Cyber security matters - #14 Preventing credential compromise
Posted on behalf of: Transforming Sussex
Last updated: Friday, 25 April 2025

As part of our Cyber Security awareness campaign, we’re covering a new topic each month to help boost your knowledge and keep you and the University safe and secure.
This month we discuss ‘credential compromise’ and how you can stop it happening to you.
What is credential compromise?
Credential compromise is the theft or unauthorised use of user credentials like usernames and passwords or access tokens.
Credentials are used as a security measure for all manner of accounts, apps and systems, and whilst they’re a great first step to staying secure, they are not infallible.
Once cyber criminals have your credentials (through various means we’ll discuss), they can access things like your data and money and then lock you out of your accounts for good measure.
So how do attackers get hold of my credentials?
There are many ways that your credentials could end up in the wrong hands – we’ve listed five of the most common below:
- Phishing: Criminals trick you into sharing your credentials using bogus emails, websites or texts.
- Credential stuffing: Automated tools test stolen credentials across various apps and accounts (particularly dangerous if you reuse your login details).
- Malware: Malicious software such as keyloggers can record login details as you type, giving your credentials directly to the cybercriminal.
- Social engineering: Criminals impersonate trusted contacts and manipulate victims into sharing credentials (often creating a sense of urgency).
- Brute force attacks: Automated systems systematically test every combination of letters, numbers and symbols to crack your password.
A real-life example
Earlier this month the BBC reported on a Sussex-based social media star who had her credentials compromised by fraudsters impersonating legitimate business contacts.
The victim was asked to share the credentials for her Meta Business Suite - supposedly to allow the contacts to find and book a slot with her for a podcast.
When the day of recording passed without further contact, it became clear that the contacts were in fact fraudsters who now had access to the victim’s accounts.
Commenting on the case, social media consultant Gareth Cairns said:
"The consequences of them getting access to your Facebook page is that they could take down your page, and maybe change the name of your page to show something else, to push out their message to your followers.
"What they can do in some cases is possibly blackmail people as well, and try and gain money off them to get access back to their page."
Source: BBC
What can I do to keep myself safe?
Check out our five top tips below to keep yourself safe from credential compromise.
- Use strong and unique passwords - Make sure your passwords are complex (mixing upper and lower-case letters with numbers and symbols) and use a different one for each account you use. Don’t use anything predictable like your pet’s name or child’s birthday. You can use a password management tool to keep your passwords safe.
- Look out for phishing attacks – Stay vigilant: cybercriminals are using increasingly sophisticated fake emails, websites and messages to trick you into sharing your credentials. Be cautious of unexpected communications and always check links before clicking on them.
- Use multi-factor authentication – Whenever you can, use multi-factor authentication (MFA) to protect yourself at work or at home. MFA gives you an extra layer of security by asking for a second type of verification, like a code sent to your phone.
- Check login history – Check the login history for your accounts regularly. If you notice any activity you don’t recognise, change your password immediately.
- Update your devices and software – Update your operating system, apps, and antivirus software regularly to stop cyber criminals exploiting vulnerabilities to steal your credentials.
How to learn more
Each month, we’re releasing a matching bitesize training via Proofpoint, our online learning platform, which is emailed to you. This month’s training arrived in your inbox on Tuesday 15 April and you have until Friday 16 May to complete it.