Say Hello to Crazy Thin ‘Deep Insert’ ATM Skimmers

A number of financial institutions in and around New York City are dealing with a rash of super-thin “deep insert” skimming devices designed to fit inside the mouth of an ATM’s card acceptance slot. The card skimmers are paired with tiny pinhole cameras that are cleverly disguised as part of the cash machine. Here’s a look at some of the more sophisticated deep insert skimmer technology that fraud investigators have recently found in the wild.

This ultra thin and flexible “deep insert” skimmer recently recovered from an NCR cash machine in New York is about half the height of a U.S. dime. The large yellow rectangle is a battery. Image: KrebsOnSecurity.com.

The insert skimmer pictured above is approximately .68 millimeters tall. This leaves more than enough space to accommodate most payment cards (~.54 mm) without interrupting the machine’s ability to grab and return the customer’s card. For comparison, this flexible skimmer is about half the height of a U.S. dime (1.35 mm).

These skimmers do not attempt to siphon chip-card data or transactions, but rather are after the cardholder data still stored in plain text on the magnetic stripe on the back of most payment cards issued to Americans.

Here’s what the other side of that insert skimmer looks like:

The other side of the deep insert skimmer. Image: KrebsOnSecurity.com.

The thieves who designed this skimmer were after the magnetic stripe data and the customer’s 4-digit personal identification number (PIN). With those two pieces of data, the crooks can then clone payment cards and use them to siphon money from victim accounts at other ATMs.

To steal PINs, the fraudsters in this case embedded pinhole cameras in a false panel made to fit snugly over the cash machine enclosure on one side of the PIN pad.

Pinhole cameras were hidden in these false side panels glued to one side of the ATM, and angled toward the PIN pad. Image: KrebsOnSecurity.com.

The skimming devices pictured above were pulled from a brand of ATMs made by NCR called the NCR SelfServ 84 Walk-Up. In January 2022, NCR produced a report on motorized deep insert skimmers, which offers a closer look at other insert skimmers found targeting this same line of ATMs.

Here are some variations on deep insert skimmers NCR found in recent investigations:

Image: NCR.

Image: NCR.

The NCR report included additional photos that show how fake ATM side panels with the hidden cameras are carefully crafted to slip over top of the real ATM side panels.

Image: NCR.

Sometimes the skimmer thieves embed their pinhole spy cameras in fake panels directly above the PIN pad, as in these recent attacks targeting a similar NCR model:

Image: NCR.

In the image below, the thieves hid their pinhole camera in a “consumer awareness mirror” placed directly above an ATM retrofitted with an insert skimmer:

Image: NCR.

The financial institution that shared the images above said it has seen success in stopping most of these insert skimmer attacks by incorporating a solution that NCR sells called an “insert kit,” which it said stops current insert skimmer designs. NCR also is conducting field trials on a “smart detect kit” that adds a standard USB camera to view the internal card reader area, and uses image recognition software to identify any fraudulent device inside the reader.

Skimming devices will continue to mature in miniaturization and stealth as long as payment cards continue to hold cardholder data in plain text on a magnetic stripe. It may seem silly that we’ve spent years rolling out more tamper- and clone-proof chip-based payment cards, only to undermine this advance in the name of backwards compatibility. However, there are a great many smaller businesses in the United States that still rely on being able to swipe the customer’s card.

Many newer ATM models, including the NCR SelfServ referenced throughout this post, now include contactless capability, meaning customers no longer need to insert their ATM card anywhere: They can instead just tap their smart card against the wireless indicator to the left of the card acceptance slot (and right below the “Use Mobile Device Here” sign on the ATM).

For simple ease-of-use reasons, this contactless feature is now increasingly prevalent at drive-thru ATMs. If your payment card supports contactless technology, you will notice a wireless signal icon printed somewhere on the card — most likely on the back. ATMs with contactless capabilities also feature this same wireless icon.

Once you become aware of ATM skimmers, it’s difficult to use a cash machine without also tugging on parts of it to make sure nothing comes off. But the truth is you probably have a better chance of getting physically mugged after withdrawing cash than you do encountering a skimmer in real life.

So keep your wits about you when you’re at the ATM, and avoid dodgy-looking and standalone cash machines in low-lit areas, if possible. When possible, stick to ATMs that are physically installed at a bank. And be especially vigilant when withdrawing cash on the weekends; thieves tend to install skimming devices on Saturdays after business hours — when they know the bank won’t be open again for more than 24 hours.

Lastly, but most importantly, covering the PIN pad with your hand defeats one key component of most skimmer scams: the spy camera that thieves typically hide somewhere on or near the compromised ATM to capture customers entering their PINs.

Shockingly, few people bother to take this simple, effective step. Or at least, that’s what KrebsOnSecurity found in this skimmer tale from 2012, wherein we obtained hours worth of video seized from two ATM skimming operations and saw customer after customer walk up, insert their cards and punch in their digits — all in the clear.

Source: https://krebsonsecurity.com/2022/09/say-hello-to-crazy-thin-deep-insert-atm-skimmers/

SURVEILLANCE SELF-DEFENSE

TIPS, TOOLS AND HOW-TOS FOR SAFER ONLINE COMMUNICATIONS

A PROJECT OF THE ELECTRONIC FRONTIER FOUNDATION

We’re the Electronic Frontier Foundation, an independent non-profit working to protect online privacy for nearly thirty years. This is Surveillance Self-Defense: our expert guide to protecting you and your friends from online spying.

Read the BASICS to find out how online surveillance works. Dive into our TOOL GUIDES for instructions for installing our pick of the best, most secure applications. We have more detailed information in our FURTHER LEARNING sections. If you’d like a guided tour, look for our list of common SECURITY SCENARIOS.

Source: https://ssd.eff.org/en

What Do Those Pesky ‘Cookie Preferences’ Pop-Ups Really Mean?

We asked the engineer who invented cookies what they mean and how to handle them.

YOU ARE NOT the only person irritated by those pesky cookie permissions boxes. If you click “Accept” by rote, you have no idea what you’re agreeing to. Or perhaps you don’t care? Many users think they have to accept all cookies to access the website, but that’s not always the case. Another option is to manage your cookies, but what does that even mean?

To find out, we spoke to Lou Montulli, the engineer who invented cookies at age 23.

“I’m just like everybody else,” says Montulli. “I want that pop-up to go away as soon as possible. The idea of asking people about permissions every single time they go to a website is annoying.”

Every website you visit places cookies on your browser. The purpose of the cookie is to allow a website to recognize a browser. That’s why you can return to a site and be recognized, even if you don’t always log in. It’s why the stuff in your shopping cart is still there the next day, or that article remembers where you stopped reading. You don’t have to “introduce” yourself every time you visit a site, but is the convenience worth it?

With Montulli’s help, here are some of the most frequently used terms those annoying permissions boxes are asking you about, and what you might want to choose when you see them.

Common Terms

First, let’s explain what some of the types of cookies you’ll see really do:

  • Session Cookies are temporary. These aren’t saved when you quit your browser.
  • Persistent Cookies will stay on your hard drive until you delete them, or your browser does. These have an expiration date written into their code. That expiration date varies depending on the site or service that issued them and is chosen by the website that places them on your browser.
  • First-Party Cookies are those placed directly onto your device by the website you’re visiting.
  • Third-Party Cookies are placed on your device but not by the website you’re on, aka the first party. Instead, they’re put onto your device by advertisers, data partners, or any analytics tools that track visitors (usually at the request of that first party; think Google Analytics on your favorite tech magazine’s website, for example).
  • Strictly Necessary Cookies allow you to view a website’s content and use its features.
  • Preference Cookies, aka Functionality Cookies, allow a website to remember data you typed: for example, your user ID, password, delivery address, email, phone, and preferred method of payment.
  • Statistics Cookies, aka Performance Cookies, record how you used a website. Although these see links clicked and pages visited, your identity is not attached to these stats. These can include cookies from a third party. So if a website uses an analytics system from a third party to track what visitors do on that first-party website, it only divulges that tracking info to the website that hired the third party for analytics.
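The distinctions in the list above (session vs. persistent, first-party vs. third-party) are decided by concrete fields in the `Set-Cookie` header and by whose domain is setting the cookie. As an added example, not code from the WIRED article or from Montulli, here is a small Python classifier that applies those definitions to constructed sample headers. The "site" rule (last two DNS labels) is a deliberate simplification: real browsers consult the Public Suffix List.

```python
"""Classify Set-Cookie headers by the cookie-consent terms: session vs
persistent, first-party vs third-party, plus the security flags.

Added example, standard library only. site_of() approximates a
registrable domain with the last two DNS labels (an assumption; browsers
use the Public Suffix List). Sample headers below are constructed.
"""
from urllib.parse import urlparse


def site_of(host):
    """Registrable-domain approximation: last two labels of the host."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into name, value and a dict of
    lower-cased attribute names (flags such as Secure map to '')."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def classify_cookie(header, page_url, response_url):
    """Return a dict describing one cookie set by a response to response_url
    while the user is viewing page_url."""
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]

    # Session vs persistent: only a Max-Age or Expires attribute makes a
    # cookie outlive the browser session. Max-Age wins when both appear.
    persistent = "max-age" in attrs or "expires" in attrs
    lifetime = None
    if "max-age" in attrs:
        lifetime = int(attrs["max-age"])  # seconds from now
    elif "expires" in attrs:
        lifetime = attrs["expires"]       # absolute date string

    # First vs third party: compare the site of the page the user is on
    # with the site of the server that sent the Set-Cookie header.
    page_site = site_of(urlparse(page_url).hostname)
    setter_site = site_of(urlparse(response_url).hostname)
    party = "first-party" if page_site == setter_site else "third-party"

    return {
        "name": cookie["name"],
        "party": party,
        "persistent": persistent,
        "lifetime": lifetime,
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
        "samesite": attrs.get("samesite", "unspecified"),
    }


# Constructed sample: a shop page whose HTML came from the shop itself and
# whose analytics beacon came from a separate analytics domain.
PAGE_URL = "https://shop.example.com/cart"
SAMPLE_RESPONSES = [
    ("https://shop.example.com/cart",
     "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://www.example-analytics.net/collect",
     "_ga=GA1.2.42; Max-Age=63072000; Domain=.example-analytics.net; Secure"),
]


def audit_page(page_url=PAGE_URL, responses=SAMPLE_RESPONSES):
    """Classify every cookie set while loading one page."""
    return [classify_cookie(h, page_url, url) for url, h in responses]


if __name__ == "__main__":
    for entry in audit_page():
        print(entry)
```

Running it stand-alone prints one line per cookie; the session cookie comes out first-party and non-persistent, while the analytics cookie is third-party with a two-year `Max-Age`, which is exactly the pairing the consent boxes ask you to accept or refuse.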

What Am I Supposed to Choose? Does It Matter?

Montulli refers to the pop-up permissions box as “a really silly idea.” His preference would be a much more efficient and technical solution. For example, a user could choose their cookie preferences once in their browser, and every website they visit would honor that choice, similar to the design of Do Not Track. Montulli explained it like this: “Say I want to accept one type of cookie, but not that other cookie, or those cookies, any website could just ask the browser once what any user’s preferences are.” One and done.

That would be better, but what happens when you click “Accept All”—aside from thoughts like, Why does every website keep asking me these questions?

What many people (especially Americans) may not know is that in 2018, the European Union (EU) passed the General Data Protection Regulation (GDPR). And even if they have heard of it, they may not know enough to understand that this law is partially why cookie permission boxes are becoming more prevalent.

As part of GDPR, companies based outside Europe can be hit with enormous fines if they track and analyze EU visitors to their website. In other words, say your company resides in New York, but that company has European visitors and customers, or collects their data. If that’s the case, they can be penalized to the tune of tens of millions in fines if they don’t disclose their data collection and obtain the user’s consent.

Understandably, American companies want to avoid huge fines, which is why US users are seeing more and more of these permission boxes.

The boxes are designed to offer users more control over their data, as the EU law was put into place to protect all data belonging to EU citizens and residents. The confusion within the US market exists because the country doesn’t have similar laws to protect the privacy of its citizens.

In February 2022, Saryu Nayyar wrote a piece for Forbes that asks if it’s time for a US version of GDPR. Nayyar wrote that the point of such a law would be “gaining explicit consent for collecting data and deleting data if consent is withdrawn.” That sounds like an awesome idea, but after consulting Montulli, the privacy plot thickens.

Personally, I find it impossible to separate cookies and privacy online. I asked Montulli if it’s true that everything on the internet stays on the internet.

“No,” he says. That’s because information on the internet is detached from your current online presence. The purpose of the cookie is to allow a website to know when the same browser returns. The cookie may contain additional pieces of information. “But the predominant use of it is to pass an ID to your browser as an identifier,” he says.

Source: https://www.wired.com/story/what-do-cookie-preferences-pop-ups-mean/

Google, like Amazon, may let police see your video without a warrant

Arlo, Apple, Wyze, and Anker, owner of Eufy, all confirmed to CNET that they won’t give authorities access to your smart home camera’s footage unless they’re shown a warrant or court order. If you’re wondering why they’re specifying that, it’s because we’ve now learned Google and Amazon can do just the opposite: they’ll allow police to get this data without a warrant if police claim there’s been an emergency. And while Google says that it hasn’t used this power, Amazon’s admitted to doing it almost a dozen times this year.

Earlier this month my colleague Sean Hollister wrote about how Amazon, the company behind the smart doorbells and security systems, will indeed give police that warrantless access to customers’ footage in those “emergency” situations. And as CNET now points out, Google’s privacy policy has a similar carveout as Amazon’s, meaning law enforcement can access data from its Nest products — or theoretically any other data you store with Google — without a warrant.

Google and Amazon’s information request policies for the US say that in most cases, authorities will have to present a warrant, subpoena, or similar court order before they’ll hand over data. This much is true for Apple, Arlo, Anker, and Wyze too — they’d be breaking the law if they didn’t. Unlike those companies, though, Google and Amazon will make exceptions if law enforcement submits an emergency request for data.

While their policies may be similar, it appears that the two companies comply with these kinds of requests at drastically different rates. Earlier this month, Amazon disclosed that it had already fulfilled 11 such requests this year. In an email, Google spokesperson Kimberly Taylor told The Verge that the company has never turned over Nest data during an ongoing emergency. Taylor says:

If there is an ongoing emergency where getting Nest data would be critical to addressing the problem, we are, per the TOS, allowed to send that data to authorities. To date, we have never done this, [emphasis theirs] but it’s important that we reserve the right to do so.

Here’s what Google’s information request policy has to say about “requests for information in emergencies:”

If we reasonably believe that we can prevent someone from dying or from suffering serious physical harm, we may provide information to a government agency — for example, in the case of bomb threats, school shootings, kidnappings, suicide prevention, and missing persons cases. We still consider these requests in light of applicable laws and our policies.

Taylor also says that Google takes emergency disclosure requests “very seriously, and have dedicated teams and strict policies in place that are designed to ensure that we provide information that can assist first responders in the event of an emergency while ensuring that we only disclose data that is reasonably necessary to avert an ongoing threat.”

Fulfilling emergency requests is legally allowed, but not mandated

An unnamed Nest spokesperson did tell CNET that the company tries to give its users notice when it provides their data under these circumstances (though it does say that in emergency cases that notice may not come unless Google hears that “the emergency has passed”). Amazon, on the other hand, declined to tell either The Verge or CNET whether it would even let its users know that it let police access their videos.

Legally speaking, a company is allowed to share this kind of data with police if it believes there’s an emergency, but the laws we’ve seen don’t force companies to share. Perhaps that’s why Arlo is pushing back against Amazon and Google’s practices and suggesting that police should get a warrant if the situation really is an emergency.

“If a situation is urgent enough for law enforcement to request a warrantless search of Arlo’s property then this situation also should be urgent enough for law enforcement or a prosecuting attorney to instead request an immediate hearing from a judge for issuance of a warrant to promptly serve on Arlo,” the company told CNET. Amazon told CNET that it does deny some emergency requests “when we believe that law enforcement can swiftly obtain and serve us with such a demand.”

Apple and Anker’s Eufy, meanwhile, claim that even they don’t have access to users’ video, thanks to the fact that their systems use end-to-end encryption by default. Despite all the partnerships Ring has with police, you can turn on end-to-end encryption for some of its products, though there are a lot of caveats. For one, the feature doesn’t work with its battery-operated cameras, which are, you know, pretty much the thing everybody thinks of when they think of Ring. It’s also not on by default, and you have to give up a few features to use it, like using Alexa greetings, or viewing Ring videos on your computer. Google, meanwhile, doesn’t offer end-to-end encryption on its Nest Cams last we checked.

It’s worth stating the obvious: Arlo, Apple, Wyze, and Eufy’s policies around emergency requests from law enforcement don’t necessarily mean these companies are keeping your data safe in other ways. Last year, Anker apologized after hundreds of Eufy customers had their cameras’ feeds exposed to strangers, and it recently came to light that Wyze failed to alert its customers to gaping security flaws in some of its cameras that it had known about for years. And while Apple may not have a way to share your HomeKit Secure Video footage, it does comply with other emergency data requests from law enforcement — as evidenced by reports that it, and other companies like Meta, shared customer information with hackers sending in phony emergency requests.

Source: https://www.theverge.com/2022/7/26/23279562/arlo-apple-wyze-eufy-google-ring-security-camera-foortage-warrant

Why Cybercrime is like Trout Fishing

“Why push on a locked door when there’s an open window?”

As any seasoned fly angler knows, trout are highly selective, continuous feeders whose entire survival strategy centers on conserving energy, remaining close to a safe holding place, and gaining maximum protein intake with minimal movement. To fool the wily trout, fly anglers have developed a practice called “matching the hatch”: presenting an artificial fly that most resembles what the trout are currently feeding on and getting it close to where a feeding trout is holding. And often, with the right presentation, the trout is fooled and hooked.

So what does fly fishing have to do with cyber security?

In many ways, cyber criminals behave exactly like seasoned fly anglers. Rarely do they waste time, energy and resources bombarding a company’s firewall. Or in the case of fly fishing, randomly cast using any fly pattern available. And as cybercrime becomes more sophisticated and controlled by criminal gangs and nation states, they favor a targeted approach. Cybercriminals today look for the easiest and quickest way through a company’s security defenses, often focusing on individual employees using an approach called social engineering.

Cybercriminals, like fly anglers, look for the easiest way to fool their target. And in today’s disrupted business world that seems to be employees working from home, where in most cases the home environment is far less secure than the office IT environment. They also, like a fly angler matching the hatch, impersonate senior executives demanding that a lower-level employee (for example, from the finance department) wire money immediately to a (fake) client account. All too often the employee, when receiving an urgent email from a named senior executive, complies.

The savvy trout angler spends a great deal of time understanding the trout species they are targeting, the river environment, the types of insect life and potential food sources, most active feeding times etc. They even visit nearby fly shops and talk with knowledgeable fishing guides for specific information. They build a knowledge base used to match the hatch and fool the trout.

In a similar way, a cybercriminal spends a great amount of time researching the company they are targeting. They scour LinkedIn profiles, search company websites for the names and titles of employees, gather information about employees on Facebook, Tinder, Instagram, Snapchat and other social media platforms. Recently they have begun to telephone employees at home pretending to be a legitimate research company, even offering cash for answering survey questions. In many cases, employee emails and other confidential information can be purchased from other criminal groups on the Dark Net. Using all this information they put together a list of potential employees to target with phishing emails and social engineering.

Trout anglers know that older and larger trout are more “educated” in telling real food from an angler’s imitation. Older trout have probably seen numerous presentations from lots of different anglers and learned to be wary and highly selective. Also, the clearer the water, the more wary trout are in general, to protect themselves from predators. Smaller, younger trout have yet to learn and are easier to fool.

Cybercriminals know that new employees are easier to fool as well. This is especially true when cyber security training is minimal and there is little peer to peer education about what to watch out for when it comes to email phishing and social engineering. And working from home has in most cases reduced the amount of team learning and peer to peer interactions, which provide a safe place for new employees to ask questions and seek advice. In many training classes few employees want to be singled out for asking “naïve” questions.

A Human Approach to Mitigating Cybercrime

To blunt the growing impact of cybercrime, companies need to focus more on the human aspect of cyber security. In most organizations, 98% of the cyber security budget is spent on technology and less than 2% on employees. Yet 88% of cyber breaches are the result of human error, poor cyber hygiene, mismanagement, and insider actions. Just 12% of breaches are due to technology failures. And 61% of cyber victims fail to report the incident. 

The analogy between fly fishing and cybercrime offers many opportunities for companies to improve their cyber security. For example, clarity of water in a trout stream is easily equated with open transparency and cross-functional communications in the corporate world. Learning from others, on-going communications about attempted cyberattacks and successful breaches allows everyone to learn quickly and become more aware and accountable. Having the IT department help secure the home technology and internet environment of senior executives, Board Directors and other high value targets helps prevent breaches and high-value-employee data mining by cyber criminals. Adding additional support for the cyber security and IT team to improve and keep on top of cyber hygiene, patches and software upgrades can go a long way in mitigating cyber risks.

Cyber security is the number one threat to businesses and organizations everywhere. Between 2020 and 2021, ransomware attacks increased by 60%, with the average ransomware payment approaching $4.5 million (IBM). And that’s just the payment to the hackers. The cost of downtime, lost revenue, reputational damage and decline in market value is nearly 10 times the ransom payment.

It is past time senior leaders prioritize the human firewall. Otherwise cybercrime will continue to grow and pose an ever growing threat to our global economy and way of life.

Source: https://www.linkedin.com/pulse/why-cybercrime-like-trout-fishing-john-r-childress/?trk=public_post

Patch Now: The WordPress 6.0.3 Security Update Contains Important Fixes

The WordPress 6.0.3 Security Update contains patches for a large number of vulnerabilities, most of which are low in severity or require a highly privileged user account or additional vulnerable code in order to exploit.

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

The Wordfence Firewall which ProtectYourWP installs on all our clients’ sites provides protection from the majority of these vulnerabilities, and most sites should have been updated to the patched version automatically. Nonetheless, we strongly recommend updating your site as soon as possible, if it has not automatically been updated.

Source and more details: https://www.wordfence.com/blog/2022/10/patch-now-the-wordpress-6-0-3-security-update-contains-important-fixes

See also: https://wordpress.org/news/2022/10/wordpress-6-0-3-security-release

Chrome extensions with 1.4M installs covertly track visits and inject code

If you’ve installed any of these extensions, manually remove them stat.

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users’ browsing history and inserting tracking code into specific ecommerce sites they visited.

The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites.

The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased.

To help keep the activity covert, some of the extensions were programmed to wait 15 days after installation before beginning the data collection and code injection. The extensions McAfee identified are:

Name                                           Extension ID                      Users
Netflix Party                                  mmnbenehknklpbendgmgngeaignppnbe  800,000
Netflix Party 2                                flijfnhifgdcbhglkneplegafminjnhn  300,000
FlipShope – Price Tracker Extension            adikhbfjdbjkhelbdnffogkobkekkkej  80,000
Full Page Screenshot Capture – Screenshotting  pojgkmkfincpdkdgjepkmdekcahmckjp  200,000
AutoBuy Flash Sales                            gbnahglfafmhaehbdmjedfhdmimjcbed  20,000

As of early September, all five extensions have been removed from the Chrome Web Store, a Google spokesperson said. Removing the extensions from its servers isn’t the same as uninstalling the extensions from the 1.4 million infected devices. People who have installed the extensions should manually inspect their browsers and ensure they no longer run.
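The article asks people to inspect their browsers manually. Chrome stores unpacked extensions under the profile directory as `Extensions/<32-letter id>/<version>/manifest.json`, so the five IDs in the table can be matched against that directory tree. The Python below is an added example (not McAfee's, Google's or Ars Technica's code); the default profile locations are the usual Chrome paths on Windows, macOS and Linux, given as an assumption, and `build_demo_profile()` fabricates a throwaway profile so the scan can be exercised offline.

```python
"""Scan a Chrome profile for the extension IDs McAfee flagged.

Added example. FLAGGED_EXTENSIONS is the table from the article; default
profile paths and the on-disk layout Extensions/<id>/<version>/manifest.json
are stated as assumptions about Chrome. build_demo_profile() is a
constructed fixture, not a real profile.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

FLAGGED_EXTENSIONS = {
    "mmnbenehknklpbendgmgngeaignppnbe": "Netflix Party",
    "flijfnhifgdcbhglkneplegafminjnhn": "Netflix Party 2",
    "adikhbfjdbjkhelbdnffogkobkekkkej": "FlipShope – Price Tracker Extension",
    "pojgkmkfincpdkdgjepkmdekcahmckjp": "Full Page Screenshot Capture – Screenshotting",
    "gbnahglfafmhaehbdmjedfhdmimjcbed": "AutoBuy Flash Sales",
}


def default_profile_dir():
    """Best-guess location of the default Chrome profile (assumption)."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / "Default"
    return Path.home() / ".config" / "google-chrome" / "Default"


def installed_extensions(profile_dir):
    """Yield (id, name, version) for every extension unpacked under
    <profile>/Extensions/<id>/<version>/manifest.json."""
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for id_dir in sorted(ext_root.iterdir()):
        if not id_dir.is_dir():
            continue
        for ver_dir in sorted(id_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                data = {}
            yield id_dir.name, data.get("name", "?"), ver_dir.name


def flagged_among(ext_ids):
    """Return sorted (id, flagged_name) pairs for IDs that are on the list."""
    return sorted((i, FLAGGED_EXTENSIONS[i]) for i in set(ext_ids) if i in FLAGGED_EXTENSIONS)


def scan_profile(profile_dir):
    """Walk one profile and report flagged extensions still on disk."""
    return flagged_among(ext_id for ext_id, _, _ in installed_extensions(profile_dir))


def build_demo_profile():
    """Constructed fixture: a temp profile with one flagged and one benign extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-demo-"))
    for ext_id, name in (("mmnbenehknklpbendgmgngeaignppnbe", "Netflix Party"),
                         ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "Harmless Notes")):
        ver_dir = root / "Extensions" / ext_id / "1.0.0_0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps({"name": name, "version": "1.0.0"}))
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_profile_dir()
    hits = scan_profile(target)
    for ext_id, name in hits:
        print(f"FLAGGED: {name} ({ext_id}) still present under {target}")
    if not hits:
        print(f"No flagged extension IDs found under {target}")
```

Run it with no arguments to check the default profile, or pass a profile directory explicitly (other Chrome profiles live beside `Default` as `Profile 1`, `Profile 2`, and so on). A hit means the directory is still on disk; removing the extension from the Chrome extensions page, not just deleting the folder, is what actually stops it running.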

Source: Chrome extensions with 1.4M installs covertly track visits and inject code | Ars Technica

National Cyber Security Awareness Month: You Could Be the Biggest Threat to Your WordPress Site

October is National Cyber Security Awareness Month in the U.S., and this year’s theme is “See Yourself in Cyber.” What is really being said by this theme is that we all have a role to play in cyber security, whether we work in the industry or not. With this in mind, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have identified four key areas where we can all take action to protect our presence online, and work to keep others safe. These same concepts can be used to help secure WordPress sites as well.

Think Before You Click

The idea behind this concept is that you should always be on the lookout for phishing attempts. This is true in general, but also applies specifically to anyone who is an administrator of a WordPress site. Anyone who is in this role is likely very familiar with receiving emails from their website that advise of available updates, or comments that need to be moderated, and plenty of plugins have their own reasons for sending emails to administrators as well. As most administrators don’t log into the admin panel daily, these emails are often a critical part of the site management workflow.

WordPress is currently used on over 40% of all websites, making it both well-known and a large target for threat actors. What this means is that threat actors are aware of the emails that website administrators are used to receiving, and can likely duplicate them with relative ease. Whenever you receive an email from your website, it is best to check that any links do not contain domain names from other websites before clicking, or, better yet, log into the admin panel directly and navigate to the page that needs your attention.

Even more important than checking links in the emails you are used to receiving is checking links in emails you aren’t expecting. The folks at Wordfence recently discussed how links can be manipulated to enable a complete account takeover, among other malicious activities. By remaining vigilant and checking the actual URL being used, these types of attacks can be avoided.
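The check described above, whether each link in a site notification really points at your own domain, can be automated for an administrator who wants to triage these emails before clicking. Below is an added Python example (not Wordfence's or ProtectYourWP's code) that pulls every link out of a constructed, WordPress-style HTML notification and flags two things: an `href` whose host is not on the site's own domain, and visible link text that displays one host while the `href` goes to another. The site rule (last two DNS labels) is a simplification, and the sample email is constructed.

```python
"""Flag off-site and mismatched links in a site notification email.

Added example, standard library only. site_of() approximates a registrable
domain with the last two DNS labels (an assumption). SAMPLE_EMAIL is a
constructed notification using reserved names (.example and .test).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that itself looks like a hostname or URL, e.g. "https://myblog.example/wp-login.php"
HOSTLIKE_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?", re.I)


def site_of(host):
    """Registrable-domain approximation: last two labels of the host."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def suspicious_links(html_body, site_domain):
    """Return [(href, [reasons])] for links that leave the site's domain or
    whose displayed text names a different host than the href targets."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        if site_of(host) != site_of(site_domain):
            reasons.append(f"off-site host {host}")
        shown = HOSTLIKE_TEXT.fullmatch(text.strip())
        if shown and site_of(shown.group(1)) != site_of(host):
            reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: one genuine admin link, one lookalike login link whose
# visible text lies about its destination, and one benign but off-site link.
SAMPLE_EMAIL = """
<p>Howdy! A new comment on <b>myblog.example</b> is awaiting moderation.</p>
<p><a href="https://myblog.example/wp-admin/edit-comments.php">Moderate comments</a></p>
<p><a href="https://myblog-example.evil-host.test/wp-login.php">https://myblog.example/wp-login.php</a></p>
<p><a href="https://wordpress.org/support/">WordPress support</a></p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, "myblog.example"):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The lookalike link is reported twice over (off-site host, and text/target mismatch), which is the pattern the Wordfence write-up warns about; the `wordpress.org` link is reported only as off-site, so a human still decides, but nothing is clicked on the strength of the displayed text alone.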

Update Your Software

One of the best ways to keep a website secure is to ensure that any software being used is regularly updated with the latest security updates. In WordPress, this means keeping your core WordPress version up to date, as well as any themes or plugins that are installed. ProtectYourWP.com does this for you with daily site checks and updates.

Despite the ability to update all of this software automatically, many site administrators allow their websites to run on outdated versions, many of which contain security vulnerabilities. Some may have reasons for using older versions, such as theme or plugin compatibility issues. However, these issues should be resolved as quickly as possible, finding replacement themes or plugins if necessary.

The majority of the targeted attack attempts we see are attempting to make use of vulnerabilities in outdated plugins. As threat actors become aware of vulnerabilities, they also know they can find success in exploiting those vulnerabilities because of the number of administrators who allow outdated plugins to remain active on the website. The simple act of updating all of the site software is one of the simplest ways to prevent the success of an exploit attempt.

Use Strong Passwords – and a Password Manager

It can’t be stated enough that passwords need to be as strong as possible. Threat actors have been looking for ways to get into user accounts since the dawn of the modern era of computing, and they have a number of tools at their disposal to guess or “crack” passwords. The stronger the password, the lower their chance of success. Longer passwords are considered more secure, with current recommendations calling for a minimum of a 16-character password wherever possible. Each password should only be used to log into a single account. This means that individuals should have strong and unique passwords for each and every account they have from WordPress to Gmail and everything in between.

While the requirement to use a unique password for every account may sound like overkill to some, there is a very good reason for it. A type of attack known as credential stuffing is easily prevented simply by using unique passwords. Credential stuffing consists of using known usernames and passwords to try to log in to as many accounts as possible. If credentials from an account are leaked in a data breach, stolen through phishing, or otherwise obtained by a malicious actor, they are often able to gain access to multiple accounts simply by using those same credentials in other accounts, such as Gmail, banks, and of course WordPress.

Another common method of guessing a password is what is known as a dictionary attack. This type of attack utilizes techniques like trying lists of common passwords, or even seemingly random strings, in the password field to attempt to find one that provides access to the account. In the last 30 days, we have blocked 4,239,859,063 password attack attempts, which highlights the importance of using a strong password to keep malicious actors out of accounts.
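The two attack patterns just described leave different fingerprints in a login log: credential stuffing tries many different usernames from one source with roughly one guess each (the leaked pairs are already "known good" somewhere else), while a dictionary attack hammers one username with many guesses. As an added example, not Wordfence's or ProtectYourWP's detection code, the Python below summarizes constructed login records per source address and labels each source accordingly. The log format, the addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions to adjust for a real site.

```python
"""Tell credential stuffing apart from a dictionary attack in login logs.

Added example. Log format, IP addresses (203.0.113.0/24, 198.51.100.0/24 and
192.0.2.0/24 are documentation ranges) and the thresholds are constructed
assumptions, not Wordfence's rules.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"ip=(\S+)\s+user=(\S+)\s+result=(ok|fail)")

# Constructed sample: one source spraying eight accounts once each (one hit),
# one source guessing 'admin' repeatedly, and one ordinary user who typos once.
SAMPLE_LOG = """\
2022-10-05T02:14:07Z ip=203.0.113.7 user=alice result=fail
2022-10-05T02:14:08Z ip=203.0.113.7 user=bob result=fail
2022-10-05T02:14:09Z ip=203.0.113.7 user=carol result=fail
2022-10-05T02:14:10Z ip=203.0.113.7 user=dave result=ok
2022-10-05T02:14:11Z ip=203.0.113.7 user=erin result=fail
2022-10-05T02:14:12Z ip=203.0.113.7 user=frank result=fail
2022-10-05T02:14:13Z ip=203.0.113.7 user=grace result=fail
2022-10-05T02:14:14Z ip=203.0.113.7 user=heidi result=fail
2022-10-05T02:20:00Z ip=198.51.100.9 user=admin result=fail
2022-10-05T02:20:01Z ip=198.51.100.9 user=admin result=fail
2022-10-05T02:20:02Z ip=198.51.100.9 user=admin result=fail
2022-10-05T02:20:03Z ip=198.51.100.9 user=admin result=fail
2022-10-05T02:20:04Z ip=198.51.100.9 user=admin result=fail
2022-10-05T02:20:05Z ip=198.51.100.9 user=admin result=fail
2022-10-05T02:30:00Z ip=192.0.2.5 user=carol result=fail
2022-10-05T02:30:05Z ip=192.0.2.5 user=carol result=ok
"""


def summarize(lines):
    """Per source IP: attempt count, distinct users, failures, users that succeeded."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "ok_users": set()})
    for line in lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # unparseable line; skipped rather than guessed at
        ip, user, result = match.groups()
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["users"].add(user)
        if result == "fail":
            stats["fails"] += 1
        else:
            stats["ok_users"].add(user)
    return per_ip


def classify_sources(lines, min_attempts=5, stuffing_ratio=0.8, brute_ratio=5):
    """Label each source IP: 'credential stuffing' when nearly every attempt
    names a different user, 'dictionary attack' when attempts per user are
    high, 'mixed' in between, 'normal' below min_attempts. Successful logins
    from a labelled attacker are listed as likely compromised accounts."""
    report = {}
    for ip, stats in summarize(lines).items():
        attempts, distinct = stats["attempts"], len(stats["users"])
        if attempts < min_attempts:
            pattern = "normal"
        elif distinct >= stuffing_ratio * attempts:
            pattern = "credential stuffing"   # many users, about one guess each
        elif attempts / distinct >= brute_ratio:
            pattern = "dictionary attack"     # few users, many guesses each
        else:
            pattern = "mixed"
        report[ip] = {
            "pattern": pattern,
            "attempts": attempts,
            "distinct_users": distinct,
            "failures": stats["fails"],
            "likely_compromised": sorted(stats["ok_users"]) if pattern != "normal" else [],
        }
    return report


if __name__ == "__main__":
    for ip, entry in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, entry)
```

The important output is not the block decision but the `likely_compromised` list: a stuffing source that produced one success has found a reused password, and that account needs a reset and a nudge toward a password manager, exactly the remedy the paragraphs above recommend. The thresholds will need tuning; shared NAT egress addresses, for instance, legitimately show many distinct users.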

Blocked password attacks in the last 30 days

Using long passwords that are unique for each account can seem intimidating, especially once you consider that the average person has around 100 different accounts that need passwords. This is where password managers come in. Most password managers can automatically generate secure passwords, and securely store those passwords to easily copy and paste into login forms. There are a number of password managers available, all with their own set of features and use-cases. Ultimately, which password manager you use is far less important than the fact that you are using one, so use the one that fits your needs the best.

Refresh your memory with 10 of the most common password mistakes we’ve seen and employ techniques to mitigate the risks of each one.

Enable Multi-Factor Authentication

While strong passwords are important, enabling multi-factor authentication (MFA) is one of the most effective methods of preventing unauthorized account access. According to details provided in a White House press briefing, 80-90% of all cyber attacks can be prevented with the implementation of MFA. There are various forms that MFA can take, but the basic idea behind it is that you are using something you know (a password) along with something you are (such as biometrics) or something you have (such as a smartphone or USB device) to gain access.

What makes MFA so effective is the fact that it requires at least one additional form of authentication that a malicious actor is not likely to possess along with the first factor. This means that even if a threat actor obtains a username and password through a phishing scam, they still won’t have access to the smart card, MFA token, or other additional form of authentication required. Most MFA methods are also relatively simple for the authorized user to use, and combining this with strong unique passwords stored in a password manager can even be more convenient for the user than trying to remember password variants that satisfy the various password requirements of their accounts. As a reminder, Wordfence makes it incredibly easy for site owners to set up MFA for all Wordfence users.

Conclusion

National Cyber Security Awareness Month is a great time to review our personal and professional security hygiene. Each year a different theme is chosen, based on the areas that have been observed to need the most improvement. The specific behaviors and techniques highlighted should be reviewed and applied everywhere possible. Following this year’s theme of “See Yourself in Cyber” we gain the understanding that cyber security is everyone’s responsibility, and that we can apply new behaviors to avoid phishing and vulnerabilities, as well as better secure access to our accounts.