I really enjoyed the session “Think Like a Hacker: What Designers need to know about Cybersecurity,” organized by Experience Design Perth, today evening (14 March 2024) at Humaan Perth. The venue was amazing, the attendees were lovely and I learned a lot of new stuff. Here is a summary of “what did I learn today.”
Personally Identifiable Information (PII)
“Finding Tony Abbott’s Passport Number and entering the Do Not Get Arrested Challenge 2020” is a hilarious and informative video from the white hacker “Alex.” Tony Abbott is Australia’s former Prime Minister. Diana, the Experience Designer & Researcher and one of the organizers of this event, shared this gem with us.
In this video, “Alex” Hope narrates how he ‘decoded’ the former Prime Minister’s passport number and phone number from the photo of an airline ticket shared by Tony Abbott himself on the social media!
Personally identifiable information (PII) is any information connected to a specific individual that can be used to uncover that individual’s identity, such as their social security number, full name, email address or phone number.
– What is personally identifiable information (PII)?: IBM
Phishing
Caitriona, the Cybersecurity Expert who talked at the Experience Design Perth event, emphasized the point that even tech savvy and knowledgeable people fall for phishing emails. She narrated an episode where she sent an email to all the employees of a company about the annual holiday leaves which were still under discussion. She got most of them clicking on the spoofed link. She even got the CXOs and board members as well!
Caitriona also encourages the use of password manager apps like 1password or Keeper or Dashlane. She gives out free licenses of password manager apps to employees for their personal use. This is because If they are familiar with password manager apps, the employees will definitely internalize and comply with the password policies implemented by organizations.
Phishing is a way cyber criminals trick you into giving them personal information. They send you fraudulent emails or text messages often pretending to be from large organisations you know or trust. They may try to steal your online banking logins, credit card details or passwords. Phishing can result in the loss of information, money or identity theft.
– Phishing emails and texts: Australian Signals Directorate
Multi Factor Authentication (MFA)
Josh, Technology leader and author, stressed that the two factor authentication (2FA) involving a code sent to your mobile as an SMS is not safe at all. In this day and age, mobile phone numbers can be easily spoofed by misleading the mobile carrier company by the cyber criminals. The SMS code can be stolen by them and they get unauthorized access to our accounts.
Instead, Josh advised the use of software-based authenticator apps like those from Google or Microsoft or Red Hat. Josh also mentioned his experience with a password policy implemented by his ex-employer of setting up monthly passwords of 25 characters long!
A cybercriminal, with a few important details about your life in hand, can answer security questions correctly, impersonate you, and convince your mobile carrier to reassign your phone number to a new SIM card. At that point, the criminal can get access to your phone’s data and start changing your account passwords to lock you out of your online banking profile, email, and more.
– What Is SIM Swapping? 3 Ways to Protect Your Smartphone: McAfee
Workshop: How to protect a small or medium business from social engineering attack
The attendees were split into groups of four members.
- We were asked to select a real-life small or medium business and research on the publicly available information.
- We were given template sheets to profile bad actors who might target the business.
- We identified opportunities for the bad actors to initiate an attack.
- We found mitigation steps against the attack to protect the business.
Although we were short on time, it was a fun experience! Thank you Jayden, Michael, James and Jay for the teamwork!
Social engineering attacks manipulate people into sharing information that they shouldn’t share, downloading software that they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals or making other mistakes that compromise their personal or organizational security.
– What is social engineering?: IBM
How Designers can help with Cybersecurity
- Bring security perspective into designing products or services
- Consider ‘Motivation vs Opportunity’ model of bad actor behavior
- Reducing data breach risk through the ‘datensparsamkeit’ approach
- Reduce the risk together by working with the technology and product team
Protecting Yourself from Cyberattacks
End-to-End Encryption (E2EE)
Popular messaging apps, like Meta’s WhatsApp, Telegram, and Signal, are all giving end-to-end encryption for messages.
End-to-end encryption (E2EE) is a secure communication process that prevents third parties from accessing data transferred from one endpoint to another.
– E2EE: IBM
Resources and References
- Check if your email address is in a data breach: Haveibeenpwned.com
- Book: The Checklist Manifesto
- Book: Influence: The Psychology of Persuasion
- West Coast Cyber Podcast
- Open source intelligence (OSINT) Framework
- puprplecon YouTube channel
