Hacking by having someone's password is barely a hack at all; however, it can be devastating. There have been instances of this happening over the past year. There has been a lot of talk in the IT community about how this is ramping up, and we're not even close to the peak of where it is going. I'm going to give you an example of a real-life hack that I've seen with my own eyes. Very similar attacks are becoming more commonplace and, for the most part, require very little skill to execute.
Names and identities have been changed to protect the identity of the victims.
Rhonda – Executive and Partner
Rhonda began the day like all others: grabbing coffee, getting settled for the day, and texting with her husband to make sure the kids got off to school and didn’t forget their recorders and baritone horns. Later that day, Rhonda received a phone call from one of her vendors that she hadn’t dealt with in a long time. The vendor was calling to ask why she had requested a money transfer.
Confused, Rhonda asked the vendor what they were talking about. The vendor stated that Rhonda had emailed them asking for a money transfer. The vendor had emailed back asking for details, and Rhonda had responded to that email; however, the vendor had closed their account due to inactivity and decided to call and clarify why any transfer would be required.
Rhonda hadn’t responded to that email. Rhonda never even received that email response from the vendor. She checked her sent items and didn’t see any emails from herself asking for a money transfer. She became quite concerned and gave us a call.
We jumped onto her computer and took a look at her Office 365 account. What we discovered was that a) her computer was not infected with any viruses or malware, and b) there was a set of complicated mail rules set up on her email account that was about as advanced as we had ever seen.
The mailbox rules that had been set up used her mailbox as an email relay. Someone had gained access to her mailbox and gathered her contact list, then set up rules that allowed the bad actors to relay email to and from her contacts through her mailbox. As responses came into her mailbox, they were automatically forwarded to an outside address and then immediately removed from her mailbox. Rhonda, like most executives, works from her cell phone more often than not and didn't see any mail of this type flowing through. Even working from Outlook, it wouldn't have been noticeable.
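A rule like the one described above (forward to an outside address, then delete) is easy to miss from a phone but easy to spot from the admin side. The following auditor is an added example, not from the original post: it takes a list of inbox rules in the shape of Microsoft Graph's messageRule resource (assumed field names; the sample data is constructed) and flags enabled rules that forward or redirect mail outside the tenant's own domains and/or delete the message after acting.

```python
import json
from typing import Dict, Iterable, List, Set

# Constructed sample, shaped like Microsoft Graph's
# /me/mailFolders/inbox/messageRules output (assumption: Graph field names).
SAMPLE_RULES_JSON = """
[
  {"displayName": "Newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["news@"]},
   "actions": {"moveToFolder": "AAMk-Newsletters-placeholder"}},
  {"displayName": "Finance", "isEnabled": true,
   "conditions": {"subjectContains": ["transfer", "invoice", "payment"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "relay@mail-drop.example"}}],
               "delete": true, "stopProcessingRules": true}},
  {"displayName": "Team CC", "isEnabled": true,
   "conditions": {},
   "actions": {"redirectTo": [{"emailAddress": {"address": "assistant@victimcorp.example"}}]}}
]
"""

# Assumption: the domains the tenant itself owns; anything else counts as external.
INTERNAL_DOMAINS = {"victimcorp.example"}


def _recipient_addresses(actions: Dict) -> Iterable[str]:
    """Yield every address a rule forwards or redirects mail to."""
    for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
        for rcpt in actions.get(key) or []:
            yield rcpt.get("emailAddress", {}).get("address", "").lower()


def audit_rules(rules: List[Dict], internal_domains: Set[str]) -> List[Dict]:
    """Return one finding per enabled rule that leaks mail externally or hides it."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue  # disabled rules cannot relay anything
        actions = rule.get("actions", {})
        external = [a for a in _recipient_addresses(actions)
                    if a and a.rsplit("@", 1)[-1] not in internal_domains]
        hides = bool(actions.get("delete") or actions.get("permanentDelete"))
        reasons = []
        if external:
            reasons.append("forwards externally to " + ", ".join(external))
        if hides:
            reasons.append("deletes the message after acting")
        if reasons:  # external forward + delete is the relay pattern from the story
            findings.append({"rule": rule.get("displayName"),
                             "severity": "high" if external and hides else "medium",
                             "reasons": reasons})
    return findings


def audit_json(raw: str, internal_domains: Set[str] = INTERNAL_DOMAINS) -> List[Dict]:
    return audit_rules(json.loads(raw), internal_domains)
```

Running `audit_json(SAMPLE_RULES_JSON)` flags only the "Finance" rule as high severity; the internal redirect and the folder move are left alone.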
What we uncovered was that Rhonda's LinkedIn credentials had been leaked a few years prior. Unfortunately, Rhonda used the same password on LinkedIn as she did for her work email. The hacker was able to log into Rhonda's work email using the password from the LinkedIn leak, and set up camp within her mailbox.
We quickly removed the rules and helped send out an email to all of Rhonda’s contacts that there was a breach.
Multifactor authentication could have prevented all of this.
Microsoft has recently updated their password recommendations. They recommend making passwords easier to remember (no more crazy characters), making passwords longer than 8 characters, and letting passwords stay static (don't make passwords expire). The caveat is that multifactor authentication needs to be in place. If your password from another site is leaked, or a hacker manages to guess your password somehow, they will not be able to get in without your multifactor authentication code.
Even if Rhonda's password hadn't been leaked on LinkedIn, a computer's ability to rapidly guess combinations of passwords is getting to the point where the password itself doesn't matter as much. In 2015, it would take computers 5 days to guess a 9-character password. In 2018, that has dropped to 2 minutes. Adding special characters increases the time to guess from 2 minutes to 2 hours.
The example I've written above is only one of the many hacks we've seen stem from leaked passwords. Sometimes the hacker will simply forward a copy of all email to an outside email address, or steal the contact list and add it to their spam email and phone lists. There have even been demonstrations of email being encrypted and held for ransom. Of course, Sony had a major hack occur in 2014 which cost them millions of dollars and put so much stress on people that the head of Sony Pictures stepped down.
So what can we do about it?
If your password is used on multiple sites, and those sites have leaks, then your password is already out there. It is certainly prudent to change your password to a passphrase made up of multiple words. That being said, multifactor authentication is the best way to take care of it. A passphrase of three words takes 3 seconds to crack. A passphrase of 5 words currently takes 8 years, but as you can see from the timeline above, that time to guess will drop significantly over the next couple of years.
Multifactor authentication, like the type the banks make you use when you log in, is your best defense. We believe strongly in multifactor authentication (also called MFA or 2FA). It allows you to continue to use whatever password you like, and it is the easiest form of security for users. The product we use doesn't even require you to type in a number: your phone alerts you that there is a login and you either Accept or Reject it. You can even approve it on your smart watch!
Multifactor authentication also brings additional benefits, like being able to restrict logins for users to certain countries. If I'm confident that I will only ever log in from Canada, then I can restrict every other country. If, however, you travel to the US and Japan often, we can keep those countries open and restrict every other country.
It’s time to take the step to multifactor authentication and fortify your front door.
Karl Fulljames | COO