written by Rob Tharle, Head of Product
Data breaches are at the heart of most frauds and scams, with the stolen data used directly or indirectly by fraudsters and cybercriminals. It helps them find people to target and convince those people that they are genuine by quoting supposedly secret information. At CYBERA we're here to disrupt cybercriminals, helping both victims and institutions to prevent abuse and to deal with it once it has happened.
Breaches are a common occurrence, and a new breach at LastPass is worrying. Back before the New Year, on 23rd December, LastPass announced a second breach following on from the one announced in August 2022. Whilst it got some press at the time, due to the holiday period it is only in the last couple of weeks that it has been fully analysed.
This time, data from the first breach was used to take consumer data. It needs to be said that a lot of the data was encrypted (e.g. passwords), but not all of it was (e.g. the URLs of the websites).
I'll not cover the technical details here, as there are a number of detailed breakdowns available, for example here courtesy of Peter Taylor and Daniel Card.
The reality is that if your LastPass master password was strong (i.e. long and hard to guess), then the encrypted data should be safe, at least for a while. If not, then urgent action is required.
In any instance LastPass users should:
- Change their master password
- Turn on 2FA if not already on for LastPass
- Change the passwords stored in LastPass, prioritising financial services, Apple, Google and email providers, and anything not protected with 2FA
No, it doesn't. Password managers are part of a multi-layered approach to your online security and, if used correctly, will help keep you safe by giving you strong, unique passwords for each website you use. Clearly many people are still using very weak passwords, as this article makes clear.
A password manager should be layered with two/multi-factor authentication (2FA/MFA) for sensitive sites.
Hopefully 2023 will also see the beginning of the end for passwords with the introduction of FIDO passkeys.
Passkeys – 2023 is hopefully the start of the end of passwords
What is a passkey & how do they work?
A passkey is a digital credential that is tied to a particular website (for that user). Using public key cryptography and the FIDO Alliance standards, each website gets its own unique passkey: the website stores only the public key, while the private key stays on the user's device. Because the credential is bound to the site's identity, it will only be presented to the genuine website or app, and each use requires the user to approve signing with their private key.
What are the benefits?
Security and usability are key benefits for numerous reasons:
- Easy to register and nothing to remember
- Passkeys can be backed up and replicated across devices on the same platform, e.g. Apple, Android/Google, Microsoft
- Can be used cross-platform, e.g. Windows with an Android phone, or Windows with a FIDO security key that holds the passkey; this can then be used to bootstrap a new credential on the new platform
- Stronger versions available using only hardware security keys that are device-bound
- Can't be phished
- Unique and not reused
- Not stored by the website (only the public key is), so no data breaches of the credential itself
- End-to-end encrypted by the provider
- Can't be subject to credential stuffing attacks
When and where are they available?
Passkey support is available from Apple, Google and Microsoft now, although you may need to upgrade OS levels or to the latest browser versions. Support is dependent on individual websites and apps.
For more details on passkeys see here: https://fidoalliance.org/passkeys/#faq
Data breaches and data compromise are the seed of most cybercrimes, and prevention is usually easier than curing the problem after it has happened, so strong security for both firms and consumers is key. Strong web security is therefore a key element of protecting yourself online. Have a look at our security tips here [link] for more information on how to protect yourself online.
The use of encryption and public key cryptography can help in the fight against data breaches. But when you have been a victim of cybercrime, CYBERA can help. If you have been a victim of a cybercrime you can use our CYBERCRIME COMPLAINT™ to report your fraud/scam via one of our partners:
CYBERA can also help with asset tracing for crypto: finding exactly where the coins are and requesting that the exchange freeze them, increasing the chances of recovery.
About CYBERA
At CYBERA we’re on a mission to stop money laundering and help protect customers from scams and other financial cybercrime. We close gaps that allow cyber criminals to thrive by sharing crime data in real-time with financial institutions, fintech, and crypto exchanges, and coordinating a global response to support customers who have become victims of financial cybercrime.
CYBERCRIME WATCHLIST™ helps firms reduce fraud and money laundering and meet the requirements of the CRM as part of a holistic fraud and financial crime strategy.
Financial Institutions (FIs) can check against the CYBERCRIME WATCHLIST™ for confirmed mule accounts when processing payments. For outbound and inbound payments, where there is a match on either IBAN (Account Number & Sort Code) or on Name, the transaction can be flagged as high risk.
At account opening and during ongoing CDD, email, phone and name can be matched against the CYBERCRIME WATCHLIST™ to reduce the opening of new mule accounts. CYBERCRIME COMPLAINT™ further supports this by alerting users, directly in their dashboard, to any of their accounts reported as mules.