Security Behaviour Database
/

Account Compromise

Account compromise happens when unauthorised people access them.


Behaviours

Using multi-factor authentication

Using multi-factor authentication

Multi-Factor Authentication (MFA) is the process of signing in to an account using two pieces of information. ...

Enabling fingerprint or facial login for devices and/or accounts

Enabling fingerprint or facial login for devices and/or accounts

People can access devices and accounts with biometric information (such as a fingerprint or facial scan). The ...

Using a separate passphrase for email account(s)

Using a separate passphrase for email account(s)

Separate passphrases should be used for important workplace accounts, like primary workplace email accounts and ...

Not using personal details in passwords

Not using personal details in passwords

Using personal details in passwords makes them easier to crack. Random words provide greater resilience.

Using Single Sign On

Using Single Sign On

Single Sign-On reduces login friction and can encourage stronger password/passphrase use.

Creating a passphrase ruleset

Creating a passphrase ruleset

Complex passwords are difficult to remember. Passphrases provide a more secure solution and are easier to ...

Checking password exposure

Checking password exposure

Tools such as haveibeenpwnd.com can be used to check if passwords (or other personal data) have been leaked in ...

Checking personal data exposure

Checking personal data exposure

Security questions provide a recovery option for online accounts. Their answers must be protected. Before posting ...

Reporting old accounts

Reporting old accounts

Dormant accounts may still hold or provide access to sensitive data. Security teams should be notified when ...

Doesn't share passwords

Doesn't share passwords

Password sharing increases the likelihood of an account being compromised. Passwords should not be shared. Any ...

Using a password manager

Using a password manager

A password manager is an application that securely stores passwords. They can be application or browser-based. ...

Reporting security incidents

Reporting security incidents

Reporting known or suspected security incidents helps protect the workplace. If the incident is reported early, IT ...

Asking for help

Asking for help

Asking for help can help people learn. Security professionals can advise on how best to approach and resolve ...

Completing security awareness training

Completing security awareness training

Security Awareness training is an important part of organisational security. Completing awareness training ensures ...

Using different passwords

Using different passwords

Using different passwords ensures that if one of your passwords is leaked, not all your accounts can be accessed.

Installing antivirus on workplace devices

Installing antivirus on workplace devices

Antivirus/Endpoint protection programs provide excellent coverage against known online threats. They should be ...

Following security warnings

Following security warnings

Security warning alert to potential harmful activity, like when a malicious website is visited. The advice should ...

Using privacy screens

Using privacy screens

Privacy screens prevent opportunistic onlookers from viewing sensitive information. They should be used when ...

Reads security policies

Reads security policies

Security policies help reduce risk by increasing the chance that people will understand what to do to keep their ...

Challenging security policies

Challenging security policies

Sometimes security controls can prevent or disrupt job activity. In these instances controls may be ignored to ...

Setting an account password with network provider

Setting an account password with network provider

Criminals with access to network providers can launch SIM swap or mobile phone number porting attacks. Agreeing a ...

Using private browsing windows

Using private browsing windows

If workplace devices are shared between colleagues, private browsing should be enabled by default. This means ...

Doesn't click links in unexpected texts

Doesn't click links in unexpected texts

Criminals will often use instant messaging as an attack vector. Unexpected messages should always be checked for ...

Reporting suspicious messages

Reporting suspicious messages

Suspicious messages received via email, text or phone should be reported to a single point of contact. This allows ...

Checking emails for signs of deception

Checking emails for signs of deception

Criminals will often use emails as an attack vector. Unexpected emails should always be checked for malicious ...

Case study

Sarah Morrison

In 2019, Sarah Morrison found out why reusing passwords is such a bad idea. It cost her $13,000.

Her ordeal started with an email. The email concerned a takeaway she’d “ordered” 3,000 miles from her home in New York.

Sarah thought little of it. She notified Grubhub of the charge, which Grubhub promptly refunded. Just to be safe, Sarah also changed her Grubhub password. But the precaution wasn’t enough.

Five months later, Sarah logged into her bank account and realised she’d lost $13,103.91. Sarah had reused the compromised Grubhub password to protect her online bank account. Which, of course, wasn’t much protection at all.

It took Sarah several stress-ridden months to regain full control of her accounts. The trouble could have been avoided if she’d used separate passwords for her individual accounts.

Sarah could have also turned on two-factor authentication as an extra security layer.

“I really should have bothered!” says Sarah. “So should you.”

Claire Pearson

In April 2017, Claire Pearson watched as a £71,000 inheritance from her late father was stolen from her account.

It started with a text message from her bank informing her of suspicious account activity. Worried about possible fraud, she called the “fraud prevention helpline” mentioned in the text... without checking the identity of the sender.

After a quick chat, Claire shared her account details and password and was told she’d receive a new card within three days. However, when she called her bank back – this time using a saved number – she realised she’d been tricked.

Despite her efforts, Claire could not recover all her money. In retrospect, Claire wishes she’d verified the fraudulent text by calling her bank using the number she had stored in her phone.

The incident could also have been avoided had Claire realised that real bank officials never ask for account passwords.

Twitter Hack, 2020

In July 2020, various high-profile celebrities and companies tweeted a link to their followers. The tweets asked followers to send in Bitcoin payments, then watch as the payments were doubled then returned.

The tweets were fraudulent, posted by hackers who were about to earn $120,000 through one of the biggest account compromises Twitter has ever known.

The hackers breached 130 Twitter accounts in total, including those of Barack Obama, Elon Musk, Kanye West, Bill Gates, Apple and Uber. Twitter called the hack an elaborate case of social engineering.

In response to the breaches, Twitter restricted password resets and temporarily restricted verified accounts from tweeting.

SebDB is brought to you byCybSafe| © 2020 CybSafe Ltd