By Brechin Piper
October is Cybersecurity Awareness Month and Concordia University of Edmonton (CUE)’s International Information System Security Certification Consortium (IS2C) club president Brechin Piper interviewed two fellow students about how to perform an “account workout.” The suggested exercises from the Government of Canada in an account workout are:
Here’s what Pooja Shah and Atilade Ayanbadejo, second-year graduate students in the Master of Information Systems Security Management (MISSM) program, have to say about cybersecurity for students and the public alike.
The Communications Security Establishment recommends that I use strong and unique passwords and passphrases. What does that actually mean? Isn’t P@ssword!23 strong since it’s got upper and lowercase, numbers, and symbols? And what’s a passphrase?
Pooja: Over time, passwords have changed from being simple to really complex. So, let’s break it down. What is a strong password? In simple terms, it’s the one that is difficult for both humans and computers to crack. A mix of different characters like uppercase, lowercase, numbers and symbols can make it harder for someone to crack, but also harder to remember. Your example—P@ssword!23—does blend a variety of characters, which is great. But sadly, not enough. Attackers trying to crack passwords use datasets of popular passwords and patterns and they are evolving too. Variations of “password” are very commonly used in passwords, so they’re near the top of the list for an attacker to try first.
Atilade: Where a password is normally one word, or something short, a passphrase is several words and much longer. Each additional character you can add to your passphrase makes it much stronger and resistant to being cracked. A phrase is often easier to remember than a word where you’ve swapped certain letters for numbers.
Pooja: An example of a passphrase could be something like “DiscoDogsForestFiesta.” That’s pretty easy for me to remember, and hard for an attacker to guess.
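The two answers above compare a mangled dictionary word with a multi-word passphrase. The script below is an added example (it is not from the interview or from CUE) that puts numbers on that comparison: the naive "character mix" score that makes P@ssword!23 look strong, a rough model of what an attacker running a wordlist plus substitution rules actually has to try, and the guess space of a passphrase drawn at random from a wordlist. The attacker-model sizes (a 1,000-word list, 50 substitution rules, 3,200 symbol-and-digit suffixes), the 7,776-word list size and the demo wordlist are all assumptions chosen for illustration.

```python
import math
import secrets

# Printable-ASCII class sizes used by the naive "character mix" score.
CHAR_CLASSES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~", 32),
)

# Constructed demo wordlist; a real one (e.g. a diceware list) has thousands of words.
DEMO_WORDS = [
    "disco", "dogs", "forest", "fiesta", "anchor", "basket", "cactus", "dolphin",
    "ember", "falcon", "garden", "harbor", "island", "jigsaw", "kettle", "lantern",
]
REAL_LIST_SIZE = 7776  # assumed size of a full diceware-style wordlist


def naive_charset_bits(password: str) -> float:
    """Bits if every position were drawn uniformly from the character classes present.

    This is the score that makes P@ssword!23 look strong; it ignores that the
    word, the substitutions and the suffix all follow common patterns.
    """
    alphabet = sum(n for test, n in CHAR_CLASSES if any(test(c) for c in password))
    return len(password) * math.log2(alphabet)


def mangled_word_bits(wordlist_size: int, rule_count: int, suffix_choices: int) -> float:
    """Bits of work for an attacker trying (dictionary word x substitution rule x suffix).

    Assumed attacker model: a short list of popular base words, a set of leet-style
    rules such as a->@, and a small space of trailing symbols/digits like '!23'.
    """
    return math.log2(wordlist_size * rule_count * suffix_choices)


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Bits for n_words chosen independently and uniformly from a wordlist."""
    return n_words * math.log2(wordlist_size)


def choose_words(wordlist, n_words: int = 4):
    """Pick words with the OS CSPRNG; random.choice would be predictable."""
    return [secrets.choice(wordlist) for _ in range(n_words)]


def generate_passphrase(wordlist, n_words: int = 4) -> str:
    """Join the chosen words CamelCase-style, like 'DiscoDogsForestFiesta'."""
    return "".join(w.capitalize() for w in choose_words(wordlist, n_words))


if __name__ == "__main__":
    print(f"P@ssword!23 naive score:      {naive_charset_bits('P@ssword!23'):.1f} bits")
    print(f"P@ssword!23 vs rule attack:   {mangled_word_bits(1000, 50, 3200):.1f} bits")
    print(f"4 words from 16-word list:    {passphrase_bits(len(DEMO_WORDS), 4):.1f} bits")
    print(f"4 words from {REAL_LIST_SIZE}-word list:  {passphrase_bits(REAL_LIST_SIZE, 4):.1f} bits")
    print("sample passphrase:", generate_passphrase(DEMO_WORDS))
```

Two things to take from running it: the naive score of roughly 72 bits for P@ssword!23 collapses to under 30 bits once the attacker is allowed to try dictionary words with rules, whereas four words from a 7,776-word list give about 52 bits that no rule set reduces, because the words are chosen at random rather than by a person. The second point is that the wordlist size matters as much as the word count; four words from the 16-word demo list give only 16 bits, so use a full list, not a handful of favourite words.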
Alright, my second question is should I make one super strong password or passphrase, and use it on all of my accounts? One password to rule them all is a lot easier for me to remember!
Atilade: You should always avoid passphrase reuse. This includes variants of a passphrase; don’t just add a number or change it slightly. You really need to emphasize the uniqueness of passwords/passphrases. It sounds really hard to have unique passwords for each account, but a password manager can make this a lot easier. There are so many options for password managers; they’re built into devices, browsers, etc. Your one password to rule them all can be for your password manager, and the manager can help you make other unique passphrases you don’t need to memorize.
Pooja: Using one password for everything is just like having one key for your house, car, locker, and all your other valuables. Convenient? Yes. Safe? Not Really. There are many ways passwords can be compromised, either by user error or by the companies that you trust. If any of your account passwords get compromised, the potential damage and required repairs increase significantly if that password can let the attacker into multiple accounts!
Why should I turn on Multi-Factor Authentication (MFA)? It’s really annoying getting a text or having to open another app when I want to log into something!
Pooja: We put alarms on our cars, homes, right? The digital world is no different. We are up against global invisible threats. If your password gets compromised, that second step in MFA can be a game-changer.
Fun fact from 2019: Google found that just by adding a mobile number for extra verification, users thwarted nearly all phishing attempts. That extra step of security really does make a huge difference.
Atilade: MFA can really feel like it’s slowing you down sometimes, especially if you’ve switched numbers recently or are having issues with an app like Google Authenticator. While it can feel like overkill, MFA really does elevate the security of sensitive accounts or systems. Bank accounts, or accounts with sensitive information like an instructor’s account at CUE, should definitely have MFA enabled. You probably don’t require it on all of your accounts, say Netflix for instance.
Phishing and social engineering are when the attackers try to trick you into giving up information about yourself, like your username and password, banking information, etc. Do you have any tips to share to avoid phishing and social engineering scams?
Atilade: Be skeptical of anything you get electronically. Don’t trust links or anything you get unsolicited. If you get a phishing text or email, just delete it and flag it as spam if your phone allows it. If something feels too good to be true, be skeptical. Scammers are preying on your greed and hoping a limited time offer will entice you. It’s becoming easier and easier to impersonate people online, so never feel bad ending a call, or checking with someone via a different means of communication if you think they’re being impersonated.
Pooja: The individuals behind these attacks are CONSTANTLY coming up with new methods. The key to defending against phishing and social engineering scams is vigilance. Always question the authenticity of an email, call, or any other interaction from unfamiliar sources. Phishing emails and scam messages function similarly—they tell appealing stories to distract you while stealing your information. It doesn’t matter how secure your password is if you can be tricked into sharing it with an attacker!
I got these text messages in the past 2 days, can you guys help me decipher some tell-tale signs that they’re scams?
Atilade: Looking at the Netflix text, you can see that Netflix is misspelt in the link. That’s an obvious giveaway. One thing to note is this attacker is using https for their website. The common misconception is that the “s” in https is for secure, so it can’t be fake. This isn’t true, anyone can register a website with https, it just means traffic to the website is encrypted. If you clicked on this link, the attacker would probably direct you to a site that looked like Netflix and hope to steal your username and password.
The CRA text is less obvious and looks like some effort went into crafting it. There are no obvious misspellings, and in this case they are not using https which should be a giveaway. To clarify, not using https is a sure sign the site is not legitimate, but just because it does have https doesn’t mean it’s safe. The other giveaways are that the website they’re directing you to ends in .info instead of .gov.ca or .ca, and the length of the URL. Another one is this is out of character for the CRA. When I log into the CRA portal, I can provide my banking info, so I don’t think the CRA would send me an e-transfer like this over text.
Pooja: Some other things you can do are to google those links; they’ll probably pop up quite quickly as scams. If you wanted to make sure everything was OK with your Netflix account, or see if the CRA had a refund for you, log into your accounts from the Netflix or CRA websites WITHOUT clicking these links, or call the organization. Also, you can see that your cell phone provider thinks these texts are questionable and likely smishing (which is the text message form of phishing).
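The tell-tale signs the two of them pick out of the texts (a misspelled brand in the link, a plain http link, an unexpected top-level domain, and an unusually long URL) can be written down as simple checks. The script below is an added example, not part of the interview, that runs those checks over a few constructed sample links (the real texts from the article are not reproduced here). The legitimate domains for each brand, the 60-character length threshold and the edit-distance cut-off are assumptions chosen for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed legitimate registrable domains for the brands the sample texts impersonate.
LEGIT_DOMAINS = {
    "netflix": {"netflix.com"},
    "cra": {"canada.ca", "gc.ca"},
}
LONG_URL = 60  # assumed threshold; the interview only says "the length of the URL"


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch look-alikes such as netfl1x vs netflix."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the hostname. Naive: it ignores multi-label public
    suffixes, so treat it as a heuristic, not a public-suffix-list lookup."""
    return ".".join(host.split(".")[-2:])


def smishing_flags(url: str) -> list:
    """Return a list of flag codes for the link; an empty list means none of
    these particular heuristics fired, which is NOT proof the link is safe."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []

    # 1. Plain http: the interview calls a missing 's' a giveaway.
    if parts.scheme != "https":
        flags.append("no-tls")

    # 2. Brand name (or a near-miss of it) in the hostname, but the registrable
    #    domain is not one the brand actually owns (e.g. .info instead of .ca).
    labels = [lbl for lbl in re.split(r"[.-]", host) if lbl]
    reg = registrable_domain(host)
    for brand, legit in LEGIT_DOMAINS.items():
        if reg in legit:
            continue
        # Short brand names need an exact hit; 'cra' is within distance 2 of
        # almost any three-letter label, which would produce false positives.
        max_dist = 2 if len(brand) >= 5 else 0
        if any(levenshtein(lbl, brand) <= max_dist for lbl in labels):
            flags.append(f"lookalike:{brand}")

    # 3. Unusually long link.
    if len(url) > LONG_URL:
        flags.append("long-url")
    return flags


# Constructed sample links for demonstration; not the texts shown in the article.
SAMPLE_LINKS = [
    "https://netfl1x-account.info/login",
    "http://cra-refund-etransfer-claims.info/secure/verify?id=7f3a9c2d1e8b4a6f",
    "https://www.netflix.com/account",
    "https://www.canada.ca/en/revenue-agency.html",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{link}\n    flags: {smishing_flags(link) or 'none'}")
```

The first sample trips only the look-alike check (https is present, exactly the point made about the Netflix text), the second trips all three, and the two genuine links trip none. As with the https discussion above, a clean run proves nothing on its own: a well-registered .com with a valid certificate passes every one of these checks, which is why the interviewees' advice to log in from the official site rather than the link still applies.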
What should I do if I think I’m being scammed?
Pooja: If something feels off, stay calm. You’ve already taken the first step to stop further damage, which is detecting a potential scam. Next step is to STOP the interaction and verify the information with the official entity. For example, if someone claims to be from Amazon, take Amazon’s customer service contact details from their official website and verify. If you’ve shared sensitive information like a password, change it immediately. If it’s critical data like your Social Insurance Number, alert the authorities. And lastly, always report potential scams to protect yourself and others.
Atilade: If you feel like you’ve given out sensitive information, call the relevant authority, such as your bank. Being a victim of fraud can make you panic or feel ashamed and want to hide the issue or attempt to fix it yourself. Breathe, remain calm, and reach out for help to get the issue sorted out as quickly as possible.