Tag: security

How to test your password strength

By Devon Delfino for Business Insider US

Creating and maintaining secure passwords may seem like a hassle, but it’s a modern necessity if you want to keep your information safe.

To help you understand what makes a secure password, and how to validate the strength of your password using online security tools like NordPass, here’s a quick breakdown of everything you should know about safeguarding your online identity.

How to ensure your password is secure
The core characteristics of a strong password are length (NordPass suggests 12 or more characters) and an unpredictable mix of upper and lower case letters, numbers, and symbols, with no ties to obvious personal information.

Most people are aware of the basics of password best practices: It shouldn’t include something that’s easy to guess, like names of children, birthdays, or house numbers. And you should never use commonly used passwords, or variations of them. Avoid the likes of “password” and “PaSSw0rd,” or “123456” and “123456-Devon,” for instance.

Beyond creating an unpredictable sequence of letters and numbers that is meaningful to you and only you, there are other tips to help keep your password strong and secure:

  • Don’t reuse passwords: Different passwords for different accounts is always a good idea. That way, if one account is compromised, the breach is contained.
  • Don’t write your password down: While it may seem like a good idea to have a physical copy of your usernames and passwords for quick reference, this can open you up to security issues in the real world.
  • Use a password manager: A password manager is a solid tool that can help keep you organised. These store your various passwords in a secure account, and typically provide a simple solution for easily storing, managing and filling in your passwords. Some examples of password managers include NordPass and LastPass.
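The characteristics listed above (12 or more characters, a mix of character types, no common passwords or variations of them, no personal information) can be checked in code. The sketch below is an added example, not NordPass's checker: the function names, the short common-password list and the substitution table are constructed for illustration, and it assumes the "mix" means all four character types are present.

```python
MIN_LENGTH = 12  # the NordPass suggestion quoted in the article

# Constructed sample list; a real check would load a large list of
# known-common passwords instead of these four.
COMMON_PASSWORDS = ("password", "123456", "qwerty", "letmein")

# Reverse frequent character swaps so that "PaSSw0rd" and "p@ssworD"
# both reduce to "password" before comparison.
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})


def find_common_base(password):
    """Return the common password hidden inside `password`, or None."""
    lowered = password.lower()
    # Check the raw lowercase form (catches "123456-Devon") and the
    # de-substituted form (catches "PaSSw0rd").
    for candidate in (lowered, lowered.translate(SUBSTITUTIONS)):
        for common in COMMON_PASSWORDS:
            if common in candidate:
                return common
    return None


def find_personal_info(password, personal_info):
    """Return the personal items (names, years, ...) found in the password."""
    lowered = password.lower()
    return [item.lower() for item in personal_info
            if len(item) >= 3 and item.lower() in lowered]


def check_password(password, personal_info=()):
    """Return a list of problem codes; an empty list means no rule was broken."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("missing_upper")
    if not any(c.islower() for c in password):
        problems.append("missing_lower")
    if not any(c.isdigit() for c in password):
        problems.append("missing_digit")
    if not any(not c.isalnum() for c in password):
        problems.append("missing_symbol")
    common = find_common_base(password)
    if common:
        problems.append(f"common_password:{common}")
    for item in find_personal_info(password, personal_info):
        problems.append(f"personal_info:{item}")
    return problems


if __name__ == "__main__":
    # Constructed samples: the article's weak examples plus one random string.
    samples = [("PaSSw0rd", ()), ("123456-Devon", ("Devon",)),
               ("vT9#qLm2!xRw8z", ("Devon",))]
    for sample, info in samples:
        print(sample, "->", check_password(sample, info) or "no problems found")
```

Note that “123456-Devon” passes the length and character-mix rules and is rejected only by the common-password and personal-information checks, which is why composition rules alone are not enough.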

How to check your password’s strength and security

There are many web-based tools that can help rate your password strength, but it’s important to choose one that you trust with your credentials.

An industry-trusted password checker you can use is one from NordPass, a password management tool by the VPN service provider NordVPN.

To understand how NordPass rates your password strength, it’s important to learn the main methods hackers use to steal passwords.

These methods include:

  • Brute force attack: This is when someone tries to simply guess your username and password using trial and error, via a computer program. This allows a hacker to try many different combinations of your login information.
  • Dictionary attack: This attack type is a systematic way of guessing passwords, and typically employs commonly used passwords (like variations of “p@ssworD”).
  • Phishing techniques: This is when someone tries to get you to reveal your personal information, like your social security number or passwords, via email or text message. The key here is that phishing scams can look like they’re coming from a company you trust or know.
  • Credential stuffing: When a company’s security is compromised, users are left potentially open to credential stuffing. That’s when people purchase your compromised information off the dark web and then use the login from that source to try to access other accounts on popular websites. So if you re-use your passwords for multiple accounts, you can leave yourself open to this method of digital theft.

With that in mind, here’s how to use NordPass’s online strength checker tool:

  • Go to the NordPass secure password page and click “No, use online strength checker.”
  • Input your password in the text bar.
  • NordPass will immediately rate it for you, and provide information about your password composition, an estimate of how long it would take someone to crack your password, and whether your password has previously been exposed in a data breach.

Postbank forced to replace 12m bank cards

Source: MyBroadband

Postbank needs to replace 12-million bank cards at a cost of R1-billion after its “master key” was compromised, the Sunday Times reported.

Citing several internal Postbank reports, the Times found that the bank’s master key was stored in plaintext during a data centre migration in July 2018. Two staff members also stored the key in plaintext on USB flash drives and one of the drives can’t be located.

One of the internal reports cited in the article, an overview of financial crime, reportedly stated that Postbank found 25,000 fraudulent transactions between March 2018 and December 2019. R56 million was stolen.

The master key was generated in January 2018, according to the report.

The article described the master key as a 36-digit code which allows anyone to read and write account balances, and read and change information on any of the cards the bank has issued.

The Post Office denied that its master key for Postbank’s cards had been compromised, saying that the “stories” were unfounded and only seek to create panic among Postbank’s clients.

Postbank’s clients include millions of social security beneficiaries who receive grants from the government every month.

No audit trail
Referring to another internal report titled “Overall IT Security Register” from January 2020, the Sunday Times reported that the Postbank had no logging in place to trace fraudulent transactions.

Postbank was not able to audit when an account was accessed, who accessed it, and what was done on the account.

A spokesperson for the Post Office said that it is on record that “systematic difficulties” were uncovered with the “reconciliation functionality” of the integrated grant payments system, and that the issue has been resolved.

R42-million stolen from Postbank in 2012
This is not the first time information security problems at Postbank have resulted in money being stolen.

In 2012, a syndicate stole R42 million from Postbank in a heist that took place over the New Year holidays — between 1 January and 3 January.

The syndicate opened several Postbank accounts across South Africa towards the end of 2011, and over New Year’s they gained access to a Rustenburg Post Office employee’s computer. From there the syndicate made deposits from other accounts into its own.

Over the next three days, automated teller machines in Gauteng, Free State and KwaZulu-Natal were used to withdraw cash from the accounts.

By Phillip de Wet for Business Insider SA

Scammers are separating helpful South Africans from their money in what appears to be a wave of fraud that relies on hijacking WhatsApp accounts – and then simply asking for money.

The scammers first take control of a victim’s phone number, usually by porting the number to a new service provider, and so associating it with a SIM card under their control. That allows them to receive confirmatory SMSes from WhatsApp, and so take control of an existing account, while the now-offline victim is none the wiser.

Now able to impersonate the victim, the scammers access the phone numbers of friends and acquaintances, in many instances seemingly just waiting for incoming messages, or by way of WhatsApp groups to which the victim belongs. Then they simply ask for money.

Number porting has in the past often been used to intercept one-time PIN (OTP) numbers – but that requires scammers to have control of bank accounts, either by skimming credit card information or stealing login details for online banking.

In the current wave of scams, the attackers do not need such access. Friends of victims are asked to send money via services such as First National Bank’s eWallet, which sends the code required to withdraw money from an ATM via SMS – with the cash immediately available.

As of Wednesday it was not yet clear how widespread the new scam was, with network operators saying they were detecting only a small number of fraudulent attempts to port numbers – while many people said they were receiving worrying notifications, or had already seen their friends approached for money.

Here’s how to protect yourself against both sides of the latest WhatsApp hijacking scam.

Turn on security notifications in WhatsApp.
WhatsApp will alert you when a contact changes their phone – if you let it. For those in many big WhatsApp groups – with people who like to switch phones – the constant messages that a contact’s “security code has changed” can become annoying, so some people turn it off.

If you are one of those people, turn those notifications back on by going to “settings”, then selecting “account”, and from there “security”.

Should a “friend” ask for money shortly after their security code changes, be extremely suspicious.

Don’t ignore porting SMSes.
Cellphone companies will send out a notification, by SMS, before porting a number – but will consider no response as permission. If you receive an SMS that warns your number is to be ported, do not ignore it.

If you are worried that message might be a scam in itself, phone your network provider on the usual service number.

Don’t turn off your phone if you’re getting annoying calls.
Some victims of porting say they were bombarded by annoying phone calls before their numbers were hijacked. The idea behind constantly ringing your number is to make you turn off your phone – so that you won’t receive porting notifications, and won’t notice you have suddenly been kicked off the network.

If someone keeps phoning then putting down the phone before you can answer, or you keep receiving calls with nobody on the other side, assume you are being scammed, and rather put your phone on silent while watching out for SMSes.

Don’t ignore a loss of cellphone signal.
If your phone suddenly won’t connect to your mobile network – and you aren’t in the middle of nowhere, or in an area being load-shed – assume your number is being hijacked, and get in touch with your network service provider as soon as possible.

Don’t register a new WhatsApp account if you change phone numbers, update your number instead.
Some victims of WhatsApp identity fraud believe they were impersonated after their former, abandoned cellphone numbers were recycled by network operators.

If you are switching numbers and want to be sure nobody can pretend to be you in future, you can change the phone number associated with your WhatsApp account.

If you really care about your security, enable the PIN function on WhatsApp.
For ultimate protection, you can create a six-digit PIN number in WhatsApp, without which it should be impossible to register on the service – so that no number-porting scam or other mechanism will let someone steal your identity.

There is no better way to protect yourself, but this two-step verification measure comes with a couple of caveats. If you do not associate an email address with that PIN, or lose access to the email address you register, you are in deep trouble if you ever forget your PIN. Also, WhatsApp will from time to time demand the number from you, which could get annoying.

The PIN activation is under “settings”, “account”, and then “two step verification”.

By Aaron Holmes for Business Insider US

The most effective way to protect yourself against hackers is to build good password habits, experts say.

Cybersecurity experts shared straightforward tips with Business Insider that can make it exponentially harder for hackers to break into your account.

There’s no reason that your password should be a single word – a “passphrase” consisting of multiple words is much safer.

If your password is one word, you’re doing it wrong – it’s time to upgrade to a multi-word “passphrase.”

Password strength is one of the most important pieces of online security. The vast majority of hacks result from phishing – the act of guessing users’ login credentials based on information gleaned from messages and online profiles – which stems from human error and is easily preventable.

Hackers are also developing increasingly sophisticated methods to track and exchange people’s passwords, making preventative action all the more crucial.

Business Insider spoke to cybersecurity experts, who outlined simple steps users can take to make sure their online accounts are secure. Here’s what they recommend.

“‘Password’ is a bit of a misnomer. What you should actually be using is a passphrase,” says Kiersten Todt, managing director of the Cyber Readiness Institute and a former cybersecurity adviser to the Obama administration.

“Make that passphrase as long and difficult as possible,” Todt added. Four words long is safe, and five is even safer.
Contrary to popular belief, it’s perfectly fine to use spaces in your password. Many major sites, like Google and Facebook, accept “space” as a valid password character.

A “passphrase” is stronger than a single password because it increases entropy, or the amount of randomness in a password, making it harder to guess.
The creators of ProtonMail, a security-minded email service, say multi-word passphrases are a solution to the problem that “we humans are bad at creating randomness, and we’re bad at remembering things.”

Unlike complex one-word passwords with lots of special characters, passphrases are easy to remember. “If your ‘secure system’ isn’t easy to use, people won’t use it, negating the security benefit,” the ProtonMail team argues.

Even when using passphrases, it’s crucial to change your password: “The people who are getting hit by hacks are the low hanging fruit who reuse the same passwords,” according to Alex Heid, chief technology officer at SecurityScoreCard.

Discovery Bank discovered a system flaw on Monday which allowed incorrect credit card card verification value (CVV) numbers to be used for online payments.

The CVV is the last three digits on the back of a bank card, and is considered critical as a last-ditch security measure against certain card fraud.

Business Insider South Africa was tipped off about the flaw, and on Monday morning was able to make payments with a random CVV code, such as 000.

  • Discovery Bank said it was alerted about the issue last week
  • The bank suffered no fraud losses due to the issue
  • The flaw has now been fixed
  • Previously, the Bank didn’t require further authorisation such as an OTP (one-time pin)
  • When Business Insider later tried to use an incorrect CVV number, a call centre agent phoned after the transaction to alert us that an incorrect CVV number had been used.

 

First National Bank (FNB) has announced that users will no longer be able to save their online banking passwords in their browsers.

Going forward, whenever a user wants to log into their account they will have to do so manually.

This forces users to keep their banking passwords secure.

“All stored passwords on your device can be viewed during a malware attack. Passwords can be easily accessed on your unattended/unlocked/stolen device,” FNB stated in a MyBroadband article.

FNB advises that users do the following to keep their passwords safe:

  • Do not share login details with anyone
  • Always use a different password for different websites. Avoid using the same one over and over
  • Report any fraudulent activity immediately to the FNB Fraud Centre: 087 575 9444
  • This change may interfere with various third-party password lockers such as LastPass

The Shoprite Group is fighting crime by investing heavily in sophisticated security and other measures to make its shopping space secure, reduce the number of criminal incidents and increase the number of arrests.

This is in the wake of the retail industry experiencing significant crime incidents in which the Shoprite Group had to contend with 489 armed robberies and burglaries in its 2018 financial year.

Its investments in crime prevention, including a centralised Command Centre and anti-crime team, give the Group the ability to monitor stores and vehicles, remotely trigger security devices, follow up on crime incidents and ensure suspects are arrested.

Through an extensive intelligence network, the Command Centre receives live information on strikes, protests and other incidents. This information can be used to react and take necessary measures to safeguard the Group’s fleet on the road as well as staff and customers in its stores.

Shoprite’s efforts to keep its customers and staff safe are reflected in a reduction of contact (violent) crime incidents and increased prosecutions. “It is a work in progress,” says Group Loss Prevention Manager, Oswald Meiring. “Incidents of violent crime and robberies are coming down, and we will continue to do everything we can to make us a harder target.”

Arrests have increased by 200% as a result of the Group increasing its capability to identify, trace and arrest suspects. Recently the Group was also able to assist with the arrest of two suspects after the manager of its Worcester branch was shot and killed in a robbery. A third suspect has been identified and arrest is imminent.

“We continue to focus on creating a safer environment for customers and staff. That is our first priority and we will go to any length to prosecute whoever is committing these crimes.”

The Group works closely with the South African Police Service (SAPS) and the National Prosecuting Authority (NPA) to effect the necessary arrests. It shares intelligence with them to ensure that bail is successfully opposed and that prosecution of criminals is successful.

In addition to tracking devices, the Group installed cameras and electronic locks on trucks which are managed from the Command Centre. Trucks can be remotely opened and closed, with alarms triggered if trucks are stationary for a certain length of time, or if unusual driving behaviour is detected. Since these devices were installed, there have been no incidents in transit on these vehicles.

It has also employed an in-house investigation team made up of experienced investigators. It has a team of Data and Crime Analysts who utilise predictive and historical analysis of all the crime data, to identify which stores or areas should be focused on. The Group has also employed an expert criminal lawyer to assist with the successful prosecution of criminals.

By James Pero for DailyMail.com

Malware that replaces victims’ legitimate apps with a malicious doppelgänger has infected 25-million devices across India, the UK and the US, say security researchers.

The virus, named ‘Agent Smith’ after a fictional character from ‘The Matrix’ who is able to make others into copies of himself, was highlighted by the security firm Check Point on Wednesday and affects users on Android devices.

Instead of stealing data, the malware covertly replaces apps inside a user’s phone with hacked versions which display ads selected by the hackers, allowing them to profit off their views.

To avoid detection, the malware — under its disguise as popular apps like WhatsApp or Flipkart — is also capable of replacing code in the original program with its own malicious version that prevents an app from being updated.

At least 15-million of the devices infected are located in India and 300,000 have been detected in the U.S. Other infections are spread across Asia as well as the U.K., and Australia.

‘The malware attacks user-installed applications silently, making it challenging for common Android users to combat such threats on their own,’ said Jonathan Shimonovich, head of Mobile Threat Detection Research at Check Point.

‘Combining advanced threat prevention and threat intelligence while adopting a ‘hygiene first’ approach to safeguard digital assets is the best protection against invasive mobile malware attacks like ‘Agent Smith’.’

A malware called ‘Agent Smith’ was found to have infected 25 million devices, mostly in India.

Malicious code was able to disguise itself as legitimate apps and take over the ads served inside those programs.

Hackers didn’t steal users’ data but were able to make money off serving up phoney ads.

Many users were unaware that they had been infected.

Code spread via third party app-store 9Apps and unsuccessfully tried to infect users in the Google Play store.

The malware is named after a fictional villain in the 1999 movie ‘The Matrix’ who was able to turn victims into copies of himself.

Researchers say Agent Smith was able to spread to devices through a third-party app store called 9Apps.

Malicious code was embedded into photo apps and sex-related apps which were then downloaded by users.

Once inside a victim’s device, the malware would disguise itself as a legitimate app and then begin replacing code.

As reported by The Verge, creators of the malware also attempted to infect users in the Google Play store through 11 apps containing bits of malicious code.

The foray was reportedly unsuccessful and Google has removed all the apps from its store.

A vulnerability in Android that allowed hackers to include their code was patched several years ago, but developers failed to patch their apps, leaving many open to attack.

To avoid being compromised by malware like Agent Smith, Check Point has some simple words of advice.

‘Users should only be downloading apps from trusted app stores to mitigate the risk of infection as third party app stores often lack the security measures required to block adware loaded apps,’ wrote researchers.

How loadshedding affects your security

By Ntwaagae Seleka for News24

Home owners and businesses have been urged to test their security systems as a matter of urgency and to pay particular attention to the battery back-up systems during load shedding periods.

“Many people are under the incorrect assumption that their home alarm system is deactivated when the power supply is interrupted. However, if you have a stable and correctly programmed system coupled with a battery that is in good condition, it will continue to protect the premises during a power outage – regardless if the outage is because of load shedding or not,” said Charnel Hattingh, national marketing and communications manager at Fidelity ADT.

The only time it may not function correctly is if there is a technical issue, or the battery power is low.

“Most modern alarm systems have a back-up battery pack that activates automatically when there is a power failure. There are a number of practical steps that can be taken to ensure security is not compromised during any power cuts.

“Some of these include ensuring that the alarm system has an adequate battery supply, that all automated gates and doors are secured and lastly to remain vigilant and report any suspicious activity to your security provider or the South African Police Service,” said Hattingh.

With the added inconvenience of the lights going out at night due to power cuts, candles and touch-lights are handy alternatives.

Home owners are also advised that it is important that their alarm systems have adequate battery supply and that batteries should be checked regularly. Alarms should be checked during extended power outages to keep systems running.

Power cuts can affect fire systems and fire control systems, so these also need to be checked regularly. The more frequent use of gas and candles can increase the risk of fire and home fire extinguishers should be on hand.

People are urged to remain vigilant during power cuts and be on the lookout for any suspicious activity and report this to their security company or the police immediately.

Hattingh said home and business owners should consider installing Light Emitting Diode (LED) technology, which is integrated into the alarm system’s wiring and automatically switches on for a maximum of 15 minutes when there is a power outage.

“If there is an additional battery pack, the small, non-intrusive LED lights can stay on for the duration of the power outage – or a maximum of 40 hours – without draining the primary alarm battery. Because of load shedding, there might also be a higher than usual number of alarm activation signals received by security companies and their monitoring centres.

“This could lead to a delay in monitoring centre agents making contact with customers. You can assist by manually cancelling any potential false alarms caused by load shedding, and thus help call centre agents in prioritising the calls needing urgent attention,” said Hattingh.


My Office News Ⓒ 2017 - Designed by A Collective

