TORONTO -- As a recent breach of 5,500 accounts with the Canada Revenue Agency (CRA) has shown, personal hygiene isn鈥檛 the only thing Canadians need to worry about during this pandemic.
According to Ritesh Kotak, a digital technology expert, it鈥檚 important to keep up with your 鈥渃yber hygiene鈥 as well to ensure you don鈥檛 become a victim of digital fraud.
The CRA temporarily suspended its online services on the weekend in response to the cyberattack. The agency, which has been used by thousands of Canadians during the pandemic to apply for the $2,000-per-month Canada Emergency Response Benefit (CERB) for COVID-19, said the attack was a 鈥渃redential stuffing鈥 scheme.
One victim told the Canadian Press that someone who had hacked into her account applied for CERB in her name and received funds by using her information.
But what is 鈥渃redential stuffing鈥? And how can Canadians stay safe?
鈥淎 credential is a username and password, and stuffing is when, essentially you have these usernames and passwords and you test them against very popular sites,鈥 Kotak told CTV News.
Hackers who have acquired hundreds of usernames and passwords will turn to bots to see if the account details allow them access to anything.
鈥淭his bot will actually go out, and it will try to input your username and password into popular sites, and if there鈥檚 a match, then the fraudster gets notified,鈥 Kotak said.
鈥淪o the big question is, how do these hackers even get your username and password? And the most common way is through other breaches.鈥
If financial institutions, hotels, airlines or any place you have given your information, get hacked, that personal information, such as a username, an email address and a password, can now be accessed and shared, Kotak explained.
鈥淎nd if you鈥檙e re-using your username and password, you now become vulnerable to these types of attacks.鈥
If the login you鈥檝e used to book a hotel that suffers a breach is the same as your login for your bank account, or another account that contains banking details on it, these hackers can gain access to an extraordinary amount of data.
鈥淥nce you get access to somebody鈥檚 account, it is whatever information is available on that account, you now have access to it,鈥 Kotak said. 鈥淪o it could be your personal information, your financial information, your previous returns, essentially anything. And once you鈥檙e in, you can also change up information, such as your mailing address or email address to make it even more difficult for the rightful owner to gain access back to their account.鈥
With this recent breach on the CRA, Kotak said it seems that the hackers were purely "after the money."
鈥淚t seems that the motivation behind these breaches is strictly financial. It is to get as much money in a short amount of time as possible, without getting detected.鈥
'BASIC CYBER HYGIENE'
Much like with guarding against COVID-19, the strategies you can use to avoid becoming the victim of a 鈥渃redential stuffing鈥 plot are as simple as putting on a mask or washing your hands.
Just use different passwords and usernames, Kotak says.
鈥淚t is convenient for us to use the same username and password,鈥 he admitted. 鈥淲e have maybe a hundred different accounts online, we have our email, we have data storage, we might have our food delivery apps, so we have a lot of different apps that all require usernames and passwords. And as a result, a lot of us kind of get a little bit lazy.
鈥淟et this be a lesson on why it is important to have different usernames and passwords for different sites, so if a breach does occur, you will not be affected.鈥
Kotak calls it 鈥渂asic cyber hygiene to have different usernames and passwords.鈥 He emphasized that creating 鈥渟trong passwords鈥 which mix upper and lowercase letters, numbers, symbols, and avoid using 鈥渄ictionary words鈥 is also important.
However, he said the blame is not on just one person for these types of breaches.
There are other parties involved, such as the CRA, and other financial institutions, which are responsible for putting in fraud detection mechanisms to catch these schemes early on.
鈥淭his is joint responsibility,鈥 he said. 鈥淎s users, use different usernames and passwords. As the CRA, or any government entity, ensure that you put proper security measures in place, and you use some sort of anomaly detection, and same thing with these financial institutions. If we all take these steps, then these types of breaches are preventable.鈥
