These days, not a week goes by where we don’t read about a breach.
Recently, it was genealogy service MyHeritage exposing login credentials of almost all of its 94 million customers.
Bad actors have caught on that the path of least resistance is weak, stolen, or default passwords. Why go up against billions of dollars’ worth of sophisticated technology when they can more easily find that person still using ‘password’ as their password?
Or better yet, they can use simple tactics to swindle credentials directly from users themselves.
Booking.com customers recently faced this approach in a phishing attack. What made it notable is that the attackers used real reservation details gathered from earlier breaches at hotels to craft emails posing as Booking.com, complete with the victim's actual booking, so that users would click through and enter their login information.
Generally, hackers are never truly satisfied and always will be going for more. Not content with the information they already had from smaller breaches at hotels, they went for a bigger fish.
The same is true with breaches of enterprise security. Once hackers have used an employee’s credentials to get inside the network, they then turn their attention to getting even more access, typically privileged accounts that are the “keys to the kingdom.” From there, they have almost unlimited control to access sensitive data and hold the company hostage.
To combat this, many organizations are turning to a cybersecurity approach called Zero Trust, which assumes that the bad guys are already inside the corporate network, so no user, device, or connection is trusted by default. Every user must be verified, their device validated, and their access and privileges limited to what the job requires; on top of that, an adaptive system learns what normal behavior looks like for each user, so that these checks add friction only when something is out of the ordinary rather than every time someone tries to do their work.
The old security adage has been, “trust, but verify.” With Zero Trust, the new mantra is, “never trust, always verify.”
Consumers reading the headlines might wonder what they can do to stop breaches, whether to protect themselves or other potential victims. In most cases, it’s not their fault and, in all honesty, there’s not much they can do. However, as the Booking.com phishing scheme teaches us, there are some ways consumers can do their part.
Here are five ways consumers can adopt a Zero Trust approach to help keep their credentials and data secure, usually in less than five seconds:
- Be aware: it’s easy to quickly scroll through emails and miss minor things, but when you do stop on an email and are considering doing something with it, take a few extra seconds to make sure it’s legitimate.
Are there spelling errors? Does the sender's address actually belong to the company it claims to be from, rather than a look-alike domain? Does the company's logo look old or wrong? Is the message pressuring you to act right now? These basic things are tell-tale signs of a phishing email.
- Hover before you click: this takes one second. Hover your cursor over any link before you click it (on a phone, press and hold the link to preview its destination). If the address it actually points to doesn't match where the text says it's taking you, don't click.
- Check the browser address: if you do click on a link and land on a page that asks for any information from you (username, password, credit card number, SSN, etc.), take a quick glance at the browser address field and make sure you're on the trusted domain. The part that matters is the name just before the first slash, read from the right: it must end in the company's real domain, not merely contain it somewhere.
For example, if it's supposed to say www.booking.com and instead it says www.givemeyourlogin.net, you know something's wrong. The same goes for www.booking.com.givemeyourlogin.net, where the real site is givemeyourlogin.net and "booking.com" is just a decoy subdomain. Close the tab immediately, don't enter anything, and delete the email that sent you there.
- Use a password manager or single sign-on (SSO): the password is really outdated and, frankly, it's time for it to die. Until it does, we have to remain vigilant. Many companies offer single sign-on solutions for work apps, and some of these solutions also let users save their credentials for other websites and apps.
This is a good way to foolproof yourself, because a password manager only fills in a login on the site it was saved for; a look-alike address doesn't match, so nothing gets filled. If you use a password manager or SSO and you are taken to a site where you are not automatically logged in or offered your saved login, you know something is phishy (pardon the pun). Don't type the password in by hand.
- Use multi-factor authentication: many employers also offer multi-factor authentication (MFA), sometimes referred to as two-factor authentication. After a user enters the correct password, the system asks for a second proof of identity, typically by sending a push notification or a one-time code to a device the user is known to have, such as a phone or tablet. This usually takes only a few extra seconds to enter the code, tap approve, or scan a fingerprint, and you're on your way. One caveat: only approve a prompt for a login you just started yourself. An unexpected prompt means someone else has your password and is trying to use it, so deny it and change the password.
Many web sites are starting to offer MFA as an extra authentication step as well. Most notable are Google, Twitter, and a lot of banking web sites and apps. If this additional security feature is available to you, be sure to turn it on. Not only does it offer great protection, but you know that if you aren't prompted for a second factor, then something is amiss. Keep in mind that it isn't a substitute for checking the address bar: a convincing fake site can relay your password and your code to the real site in real time, so the other tips still apply.
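The "hover before you click", "check the browser address", and password-manager tips above all come down to one question: which host will really receive what you type, and is it the site you think it is? The example below is added here and is not code from the original post or from Booking.com; it makes that decision the way a browser's address bar (or a password manager's autofill) does. booking.com is the trusted site used for illustration in the post; every other link in it is constructed for the example.

```javascript
// Added example, not from the original post: decide whether a link or
// address-bar URL belongs to a trusted site before credentials are typed
// into it. "booking.com" comes from the post; the sample links and the
// phishing hosts are constructed for illustration.

const TRUSTED_DOMAINS = ["booking.com"]; // registrable domains we trust

// Parse a URL the way a browser does and return the pieces that matter.
// Returns null when the string is not an http(s) URL at all.
function parseLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return null; // not a URL in any sense
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return {
    // url.hostname is lower-cased, punycoded, and stripped of userinfo,
    // port and path: "https://www.booking.com@evil.net/" yields "evil.net".
    host: url.hostname.replace(/\.$/, ""),
    secure: url.protocol === "https:",
  };
}

// A host is trusted only if it IS a trusted domain or a subdomain of one.
// The leading dot forces a label boundary, so "booking.com.evil.net" and
// "bookingcom.net" both fail even though they contain "booking.com".
function isTrustedHost(host, trusted = TRUSTED_DOMAINS) {
  return trusted.some((d) => host === d || host.endsWith("." + d));
}

// One-stop verdict with the reason a person would want to read.
function verdict(link) {
  const parsed = parseLink(link);
  if (parsed === null) {
    return { host: null, trusted: false, reason: "not an http(s) link" };
  }
  const { host, secure } = parsed;
  // An "xn--" label means the visible name contained non-ASCII characters,
  // the raw material of look-alike domains (e.g. a dotless i for "i").
  const lookalike = host.split(".").some((label) => label.startsWith("xn--"));
  if (!isTrustedHost(host)) {
    return {
      host,
      trusted: false,
      reason: lookalike
        ? "look-alike characters in host"
        : "host is not " + TRUSTED_DOMAINS.join(" or "),
    };
  }
  if (!secure) {
    return { host, trusted: false, reason: "trusted host but not HTTPS" };
  }
  return { host, trusted: true, reason: "ok" };
}

// Constructed sample links, one per classic phishing trick.
const SAMPLE_LINKS = [
  "https://www.booking.com/myreservations",            // legitimate
  "HTTPS://WWW.BOOKING.COM/login",                     // case does not matter
  "https://www.booking.com@givemeyourlogin.net/login", // userinfo trick
  "https://www.booking.com.givemeyourlogin.net/login", // decoy subdomain
  "https://secure-bookingcom.net/login",               // look-alike name
  "http://www.booking.com/login",                      // right host, no TLS
  "javascript:void(0)",                                // not a web address
];

// Run verdict over a list of links; returns an array of [link, verdict].
function screenLinks(links = SAMPLE_LINKS) {
  return links.map((link) => [link, verdict(link)]);
}

for (const [link, v] of screenLinks()) {
  console.log(`${v.trusted ? "OK  " : "STOP"} ${link} -> ${v.host ?? "-"} (${v.reason})`);
}
```

Only the first two sample links pass. The userinfo trick is the one most people miss: everything before the `@` is a username the browser throws away, so the page really comes from givemeyourlogin.net even though the address starts with www.booking.com. A password manager applies the same label-boundary rule, which is why it stays silent on a decoy subdomain.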
It’s a scary online world we live in, and no one should be trusted. The same security requirements we adhere to in our professional lives should carry over into our personal lives as well. The best way to do that is to adopt a Zero Trust approach to everything you do online, which thankfully can now be done with little inconvenience or interruption of your productivity. Spending a few extra seconds on additional security could save you months of headaches.