get their hands on a vast number of passwords.

Password reuse. When they have your login credentials for a specific website, hackers can usually log in to your account at that website without any problems. They'll try the same username and password combination on other websites as well, though, and if you've reused your password, they'll be able to hijack the rest of your accounts too. This attack is called "credential stuffing," and its popularity is growing. To avoid raising suspicion because of the many login attempts from a single IP address, the crooks have even built botnets (networks of infected computers spread all around the world) for the purpose of carrying out credential stuffing attacks at scale.
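Credential stuffing leaves a recognizable pattern in a site's authentication log: one source tries many different accounts once each and mostly fails, or, in the botnet variant, many sources each try one or two accounts and only fail, so no single IP crosses a per-IP threshold. The following is an added example, not code from the article or from Cyclonis, running two such detectors over a constructed log sample. The log format, the thresholds and the sample addresses (documentation ranges) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample of an authentication log; not real traffic.
SAMPLE_LOG = """\
2018-04-17T10:00:01Z ip=203.0.113.5 user=alice result=fail
2018-04-17T10:00:02Z ip=203.0.113.5 user=bob result=fail
2018-04-17T10:00:02Z ip=203.0.113.5 user=carol result=fail
2018-04-17T10:00:03Z ip=203.0.113.5 user=dave result=success
2018-04-17T10:00:03Z ip=203.0.113.5 user=erin result=fail
2018-04-17T10:00:04Z ip=203.0.113.5 user=frank result=fail
2018-04-17T10:00:10Z ip=198.51.100.7 user=alice result=fail
2018-04-17T10:00:11Z ip=198.51.100.7 user=alice result=success
2018-04-17T10:00:20Z ip=192.0.2.11 user=grace result=fail
2018-04-17T10:00:21Z ip=192.0.2.12 user=heidi result=fail
2018-04-17T10:00:22Z ip=192.0.2.13 user=ivan result=fail
2018-04-17T10:00:23Z ip=192.0.2.14 user=judy result=fail
2018-04-17T10:00:24Z ip=192.0.2.15 user=mallory result=fail
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")


def parse_log(text: str) -> List[dict]:
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"], "user": m["user"], "ok": m["result"] == "success",
        })
    return events


def stuffing_ips(events: List[dict], min_users: int = 5, min_fail_ratio: float = 0.8) -> List[str]:
    """Single-source pattern: one IP tries many *different* accounts and most
    attempts fail. The thresholds are assumptions; tune them to your traffic."""
    stats: Dict[str, dict] = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0})
    for e in events:
        s = stats[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        s["fails"] += 0 if e["ok"] else 1
    return sorted(ip for ip, s in stats.items()
                  if len(s["users"]) >= min_users and s["fails"] / s["total"] >= min_fail_ratio)


def distributed_failure_burst(events: List[dict], window: timedelta = timedelta(seconds=60)) -> int:
    """Botnet pattern: many low-volume IPs that only ever fail, clustered in
    time. Returns the largest number of distinct such sources seen in any
    window; compare it against a normal-day baseline rather than a constant."""
    totals: Dict[str, int] = defaultdict(int)
    successes: Dict[str, int] = defaultdict(int)
    for e in events:
        totals[e["ip"]] += 1
        successes[e["ip"]] += 1 if e["ok"] else 0
    quiet = {ip for ip, n in totals.items() if n <= 2 and successes[ip] == 0}
    fails = sorted((e["ts"], e["ip"]) for e in events if e["ip"] in quiet and not e["ok"])
    best = 0
    for i, (t0, _) in enumerate(fails):
        sources = {ip for t, ip in fails[i:] if t - t0 <= window}
        best = max(best, len(sources))
    return best


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("stuffing sources:", stuffing_ips(evs))
    print("quiet failing sources in a 60s window:", distributed_failure_burst(evs))
```

Note that the legitimate user at 198.51.100.7 (one typo, then success) is not counted by either detector, while the five addresses that each failed exactly once are invisible to the per-IP check and only show up when counted together.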

Password theft. The first of Microsoft's Immutable Laws of Security says that "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." A few sentences later, they say that "when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful." Unfortunately, some malicious programs are programmed to steal passwords from your computer. Some of them will scrape the login credentials you've saved in your browser. Others will log your keystrokes. Others still can steal the Excel spreadsheet you use to save the username and password combinations for the different websites.

Phishing. It's one of the simplest cyberattacks out there, and many people think that they're too smart to fall for the lure. In reality, however, cybercriminals have upped their social engineering game so much that even well-educated and tech-savvy users sometimes fall victim to phishing attacks. Nowadays, phishing pages are extremely well-crafted, and some even come with SSL certificates, which make them look legitimate. Meanwhile, the emails that link to them usually call for urgent action (for example, "Suspicious activity detected on your account. Click here to log in and see if anything's missing."), which means that users are more likely to be too distracted to notice that they're being led to a suspicious website.

Now that we know some of the tricks of the cybercrooks' trade, it's time to take a look at what we can do to stop account hijacking attacks.

Prevention is the mother of all cures

Cleaning up the mess after your personal information has already been compromised is a nuisance. First, you have to change your password (or passwords if you've reused the same credentials on numerous websites). This, in and of itself, can be a bit of a nightmare, and as if that wasn't enough, you need to check all the rest of your accounts, just to make sure that they're not touched in any way. It's best not to let your accounts get compromised in the first place, and while there is no magic bullet, there are several steps you can take to minimize the risk.

Be careful. The Internet is a big place, and threats lurk around every corner. Be careful with the emails you receive and the links you click, even when they look like they're coming from a legitimate source. If your bank (or someone impersonating your bank) tells you that you need to do something with your account, for example, don't click the link in the email (sending login links via email is not the best security practice anyway). Instead, open a new tab in your browser, navigate to your bank's website, make sure that the URL is correct, and log in from there. If you're not sure about something, contact your bank and ask whether the email you've just received is real. In many cases, this is all that's needed to stop you from visiting phishing pages and handing your login credentials to crooks.
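"Make sure that the URL is correct" is harder than it sounds, because phishing links are built so that the trusted name appears somewhere in them. The following is an added example, not code from the article or from Cyclonis, of the check a browser extension or link filter can apply: only the host part decides where the browser connects, the scheme must be HTTPS, and the host must be the trusted domain itself or a subdomain of it. The domain "examplebank.com" is a constructed placeholder.

```python
from urllib.parse import urlsplit
from typing import Iterable

# Constructed placeholder for the domain printed on your card or statement.
TRUSTED_DOMAINS = {"examplebank.com"}


def is_trusted_login_url(url: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> bool:
    """True only if the URL is HTTPS and its host is a trusted domain or a
    subdomain of one. Text before an '@' (userinfo), the path, and the query
    string are ignored because the browser does not connect to any of them."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    # Non-ASCII hosts can carry look-alike letters; treat them as untrusted.
    if not host or not host.isascii():
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


if __name__ == "__main__":
    for link in [
        "https://www.examplebank.com/login",
        "https://examplebank.com.evil.test/login",   # trusted name as a subdomain of the attacker's
        "https://examplebank.com@evil.test/login",   # trusted name in the userinfo part
        "https://examplebank.com-secure.test/login", # trusted name as a prefix
        "http://www.examplebank.com/login",          # not HTTPS
    ]:
        print(f"{'trusted' if is_trusted_login_url(link) else 'reject ':8} {link}")
```

Each rejected link above contains the string "examplebank.com" in full, which is why eyeballing the address bar for the bank's name is not enough; what matters is what comes right before the first "/" after "https://", with no "@" in front of it.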

Keep your software updated. Up-to-date software can't guarantee 100% security, but it's much more likely to be able to deal with the many new malware threats that appear every day. Browsers, PDF readers, AV products and all the rest of your programs should have their automatic updates turned on. It's risk mitigation 101.

Enable two-factor authentication. As we mentioned already, you never know when a lazy website administrator is going to put your plain text password in a database that is accessible from anywhere in the world. When crooks find it, there will be nothing to stop them from hijacking your account. Unless, of course, you have two-factor authentication enabled.

Two-factor authentication means that when you log in, you'll need to provide something you know (your password) and something you have (usually a temporary code that is emailed or texted to you, or generated by an app on your smartphone). If two-factor authentication is on, your login credentials alone will be as good as useless to the criminals, because they won't have the temporary code.

The login process does take a fraction longer, but two-factor authentication adds another layer of security that could be enough to keep your information safe. Unfortunately, it's not as widely adopted as it should be. Most major platforms offer it, but some websites still don't. Do take the time to check if it's available, and if it is, make sure it's on.

Use a password manager. A password management application is the easiest solution to the password problem. Human beings are just too predictable when it comes to creating strong passwords, and when they do get it right, they're not terribly good at remembering them.

A dedicated password management application like Cyclonis Password Manager will let you create strong, unique passwords for all your accounts, and it will remember them for you. The information is accessible through a single master password, and it can be synced across all your devices thanks to the cloud storage option. At the same time, the additional features provided by the browser extension will transform the way you perform regular tasks online. It's a convenient way of sticking to the best password practices. It's also free.

April 17, 2018
