You don’t need to be hacked if you give away your credentials

22 May 2012

GFI Software highlights the problems of users’ carelessness with their credentials: who needs hacking skills when log-on details are just handed over?

Chris Boyd, a senior threat researcher at GFI Software, noticed and blogged a gaming incident. “Well, i got my account hacked today, lost all my stuff,” complained a gamer. And what do the administrators do? “Nothing,” said the gamer. “they cant find whos doing it...”

But the administrators did find who did it (one ‘beef43302’), and responded, “So yes, as expected the ‘hacked’ account wasn't hacked, I suggest you keep confidential account information to yourself in the future, and change your password now. Even though this was entirely your own fault, and you incorrectly accuse us of incompetence, we shall roll your characters back to before the incident.”

In the real world, the business rather than the gaming world, there are no over-arching gods like the game administrators who can roll things back so we can continue just as if nothing ever happened. And it appears that we are just as relaxed with our business credentials as we are with our gaming credentials – especially, for example, in things like social media. “As more companies depend upon social media to promote their brand and interact with their customers,” Boyd told Infosecurity, “the risk from simply sharing passwords becomes problematic.”

Companies often allow multiple people to access corporate Twitter or Facebook accounts. In such cases, “What tends to happen,” he explained, “is they weaken the strength of the password to allow everyone to remember it, when they should be using a dedicated password management tool with secure sharing functionality. Given that shared accounts can be used for everything from social networks to important admin / IT accounts behind the scenes it's crucial that shared passwords are hidden from view as much as possible.”

And all too often, they are not. “I've seen individuals post screenshots of their workplace monitor to social networks, seemingly unaware that they have post-it notes containing everything from phone numbers to what look like passwords in the photograph.” Who needs hacking skills when we just give them the keys?

This article is featured in:
Identity and Access Management  •  Internet and Network Security  •  Security Training and Education

 
