
Passwords and Their Ability to Bring Down Even the Largest of Enterprises


The dangers of using passwords as a means of authentication cannot be overemphasized. According to reports by IT Governance, poor password behavior is the number one cause of data breaches. Despite this, passwords are still very common in the average person’s personal and work life. Here is how passwords can bring down even the largest of enterprises.

Passwords are difficult to manage, and bad password habits are easy to develop because of how difficult it is to store multiple complex passwords.

They are also very insecure because passwords are simply too easy to guess, crack, or intercept. What’s more, the legacy of bad password habits, reusing and sharing online credentials, leads to constant cybersecurity attacks against both people’s personal accounts and enterprises.

The consequences of a cybersecurity attack from a leaked, stolen, or shared password could be disastrous; a hacker could launch a highly sophisticated attack on you or your business, causing serious short-term and long-term damage. This could lead to serious financial and legal implications. In a worst-case scenario, a malicious attack could even sabotage your business and its operations to the extent that it may never be able to recover.

Too Many People Use Old Passwords — STOP THAT!

According to a 2019 HYPR password usage study, which analyzed data from over 500 American and Canadian full-time workers, about 72% of people surveyed reuse an old password when forced to change to a new one, and 78% of them forgot their passwords in the previous 90 days.

This is likely due to the overwhelming number of passwords users have to manage: the study further showed that over 37% of respondents have more than 20 passwords in their personal life, which in most cases is too many to manage effectively.

Hackers will Always Try to Attack Your Employees

Many negative implications come with your business’ security being compromised due to poor passwords, some of which are discussed below.

  • Financial Implications

On average, cybersecurity attacks in 2017 alone cost enterprises $1.3 million, and small and medium-sized businesses $117,000, to repair hardware and software. A data breach can also lead to legal consequences for your company if the leaked data belongs to a third party or contains sensitive information.

  • Data Theft and Sabotage

Every single day, companies around the world lose about 5 million records containing sensitive data due to a vulnerability in their systems or a human failure, and only a mere 4% of the leaked data is protected by strong encryption that prevents it from being misused.

In some cases, millions of email addresses and passwords are leaked during a single data breach.

Hacking and data breaches may also negatively affect digital data or even physical equipment. Some hackers may intentionally modify or damage data in order to harm their targets.

  • Poor Web Presence

For many businesses, especially small ones, most sales and operations are made online – as an online presence exposes businesses to larger markets, with two-thirds of small businesses relying on websites to connect them to customers.

Hacking or data breach, in this case, however, may be seriously detrimental to your online presence; it may lead to your website being slowed down considerably as hackers try to upload and run files on your company server.

Also, if hackers try to use your IP address to attack other websites, your web hosting might be suspended, or your website may shut down entirely and only display a “PAGE NOT FOUND – 404 ERROR” message; all these will also cause your company’s SEO ranking to take a big hit.

  • Damages to Company Reputation

When a business is hacked, its reputation also takes a huge hit, either temporarily or permanently. A large percentage of a hacked company’s customers may choose to switch over to their more secure competitor.

According to a 2019 study published on BitSight, nearly two out of five (38%) enterprises admit that they have lost business due to either a real or perceived lack of security performance within their organization. Nearly half of all executives surveyed in that same report admit that their ability to attract new customers was harmed following a security incident.

  • Business Failure

Many businesses, especially small ones or those in their early stage, operate on low margins and may not withstand the significant financial loss resulting from data breaches.

Depending on the severity of such attacks, how stolen data is used, or the damage caused, your business might not be able to withstand the financial implications. It may be forced to close all operations and shut down.

How Enterprises Can Protect Themselves

Data breaches due to bad passwords are bound to happen when you ask employees to create and manage their passwords without providing them with the proper tools to do so.

There are limits to how many passwords your employees can remember and how complex they can be; this, coupled with the ever-growing number of online accounts, makes it easy for your employees to settle for poor password habits and security shortcuts that put your company at risk of a data breach.

Employees often create passwords that are easy to remember and very predictable, as creating and storing different complex passwords is a burden.

Hence, employers and enterprises need to educate their employees in good password behavior and support it with some of the solutions below.

A. Password Managers

Password managers are secure software applications designed to store and manage your online credentials. They make your accounts more secure by freeing you from having to generate and remember sufficiently complex passwords, thus allowing for single-purpose passwords that meet a much higher security level.

From auto-filling to encrypting passwords, password managers ensure that credentials stored with them are kept secure.

B. Two Factor Authentication

Two-factor authentication makes use of newer improvements to authentication by combining two of the three types of authentication factor: what you know (password, PIN), what you have (bank card, SIM card), and what you are (fingerprint, facial recognition).

Two-factor authentication is far more secure than passwords alone because it requires two forms of authentication rather than one. Common second factors include an authenticator app such as Google Authenticator or Microsoft Authenticator, SMS codes, and biometrics, used alongside your password for more secure verification.

C. Passwordless Authentication

One major shortcoming of both password managers and two-factor authentication that is commonly overlooked is the fact that they don’t completely eliminate the burden of passwords; this is where passwordless authentication comes in. It gives enterprises the ability to deploy desktop MFA and strong customer authentication.

The passwordless authentication technology removes hackers’ most popular target by completely replacing passwords, forcing them to attack all devices individually. This provides enterprises with increased security and a more secure means of authentication.

In Conclusion

It is becoming clearer that passwords are more of a burden or headache than they are a security tool. As a business owner, protecting your personal and customer data and ensuring your website’s security has to be one of your top daily priorities.

Hackers will always try to attack your employees, the weakest link in your security infrastructure.

The best way to strengthen your entire security system is to make sure both your employees and IT admins are aware of their responsibility to maintain good password security and that necessary steps are taken to provide employees with the necessary tools to fulfill this responsibility.

The post Passwords and Their Ability to Bring Down Even the Largest of Enterprises appeared first on ReadWrite.


How to Protect Your TikTok Account from Hackers


TikTok, a mobile video-sharing service owned by Beijing-based technology company ByteDance, has been around since 2016. Its popularity shifted into hyper-drive over the past two years, with the user count exceeding 2 billion (according to Craig Chapple, a mobile insights strategist) globally at the time of this publication.

TikTok generated a whopping 315 million installs in Q1 2020 alone, which eclipses any other app’s achievements in terms of quarterly growth.

It’s common knowledge that cybercriminals follow the trends, so they treat the hype around TikTok as an opportunity to extend their reach. Haters, spammers, con artists, and malware distributors can weaponize hacked accounts in a snap. Therefore, it’s in every user’s interest to ascertain that their video blogging experience isn’t vulnerable to exploitation.

The good news is, you can benefit from TikTok’s built-in security and privacy features to raise the bar for malicious actors. This article provides simple steps to harden the defenses and make your account a hard nut to crack. Before delving into the protection facet of the matter, though, let’s see what security concerns about this service have been unearthed to date.

Known TikTok Security Loopholes

In early January 2020, experts at cybersecurity company Check Point Research discovered a series of TikTok vulnerabilities that might undermine the protection of one’s account. According to the white hats, a hypothetical attacker could take advantage of these flaws to do the following:

  • Compromise an account and alter its content
  • Erase videos
  • Upload new videos
  • Change the status of private videos to “public”
  • Obtain the victim’s email address and other sensitive information related to the account

SMS link spoofing is one of the malicious techniques piggybacking on TikTok imperfections. It can cause a great deal of harm with very little effort. This foul play is fueled by a somewhat crude implementation of a feature called “Text yourself a link to download TikTok,” which is available through the platform’s official website.

(Image by Check Point Research, “Tik or Tok? Is TikTok secure enough?” article)

A malefactor can use a proxy tool to skew the underlying HTTP query that consists of a user’s phone number and the legitimate app download link. This interference allows the hacker to substitute the URL with a custom value and thereby send malware-riddled text messages on behalf of TikTok.

Malware distribution and scams are the obvious use cases of this technique. The resulting sketchy site can be a credential phishing page or have exploits onboard.
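To make the root cause concrete, here is a constructed simulation (not TikTok’s code; endpoint shape, field names and URLs are assumptions) of a “text yourself a download link” handler in the weak form the article describes beside a hardened form, where the server owns the link and only validates a phone number, and a check that flags tampered requests for monitoring.

```python
import re
from urllib.parse import urlsplit

# Placeholders standing in for the real app-store link and host (assumptions).
OFFICIAL_DOWNLOAD_URL = "https://downloads.example.com/app"
ALLOWED_HOSTS = {"downloads.example.com"}
E164 = re.compile(r"^\+[1-9]\d{6,14}$")  # international phone number format

class RequestRejected(ValueError):
    """Raised when a request must not produce a text message."""

def build_sms_vulnerable(request: dict) -> str:
    """Weak pattern from the article: the link comes straight from the client
    request, so anyone who edits the request in transit controls the SMS body."""
    return f"Download the app: {request['download_url']}"

def build_sms_hardened(request: dict) -> str:
    """Hardened pattern: the client contributes only a phone number; the link is
    a server-side constant that is itself checked against an allowlist."""
    phone = request.get("mobile", "")
    if not E164.match(phone):
        raise RequestRejected("phone number must be in E.164 format")
    url = OFFICIAL_DOWNLOAD_URL  # a client-supplied download_url is never read
    parts = urlsplit(url)
    # Defence in depth: a misconfigured constant must also fail closed.
    if parts.scheme != "https" or parts.hostname not in ALLOWED_HOSTS:
        raise RequestRejected("download link failed allowlist check")
    return f"Download the app: {url}"

def tampering_detected(request: dict) -> bool:
    """Detection hook: a legitimate client never sends download_url at all, so
    any value other than the official link is a signal worth alerting on."""
    supplied = request.get("download_url")
    return supplied is not None and supplied != OFFICIAL_DOWNLOAD_URL

# Constructed request as it would look after being edited in transit.
TAMPERED_REQUEST = {"mobile": "+15551234567",
                    "download_url": "https://attacker.invalid/payload"}
```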

Offensive mechanisms such as cross-site request forgery (CSRF) or cross-site scripting (XSS) may also kick in to execute malicious JavaScript code surreptitiously. This abuse can entail particularly disruptive outcomes, making it easy for an adversary to tamper with the victim’s browser cookies and perform different actions in their name.

What does the cybercriminal do next?

This access can pave the crook’s way towards removing arbitrary videos, adding new ones, approving followers, and making private content public. The info-stealing facet of this exploitation puts the victim’s sensitive data at risk, including their email address, payment details, and birth date. Thankfully, the company behind TikTok has since released patches for these issues.

Another pitfall is that the service isn’t too fair and square when it comes to users’ privacy.

In March 2020, security researchers exposed more than 50 iOS and iPadOS applications that regularly read the clipboard information. TikTok ended up on that list, too.

Whereas it’s not entirely clear what the application does with this data, such activity resembles eavesdropping at its worst. An additional concern is that an attacker who succeeds in compromising the TikTok app will be able to keep a record of everything the user copies to the device’s clipboard, including credit card details and login credentials for other services.

A malefactor with advanced tech skills can broaden the attack surface.

For instance, a feature called Universal Clipboard plays into crooks’ hands in this regard. It is intended to facilitate the process of copying and pasting between different devices under Apple’s umbrella.

Therefore, if an attacker takes over a TikTok account used on an iOS or iPadOS gadget, they may be able to access sensitive information on a related Mac computer.

For the record, the latest version of TikTok is no longer peeking into clipboard data. However, the aftertaste of past foul play remains. All of the reported concerns have prompted some restrictive moves at the level of governments and military branch departments.

In December 2019, the U.S. Navy banned personnel from using this service, and so did the U.S. Army shortly afterward.

TikTok Account Security Tips

Because a TikTok account is a goldmine of the user’s sensitive information, cybercriminals are keen to find ways to circumvent its defenses and get in. The following red flags may indicate a compromise and should urge you to take immediate action:

  • Your TikTok password, security email address, or phone number tied to the account has been changed.
  • Your username or nickname has been modified.
  • Someone is removing or adding videos behind your back.
  • Messages are being sent without your permission.

This brings us to the techniques that will keep perpetrators from gaining unauthorized access to your account. Below is a summary of TikTok security best practices:

1. Use a Strong Password

No matter how vanilla this recommendation may sound, it’s the cornerstone of your account’s integrity. In addition to making your password at least 12 characters long, include special characters (%, $, &, etc.), uppercase letters, and numerals.

Also, make sure it looks as random as possible to prevent crooks from guessing it based on your personal details available on publicly accessible resources such as social networks.

2. Refrain from Reusing Passwords

Data breaches happen, so you don’t want your authentication info for another account to match the TikTok password. Using the same password across different services is a classic instance of a potential single point of failure (SPOF).

3. “Log In with Verification” Feature Can Make Your Day

If you enable verification by adding your phone number to your profile details, TikTok will generate a one-time password (OTP) every time you sign in. But bear in mind the SMS-related issue described above that involves your phone number.

As opposed to the better-known two-factor authentication (2FA), the phone technique replaces password protection rather than boosting its efficiency. By the way, the video blogging service under scrutiny doesn’t currently provide 2FA.

A text message with TikTok verification code inside

4. Prevent Your Password from Being Automatically Saved

It goes without saying that password saving is a handy option. In fact, TikTok does it by default.

The whole convenience, though, can be overshadowed by the security risks stemming from this mechanism.

Consider turning the auto password save OFF to err on the side of caution.

  • Tap the Me icon at the bottom right of the TikTok main screen.
  • Head to Settings and privacy
  • Select Manage my account
  • Then slide the Save login info toggle to the left — that turns it OFF.

Switch OFF the Save login info option

5. Stay Abreast of Account Usage Statistics

The app’s Your Devices pane lets you see which devices your account is signed in on at any given time.

You may have previously signed in from somebody else’s gadget and forgot to exit the account. This is a benign scenario, though.

If the list includes a smartphone you can’t identify, it might be a heads-up. To make sure you are in the clear, go to Manage my Account, proceed to Security, and take a look at the account activity stats and the list of logged-in devices.

TikTok account activity stats

6. Stay Away from Sketchy Links

Cybercriminals may try to social-engineer you into tapping a hyperlink that leads to a malicious web page hosting a harmful payload. These links may arrive via booby-trapped text messages, phishing emails sent by strangers, or malicious redirects caused by malware.

As the SMS link spoofing technique described above demonstrates, such messages may even impersonate TikTok. Don’t be gullible; ignore them.

7. Think What You Share

Don’t spill any personally identifiable information (PII) such as your email address or phone number in video descriptions. A seasoned hacker may misuse the info to compromise your account.

What to Do If Your TikTok Account Has Been Hacked?

If you spot the slightest sign of a breach, go ahead and change your account password without a second thought.

Here’s how you do it: go to Settings and privacy — proceed to Manage my account, and follow the on-screen prompts to complete the procedure. As part of the attack remediation, be sure to check the accuracy of your account information on the same screen.

In case you are having issues with this, go to the Report a problem subsection under Support to access the Feedback and help screen. Then, tap the paper sheet icon in the top right corner to submit a support ticket describing your situation in detail.

TikTok Feedback and help section

All in all, TikTok is a great service bringing so many bells and whistles to your fingertips and allowing you to express yourself via nifty videos.

It’s not perfect in terms of security, though. Do your homework and tweak some settings to prevent your account from being low-hanging fruit for a cyberattack. Stay safe.

The post How to Protect Your TikTok Account from Hackers appeared first on ReadWrite.