TORONTO -- As a recent breach of 5,500 accounts with the Canada Revenue Agency (CRA) has shown, personal hygiene isn’t the only thing Canadians need to worry about during this pandemic.
According to Ritesh Kotak, a digital technology expert, it’s important to keep up with your “cyber hygiene” as well to ensure you don’t become a victim of digital fraud.
The CRA temporarily suspended its online services on the weekend in response to the cyberattack. The agency, which has been used by thousands of Canadians during the pandemic to apply for the $2,000-per-month Canada Emergency Response Benefit (CERB) for COVID-19, said the attack was a “credential stuffing” scheme.
One victim told the Canadian Press that someone who had hacked into her account applied for CERB in her name and received funds by using her information.
But what is “credential stuffing”? And how can Canadians stay safe?
“A credential is a username and password, and stuffing is when, essentially, you have these usernames and passwords and you test them against very popular sites,” Kotak told ŰÎŰ´ŤĂ˝.
Hackers who have acquired hundreds of usernames and passwords will turn to bots to see if the account details allow them access to anything.
“This bot will actually go out, and it will try to input your username and password into popular sites, and if there’s a match, then the fraudster gets notified,” Kotak said.
“So the big question is, how do these hackers even get your username and password? And the most common way is through other breaches.”
If financial institutions, hotels, airlines or any other place you have given your information get hacked, that personal information, such as a username, an email address and a password, can now be accessed and shared, Kotak explained.
“And if you’re re-using your username and password, you now become vulnerable to these types of attacks.”
If the login you’ve used to book a hotel that suffers a breach is the same as your login for your bank account, or another account that contains banking details on it, these hackers can gain access to an extraordinary amount of data.
“Once you get access to somebody’s account, it is whatever information is available on that account, you now have access to it,” Kotak said. “So it could be your personal information, your financial information, your previous returns, essentially anything. And once you’re in, you can also change up information, such as your mailing address or email address to make it even more difficult for the rightful owner to gain access back to their account.”
With this recent breach on the CRA, Kotak said it seems that the hackers were purely "after the money."
“It seems that the motivation behind these breaches is strictly financial. It is to get as much money in a short amount of time as possible, without getting detected.”
'BASIC CYBER HYGIENE'
Much like with guarding against COVID-19, the strategies you can use to avoid becoming the victim of a “credential stuffing” plot are as simple as putting on a mask or washing your hands.
Just use different passwords and usernames, Kotak says.
“It is convenient for us to use the same username and password,” he admitted. “We have maybe a hundred different accounts online, we have our email, we have data storage, we might have our food delivery apps, so we have a lot of different apps that all require usernames and passwords. And as a result, a lot of us kind of get a little bit lazy.
“Let this be a lesson on why it is important to have different usernames and passwords for different sites, so if a breach does occur, you will not be affected.”
Kotak calls it “basic cyber hygiene to have different usernames and passwords.” He emphasized that creating “strong passwords” which mix upper and lowercase letters, numbers, symbols, and avoid using “dictionary words” is also important.
However, he said the blame is not on just one person for these types of breaches.
There are other parties involved, such as the CRA, and other financial institutions, which are responsible for putting in fraud detection mechanisms to catch these schemes early on.
“This is joint responsibility,” he said. “As users, use different usernames and passwords. As the CRA, or any government entity, ensure that you put proper security measures in place, and you use some sort of anomaly detection, and same thing with these financial institutions. If we all take these steps, then these types of breaches are preventable.”
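For readers on the service side, the anomaly detection mentioned above can start from the pattern credential stuffing leaves in login logs: one source trying many different accounts, about once each, with very few successes. The sketch below is an added example, not code from the CRA or anyone quoted in this article; the event format, function name and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
SAMPLE_EVENTS = (
    # A bot replaying a breached list: 120 accounts, one try each, 3 hits.
    [("203.0.113.7", f"user{i}@example.com", i % 40 == 0) for i in range(120)]
    # A real user mistyping their own password, then getting in.
    + [("198.51.100.4", "alice@example.com", False)] * 3
    + [("198.51.100.4", "alice@example.com", True)]
    # Password guessing against a single account: noisy, but not stuffing.
    + [("192.0.2.9", "bob@example.com", False)] * 60
)


def flag_stuffing_sources(events, min_accounts=20, max_success_rate=0.10,
                          max_tries_per_account=2.0):
    """Return {ip: stats} for sources whose logins look like credential stuffing.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    attempts = defaultdict(int)
    accounts = defaultdict(set)
    hits = defaultdict(set)
    for ip, username, ok in events:
        name = username.lower()
        attempts[ip] += 1
        accounts[ip].add(name)
        if ok:
            hits[ip].add(name)

    flagged = {}
    for ip, total in attempts.items():
        distinct = len(accounts[ip])
        success_rate = len(hits[ip]) / distinct
        tries_per_account = total / distinct
        # Many accounts + roughly one try each + low hit rate = list replay.
        if (distinct >= min_accounts
                and success_rate <= max_success_rate
                and tries_per_account <= max_tries_per_account):
            flagged[ip] = {
                "accounts": distinct,
                "attempts": total,
                "success_rate": round(success_rate, 3),
                # Logins that worked from a flagged source need a forced reset.
                "compromised": sorted(hits[ip]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in flag_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, stats)
```

Counting per source address is only a starting point, since the same pattern spread across many addresses has to be aggregated on other keys such as time window or client fingerprint.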