Many of us would feel lost without our smartphones in hand – but what if that same device became a tool for criminals?
Kieran Burge, a security consultant at Prism Infosec, has revealed the five common mistakes that could let him crack into your smartphone within seconds.
As a penetration tester – a legal hacker who tests companies’ cybersecurity to find weaknesses before criminals do – Kieran knows what he’s talking about.
And he says that simple mistakes such as reusing passwords, clicking on dodgy links and sharing too much information on social media could land you in hot water.
So, are you guilty of these security blunders? Read on to find out.
Kieran Burge, a security consultant at Prism Infosec, has revealed the five common mistakes that could let him crack into your smartphone within seconds
As a penetration tester – a legal hacker who tests companies’ cybersecurity to find weaknesses before criminals do – Kieran knows what he’s talking about
1. Using out-of-date software
Keiran told MailOnline that one of the first things he and other hackers look for when preparing an attack is out-of-date software.
‘Out-of-date software is a really big issue because, if the software has been updated, it’s probably because there is a security issue’, he explained.
Software, whether it is the operating system of your iPhone or the control system for a factory, often has some sort of vulnerability.
While these can quickly fixed by developers, they are also often shared online through forums and hacker communities.
If you haven’t updated your software to include the fix, Keiran explains, ‘people can get in and steal really sensitive information and even sometimes take control of the software.’
Keiran told MailOnline that one of the first things he and other hackers look for when preparing an attack is out-of-date software
The vulnerabilities can take many different forms and allow criminals to cause serious disruption for companies and individuals.
These attacks are often opportunistic as criminal groups scan online archives for out-of-date versions of software.
Keiran says the recent crippling hack on the British Library was likely to have been an opportunistic attack of this kind
To keep safe online, Keiran says you should ‘always ensure that your software is up to date.’
2. Reusing passwords
Another common way that hackers get hold of your personal data, according to Keiran, is by exploiting reused passwords.
Keiran told MailOnline: ‘No matter what site you’re giving information to you, you don’t know what they’re going to do with that information or how they’re going to protect it.’
He says that the big risk of re-using passwords is that if even one site you use is compromised, it can give hackers access to all of your accounts.
‘As soon as a company is breached there’s usually a big database dump that gets put on the darkweb,’ Keiran said.
The dark web is an encrypted part of the internet not accessible with normal search engines which is often used to host criminal marketplaces.
In April this year, an international raid brought down a hacker bazaar called Genesis Market which the FBI claims offered access to over 80 million account access credentials.
Keiran said: ‘There are going to be databases out there with user name and password combinations for your accounts.’
‘If you’re reusing passwords then any hacker can take that combination and use it to take control of another company.’
Reusing passwords puts you at risk because your account credentials can be stolen and resold on marketplaces like Genesis Market which the AI took down earlier this year
3. Giving out too much information online
‘On a personal level, for someone in their day-to-day activities one of the most important things that people need to think about is how much information they’re sharing online,’ Keiran said.
In ‘red teaming’ – a cybersecurity term for testing the defences of a company – one of the first places Keiran and his team look is social media.
‘We can do almost anything to get into a company, but one of the tools we use is harvesting data from social media,’ Keiran explained.
‘We scour social media sites like LinkedIn to see what we can find.’
Not only might this reveal usernames which can be linked to stolen account credentials, but it also opens the door to a whole range of other attacks.
One of the most insidious attacks that this exposes you to is a technique called ‘sim swapping’ or ‘sim-jacking’.
Keiran explains that hackers will search the web for information such as your date of birth, address, and even the answers to common security questions like your mother’s maiden name.
‘Once you have all that information you can use social engineering techniques to ring up their mobile provider and convince them to transfer the mobile number to a new sim,’ he said.
Now, whenever a text or call would go to the victim’s phone it instead goes straight to the attackers.
‘Once they have that you suddenly have access to all the multi-factor authentication sites that the person is signed up to,’ he added.
This could include work email accounts, online shopping accounts, and even online banking.
‘Everything you put up online you no longer have control over, and if you’re unlucky and all that information links up then you can get your identity partly stolen,’ Keiran warned.
Giving away too much information online can leave you at risk of Sim-Jacking attacks in which hackers transfer your phone number to a new sim to intercept your calls and messages (stock image)
4. Connecting to unprotected public networks
‘In the last few years something that’s become a lot more important is remote working,’ Keiran said.
‘A big part of that involves people going to cafes like Starbucks and connecting to their public WiFi.’
The problem is that these kinds of public networks use a type of system called ‘open authentication’ to connect your device to the web without having to use identity verification.
While this makes it easy for you to quickly jump onto the coffee shop WiFi to send a few emails, it also puts you at risk of attacks from cybercriminals.
Open authentication means that the data you send across the network is not encrypted and can be captured by anybody else on the network.
‘Someone could be sat outside a public WiFi network and just listening in on what’s being sent,’ Keiran warned.
‘They could be in the cafe or they could be using specialist hardware to increase the range at which they can listen in on the network.
‘They can be hidden a safe distance away then all they have to do is listen and wait.’
To avoid personal information like banking details being stolen from public WiFi, Keiran recommends that you always use a VPN when in public.
These services encrypt your data so that any eavesdroppers on the network won’t be able to read what your sending.
On public WiFi anyone could be listening in on the information you’re sending, waiting to steal sensitive information such as bank details and passwords
5. Clicking dodgy links
Finally, Keiran says that sending dodgy links is still the most common way that people get hacked.
Phishing scams remain the most prevalent attack in the UK according to the UK’s National Cyber Security Centre (NCSC).
In 2022 alone, 7.1 million malicious emails and URLs were flagged to the NCSC – the equivalent of nearly 20,000 reports a day.
Keiran explains that hackers will send fake emails and text messages to targets containing links to malicious websites or instructions to download software.
Once one of these links has been clicked, it gives criminals a window to install malware on their victim’s device which can steal data and even take control.
But as sophisticated as a computer virus might be, hackers still need someone to follow a link to a compromised website or download files containing hidden malware.
‘You need to be vigilant of anyone that is sending you something when you don’t expect it,’ Kieran concluded.
‘Don’t click on dodgy links, don’t download dodgy files, don’t fall into their trap.’
