Automated systems used by hackers can predict and access your passwords within seconds, and Frances Zelazny, Vice President of BioCatch, tells TechRepublic's Dan Patterson how they do it. The following is an edited transcript of the interview.
Dan Patterson: I think security professionals, in their head, kind of understand the tools and the tactics used to get these passwords. Some of those are common and free, like Burp Suite or John the Ripper, which go through, and what's called brute force, they look for combinations of names and numbers. But what are some of the other methods, some of the low tech methods of obtaining a password?
Frances Zelazny: So most passwords are just plain guessed, because there's a limited amount of permutations that you're looking for, on a phone for example, four digits, there's only so many. So once you start using an automated system, in a number of seconds most passwords can be guessed.
But what's really happening is that more and more sophisticated methods, not very high tech, but very effective, is just through phishing and basically tricking people into divulging their password and access credentials into their systems or accounts.
Dan Patterson: So what happens during a phishing or a social engineering pre-texting attack?
Frances Zelazny: So one example is that you get a call at the help desk that says "Hey, my name is John, and I'm trying to get into this folder, and I'm having trouble. I can't get into it. I've tried resetting my password and it's not working, can you help me?"
So usually what will happen is they'll get some sort of an email, or something, and they say if you just click on this link, it'll get you to where you need to go. So the person clicks on the link and voila, he's in.
That's one very low-tech example of how people can be tricked. Another example is, again, through all of the breaches and hacks that are out there, most personal information is out there on the dark web for as little as 50 cents, for sale. So by calling somebody and telling them, trying to verify information about them, they will not even need to give you their password, they will just let you in and give you access.
And there are many, many stories of that happening unfortunately every single day.
Dan Patterson has nothing to disclose. He does not hold investments in the technology companies he covers.
Dan is a Senior Writer for TechRepublic. He covers cybersecurity and the intersection of technology, politics and government.