IMAGE: ARCHI BANAL

Overdue to be ‘pwned’? Here’s how to keep hackers out of your online accounts

New data shows hundreds of New Zealanders have been victims of recent cyber attacks. In the latest instalment of IRL, Dylan Reeve explores how you can avoid becoming one of them. 

After a balmy day lounging with her husband on a secluded Portuguese beach during a three week holiday in 2019, Sharon, an Auckland office manager in her early 60s, returned to her hotel room to discover dozens of new emails on her phone. The messages were replies to emails Sharon was certain she hadn’t sent, all in Russian. She began to panic. 

“I thought, ‘If they have got into my phone, and are able to send emails, what on earth else have they got?’” Sharon said. “It wasn’t like we had millions stashed away or anything, but I felt quite vulnerable being away from home.” 

Sharon didn’t know what to do – she was miles from New Zealand, wasn’t exactly a computer whizz, and had never encountered a situation like this. So she did the one thing that felt safest: “I turned my phone off.”

Sharon’s experience isn’t uncommon: new data released last week by CERT NZ, the government’s Computer Emergency Response Team, revealed that hundreds of New Zealanders were the victims of cyber attacks over a three month period this year – per the online lingo, they were pwned. CERT NZ has seen a steady rise in incident reports in the four years it’s been around, partly because people are becoming aware of the organisation’s work but also because more New Zealanders are falling victim to cyber criminals.

“We suspect it’s still only a small part of the bigger picture,” said CERT NZ director Rob Pope. “It’s an upward trend.”

A large part of the problem, according to Erica Anderson, chief operating officer of security consultancy SafeStack and self-described security nerd, is that “you can’t do anything nowadays without having some type of online account”. Today, many New Zealanders begrudgingly comply as their supermarkets, hairdressers, TV channels and even news outlets pester them to create yet another login.

But with so much personal information online, New Zealanders are putting themselves at risk of security breaches. Even a seemingly inconsequential account takeover – a supermarket loyalty card, say – can lead hackers to more important email, social media or even banking accounts. In the worst cases, information gained from user profiles may even be used to conduct identity theft, as an unlucky electronics developer from Lower Hutt recently discovered

Our geographic isolation is no protection, either. “When you’re online, no one cares that you live on a small island in the middle of the ocean,” Anderson said. “They’re just looking for whatever accounts they can get into.”

Research released this month by Google showed that almost 70% of New Zealanders are taking a “she’ll be right” attitude to their online security and failing to take the steps they should in order to protect themselves online. But the good news is these lax security habits are easy enough to rectify. 

For most regular punters, the first place to start is by improving password hygiene. Internet users quickly stack up dozens or even hundreds of online accounts without blinking an eye, but most aren’t using unique passwords for every site. Many use just a small handful, often a variation of a pet’s name (fluffycat14) or whatever was on their desk eight years ago when they signed up (gr33npen).

The ideal situation is one password per website, because hackers engage in “credential stuffing” on the (often correct) assumption that internet denizens use the same password in multiple places. Like the school caretaker trying every key on the giant key ring until the padlock finally opens, credential stuffing involves hackers using lists of usernames and passwords stolen from one site to try logging into many others, as thousands of Disney+ users found out the hard way a couple of years ago

THE WEBSITE HAVEIBEENPWNED.COM LETS INTERNET USERS TRACK POTENTIAL PASSWORD LEAKS.

Back in Aotearoa in 2019, Sharon’s son David – an IT professional with years of experience dealing with unwanted invaders on business computers – was alerted to the possibility she was facing down hackers on her holiday.  When he received “some random emails” purportedly from Sharon “that were clearly not from her,” he sprung into action: “I messaged her and let her know what was going on.”

He soon clocked what had happened. Hackers had accessed Sharon’s email using a password stolen from another site, and were sending malicious links to hundreds of email addresses in the hopes of tricking recipients into giving up their login details.

David believes the root of the problem was a hack into Dropbox a few years earlier, where over 68 million accounts were compromised – including his mum’s. “I must admit that password, I’d used it for a few things,” Sharon said, “but I didn’t know Dropbox had been compromised.” 

Keeping New Zealanders safe on the internet is a core role for CERT NZ. “People, through our advice and steps, are able to take more proactive action to look after themselves,” said Pope. And chief among CERT’s recommendations is to use a password manager.

It might sound counterintuitive, but it’s usually better not to know or remember passwords, as it’s too easy to fall into familiar bad habits (remember “fluffycat14”?). Instead, it’s better to have long passwords that are very random, and a password manager makes this practical by using a single master password, or a “passphrase”. This is the “final boss” of passwords, so it’s important that it be even longer than usual. Very long. Like, really, really long. 

