Privacy and security / September 22, 2020

Is it time for a digital hygiene check up?

Nimmi Kanji

Director - Social Purpose Programs, For Good and TELUS Wise

On August 15, 2020, the Canada Revenue Agency (CRA) experienced a serious security breach that affected 5,500 accounts. The Government worked quickly to address the vulnerability, inform people whose accounts were affected and restore service to Canadians. But what can this attack, and ones like it, teach us about digital hygiene?

A case of credential stuffing

After some investigation, CRA security authorities discovered credential stuffing was the source of the attack. Wired explains how credential stuffing works: “Attackers take a massive trove of usernames and passwords (often from a corporate mega-breach – think LinkedIn and Dropbox in 2012) and try to "stuff" those credentials into the login page of other digital services.”

Essentially, hackers program their bots with compromised login credentials bought on the dark web and try their luck. The bots attempt logins on various websites and digital accounts. In the case of the CRA breach, hackers hit the jackpot 5,500 times. But why does it work?

Unfortunately, average Internet users unknowingly help because they reuse the same passwords across multiple sites and online accounts. Even though it’s safer to use unique and strong passwords, many people don’t want the hassle of managing and remembering them for each site. Despite the known danger, password reuse remains a popular practice.

If password reuse isn’t dangerous enough, most of the time, those passwords are weak as well. That just makes it easier for hackers. Forbes ranked the world’s top 100 worst passwords, based on research done by NordPass, a password manager. NordPass used 500 million passwords leaked in data breaches in 2019 and ranked them in order of usage. Shockingly, the top three are 12345, 123456 and 123456789!

How can you protect yourself?

Protection lies in the basics of digital hygiene. The Government of Canada’s Canadian Centre for Cyber Security has created a five-step process to help you protect yourself from COVID-19 scams, but these five steps can apply to everyday security and protection as well.

The five steps include:

  1. Practicing good password etiquette including strong passwords
  2. Understanding how to spot phishing attempts
  3. Securing social media and other accounts with as many protections as possible
  4. Keeping devices up to date
  5. Storing data securely

In addition to your own diligence, there are two key solutions that can help you protect your safety online.

Multi-factor authentication (also known as two-factor authentication) offers a second way for you to verify yourself on a digital account. Typically, you use two out of three options – a password, a numeric code sent to your device or a fingerprint. This PC Mag article explains two-factor authentication and provides instructions on how to set it up on commonly used sites and apps.

A password manager is a great way to create strong, secure passwords, remember them and access them when you need them. Instead of memorizing passwords or writing them down, you can keep your logins under lock and key, making you less vulnerable to password-based attacks. This Wired article highlights recommended password manager options for PC, Mac, Android, iPhone and web browsers.

The CRA attack and ones like it reinforce the importance of digital hygiene and password etiquette. While securing your digital accounts is a combined responsibility between you and the site or application you are using, unique and strong passwords are critical. Do an audit of your passwords, and change any that are weak or reused. This simple action can go a long way in protecting your digital accounts.
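The password audit suggested above can be run against a password manager export. The script below is an added example, not part of the original article: the CSV column names, the sample rows and the 12-character minimum are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# The three most-used leaked passwords named in the article.
COMMON_PASSWORDS = {"12345", "123456", "123456789"}
MIN_LENGTH = 12  # assumed threshold for this example, not from the article

# Constructed sample export (site, username, password); not real accounts.
SAMPLE_EXPORT = """site,username,password
bank.example,alex,123456
mail.example,alex,Tr4il-Mix!Canoe-88
shop.example,alex,Tr4il-Mix!Canoe-88
forum.example,alex,maple7
tax.example,alex,k9$Vw-puddle-Orbit-31
"""

def weakness(password):
    """Return a reason the password is weak, or None if no rule fires."""
    if password in COMMON_PASSWORDS:
        return "on the most-used list"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password.isdigit() or password.isalpha():
        return "only digits or only letters"
    return None

def audit(export_text):
    """Map each site to the list of problems found for its password."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    sites_by_password = defaultdict(list)
    for row in rows:
        sites_by_password[row["password"]].append(row["site"])
    findings = {}
    for row in rows:
        problems = []
        reason = weakness(row["password"])
        if reason:
            problems.append("weak: " + reason)
        others = [s for s in sites_by_password[row["password"]] if s != row["site"]]
        if others:
            problems.append("reused on: " + ", ".join(others))
        if problems:
            findings[row["site"]] = problems
    return findings

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_EXPORT).items():
        print(site, "->", "; ".join(problems))
```

The report names sites and problems only, never the passwords themselves; delete the plaintext export file once the audit is done.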

For more tips to help protect your privacy online visit telus.com/wise.

Tags:
Frauds & scams
Safe digital habits
Identity theft