It has become common knowledge that password protection and encryption of data are some of the most effective ways of preventing your information from ending up in the wrong hands.
As cybercriminals adapt to advances in password protection and encryption technology, it is important to remember that these measures cannot completely eliminate the risk of data loss and data theft. Sometimes, malicious actors are able to access personal information by hacking into an organisation’s network through no fault of individual users.
We expect that in 2019 there will be an increase in attempted cyber-attacks against Australian organisations and individuals.
Increasing Sophistication of Cybercriminals
Cybercriminals and the tools they use to commit cyberattacks are becoming increasingly sophisticated. Their technical capabilities are improving and some commentators consider certain cybercriminals’ abilities now equal to those of many governments and organisations. Organised crime’s entrance into the cyber space has resulted in more serious, creative and frequent attacks.
For small to medium sized enterprises alone, a survey conducted by Symantec indicated that over 500,000 Australian businesses fell victim to cybercrime in 2017. The speed of cybercrime attacks continue to rise and has been found to be the second most reported economic-related crime globally by PwC in their 2018 Global Economic Crime and Fraud Survey.
Method of Attack
There are a variety of methods that malicious actors can adopt to circumvent password protection and encryption. Below, we focus on a few of these methods, including:
- social engineering
- accessing user’s internet traffic via unsecured networks and
- a combination of the above methods.
Phishing can be achieved through sending infected links via fake emails, fake hyperlinks or pop-ups. In their phishing messages, cybercriminals often create a sense of urgency amongst users telling them that their credit card has been deactivated, or account blocked and prompt users to enter their credentials into imitation login pages. Unfortunately for users, cybercriminals are creating login pages that look increasing safe and legitimate with the intention of tricking users into giving up their logins and passwords.
Phishing is also an extremely effective and popular method employed by cybercriminals to install malicious software (often called “malware”) onto devices. Opening infected links, emails or downloading infected files can lead to the installation of malware to a user’s system which can compromise the usernames, passwords and data of the entire network. Some malware, often installed through harmful mobile apps, has the ability to enable cybercriminals to gain access and control the mobile device. Once this happens, cybercriminals are able to capture users’ data and password information.
Social engineering is a relatively new method that cybercriminals have been using to gain sensitive data about a person. Social engineering is where cybercriminals methodically research their targets to find out as much information about them as possible. Then, whilst impersonating a trusted source, they contact the person either via phone call or SMS and build trust with them to eventually trick the individual into providing sensitive or confidential information and/or passwords. Armed with this information, cybercriminals can implement traditional hacking methods to deduce the credentials for that person’s various accounts.
Since 2002, data concealed by 64-bit encryption has been readily decrypted by motivated parties. Now, the American, German and French governments have standardised the use of 128-bit encryption, even though some encryption software providers and other organisations are increasingly recommending 256-bit encryption. To put this in context, it is estimated that it would take 1 quintillion (1 billion x 1 billion) years to crack a 128-bit key by brute force given the number of possible combinations.
Via unsecured networks, cybercriminals can redirect internet traffic through their devices as the data travels between the user’s device and the network provider. This allows cybercriminals to watch and capture a user’s activity to learn their credentials for personal or business accounts.
Cybercriminals can carry out these “Person-in-the-Middle” attacks on legitimate public Wi-Fi such as in airports or shopping centres, or by creating their own Wi-Fi connections in those places with deceptively similar names to trick people into using their Wi-Fi. Anecdotally, victims of identity theft or cybercrime generally have pointed to the recent use of unsecured public networks as the genesis of their loss.
Are you safe?
The increasing use of computers and storage of electronic data by organisations and individuals offers myriad benefits. These benefits also come with risk as cybercriminals develop methods to steal information or assets for financial gain or other sinister motives. While no network is immune from attack, there are various steps that can be taken to reduce risk, some of which are set out above.
In our view, it is worthwhile discussing ways to reduce risk with your IT service provider and other advisors to ensure you are doing what you can to protect your information and assets. We also consider that organisations should take out a cyber insurance policy as a safety net in case something slips through the cracks.