“I tend to recommend a phrase from a book or a phrase from a poem,” suggested Anderson. “Just like, a long sentence that really sticks with you.”

Handily, the Google Chrome and Microsoft Edge browsers that most people already use have these capabilities built in, as do Apple’s devices. The downside, though, is these systems can be hard to access for non-website uses, or on other devices. 

A popular alternative is a third-party password manager, such as LogMeOnce, LastPass, Dashlane and 1Password. These apps securely store and manage passwords online under lock and key, like very security-conscious digital librarians. Then the apps can be incorporated into a web browser or installed on other devices such as smartphones and tablets.

With a password manager in place, it’s simple to generate a unique password per website and level up from “fluffycat14” to “d@R_qGJ8GiEZa9KxbYgv” (passwords that look like that time Fluffy the cat jumped on the keyboard while chasing a moth are the strongest.)

For those who stubbornly insist on remembering passwords, one way to improve security is by “salting” a strong and long base password, ie tweaking it each time with a predictable and memorable modification. For example, if your rule is that the first and third letter of the website in question be added into the base password’s second-to-last and first position respectively, the base password “password” – never, ever use this, by the way – would become “ipassworTd” when used for Twitter. Clear as mud?

It’s important to note, though, that salting isn’t as secure as using truly random passwords and a password manager. If an attacker acquired copies of passwords from multiple websites, they might be able to crack the salting formula – especially if it’s as transparent as “ipassworTd”. 

A second key area of vulnerability for New Zealanders online is the failure to use two-factor or multi-factor authentication. Google’s data shows that fewer than 1 in 10 New Zealanders are using this tool widely, but that’s a real mistake, as it provides crucial additional security.

“It’s like putting a second lock on your house,” said Pope. “So apart from a key lock, you might have a deadlock as well. Even if attackers get into the first layer, there’s a second layer.”

Still not sure what that means? Well, a password is a single factor, “something you know”. Adding “something you have” – like a device known to be controlled by the user – is a second factor, and some systems add a third by requiring biometric data such as a fingerprint, ie “something you are”. This stuff can sound more like it belongs in Mr Robot than the day-to-day lives of everyday New Zealanders, but Pope disagrees. 

In terms of setting up two-factor authentication, while many websites can be configured to send a text message to confirm new logins, often this isn’t ideal due to SMS delays and the periodic switching up of phone numbers. A better option is an authenticator app like Authy that runs on a phone or computer and generates a new six-digit code every 30 seconds. The app and the website share a secret code between them so they’re always thinking of the same number, meaning the website has peace of mind about who exactly is trying to get in.

IMAGE: ARCHI BANAL

Voila! With these two key steps – using unique passwords, and adding multi-factor authentication to key accounts – New Zealanders can dramatically reduce their risk of falling victim to cyber criminals. 

But what about keeping everyone’s actual devices and computers safe? Anderson’s advice is to trust the manufacturers. “Just use automatic [operating system] updates,” she said. Rest assured modern operating systems and mobile devices are being updated pretty often, and security is a key component.

A final word of warning from CERT NZ is to be scrupulous about information shared online. “A recent example is a Facebook post, ‘What’s your celebrity name?’ – you enter your first pet’s name and street name,” Pope explained. “It seems like a fun thing, but it’s a way that attackers are gathering personal information.”

For anyone who ends up in hot water or detects something suspicious, Anderson suggests phoning a friend, just as Sharon did to David. “Knowing who to call when something just seems kind of off or wrong, is helpful,” she said. “Maybe you have kids who are a bit tech savvy or a friend who works in IT.” If there are no friendly geeks readily accessible, all New Zealanders can reach out directly to CERT NZ

In the end, Sharon got lucky in Portugal: David thwarted the plans of the Russian hackers by wresting her email account back with a swift password change before they could do any lasting damage. (Also, in an ironic twist, we now know the Dropbox breach that first exposed Sharon’s password was the result of password reuse by a Dropbox employee, highlighting just how common these bad habits are.)

Sharon learned her lesson about online security the hard way, and knows things could have been much worse without David’s intervention: “I think it made me aware that I had to be more prepared than I had been,” she concluded. Sharon probably won’t have another run-in with Russian hackers anytime soon, thanks to her newly beefed-up security habits. But the thousands of New Zealanders reusing “fluffycat14” on website after website may not be so fortunate. 

Get in touch with us at irl@thespinoff.co.nz. 




The Spinoff is made possible by the generous support of the following organisations.
Please help us by supporting them.