“Humans are very vulnerable.” This is stated by Yuliya Novikova, head of Fingerprint Intelligence at the cybersecurity company Kaspersky, after an exhaustive study of 193 million passwords that has shown that only two in ten are secure. Most can find out in an hour and many of them, in just one minute. And the cost is minimal, the channels of the dark web (the network hidden from conventional search engines) and Telegram where cybercrime weapons are sold, they offer “all-inclusive” packages: programs, cloud servers and data on potential victims for only 80 euros per week.
“Our data is like our houses. Would you leave it open for anyone to enter?” he asks. Lilian Balatsou, expert in artificial intelligence linguistics and doctor in Cognitive Neuroscience from Bangor University during a meeting of the cybersecurity firm in Athens. The answer, after Kaspersky’s study, is yes, we leave the house open half of the time.
Novikova explains that 40% of attacks (a third of them followed by kidnapping and extortion) begin with a compromised account. Employees and suppliers of companies with a username and password to operate recognize that they violate the corporations’ regulations on security, due to boredom or by carrying out their tasks without added complications.
In this way, these house key holders misuse it and leave the lock unlocked or allow themselves to be copied, more than once in 21% of cases. “Human error is the main cause of incidents,” warns Novikova, who details that 10 million systems were infected last year, 32% more than at the beginning of the decade.
According to Kaspersky data, 45% of passwords are compromised in less than a minute, 14% in less than an hour and another 14% more in a day or less than a month. In this way, only a little more than two out of every 10 access keys to critical systems are robust.
The rest use names or common words or dictionary terms that, even if altered by numbers or signs that replace letters, are easily vulnerable. There is no pirate behind (hacker) spending their time deciphering them. “Cybercriminals are very creative, but also lazy,” says the expert from the security firm, pointing out that the cyberattack weapons sales channels are already offering, for 80 euros per week, subscription packages that include not only the databases of vulnerable victims, but also the programs and servers to be able to run them without their own infrastructure. These systems are capable of violating even multi-factor authentication protocols, which only facilitate a user’s access when they provide two or more different proofs of their identity.
Solutions
Marco Preuss, deputy director of the Global Research and Analysis Team (GReAT) and head of the Kaspersky Europe Research Center, is even wary of biometric identification systems, which he believes also involve the use of personal information.
In this way, the experts who participated in the meeting in Athens opt for the generalization of password managers, programs that can safely store unique users and access codes and even generate them in a robust way for each use.
In addition to these, the most effective tactics are: use a different password for each service so that, in case of theft, only one account is compromised, use unusual words or mix them up, check using online services the robustness of the chosen one, prevent them from responding to personal data that hackers may have access to (such as personal names and dates that are accessible through social networks) and enable two-factor authentication (2FA).
Rafael Conde del Pozo, director of innovation at Softtek, adds one more element of risk: phones. As he explains, “mobile devices have become extensions of ourselves and require comprehensive protection against emerging vulnerabilities.”
In this sense, it proposes providing them with advanced biometric authentication systems, popular in mobile payment; behavioral, which analyzes patterns that do not fit the user; and artificial intelligence to identify anomalies, encrypt data and restrict access.
Regarding mobile vulnerabilities, the Threat Intelligence division of Check Point has identified multiple campaigns that leverage Rafel RAT, an open source tool for Android devices that was developed for phishing (deception) through messages and conversations in order for the user to install malicious applications disguised under a false name and icon. They request extensive permissions, display legitimate web pages or imitate them, and then secretly track the device to exfiltrate data.
Security measures involve all types of programs, including social networking applications. The same security company, after detecting illegal access through direct messages on TikTok, recommends establishing strong passwords, configuring two-factor authentication through the network’s security page to activate the “log in with verification” function and report any strange activity. A vulnerability in this network has recently affected media accounts and popular figures.
You can follow The USA Print in Facebook and x or sign up here to receive our weekly newsletter.
Subscribe to continue reading
Read without limits
_
