MyCRA Specialist Credit Repair Lawyers

Tag: password security

  • Lax cyber-security makes us all vulnerable: Cyber Security Awareness Week 2013

    If your password is one of the 1,000 most common passwords, it could be hacked in literally seconds…

    Are you one of the millions of Australians who have a pretty basic password? We show you how important strong passwords and other security measures are to keep you, your credit file, your business and perhaps your country safe from cyber-attack. This week is Cyber Security Awareness Week 2013, hosted by Stay Smart Online. This is an Australian Government initiative, held annually in partnership with industry, community and consumer groups and state and territory governments. As part of this week we have been fortunate to speak with online expert Daniel Smith about cyber-security. He gives us a unique insight into the importance of cyber-security awareness for every ordinary Australian.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

    You may have heard last month about the biggest ever global brute-force attack. You may have heard about it, but like many it may have gone straight over your head. But the ramifications of an attack like this are pretty important.

    The attack was on WordPress, which currently powers over 60 million websites and is read by over a quarter of a billion users every month. WordPress sites were attacked by a botnet of tens of thousands of individual computers. The botnet targeted WordPress users with the username “admin”, trying thousands of possible passwords.

    But online expert Daniel Smith warns this attack is definitely only a small taste of things to come.

    “Last month’s attack was orchestrated on a large scale, but this happens continuously on an individual basis on sites like WordPress, Joomla, Drupal or similar,” Daniel says.

    “I liken it to a locksmith with a whole set of generic keys – he can turn the keys in many doors until he finds one that fits. Hackers have common password ‘keys’, and they roll trials of these passwords until one unlocks the computer, and enables them to use the resources powered by the site which are far more than could be gained by a singular desktop computer,” he says.

    The ramifications for individuals and businesses who become part of a botnet are loss of data, loss of secure personal information and break-down of the site.

    “I know victims who have had to close their business down because they have lost so much information,” he says.

    But he warns that hackers don’t always delete the information on these sites; they may leave it intact and plant back-door files so that they can go undetected, making use of these resources again and again.

    “Hackers can on-sell information to cyber-terrorists or spammers, and can also on-sell the entire bot-net to be used in a brute-force attack that is capable of crashing a country’s economy,” he cautions.

    He says individuals with a WordPress or similar blog, and small companies could be at risk.

    “They don’t have the money to spend on security protection that a larger business would – and they are the ones that think their small site or blog is ineffectual, when in fact its resources make it a prime target for hackers,” he says.

    So just how easy is it to find these passwords?

    “I did a quick 5 minute search on the internet yesterday, and found a list of 6 million usernames and passwords that are out there. If I went searching for more in depth, there would be more there,” he says.

    Daniel says that what’s gone wrong is that the way we’ve been taught to create usernames and passwords is in fact broken. He says we need to make these changes to the way we run sites like WordPress:

    1. Use secure pass phrases. Come up with a unique scheme that is a minimum of 8 characters long – for example, every 3rd vowel could be a number or symbol, and you should always add some uppercase letters, numbers and any character that requires the shift key to type. Use multiple words in a pass phrase; you could use two unrelated words which are memorable to you.

    2. Use a different password for each account.

    3. Use a unique username – not the default setting. Never use ‘admin’ as a username.

    4. Minimise password login attempts. Restrict the number of attempts allowed to access the site, before the user is ‘locked out’, which prevents multiple attempts to crack the password.

    5. Include a 2-step verification plug-in. You can download a plug-in which requires 2-step authentication, similar to bank requirements, when logging in to the site. This is harder for hackers to infiltrate, but Mr Smith says many don’t use 2-step verification because it seems inconvenient.
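    As an added illustration of recommendations 1, 3 and 4 (this is example code written for this page, not code from the article or from WordPress itself), a small Python sketch of a password policy check, a default-username check and a failed-login lockout. The common-password list is a constructed sample, and the thresholds (5 failures inside 15 minutes, then a 15-minute lockout) are assumed defaults rather than figures from the article.

```python
import time
from collections import defaultdict, deque

# Constructed sample standing in for the "1,000 most common passwords" list the article
# mentions; a real deployment would load a published list (this is not the article's list).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "abc123", "admin"}

def check_password(password: str) -> list:
    """Return the policy violations for a candidate password (empty list = accepted):
    rule 1's minimum length, mixed case, digit and shift-key symbol, plus a rejection of
    anything on the common-password list."""
    checks = [
        (len(password) >= 8, "shorter than 8 characters"),
        (password.lower() not in COMMON_PASSWORDS, "on the common-password list"),
        (any(c.isupper() for c in password), "no uppercase letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(not c.isalnum() for c in password), "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]

def username_ok(username: str) -> bool:
    """Rule 3: never keep the default 'admin' account name."""
    return username.strip().lower() != "admin"

class LoginLimiter:
    """Rule 4: after `max_attempts` failures inside `window` seconds the account is locked
    for `lockout` seconds, so a password-guessing bot gets only a handful of tries."""
    def __init__(self, max_attempts=5, window=900, lockout=900):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self._locked_until = {}              # username -> time at which the lockout ends

    def attempt(self, username: str, credentials_valid: bool, now=None) -> str:
        """Record one login attempt and return 'ok', 'bad_credentials' or 'locked'.
        `now` is injectable so the behaviour can be tested without sleeping."""
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0) > now:
            return "locked"          # even a correct password is refused while locked
        if credentials_valid:
            self._failures.pop(username, None)
            return "ok"
        recent = self._failures[username]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()         # forget failures older than the window
        if len(recent) >= self.max_attempts:
            self._locked_until[username] = now + self.lockout
            recent.clear()
            return "locked"
        return "bad_credentials"
```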


    “We may need to get a little inconvenienced to prevent what could be a business disaster, or in worst case scenario, a future global disaster,” he says.

    So where do we as credit repairers come in to cyber-security?

    Stealing passwords or personal information through these channels can lead to identity theft and potentially fraud. Hackers can on-sell your personal information to fraudsters who have identity theft as part of their repertoire.

    Information like dates of birth, account numbers, full names etc can be warehoused and used to steal your identity and take credit out in your name. Fraudsters have been known to go so far as to take out personal loans, credit cards and even mortgage homes in their victim’s name.

    Unfortunately fraudsters are never so kind as to pay this credit back – which leads to defaults on your credit rating. Most victims are unaware of this until they apply for credit in their own right and are flat out refused.

    For between 5 and 7 years you can be locked out of credit while your credit rating shows up someone else’s defaults.

    Unfortunately in the past it has not been easy for identity theft victims to prove they did not initiate the credit, particularly if they have no idea how they were duped in the first place. Often this sophisticated type of fraud is instigated by overseas crime syndicates who don’t leave much of a trail, or even if they do, can’t be prosecuted easily.

    Prevention really is key to protecting your credit file from this fraud – so spend some time and make sure the passwords on your site, or others that you use, are as secure as possible.

    To stay one step ahead of fraudsters, you can subscribe to Stay Smart Online Alerts – which let you know about security issues as soon as they unfold.

    Image 1: digitalart/ www.FreeDigitalPhotos.net

    Image 2: courtesy Stay Smart Online.


  • Fraudsters cashing in on public fear over password security

    Australians are warned to be aware of a scam which is targeting public uncertainty following publicised hacking events or data breaches. People are being sent links to fake sites which ‘test’ your logon details for popular sites such as Twitter, LinkedIn, Facebook, Hotmail and Gmail. But be warned: many of these are fake password-checking sites (or similar) that are phishing for your user name, password and other personal information. We look at this scam in more detail, and how it could impact you and your credit file.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

    Giving away your details to these sites could put you at risk of identity theft and credit fraud – so the message from Australia’s ‘Stay Smart Online’ is: always be suspicious of sites asking for your user name, password or personal information. If you’re not sure – don’t take the chance.

    “Links to password checking sites often circulate on social media and email after publicised hacking events or breaches – such as the hacking of the Associated Press’s Twitter account – a time when checking the strength or security of your own account might seem appealing,” Stay Smart Online warned in an alert yesterday.

    SSO advises never to enter your username and password anywhere except on the site it is intended for:

    • Don’t use links in emails or social media messages that take you to a log in page. Navigate there yourself independently to make sure you are on the legitimate site’s logon page.

    • Make sure the addresses of the websites you use are correct.

    • When logging on to a website, check for HTTPS (or a padlock) in the address bar. This is the secure form of HTTP. Websites that don’t offer HTTPS at logon are unsecured.

    • Always be suspicious of unsolicited emails, especially those seeking personal or financial information.

    SSO says there are some legitimate password-checking sites out there, and some of the legitimate sites have been copied.

    Legitimate sites can use minimal information supplied by you, such as your email address (not your password!) to check your address against lists of stolen information found in data dumps on hacker sites. Other legitimate sites may offer to simply test the strength of your password. But trying to distinguish the real from the fake may not be worth the risk.

    SSO warns fake sites may be very difficult to distinguish from legitimate ones, and will simply collect your details.

    “…someone then has everything they need to access to your account,” SSO states.

    The danger in clicking on any link from an unknown source is not only that the personal information that you give out could be directly warehoused for future purposes of identity theft for fraud, but you could also end up downloading malware or a virus which takes that information from your computer.

    Recently MSN Money commented on this latest scam in its story Avoid Password-Checking Sites:

    Given that most people still use simplistic passwords and use them across multiple sites — as has been shown in a variety of data breaches and surveys — there’s a lot at stake when you give yours away. Imagine losing control of not only your social networks, but also access to your email, online banking and other personal and financial information.

    Even if you catch the breach quickly, it will still be a colossal pain to get everything back to normal.

    What can fraudsters do if they can get their hands on your personal information?

    They can steal passwords to your bank or credit accounts and they can also create a patchwork quilt of information that can allow them to eventually have enough on you to request duplicate identity documents, and apply for credit in your name.

    Running up credit all over town, perhaps buying and selling goods in your name, or in some cases mortgaging properties – the victim can have a stack of credit defaults against their name by the end of their ordeal – and sometimes no proof that it wasn’t them who initiated the credit in the first place.

    Recovery can be slow, and in some cases victims have had no way to prove they weren’t responsible for the debt – with fraudsters leaving no trail and the actual identity crime happening long before the fraud took place.

    New laws coming through in March 2014 are aimed at protecting your credit file following an incident of identity theft. If you know you have been scammed, you will be able to put a ‘ban’ on your credit file – so no one will be able to access your credit information – therefore protecting your credit information from misuse.

    But if you don’t know you have been scammed until it’s too late, or if you can’t pinpoint what’s happened to you, it may still be difficult to protect your credit rating. So you have to be sure you protect all of that, by staying ahead of scams such as this, and by keeping strong passwords.

    MSN Money provides some tips from Microsoft about password security to consider when creating — or changing — a password:

    • Make your password at least eight characters long

    • Mix up the characters with capitals, lower case, numbers, symbols and punctuation marks

    • Change your passwords regularly

    • Use different passwords on different sites

    If you think you might have entered details into a fake site…

    • Change your password immediately. If you use the same logon information elsewhere you should also change these passwords, ensuring you create a unique password for each service.

    • Contact the Police – as well as your bank – especially if you have given over personal information to fraudsters. Don’t be embarrassed – it is only through identity theft being reported that data gets collected and appropriate preventative measures eventually get put in place. You should also contact the credit reporting agencies that hold your credit file and inform them that you may be at risk of identity theft.

    • Order a copy of your credit report. If there are any inconsistencies on your credit report – change of address, strange credit enquiries and credit you don’t believe you’ve accessed – then you may already be a victim, and should do all that’s possible to follow up on each account so as not to accrue defaults on your credit file that should not be there.

    Credit file defaults are difficult for the individual to remove, and generally people are told by creditors that they remain on your file for 5 years, regardless of how they got there.

    Although it seemed so easy for the fraudster to use your good name in the first place, you are now faced with proving the case of identity theft with copious amounts of documentary evidence.

    If you have neither the time nor the knowledge of our credit reporting system needed to fight your case yourself, you can seek the help of a credit repairer. A credit repairer can help you to clear your credit file and restore the financial freedom you rightly deserve.

    The reason a credit repairer is usually so successful in removing your credit file defaults is their relationships with creditors and their knowledge of current legislation.

    Visit www.mycra.com.au for more information on identity theft or how to repair bad credit.

    image: foto76/ www.FreeDigitalPhotos.net