Around 90 user accounts belonging to members of the UK parliament have been compromised by a cyber attack. The House of Lords and the House of Commons were both targeted, with about 1% of users finding themselves unable to access their email accounts.
The method used by the cyber criminals was a simple brute force attack. This is where attackers use software to try thousands of different passwords in conjunction with your username or email address.
There are several things you should do to reduce the likelihood of your email accounts being compromised:
- Use strong passwords and don’t reuse them across multiple services/websites.
  - A long password containing numbers, symbols and a mixture of upper and lower case letters could take decades to crack by brute force. Length matters more than any single class of character, and a password that appears in a leaked-password list is cracked in seconds however complex it looks.
- Use Two Factor Authentication.
  - This will prevent anyone from getting into your account without access to your second method of authentication, even if they know your password.
- Review your online privacy settings on sites like Facebook to prevent cyber criminals researching you to guess your password.
- Be careful of phishing emails and phony websites designed to capture your login details.
How Many Unsuccessful Login Attempts Do Your Systems Allow?
One simple way to defend against brute force attacks is to enforce a lock-out policy, so that the account cannot be accessed after an incorrect password has been entered a certain number of times. Three is the traditional threshold; many organisations now allow five to ten attempts within a short window, with the account unlocking automatically after a set period (for example 15 minutes) rather than waiting for an administrator to reset it, because a very low threshold locks people out over simple typos. Unless a hacker actually knows your password, this should prevent them from gaining access: a brute force attack is very unlikely to succeed in a handful of attempts. One caveat: a per-account lock-out does nothing against an attacker who tries one or two very common passwords against every account in the organisation, so weak and leaked passwords still need to be ruled out.
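A worked example of such a lock-out policy, added here as an illustration rather than taken from any real mail system: the hypothetical `Authenticator` class below counts failed logins per account inside a sliding window, locks the account for a set period once the threshold is reached, and refuses even the correct password while the lock is in force. The accounts, passwords and guesses are constructed, and the `FakeClock` exists only so the scenarios run instantly. The last scenario shows a limitation of per-account lock-outs: a few guesses spread across many accounts (a "password spray") never trips the threshold on any single account.

```python
import hmac
import time
from dataclasses import dataclass, field

# Constructed, hypothetical accounts. Plaintext passwords are used only to keep
# the example short; a real system stores salted password hashes.
USERS = {
    "mp.one@example.parliament": "correct horse battery staple",
    "mp.two@example.parliament": "Tr0ub4dor&3",
    "mp.three@example.parliament": "another-long-random-passphrase",
}


@dataclass
class LockoutPolicy:
    threshold: int = 5            # failures inside the window before locking
    window_seconds: float = 600   # failures older than this are forgotten
    lockout_seconds: float = 900  # automatic unlock after this long


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class Authenticator:
    def __init__(self, users, policy, clock=time.time):
        self.users = users
        self.policy = policy
        self.clock = clock          # injectable so the behaviour can be tested
        self.state = {}

    def is_locked(self, username):
        st = self.state.get(username)
        return st is not None and self.clock() < st.locked_until

    def login(self, username, password):
        """Return 'ok', 'bad_credentials' or 'locked'."""
        st = self.state.setdefault(username, AccountState())
        now = self.clock()
        if now < st.locked_until:
            # Refuse without checking the password: a correct guess made while
            # locked must not be distinguishable from a wrong one.
            return "locked"
        # Drop failures that fall outside the observation window.
        st.failures = [t for t in st.failures if now - t < self.policy.window_seconds]
        expected = self.users.get(username)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = []
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = now + self.policy.lockout_seconds
            st.failures = []
        return "bad_credentials"


class FakeClock:
    """Manual clock so the scenarios below run instantly and deterministically."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def brute_force_one_account(auth, username, guesses):
    """Hammer one account with a list of guesses; return the outcome of each guess."""
    return [auth.login(username, g) for g in guesses]


def password_spray(auth, usernames, guesses):
    """Try a few common passwords against every account; return the accounts that locked."""
    for g in guesses:
        for u in usernames:
            auth.login(u, g)
    return [u for u in usernames if auth.is_locked(u)]


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    auth = Authenticator(USERS, LockoutPolicy(), clock)
    target = "mp.one@example.parliament"
    print(brute_force_one_account(auth, target,
          ["password", "123456", "qwerty", "letmein", "Parliament1", "Summer2017"]))
    print(auth.login(target, USERS[target]))   # still locked, even with the right password
    clock.advance(901)
    print(auth.login(target, USERS[target]))   # lock-out has expired
    # Four guesses per account stays under the threshold, so nothing locks.
    auth2 = Authenticator(USERS, LockoutPolicy(), FakeClock())
    print(password_spray(auth2, list(USERS), ["password", "123456", "qwerty", "letmein"]))
```

Running the block prints five `bad_credentials` results followed by `locked`, then `locked` again for the genuine password, `ok` once the lock-out has expired, and an empty list for the spray scenario. The spray result is the reason a lock-out should sit alongside a ban on common passwords and rate limiting by source address, not replace them.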
You’ve Heard it Before, But Check Your Privacy Settings and Don’t Reuse Passwords!
Reviewing the privacy settings of your online accounts (especially social media) is an important part of keeping them secure. Cyber criminals can sometimes narrow down your password by researching you online. This is most likely to happen to people in positions of power, such as directors of businesses, politicians, or anyone with access to money or sensitive information.
If your privacy settings on Facebook, for example, are too permissive, it could be fairly easy to work out the names of your children or spouse, or important dates like your anniversary or the birth dates of your children. Sometimes just trying these as passwords will yield access. In other cases the attacker can seed their brute force attack with these words and have the software try variations such as changing capitalisation, replacing letters with numbers, or adding dates, digits or symbols to the start or end. A targeted list like this is tiny compared with trying every possible password, so it greatly shortens the time it takes to crack yours.
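To show how small a targeted guessing list is compared with a true brute force search, here is an added example (not from the original article, and not the tooling any real attacker used) that builds candidate passwords from constructed family names and an anniversary date, applying the variations described above: capitalisation, letter-to-number swaps, and dates, digits or symbols added at the start or end. The names, date and suffix list are assumptions chosen for illustration.

```python
from datetime import date

# Letters that are commonly swapped for look-alike digits ("leetspeak").
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}


def case_variants(word):
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """The word itself, every letter substituted, and each single substitution."""
    out = {word}
    out.add("".join(LEET.get(c.lower(), c) for c in word))
    for i, c in enumerate(word):
        if c.lower() in LEET:
            out.add(word[:i] + LEET[c.lower()] + word[i + 1:])
    return out


def date_tokens(iso_date):
    """Ways a birthday or anniversary is typically typed into a password."""
    d = date.fromisoformat(iso_date)
    return {d.strftime("%d%m"), d.strftime("%d%m%y"), d.strftime("%d%m%Y"),
            str(d.year), d.strftime("%y")}


def targeted_wordlist(names, iso_dates, suffixes=("", "!", "1", "123")):
    """Candidate passwords built from a target's family names and important dates."""
    seeds = set()
    for name in names:
        for variant in case_variants(name):
            seeds |= leet_variants(variant)
    numbers = {""}                      # "" keeps the bare name as a candidate
    for iso in iso_dates:
        numbers |= date_tokens(iso)
    candidates = set()
    for seed in seeds:
        for number in numbers:
            for suffix in suffixes:
                candidates.add(seed + number + suffix)        # e.g. Emma2009!
                if number:
                    candidates.add(number + seed + suffix)    # e.g. 2009Emma!
    return sorted(candidates)


if __name__ == "__main__":
    # Constructed target: two children's names and a wedding anniversary.
    words = targeted_wordlist(["emma", "jack"], ["2009-04-12"])
    print(len(words), "candidates, e.g.", words[:5])
```

For two names and one date the list is well under a thousand entries, so even a throttled login page that allows one guess a second is exhausted in minutes. Real cracking tools apply the same idea with far larger rule sets.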
Beware Phony Websites!
In some cases there is no need to guess your password, because someone else has already done the work. Cyber criminals often collect login details by building websites that look like well-known sites, e.g. PayPal. They then send out large volumes of spam emails that look like legitimate communications from “PayPal”. These emails link people to the fake website, which may look exactly like the real PayPal site but sits on a domain PayPal does not own, such as “paypal-london.com” or “paypa1.com” (a digit one in place of the letter l). People then try to log in to the fake website, and the criminals collect the email addresses and passwords they type.
These passwords are then often sold or leaked online. Because many people reuse the same password for multiple things, that PayPal password could be what gives a cyber criminal access to an MP’s work emails, along with all of the sensitive information contained within.
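Here is an added example, not from the original article, of the kind of check a mail gateway or browser extension can run on a link before a user clicks it. The allow-list of genuine domains and the URLs tested are constructed for illustration, and in production the Public Suffix List would replace the two-label `registered_domain` shortcut used here. It flags the two lookalike styles named above (a brand name inside an unrelated domain such as `paypal-london.com`, and digit-for-letter substitution such as `paypa1.com`), plus one-character typos and the genuine domain used as a subdomain of something else.

```python
import unicodedata
from urllib.parse import urlsplit

# Hypothetical allow-list: brand -> the domains that genuinely belong to it.
GENUINE = {"paypal": {"paypal.com"}}

# Digit/letter swaps commonly used in phishing hostnames.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def hostname_of(url: str) -> str:
    if "://" not in url:
        url = "//" + url              # let urlsplit parse a bare hostname
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registered_domain(host: str) -> str:
    """Last two labels. A real check uses the Public Suffix List ('co.uk' etc.)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def normalise(host: str) -> str:
    """Fold accents and leet-style digits so 'paypa1' and 'páypal' read as 'paypal'."""
    host = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch single-character typos such as 'payal'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, genuine=GENUINE) -> str:
    """'genuine' if the registered domain is on the allow-list, 'lookalike' if a
    brand name appears anywhere in the (normalised) hostname, else 'unrelated'."""
    host = hostname_of(url)
    domain = registered_domain(host)
    if any(domain in domains for domains in genuine.values()):
        return "genuine"
    labels = normalise(host).split(".")
    for brand in genuine:
        if any(brand in lab or edit_distance(lab, brand) <= 1 for lab in labels):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links of the kind found in phishing emails.
    for link in ["https://www.paypal.com/signin", "http://paypa1.com/login",
                 "paypal-london.com", "https://paypal.com.account-verify.example/",
                 "https://payal.com", "https://www.bbc.co.uk/news"]:
        print(f"{classify(link):10s} {link}")
```

Note that only the hostname is examined: a genuine-looking path such as `/paypal` on an unrelated domain does not make a link suspicious, and a genuine domain does not become suspicious because of its path.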
How to Prevent Unauthorised Access to Your Accounts
To prevent unauthorised access to your accounts, you should be using Two Factor Authentication.
Two factor authentication means a second method of verification is needed, in addition to a username and password, in order to log in.
This is usually something that only the authorised person has access to, such as a physical token that generates a unique code for each log-in. The code needs to be entered alongside your password, and expires after a short period of time (typically 30 seconds). The same code can instead be generated by an app on a smartphone linked to the user’s account, or texted to the user’s mobile number; the text-message option is the weakest of the three, because phone numbers can be hijacked, so prefer an app or a token where the service offers one. For Office 365, a pop-up appears on the smartphone linked to the account asking you if you want to approve the sign-in attempt. Only approve prompts for sign-ins you started yourself: a prompt you were not expecting means someone else has your password.
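The code-generating token and app described above work like this in practice. The example below is added here and is not the page's own or any vendor's code; it implements the standard TOTP algorithm (RFC 6238, built on the HMAC-based HOTP of RFC 4226) that authenticator apps and most hardware tokens use. The secret is the published RFC test key, so the outputs can be checked against the RFC's own test vectors. The verifier allows one 30-second step of clock drift either way and rejects anything older, which is what makes a code useless to anyone who intercepts it more than a minute or so later.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step plus/minus `skew` steps for clock drift, nothing older."""
    counter = unix_time // step
    for drift in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), submitted):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (the QR-code payload)."""
    return base64.b32decode(encoded)


# The RFC 6238 reference key "12345678901234567890", base32-encoded. Used here
# only so the output can be checked against the RFC's published test vectors.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(EXAMPLE_SECRET_B32)
    code = totp(secret, 59)                          # RFC test time: 1970-01-01 00:00:59
    print(code, verify_totp(secret, code, 59))       # 287082 True
    print(verify_totp(secret, code, 59 + 30))        # one step later: still accepted
    print(verify_totp(secret, code, 1111111109))     # much later: rejected
```

A server should additionally remember the last counter value it accepted for each user and refuse a repeat, so that a code captured by a phishing page cannot be replayed inside the drift window.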
Two Factor Authentication is Available for Many Popular Services
If your emails are on Office 365, Gmail, Outlook.com (formerly Hotmail) and many other systems, two factor authentication is available. It just needs to be enabled. Two factor authentication is also available for signing in to Windows – either when you’re physically at your PC or when you’re trying to access it remotely.
Has Your IT Provider Recommended You Use Two Factor Authentication?
If not, it’s a good sign that it’s time for you to change to a provider who prioritises the security of your systems and data!