Almost every day, reports surface in the media of new cyber security breaches. It is often major organisations and software providers that are hacked, and these are the organisations we are meant to trust the most.
The proliferation of online applications means we increasingly trust the applications we use to handle our information carefully and to keep it out of the hands of criminals. Unfortunately, this sometimes proves very difficult to do, and two recent high-profile Australian-based incidents are a perfect example.
Westpac PayID credentials breach
New reports have surfaced that Westpac detected malicious activity in which a group of hackers used the money transfer platform to access customer information. They entered Australian phone numbers at random until a number matched a valid PayID account, then recorded the full name associated with it.
This gave the hackers a full name linked to a phone number and, in some cases, an email address, all of which could be used to breach other accounts the user may hold.
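As an added example (not code from the original post, nor from Westpac or PayID), the following Python flags the lookup pattern described above in constructed log lines: many phone-number lookups from one client in a short window, almost all of which fail to resolve to an account. The log format, the thresholds and the IP addresses are assumptions.

```python
"""Added example: flag lookup-enumeration patterns (as in the PayID incident)
from constructed lookup logs. Not Westpac's or PayID's code; the log format,
thresholds and addresses are assumptions."""
from collections import defaultdict

# Constructed sample log, one "client_ip unix_ts outcome" per line, where
# outcome is "hit" (number resolved to a name) or "miss". Not real data.
_guesser = [f"203.0.113.7 {1000 + i} {'hit' if i % 15 == 0 else 'miss'}"
            for i in range(30)]          # 30 lookups in 30 s, only 2 resolve
_customer = ["198.51.100.9 1010 hit", "198.51.100.9 1300 hit"]
SAMPLE_LOG = "\n".join(_guesser + _customer)


def parse_lookups(log_text):
    """Parse log lines into (client, timestamp, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        client, ts, outcome = line.split()
        events.append((client, int(ts), outcome))
    return events


def find_enumerators(events, window=60, min_lookups=20, max_hit_ratio=0.2):
    """Return {client: (lookups, hits)} for clients that, within any sliding
    window of `window` seconds, made at least `min_lookups` lookups of which
    at most `max_hit_ratio` resolved. Real users look up a few numbers that
    exist; enumeration is many guesses that mostly do not."""
    by_client = defaultdict(list)
    for client, ts, outcome in events:
        by_client[client].append((ts, outcome))
    flagged = {}
    for client, evs in by_client.items():
        evs.sort()
        start = 0
        for end, (ts_end, _) in enumerate(evs):
            while ts_end - evs[start][0] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count < min_lookups:
                continue
            hits = sum(1 for _, o in evs[start:end + 1] if o == "hit")
            if hits / count <= max_hit_ratio:
                flagged[client] = (count, hits)   # last flagged window wins
    return flagged


if __name__ == "__main__":
    for client, (count, hits) in find_enumerators(parse_lookups(SAMPLE_LOG)).items():
        print(f"{client}: {count} lookups, {hits} resolved -> possible enumeration")
```

Rate-limiting lookups per client, or returning a generic response that does not reveal whether a number is registered, removes the signal this detection is built on.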
Canva data breach
Australian design application Canva was also breached, in an attack that saw the sensitive information of 139 million users compromised. That information included usernames, real names, email addresses, and city and country details. For 78 million users it also included the Google tokens used to log in to the platform.
Passwords were also present, but thankfully in their encrypted form.
The hacker responsible for the Canva breach calls themselves GnosticPlayers, and unfortunately this wasn't their first hack. They were also responsible for security breaches at 45 other companies, including 500px, UnderArmor and ShareThis, and then sold the stolen credentials on the dark web.
What this means for you
Full names, usernames, passwords and other sensitive information in a hacker's hands mean they may be able to access your account and perform any number of malicious actions. Even if the passwords obtained are encrypted, cybercriminals will use the other information they have obtained to reset your passwords and lock you out of your account.
So, what can you do?
A great last line of defence is two-factor authentication (2FA). 2FA requires a second form of authentication when you log in to an account, to verify your identity. It usually takes the form of your username and password plus a text message to your nominated phone number, or a notification on another device such as an Apple Watch. Because 2FA requires physical access to that phone or device, a stolen password alone is not enough for hackers to get into your account.
Using a platform such as DUO and its two-factor authentication service can significantly improve your security posture and strengthen your defence against malicious activity. Our team at Forsythes Technology are experts in implementing security solutions for businesses and are available to chat on 1300 766 661.