- Delia du Toit
Online attacks and phishing surged during Covid-19. Is there a permanent solution to cybercrime?
“Sorry, but your password must contain an uppercase letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a virgin,” states a meme in circulation for some time. Indeed, few online efforts are as frustrating as setting up and remembering a password. In the internet age, the average person has more passwords than they can remember – 70 to 80, according to password manager NordPass.
It’s no wonder then that instead of picking a complex password, many people opt for something that is easily guessed. Last year, the UK's National Cyber Security Centre (NCSC) analysed passwords belonging to accounts worldwide that had been breached – the most popular passwords included gems like “password”, “111111” and “abc123”. The top hacked password, though, was “123456”, which was supposed to protect over 23 million of the accounts, followed by “123456789” on over seven million accounts. Band names, first names and sports teams were also popular passwords.
Dodgy digital defences
Just as housebreakers look for weak spots in fences to enter a home, online criminals hunt for weak online security to exploit. When they do so, human error is most often to blame. “Most online users are naïve and hardly have time for their security despite the warnings and awareness creation. Simple security hygiene is not observed,” says Dr Uche Mbanaso, visiting scholar at the Wits Learning Information Networking Knowledge (LINK) Centre and executive director of the Centre for Cyberspace Studies (CCS) at Nasarawa State University, Nigeria.
The pandemic created the perfect storm for cyber criminals to take advantage, with Interpol reporting an increase in cyber-attacks targeting small businesses, corporations and governments, says Dr Kiru Pillay, LINK visiting researcher and convenor of the Wits Cybersecurity Professional Practice and Leadership Certificate Programme.
“Data breaches impact both individuals and organisations by releasing personally identifiable information [PII], which can be used to identify an individual, into the public domain or selling it on the dark web. This data is often used for identity theft and making transactions online or, with some additional information, could be used to create new bank accounts or take out loans under a real person’s name.”
For corporations, data breaches can be devastating. Besides the reputational damage, loss of income and costs incurred to contain the breach and increase security, regulators are increasingly seeking to impose fines on corporations after data breaches, says Pillay. Equifax, a US-based credit agency, was fined $700 million after a 2017 data breach.
Hackers are always ahead of the game, says Mbanaso. “Beating hackers would require operating like them - thinking and acting indiscriminately.” Pillay says that, increasingly, the private sector is stepping up: “The South African Banking Risk Information Centre [SABRIC], for example, is a non-profit formed by the four major banks to assist in combatting organised bank-related crimes.”
And policy is catching up – President Ramaphosa is considering the Cybercrimes Bill, which the National Assembly and the National Council of Provinces have already approved. “The Bill will codify numerous existing offences related to cybercrime and will create a variety of new offences,” says Pillay. But user vigilance, such as strong passwords, remains the best individual defence.
- Delia du Toit is a freelance writer.
- This article first appeared in Curiosity, a research magazine produced by Wits Communications and the Research Office.
- Read more in the 11th issue, themed: #Viral. Inspired by the SARS-CoV-2 global pandemic, content relates to both the virus that causes Covid-19 and its socio-economic, political, and environmental ramifications.