top of page
  • Writer's pictureCamille Delcour

Expert Advice - 5 Steps Against Account Theft

Updated: Dec 28, 2021

La cybercriminalité est le premier type de fraude auquel sont confrontées les PME (La Fraude, oui même chez les PME). David Boisseleau, Consultant Sécurité Informatique, Expert Protection des données (RGPD), Cryptographie, Architecte Sécurité, DPO Adjoint avec plus de 19 ans d’expériences dans ces domaines, nous explique les simples gestes qui peuvent nous éviter l’usurpation de nos comptes.

We are faced a lot with account theft, the brute force account password attack, that's the plague. Why ? Because most people don't apply basic security rules to their computer tools.

Today the Grail, for a hacker, is to control a person's email account (gmail, etc.) because we know well that a large majority of people use this same email account as a login and / or recovery address for all other web accounts without enabling two-factor authentication options.

Once a hacker has mastered this email account, he can attempt password reset procedures on all other potential web accounts that use the same email as their login, and in particular that of social networks. He can then reset the passwords for all these other accounts. Once the passwords are reset (and therefore unknown to the account owner), regaining control over these accounts will be extremely difficult and time consuming.

It's a classic, and it touches on account theft, because hackers will then use these accounts to conduct fraudulent operations. For example, spoofing an account of a customer of an e-commerce company who has means of payment registered in his e-account, makes it possible to make purchases in his name and have them delivered elsewhere.


Here are the 5 actions that every entrepreneur must follow to avoid this type of unpleasant situation:


1. Use a different password and login for each web account :


Use the aliases of your main email by identifying the site on which it will be used . Example: facebook@boisseleau.com for Facebook. This technique has the advantage that if you receive spam on this alias, you will know which operator transmitted your email (and therefore potentially all your personal data) to third parties. What within the framework of the RGPD gives you possible means of recourse if you had not given your free, specific, informed and unambiguous agreement by a declaration or by a clear positive act (reference:GDPR, Article 4.11).


2. Use strong passwords :


A strong password contains several letters, upper case letters, lower case letters, numbers and special characters, minimum length of 12 characters, no word, expression or number directly related to the person concerned (password completely decorrelated from easily guessable personal information).

The alternative combines the advantages of safety and ergonomics: a sentence of at least 6 words without real meaning with respect for case and punctuation, embellished with a few special characters and / or numbers. Example: “The @ 39 requirements of Bulgarian hedgehogs. ". Easy to remember (phrase) and very difficult to break (length and complexity combined). Avoid the classic substitutions of the type a -> @, l-> 1, o-> 0 which are perfectly known to pirates and fully integrated (with all their variants) in their dictionary building software.


3. Regularly renew passwords :


The good practice is to do this every 3 months.


4. Activate double authentication mechanisms :


Prefer the method based on a TOTP application such as Google Authenticator rather than by SMS (potentially hackable by simply knowing the phone number).


5. Store your connection information in local encrypted storage software (via the web) :


The recommendation: Keepass. Why not on the web? Because you have to know that any information stored in the Cloud (Internet) will be copied, duplicated and stored in order to decipher this data when technical means allow it, in particular thanks to quantum computing (horizon 5 to 10 years). So for secrets whose lifespan must be greater than 5 years, storage on the Internet is to be avoided. This alarmist assessment must obviously be qualified according to the confidentiality of the data concerned and their period of validity (approach to security through risks).


David Boisseleau, expert en sécurité informatique

d.boisseleau@secureack.fr

06 29 53 96 57






 
1 view0 comments

Comments


bottom of page