IT security has been in the news lately with the theft of money from superannuation funds. It's bad, but when you consider that they only made off with $500,000 from the $4.2 trillion that Australians have in super funds it's pretty inconsequential. It's not going to ruin anyone's day. Not even devops, because they're saying it was a credential stuffing attack: username and password pairs leaked from some other site were replayed against the funds' login pages, so the funds' own systems weren't broken into, members' reused passwords were.

To do a bit of maths: $500,000 out of $4.2 trillion is 1.2×10^-7 as a fraction, which is 0.000012% (not 1.2×10^-7%; the percentage is a hundred times the fraction). When it's easier to work in scientific notation you know it's insignificant.

But it could have been bad.

Preventing credential stuffing is pretty easy – don't reuse your passwords. A leaked pair from one site then doesn't unlock anything else. This becomes nearly trivial when you use a password manager. You don't need to remember the passwords that are generated and they can be long and random. The one password that you need to remember to log in to your password manager can be long but still memorable, such as a passphrase of several randomly chosen words. (You can look at the maths behind it in the XKCD password strength comic: XKCD.com.)

Then there's second-factor authentication. When you try to log in, you get an SMS or email with a code sent to the number or address on file that you need to enter before you get let in. Or you need to dig out a number from an authenticator app that changes at regular intervals in sync with the service you're logging in to (a time-based one-time password). The app or a hardware key is the stronger option, because an SMS code can be intercepted by someone who has taken over your phone number and an email code is only as safe as your mailbox, but any of them stops a plain credential stuffing replay, which only has the password.

There's a third kind of factor that is tricky to implement – something you are rather than something you know (a password) or something you have (a phone or token): some sort of biometric, like eyes, fingerprint, DNA (Severance style).

<pretend I found a jif of the fingerprick scenes from Severance>

I don’t think my super fund has 2FA (or MFA) set up. So I can’t rely on that as a second factor. But I do have an email service that allows for subaddressing email addresses. That link goes to a very dull publication about what subaddressing is.

In short, it's that you can add details to the left side of an email address – the local part, the bit before the @. So if my main email address is ko@example.com, an email sent to ko+sometext@example.com will be delivered to ko@example.com, but with the +sometext still visible in the To field. This is really handy for filtering emails. Not every mail provider supports it, and some websites reject a + in an address at signup, so it's worth checking your own setup before relying on it.

It’s also handy to find out whether your email has been part of a breach or has been sold. If you suddenly get emails to ko+company1@example.com from Company 2, you know that your email address has either been sold or stolen. Handy for the curious but not that useful.

But where it might come in handy is as another hurdle against credential stuffing. If you've happened to reuse a password somewhere, but the username you registered with is different at each site, then you're steps ahead in protecting yourself because the leaked pair doesn't match anything. It isn't a true second factor (the tag is still just something you know, and anyone who sees the leaked address can see the pattern), so it only helps if the tag isn't guessable: ko+company1 invites a stuffing tool to try ko+company2 or plain ko, whereas a random tag per site gives it nothing to derive. Unique passwords remain the real fix; the tag is a bonus.
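To show what the tag does and doesn't buy you, here is an added example (my own code, not anything from the post or a mail provider). It assumes the provider uses + as the subaddress separator, as the post describes; the addresses, the reused password and the "breach" are made-up sample data. It builds per-site subaddresses, pulls the tag back out of an incoming To address to spot which registration leaked it, and then replays the leaked pair against a second site under three attacker strategies: the exact pair, the pair with the tag stripped, and the pair with the tag guessed from the target's name.

```python
"""Subaddressing helpers plus a small credential-stuffing simulation.

Added example, not code from the original post. Assumes the mailbox provider
treats '+' as the subaddress separator (the convention the post describes).
All addresses, passwords and the "breach" below are constructed sample data.
"""
from __future__ import annotations

import secrets

SEPARATOR = "+"


def make_subaddress(mailbox: str, tag: str) -> str:
    """Build local+tag@domain from a base mailbox and a per-service tag."""
    local, domain = mailbox.rsplit("@", 1)
    if not tag or any(c in tag for c in " @" + SEPARATOR):
        raise ValueError("tag must be non-empty and contain no space, '@' or separator")
    return f"{local}{SEPARATOR}{tag}@{domain}"


def random_tag(nbytes: int = 4) -> str:
    """An unguessable tag: a per-site identifier a stuffing tool cannot derive."""
    return secrets.token_hex(nbytes)


def split_subaddress(address: str) -> tuple[str, str | None]:
    """Return (delivery mailbox, tag). The mailbox is where mail actually lands."""
    local, domain = address.rsplit("@", 1)
    base, sep, tag = local.partition(SEPARATOR)
    return f"{base}@{domain}", (tag if sep else None)


def leaked_from(to_address: str, sender_domain: str, registrations: dict[str, str]) -> str | None:
    """Mail for a tagged address arriving from a domain other than the one the
    tag was handed to means that registration leaked (or sold) the address.
    Returns the domain the tag was registered with, or None if nothing is amiss."""
    _, tag = split_subaddress(to_address)
    if tag is None:
        return None
    origin = registrations.get(tag)
    return origin if origin and origin != sender_domain else None


def stuffing_hits(breach, target_accounts, target_name, strategy="exact"):
    """Replay breached (username, password) pairs against a target site's accounts.

    strategy:
      'exact' - try the pair verbatim (the post's scenario)
      'strip' - also try the bare mailbox with the +tag removed
      'guess' - also try local+<target_name>@domain, i.e. assume a predictable tag
    Returns the target usernames that would have been compromised.
    """
    hits = []
    for user, password in breach:
        base, _ = split_subaddress(user)
        local, domain = base.rsplit("@", 1)
        candidates = [user]
        if strategy in ("strip", "guess"):
            candidates.append(base)
        if strategy == "guess":
            candidates.append(f"{local}{SEPARATOR}{target_name}@{domain}")
        for candidate in candidates:
            if target_accounts.get(candidate) == password:
                hits.append(candidate)
                break
    return hits


# Constructed scenario: one person, one reused password, two sites.
BASE = "ko@example.com"
REGISTRATIONS = {"company1": "company1.example", "company2": "company2.example"}
REUSED_PASSWORD = "correct horse battery staple"
BREACH = [(make_subaddress(BASE, "company1"), REUSED_PASSWORD)]          # leaked by company1
COMPANY2_ACCOUNTS = {make_subaddress(BASE, "company2"): REUSED_PASSWORD}  # predictable tag
RANDOM_TAG_ACCOUNTS = {make_subaddress(BASE, random_tag()): REUSED_PASSWORD}  # random tag


def demo() -> dict:
    """Run the leak check and the three replay strategies; return the results."""
    return {
        "leak_detected": leaked_from("ko+company1@example.com", "company2.example", REGISTRATIONS),
        "exact": stuffing_hits(BREACH, COMPANY2_ACCOUNTS, "company2", "exact"),
        "strip": stuffing_hits(BREACH, COMPANY2_ACCOUNTS, "company2", "strip"),
        "guess": stuffing_hits(BREACH, COMPANY2_ACCOUNTS, "company2", "guess"),
        "guess_random_tag": stuffing_hits(BREACH, RANDOM_TAG_ACCOUNTS, "company2", "guess"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The exact replay and the tag-stripping replay both miss, which is the benefit the post describes. The guessing strategy lands the moment the tag is the site's own name, and misses again once the tag is random, which is why the tag only earns its keep if it's as unguessable as the password should have been.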

I hope.
