HACK ALERT: A second layer of protection
“I had one of those heart stopping moments where suddenly a lot of your friends, colleagues, network are texting you and saying, ‘hey, we're getting some strange messages from your LinkedIn account’. You could be hacked.” Louise Higgins
I recently caught up with ANZ Chief Information Security Officer Lynwen Connick and Chief Financial Officer, Technology Louise Higgins to discuss the importance of Multi-Factor Authentication (MFA) - and Louise’s very real experience of being hacked.
Scrolling through your socials, you notice you have a message from a colleague: “Hey, I've got a great opportunity for you. Can you remind me of your mobile number?”
Seems innocent, maybe even an exciting prospect. It’s from a colleague.
Except it’s not. Your colleague has been hacked. And as you finish reading the message, the majority of their network has already been infiltrated by the perpetrators.
The huge shift to a more virtual world over the past 12 months has greatly increased our need to enlist the help of online applications and programs, be it for work, home or school.
But it’s also spurred a huge increase in cybercrime.
One simple step we can take to improve our security is the use of Multi-Factor Authentication (MFA).
ANZ Chief Information Security Officer Lynwen Connick says it is a very simple security measure everyone can adopt, to assist in making our online experience safer.
And it’s certainly one I made sure I set up on my social accounts as soon as we finished this conversation.
What exactly is MFA?
MFA can be likened to the age-old notion that the more difficult it is for people to access your possessions, the less likely you are to be the victim of crime.
When you log into online accounts, be it social channels such as LinkedIn, email, online applications, even shopping sites, instead of relying on a single password you can choose to ‘add another layer’ of protection – another ‘factor’.
Lynwen says it’s a bit like having an alarm system as well as a lock on your door – a second layer that amplifies the protection of a password.
“Multi-factor authentication sounds really complicated but it's not,” Lynwen says. “It’s really very simple.
“When you first log in to, say, your social media account, it'll ask you to enter a code that will easily, automatically pop up on your device, that you enter into the login to make sure that it really is you – just in case someone else has got access to your password. It’s really, really good protection.”
A valuable lesson
But hindsight is a wonderful thing. ANZ Chief Financial Officer, Technology Louise Higgins wishes she had set up MFA for her online accounts, including LinkedIn, from the start, because her LinkedIn account was recently hacked.
“The first clue was I found one day I couldn't access my LinkedIn account. But we lead busy lives and I thought, well, actually, not being able to access LinkedIn today is not my top priority,” says Louise.
“But a few days later, I had one of those heart stopping moments where suddenly a lot of your friends, colleagues, network are texting you and saying, ‘hey, we're getting some strange messages from your LinkedIn account’. You could be hacked.”
Louise was unable to get access to her LinkedIn account because the hacker had gained access and changed the login details connected to the account.
They then reached out to her network, in a tone of voice very similar to hers, saying ‘hey, I've got a great opportunity for you. Can you remind me of your mobile number?’
“I think this is the scary bit, how sophisticated it got,” says Louise.
A fair proportion of her network actually responded with their mobile details, as it looked like an authentic message.
They were then sent what looked like a very authentic link to a Zoom meeting and again many in her network clicked it, which in turn provided the hackers with their details.
“The trauma came from several places,” Louise says. “First, the heart stopping moment of ‘I think someone else is sending out messages on my behalf’. Secondly, realising that you are responsible for others providing their personal information and thirdly, the ramifications that then had on some of my network - having their accounts hacked.”
She adds: “It was a terrifying experience but a good wake-up call to go through and make sure every other platform or application that you use isn't compromised, that you have got strong passwords and, most importantly, you've got that multi-factor authentication.”
“It could have been much worse but it's a very valuable lesson.”
Did you know…
- 81 per cent of hacking-related breaches leverage stolen and/or weak passwords
- 90 per cent of the global workforce can have their passwords hacked in around six hours
- 65 per cent of people use the same password everywhere
- A password containing numbers, upper and lower case letters and symbols can be hacked in 13 minutes if it has fewer than seven characters. If you increase the character count to 10 it can take 928 years
- A password with just upper and lower case letters can be hacked instantly if it has fewer than eight characters
Working together to get the message out
Having recently attended a parliamentary roundtable on multi-factor authentication with The Hon. Andrew Hastie MP, the Australian Cyber Security Centre (ACSC) and the chief information security officers from the other big four banks, Lynwen says there was agreement on the steps that need to be taken and on how to help everyone understand what they need to do: getting the message out there to help people.
“We all need to work together to help protect our customers and the community more broadly. And multi-factor authentication is clearly one of the easy things that everyone can implement to stay much safer and secure online… We agreed that we can promote and work together to help everyone across the community leverage multi-factor authentication,” says Lynwen.
“We talked about a range of things we can do that are quite simple to improve security … this piece around Multi-factor authentication is something that we’ve all been talking about at the banks and the government has been talking about as well. It’s one of the key steps that helps protect us all from cyber-attacks, whether it be large organisations, small companies or individuals.
“It’s such an easy thing to do as Louise talked about… so we are trying to combine together to get that message out there.”
Activating MFA is one of the four simple steps we recommend everyone implement. The steps form the easy-to-remember acronym PACT, in which ‘A’ is for “Activate” MFA.
Setting up MFA is a personal responsibility. The onus has to be on the individual to make sure all is being done to ensure they are set up securely online.
Louise says if she’d had multi-factor authentication, the situation with her LinkedIn account would not have occurred.
“The whole thing could have been avoided. It (MFA) might sound complicated. It's not. The onus is on you as an individual to make sure that you're adequately protected.”
For more information on MFA and how you can be better protected online, visit the Australian Cyber Security Centre (ACSC).